This is an interesting question. Overall, I would say that, in the U.S. and Canadian business environments, implementing...
national, enforceable information security standards would be difficult. Not so much due to an error in the concept, but because each industry and each aspect of government/business operations are somewhat different and require a different focus.
Now, if you want, please consider the Payment Card Industry Data Security Standards (PCI DSS), HIPAA, the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards, NIST 800-53 v3 and ISO 27001/2. One could argue that each of these standards can map to the others, but many of these standards are focused on fixing industry-specific security issues.
PCI DSS includes requirements for data confidentiality (encryption) and integrity (logging and access management). Similarly, the NERC CIPs include requirements for integrity (logging, access management) and availability (disaster recovery). Respectively, however, these standards are written for the systems used to handle credit cards and move electricity -– not necessarily to provide a holistic security standard.
Relative to ISO 27001/2, each of the standards can be mapped. For instance, below is a mapping of the NERC CIPs to ISO 27001/2. You can see some similarities, but the mapping is not necessarily complete or even germane to the industry.
|Click to enlarge.
Doubleclick to restore.
I would really like to see a common standard used across all governments and enterprises. ISO 27001/2 comes to mind in this case, especially because of its global recognition. However, because of the different self interests of the credit card companies, electric reliability focus by the Federal Energy Regulatory Commission (FERC) and the security requirements of the U.S. federal government, it will not be an easy -– or possibly even an achievable -– task.
However, if you need to start somewhere, I recommend using ISO 27001/2 as your checklist to build and implement your security program, especially because many of your policies, standards, procedures and guidelines, as well as technologies, will probably be transferrable to other industry requirements.
Dig Deeper on Security audit, compliance and standards
Related Q&A from Ernie Hayden
In this Ask the Expert video, Ernie Hayden answers the question of what 'big data' is and outlines big data security issues in this video. Continue Reading
Every firm needs a security conscience, according to expert Ernie Hayden, who says it is critical among key CISO responsibilities. Continue Reading
Dealing with lawyers is often a challenge. Ernie Hayden offers advice for CISOs dealing with enterprise information security legal issues. Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.