A framework to replace PCI?

There has been much commentary this past week about the limited enhancements in the upcoming PCI-DSS 2.0 framework. Martin McKeay wrote a post, How would I write a framework to replace PCI? where he talks about three key principles: (1) Everything flows from policy, (2) Keep it simple, and (3) Concentrate on results, not technologies.

I see it differently. The key principles of the SANS Twenty Critical Security Controls for Effective Cyber Defense make more sense and provide the basis for the Cymbel Approach:

  • Offense must inform defense – knowledge of actual attacks that have compromised systems provides an essential foundation for on which to construct effective defenses.
  • Work from a prioritized baseline of information security measures and controls
  • Most controls must be automated – there is no way for an organization to cost effectively defend itself with manual controls
  • Measure the effectiveness of controls – Automated techniques, where possible, should be used to measure the effectiveness of deployed controls.

Furthermore, regarding policies – you cannot start the process with policies without establishing context first. Therefore we start our processes with Visibility. You can read more about this on the Cymbel Services page.

About Bill Frank

Principal at Cymbel. 25+ years in IT. Specialist in information security since 1999, helping organizations mitigate the risks of modern malware. @riskpundit http://www.linkedin.com/in/riskpundit

Speak Your Mind

*