common to map a control from one framework to another to help show compliance with different standards. Listed below are some examples of common frameworks:

ISO 27000 Series
While ISO 27001 has greater acceptance outside the United States, it is considered a solid standard among information security frameworks. One pitfall of ISO is that the implementation and certification process can be long and difficult.

COBIT
A good structure for publicly traded companies that will help align compliance with Sarbanes-Oxley (SOX).

NIST SP 800-53
NIST SP 800-53 is a publication of control standards that US federal agencies are required to follow in order to comply with Federal Information Processing Standards (FIPS) requirements. However, NIST controls can be adopted by any industry.

HITRUST CSF
HITRUST CSF integrates the healthcare security requirements that apply to healthcare providers and technology vendors. It combines hundreds of requirements taken from several compliance regulations.

PCI DSS (Payment Card Industry Data Security Standard)
PCI DSS is an information security standard for companies that handle credit and debit card information. It is administered by the Payment Card Industry Security Standards Council, which establishes the control objectives, revisions, and requirements needed for compliance.

Putting Your Framework into Action
As you adopt controls and standards from various frameworks, it is important for the outcome to be achievable, adaptable, and attainable.

Achievable – It will not do your company any favors to list every control possible and try to comply with controls that are not achievable. Keep it realistic, and enforce the controls you can today, but continue to mature your security controls, policy, and processes over time as compliance allows.

Adaptable – Established security controls and a well-written policy should be adaptable, so that as the company ebbs and flows, your controls and policy require only minor changes or updates. If you have a good core policy that is properly maintained and reviewed regularly, it will be easier to adapt as your company encounters change.

Attainable – Even with leadership support, governance of security controls and policy is not easily attained. Companies need to invest in their information security program in order to make it successful. Here are a few ways you can keep your security efforts attainable:

• Assessment – Regularly assess your program by performing security walkthroughs, looking for compliance violations, and conducting vulnerability assessments to find weaknesses that could be exposed if not addressed. Audit your full program no less than annually to make sure you are following your established controls, policy, and standards.
• Training – Make sure the staff responsible for maintaining your information security program receive regular training, or have obtained and maintain personal security certifications.
• Security Awareness – The best policy ever written will not be as effective if the company lacks awareness of why controls are being enforced the way they are. In addition to requiring new-hire and annual security awareness training, consider articles, posters, and friendly competitions and games to help make awareness fun. Once a person understands the why, they are more likely to want to comply.

Trust But Verify
An old Russian proverb, “Trust, but verify,” was frequently used by Ronald Reagan during his tenure as the 40th President of the United States. You can expect clients and prospects to apply this proverb to you as they consider which print/mail service provider to entrust with their data. Here are a few questions clients are likely to ask:

What type of data elements will you need to produce the work? If those data elements contain sensitive PII or PHI, are you independently certified to securely produce that work?
Do you have the capacity to produce the needed volumes? If not, will you need to outsource work in order to make deadlines?
Are you solvent, or having financial problems?

Clients will want to validate some core company integrity checks to minimize the risk of processing disruptions:

• Dun & Bradstreet Risk Management Report
• Credit history checks
• Industry references check
• Company balance sheets

Clients will want to thoroughly audit your information security program:

• Have you had a past breach?
• Do you have dedicated information security staff?
• Do you carry cybersecurity insurance, and how much?
• Do you have an independent audit report you can share to show you are certified?
• Is your business resiliency capable of supporting their business if you suffer an outage?
• How much money do you dedicate to information security each year?
• Are you doing what your policy says?

Having been involved on both sides of an audit, I can usually spot a good audit right away. Is this just a compliance checklist audit, or is the auditor going to deeply examine us? Information security programs should evolve and grow, and an audit is one way you can make a security practice get better. When I am conducting an audit as part of an acquisition or a supplier review, there are a few questions I like to ask:

What is your biggest security concern, and do you have adequate budget and expertise to properly address that risk today?
Do all employees have a clear picture of your company’s overall security policy, and how can they help make it better?
What does leadership not know about your information security program, but you wish they did?

Ask yourself: The next time a client or prospect is reviewing your security practice, will you be able to demonstrate that you take information security to heart, or is your approach just smoke and mirrors?

John Murray is director of infrastructure and security at IWCO Direct, where he is responsible for developing data security policies and procedures that adhere to the company’s security standards. You can reach him at email@example.com.
MailingSystemsTechnology.com | JULY-AUGUST 2021