The previous article introduced security audits, which are really audits against security specifications: an audit checks a system against a written set of rules, so the rules have to exist first.
There are many potential sources for security specifications. Some of them are government standards. For example, in the United States, HIPAA, the Health Insurance Portability and Accountability Act of 1996, specifies requirements for administrative safeguards, physical safeguards, and technical safeguards of medical records and other Protected Health Information (PHI). Covered entities (health care providers, health plans, and clearinghouses) and the business associates that handle PHI on their behalf must comply with HIPAA.
The credit card industry has the Payment Card Industry Data Security Standard, or PCI DSS, which must be followed by any organization that stores, processes, or transmits cardholder data.
The SANS Institute offers a wide range of security training and resources, including a set of Information Security Policy Templates that provide examples of best practices that can be customized for your organization. For example, the Server Security Policy specifies things like “all internal servers deployed at <company name> must be owned by an operational group that is responsible for system administration” – in other words, no zombie servers that no one is responsible for!
The Defense Information Systems Agency (DISA), part of the United States Department of Defense, publishes Security Technical Implementation Guides (STIGs), which specify in detail how DoD operating systems, applications, and network devices must be configured and managed.
Of course there are numerous books on computer security, many including guidelines and checklists.
Finally, each organization must prepare its own security guide, which lays out the security rules that it chooses to follow. This is critical because each organization has its own set of requirements, needs, and threats. You can’t simply say “all computer systems must be completely secure” – first, this is impossible. There is a famous observation that the only truly secure computer system is one that is melted into slag, ground into dust, cast into a block of concrete, and dumped into the deepest part of the ocean. Second, implementing the highest levels of security for all systems is expensive and makes the systems very difficult to use.
As we have discussed before, computer security in the real world is a risk management exercise. Risk cannot be eliminated and must not be ignored; it should be managed intelligently.
An organization’s security guide should be based on applicable government and industry requirements, accepted best practices, and the specific requirements of the organization.