Particularly for SMEs, information security frequently operates as a CMM level 1 ("initial" or uncontrolled) process: ad hoc reaction to technical threats as they arise. However, with the introduction of external controls such as the Payment Card Industry Data Security Standard (PCI DSS, a contractual obligation imposed by the card brands rather than a statute) and the growing statutory emphasis on data protection, it is becoming effectively mandatory for all businesses - not just the big players - to demonstrate due diligence by running security management processes at CMM level 3 ("defined": standardised and documented) or higher. The range of regulations is huge, and developing manageable compliance processes can seem a very complex task, drawing as they must on numerous separate standards, each with its own emphasis.
The latest edition of Urs+Nahum's Security Checklist, published by the Swiss security and risk management consultancy CyTRAP, is a welcome contribution to the solution. It is a checklist of the regulatory instruments and standards relevant to the controls covering the core components of business information security. Notably, it provides a recommended priority rating and a notional review time scale for each control (both absent from, and sorely missed in, ISO/IEC 17799, since renumbered ISO/IEC 27002), and it includes an extensive bibliography with links to, and descriptions of, the regulatory instruments and standards it cites.
- Urs+Nahum's Security Checklist, from CyTRAP