This is an interesting question. Overall, I would say that, in the U.S. and Canadian business environments, implementing national, enforceable information security standards would be difficult. Not so much due to an error in the concept, but because each industry and each aspect of government/business operations are somewhat different and require a different focus.
Now, if you want, please consider the Payment Card Industry Data Security Standards (PCI DSS), HIPAA, the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards, NIST 800-53 v3 and ISO 27001/2. One could argue that each of these standards can map to the others, but many of these standards are focused on fixing industry-specific security issues.
PCI DSS includes requirements for data confidentiality (encryption) and integrity (logging and access management). Similarly, the NERC CIPs include requirements for integrity (logging, access management) and availability (disaster recovery). Respectively, however, these standards are written for the systems used to handle credit cards and move electricity -– not necessarily to provide a holistic security standard.
Relative to ISO 27001/2, each of the standards can be mapped. For instance, below is a mapping of the NERC CIPs to ISO 27001/2. You can see some similarities, but the mapping is not necessarily complete or even germane to the industry.
|Click to enlarge.|
Doubleclick to restore.
I would really like to see a common standard used across all governments and enterprises. ISO 27001/2 comes to mind in this case, especially because of its global recognition. However, because of the different self interests of the credit card companies, electric reliability focus by the Federal Energy Regulatory Commission (FERC) and the security requirements of the U.S. federal government, it will not be an easy -– or possibly even an achievable -– task.
However, if you need to start somewhere, I recommend using ISO 27001/2 as your checklist to build and implement your security program, especially because many of your policies, standards, procedures and guidelines, as well as technologies, will probably be transferrable to other industry requirements.
This was first published in March 2010