International standards: the big four


Security like I’m five: International standards

Time for part 2, b*tches. (Why I swear so much, I don't know.)

Before we start this next post in the series I have to come clean: I made the term "the big four" up. This is purely my imagination. I warn you because I know how you guys & gals get, flexing that you know the big four at parties. Your conversation partner won't have a clue what you mean. No street cred gained, no dragon points, no kudos, no nothing.

For those of you who forgot what part 1 was about:

So now that we have that out the way

➡ The MVP 9000 & ISO 27001
➡ ISAE 3402, the duck test.
➡ PCI DSS, the goat?
➡ Lesser gods


The MVP 9000 & ISO 27001

This newsletter is about information security and tech, so I'll keep this one short. But before we dive into the relevant ones, it's hard to ignore the MVP: ISO 9000.

ISO 9000 is a family of internationally recognized standards for quality management (the one you actually get certified against is ISO 9001). It's often used by established businesses to show they deliver goods and services at an international level of quality. It's the most used and recognized standard across the globe, mostly because almost every business can implement it. Other ISO standards are more use-case dependent.

So now that we have our due diligence out of the way. Let's talk shop!

ISO 27001, the nail in my coffin. The international standard for information security. According to the documentation, ISO 27001 was developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system" (an ISMS, if you want the acronym).

Small fact, if you didn't yawn after seeing this GIF, you're probably a psychopath.

Let me sum it up with some bite-sized pros and cons, right?

✅ Technology independent. Use Microsoft, Google, Apple or your own platform? Doesn't matter. ISO 27001 doesn't focus on particular technology or vendors. As long as you have a process in place that describes what it does, where it stores your data and how you handle it... YOU GOOD FAM!

✅ Entire framework. Unlike other standards it covers your entire business process. Yes, you may leave out certain parts of your business if they're not relevant (the lunch lady probably doesn't process any data) but other than those, it's about your business in its full form.

✅ Long term value. Not only does it boost your own internal processes and the way you handle information, there is also a growing number of businesses that will only work with ISO 27001 certified partners. Source: trust me bro.

❌ Lengthy. Don't think this is done overnight. Even for companies who have their stuffos-in-placeos this can be quite a hassle. Leading me right into my second point.

❌ High impact on business resources. You'll need some people working on this, and you'll need participation from the entire business. This costs time, and time is money. What also costs money is the yearly audit: a certificate runs for three years, with a surveillance audit in each in-between year and a full recertification audit at the end. If you're looking to do this, hire a professional to guide you. This will save you a lot of time and they can scope your total expenses.

❌ Process based. Yes, you get an entire framework, but if all you have is the idea and no tooling to track it, there's a lot to oversee. The standard tells you to run an ISMS (assess risks, treat them, review, improve) and hands you a list of reference controls in Annex A; it does not tell you which firewall to buy or how to configure it. Like I said before, hire an external to help.

ISAE 3402, the duck test.

ISAE 3402 is an international assurance standard for reports on the controls at a service organization, the international sibling of the American SOC 1 report. It provides assurance to the service organization's customers (and their auditors) that the organization has adequate internal controls over the services it delivers to them.

yawn.gif

Pros and cons, I hear? Sure thing.

✅ You get to choose. ISAE 3402 focuses on what you tell it to focus on. You choose the relevant processes. If you're an IT service provider, there is no need to have your finance and marketing departments audited; you can single out your client facing services. This gives immense freedom and lets you focus on the relevant things.

✅ Less impact on your business resources. Because you get to choose, the impact on your business is lower. You don't need to appoint certain people to certain tasks like in ISO 27001. Overall this requires fewer people spending time.

❌ Says nothing about your business as a whole. Not going to make any friends by saying this, but let's call a duck a duck. You can single out services and perform very well on those, while the rest is in shambles. If you're the one receiving the report, read the scope section, not just the cover. It all depends what your client is after.

❌ Less known. While ISO 27001 is growing to be the default, ISAE 3402 is less known and doesn't always provide the assurance (BUT IT'S IN THE NAME?) some business partners are looking for.

❌ Still costly. There are 2 types of reports: a Type I report checks that your controls are suitably designed at one point in time, a Type II report checks that they actually operated as designed over a period (usually 6 to 12 months). Two report types, two audit moments, and audits are expensive. You do the math.

You right now.

PCI DSS, THE GOAT?

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes.

Haha why would you do this though? For real.

✅ Clear controls. As opposed to the other two, which are process or service based, this one brings a clear set of controls. For example: change the vendor-supplied default accounts and passwords on any network device. Good stuff.

✅ Audits adjusted to your transaction volume. If you're a business with a small transaction volume, you'll get off with a self-assessment questionnaire. Businesses with moderate transaction volumes or more land in higher merchant levels, and at the top level you get an on-site assessment by a qualified assessor instead of a questionnaire.

❌ Focuses on payment card information. So this appears irrelevant to businesses that don't handle card data. Why you might have to reconsider that I'll explain in the last post in this series.

❌ Mostly known from America. The standard comes from the card schemes themselves (Visa, Mastercard, American Express, Discover and JCB) and applies wherever their cards are accepted, so it isn't US-only. Still, it's far better known in the US; in Europe it's very much emerging and elsewhere it's less known.

❌ Rather technical. You'll need IT guys for this. Firewalls and network segmentation, encryption of stored card data, logging, and regular vulnerability scans all come with the territory.

Lesser gods

I hope this post shed some light on the different international standards and their pros and cons. There are way more than the ones I talked about, but there is no point in knowing all of them.

Before I end, there is one I'll casually mention: the Cloud Security Alliance's Cloud Controls Matrix (keepin' it light and short there..). If you're in a tech company or a company that relies a lot on technology, this is a good one to look after. A free non-sponsored tip by your friendly neighborhood uncle Angie.

If you haven't signed off yet, thanks! I know the memes haven't been as plentiful as in other posts, but that's just because:

I'm only funny when I'm drunk
My meme dealer is on holiday
It's a hard subject to meme on.

In the last part I'll do what I'm best at: hand out advice nobody asked for. Raw and unsolicited. And LOTS of memes. We're talking every 2-3 words. Too much for you?

Later y'allllllllllllllllllllllllllllllllllllllll