Using Compliance Standards to Jump Start Your Security

Most small companies cannot afford a 24x7 in-house enterprise security team. Typically they hire a security consultant who gets them started and then advises them on which security products to buy. More and more small companies, however, are realizing that they don't have to know everything themselves, because they can take advantage of existing industry standards, regulations, compliance frameworks, and best practices. By using compliance standards as a roadmap, a company can secure a single server, a network, or an entire enterprise.

Individual servers are the easiest place to start. Most operating system vendors publish best-practice guidelines for securely configuring their servers. The guidelines specify sound security settings, such as access controls and audit logging, and some vendors also provide analyzers that can be run on the server to flag any setting that does not follow those recommendations. In addition to the vendor-provided guidance, the Center for Internet Security (CIS) publishes CIS Benchmarks for most common operating systems; these benchmarks are the de facto industry standard for the secure configuration of those servers. Two caveats apply: a benchmark is written for a generic system and offers more than one profile (CIS uses Level 1 and Level 2), so pick the profile that matches the server's role, and test the changes on a non-production copy first, because a setting that is right for a hardened bastion host can break an application server.
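As an added example (not code from this article, and not CIS's or any vendor's assessment tool), the following Python script audits an OpenSSH server configuration against a handful of benchmark-style hardening rules. The rules, the upstream default values, and the sample configuration are assumptions made for the illustration and do not reproduce any benchmark's numbered controls. What it shows beyond the paragraph above is that an analyzer has to model how the software actually reads its configuration: sshd honours the first occurrence of a directive and treats anything under a `Match` block as conditional, so a naive "grep for the last value" check would report a setting as fixed when it is not.

```python
"""Added example, not code from the article and not CIS's or any vendor's
assessment tool: a benchmark-style audit of an OpenSSH server configuration.
The rules, the assumed upstream defaults and the sample config are
illustrative; they do not reproduce any benchmark's numbered controls."""

import re
from dataclasses import dataclass

# Illustrative hardening rules (assumed for this example):
# directive -> (accepted values, rationale)
RULES = {
    "permitrootlogin": ({"no"}, "root logs in only via an audited personal account"),
    "passwordauthentication": ({"no"}, "keys only; removes online password guessing"),
    "permitemptypasswords": ({"no"}, "empty passwords give trivial access"),
    "x11forwarding": ({"no"}, "X11 forwarding widens the attack surface"),
    "maxauthtries": ({str(n) for n in range(1, 5)}, "at most 4 attempts per connection"),
    "loglevel": ({"info", "verbose"}, "authentication events must reach the audit log"),
}

# Value sshd uses when a directive is absent. These are the upstream OpenSSH
# defaults as assumed for this example; a distribution may ship different ones.
UPSTREAM_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "6",
    "loglevel": "info",
}


def parse_sshd_config(text):
    """Return the effective global directives as {keyword: value}.

    Two behaviours of sshd matter for an analyzer: the FIRST occurrence of a
    keyword wins (later duplicates are ignored), and everything after a
    'Match' line applies only conditionally, so it is not a global setting.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break                                       # conditional section: stop here
        effective.setdefault(key, value)                # first occurrence wins
    return effective


@dataclass
class Finding:
    directive: str
    actual: str
    accepted: set
    rationale: str
    explicit: bool   # True if the failing value is set in the file, False if it is the default


def audit(config_text):
    """Compare the effective configuration against RULES; return the failures."""
    cfg = parse_sshd_config(config_text)
    findings = []
    for key, (accepted, why) in RULES.items():
        actual = cfg.get(key, UPSTREAM_DEFAULTS[key])
        if actual not in accepted:
            findings.append(Finding(key, actual, accepted, why, key in cfg))
    return findings


def report(findings):
    """Render findings one per line, the way an analyzer would print them."""
    lines = []
    for f in findings:
        src = "set explicitly" if f.explicit else "default, not set"
        lines.append(f"FAIL {f.directive}={f.actual} ({src}); "
                     f"expected one of {sorted(f.accepted)}: {f.rationale}")
    return lines


# Constructed sample configuration for the demonstration, not from a real host.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PermitRootLogin no            # ignored by sshd: the first value above wins
PasswordAuthentication yes
MaxAuthTries 6
LogLevel INFO
Match User backup
    PasswordAuthentication no  # conditional; does not harden other users
"""

if __name__ == "__main__":
    for line in report(audit(SAMPLE_CONFIG)):
        print(line)
```

Run against the sample, the audit reports three failures (PermitRootLogin, PasswordAuthentication, MaxAuthTries), all set explicitly; run against an empty file it still reports failures, but flags them as defaults, which tells the administrator whether to change a line or add one. The duplicated PermitRootLogin line and the Match block are exactly the cases a quick grep-based check gets wrong.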

Of course, security involves much more than having the right settings on your servers. The Payment Card Industry Data Security Standard (PCI DSS) provides its own set of security requirements, specifying how to keep the environment that stores, processes, or transmits cardholder data secure. PCI does not require every company that accepts credit cards to prove compliance by being audited against the standard; smaller merchants generally complete a self-assessment questionnaire instead of undergoing an on-site assessment. However, it is in the card brands' (and every merchant's) best interest to make sure that all cardholder data is secure.

The PCI DSS requirements are written in a way that is easy to understand: good structure, well-written requirements, and clear explanations of why each requirement matters. Where possible, the standard allows alternative, often less expensive, ways of maintaining an adequate level of security (compensating controls) without the resources of a large company. Most importantly, the requirements form a thorough roadmap for keeping an environment secure, covering everything from encryption standards to employee training policies. The PCI DSS is so well respected that many companies apply it to environments holding their own sensitive business data, not just cardholder data.

More advanced companies, or companies that need higher assurance, opt to follow ISO/IEC 27001, the International Organization for Standardization's standard for information security management systems. Its goal is to keep information assets secure, and it covers people, processes, and technology rather than just networks and servers. Fully implementing this standard and getting certified against it across a large organization can be very expensive. However, smart owners of growing companies can use its requirements as a guide to keeping their companies secure as they grow.

The documentation that standards like PCI DSS and ISO 27001 require (network diagrams, inventories of systems, records of who has access to what) is also very useful to the owner of a growing business who is moving past the point of personally knowing every piece of equipment, every application, and every employee with access to each asset. The same documentation is valuable if the owner is considering selling the company, going public, or raising significant funding from investors, since buyers and investors will ask for it during due diligence.

Although the PCI DSS and the CIS Benchmarks are available at no charge (ISO 27001 itself must be purchased from ISO), following them still incurs costs: anti-virus software, an intrusion detection system, file integrity monitoring, and storage for retained audit logs. Small companies may be able to find free or open-source versions of these tools, or choose vendors such as Alert Logic® that charge less for smaller environments.