Yes. Today the main driver of security practices are usually led by some regulatory compliance requirement. This is not to say that companies are not concerned with overall general security like ensuring their environment is meeting an internally driven corporate standard (ie. , Physical security measure, Virus Scan on all machines, VPN connectivity for remote access, Firewalls protecting internal resources from inbound traffic) but the major push for major changes in security practices of an environment are usually motivated by a regulation that bears with it some undesired consequence related to failing an audit.

For instance, to name just a couple popular standards: today their is Sarbanes Oxley that requires publicly traded companies to comply with a set of standards that ensure accounting measures, integrity of data, and the confidentiality of data are met, and there is PCI (Payment Card Industry Standards) that act as a regulatory law for any company that accepts credit card numbers, or even handles the credit card transaction in any way, whether directly or indirectly, to meet a set of standards for how that data is managed, accessed, stored, and protected.

Even though there are the obvious controls companies of all sizes implement to provide piece of mind and business contiuity to general business, there are those controls that are those controls inspired by regulatory compliance. The grading system for meeting those standards is pass/fail (even though there is usually some sort of extension available, if necessary, to reaudit) and these standards directly affect which controls are selected to meet the requirements of the audit.

Great points Warrick. When selecting controls there is "no need to recreate the wheel". Usually the time constraints on meeting these requirements wouldn't allow for that much piloting and testing anyway.

The factors you mentioned along with the many others have been considered and mapped out in many ISO's and standards making the process of selecting controls easier; because even though you have the map that shows you your destination, the path there is not always an easy one.

"Standards" are just that for a reason... they are standards.

As stated in previous posts.  A company may obtain controls from a variety of sources.  Risk analysis/assessment/management has been in use for quite some time now.  Such techniques are used as a means to perpetuate the positive flow of business by avoiding the crippling affects of undesirable events.  Companies invest mucho dineros year after year to maintain a well prepared/controlled work environment. 

On one hand, it just makes good business sense for an organization use controls defined by ISO, for instance, to prepare and plan wisely for the unexpected since potentially disruptive and sometimes catastrophic events are inevitable.  On the other hand, why spend all that money to prepare for the possibility of disaster when no one has to know about it?  Therein lies the problem.  

In today’s society there are numerous regulatory entities.  There are also myriad news and media agencies.  If a company has not done their due diligence, the public will eventually find out about it.  If an incident takes place where a company, although it may have some types of controls in place, looses valuable private data such as citizens’ social security numbers and credit card info, the media will make the public aware.  Once everyone knows, the next step would be to find out how that company ”let” it happen. 

In such a scenario, an organization could be assessed fines and lawsuits as well as having its reputation smeared.   The best way to prepare for such an event is probably to be certified by or be in compliance with a group such as ISO, HIPAA, GLBA, SOX, PCI.  By doing so, Company X will have to select and implement controls that are already considered to be valid, time-tested, and tried-and-true. 

Bear in mind that being compliant or selecting controls from some ready- made list doesn’t mean disaster won’t strike, but at least the organization can save face by proving that they invested time and effort by doing there due diligence.

Royce,

Keep in mind all of the "standards" are based onproven strategies and are to be used as a guide that is documented and has been thoroughly put into practice and been tested. When adding a safeguard, all anyone can go on is what has been developed and proven to perform. To be a PCI compliant business the business must meet the PCI set of standards. This is the minimum levels of acceptable safeguards and controls. As you stated, no control is fool proof, but if a company is PCI compliant at the time of their certification, they proved to be meeting those requirements. That doesn't mean they maintained that level of compliance the entire time afterwards. PCI is a yearly audit. And that is where the problem lies. The false security is not PCI's fault but is the fact that the company, baiscally, let down their guard. I truly believe that if a company was to become PCI compliant and follow proper procedure of maintaining and monitoring of those controls then they would be demonstrating a true-sense of security.

Message was edited by: JeffGoldman

i. Region(s) of operation i.e. City, State, Country, Continent,  International

ii. Industry i.e. Medical, Manufacturing, Government etc.

iii. Size of organization

iv. Command and Control topology i.e. Centralized, Autonomous etc.

you made nice point by jotting down some of the factors that we have to take in consideration, especially regional I took time to research a little bit and came up with some information about it u can see  it on my post but also the type of industry you mentions also it’s an important variable to be considered  but I get bit confused when  on the forth factor I still try to make benefit out of it. If you have detail info about he fourth factor u have mentioned feel free to share with us.

Where you get your controls from is less important than the use of a standardized control list. The use of standardized controls can save both time and resources, while improving quality. Since the controls do not have to be made up, the additional time saved can be used to create a better risk analysis. The standardized controls are likely better than anything we would create since teams of highly qualified people worked on them.

By using a standard such as ISO 17799, Cobit, etc your analysis can more easily be compared to others. Using standardized controls gives your report additional credibility. Certain regulations require specific controls be met for compliance, such as HIPA. Without a predetermined layout compliance may not be met.

Which standardized controls should be used is dependant on what field/area you are trying to assess. Medical fields should use HIPA, while financial should use Sarbanes Oxley. Unless specified by federal or other regulation, the company should use whatever controls are most suited to their business, however standardized controls should always be used.

With the growing popularity of Risk Management, there is no reason for individuals to create their own controls. The benefits of using standardized controls far outweigh any negatives. By using standardized controls we are reinforcing the risk management processes, while helping to move it forward and gain acceptance. As long as the controls are suited to the business and meet compliance , it is not as important where they were obtained only that they were obtained from an accredited source and suite the business.

It do not matter where you get your controls as long as you acknowledge your threats and your focus is on the best interest of the organizational system.  As it was mentioned Cobit (Control Objectives for Information and related Technology) uses a set of practices which is also similar to Coso (The Committee of Sponsoring Organizations of the Treadway Commission).  Both are similar in providing internal controls which would help to mimimize risk.