Major security standards are set to be revised to reduce risk and drive business direction.
This is according to Allen Baranov, security analyst for the South African Breweries, who will speak about the history and philosophy of standards and security at the ITWeb Security Summit next week.
“There aren't any major new standards but all the major standards including ISO27001/2, the Information Security Forum's Standard of Good Practice, and the Information Systems Audit and Control Association's COBIT are going through revisions soon.
“To prepare for these revisions, organisations will need to take what they are doing at the moment and remap it to the new version and then look for gaps.”
According to Baranov, security standards can help an organisation to gain direction and measure success.
“Security should drive the standards – not the other way round. Standards can help to fill in the gaps and give direction, but if you use them to drive security then you may end up with extra risk.”
Baranov explains that the South African security standard for handling credit card details doesn't mention data loss prevention. This means companies that would benefit from data loss prevention are not using it because it is not a requirement for payment card industry compliance.
Many organisations are overspending in other places just to be compliant, while they neglect investing in areas such as data loss prevention solutions, says Baranov.
He adds that the biggest challenge surrounding standards and frameworks is deciding which standard will best suit the company. “Also, realising that you can't do everything in every standard and deciding what parts to do and what to completely ignore are decisions the security professional will have to make.”
IT Web Financial