Best Practice: Can You Really Define 'Best' Security?

How many times have you seen a vendor site or proposal say that someone supports “best of breed” security, or that a company honors “best practice”?

I see it all the time, and most of the time it makes me question the integrity and wisdom of the organization.

Why? Mostly because of the meaning the words convey, along with the fact that very few organizations actually implement “best practices.” You are more likely to see Bigfoot, or get struck by lightning while being attacked by a shark… When it comes to effective security, the relative measures we should be concerned with are simple:

1. Negligent

2. Good Practice

3. Best Practice

That is it. Pretty much everything else is a variation on one of these three. You may hear different arguments, but I assert that they are all semantics. On the lowest end, we have “no security.” Realistically, though, it would probably be impossible to find an organization that really has “no” security, so think of it as poor or substandard. The message you should take away is that bad security has the strong potential to be considered negligent.

Negligent Security is still Security

“Negligent” is a very important word, and carries a ton of implications. Depending on the exact type of organization, failure to meet standards of good practice (in other words, being negligent) can result in fines, loss of accreditation, loss of the ability to obtain government reimbursements, lawsuits due to negligence, and loss of insurance coverage. I have personally seen at least one insurance carrier refuse to pay a claim of substantial business loss because the insurance carrier said that the company had been negligent in implementing security controls. Indeed, in some industries, such as the intelligence community, the military, or some healthcare areas, the consequences can lead to death.

HITECH refers explicitly to “neglect” and indicates that fines in cases of neglect are increased from as low as $100 per violation, up to $250,000 per incident, with repeated violations as high as $1.5 million. Yes, “MILLION.” HIPAA includes language indicating that the largest penalties depend on your actions from the point when you knew of the incident, or “SHOULD HAVE KNOWN” of the incident. This “knew or should have known” language is pretty common in standards, so it should surprise no one. The problem is that if your security is so poor that you did not know you had been broken into, but an industry expert or representative (or auditor) can say that you SHOULD have known had you been meeting standards of good practice, that is worse than simply having no idea at all.

So, in a nutshell, if you are not doing what you should be doing to protect your environment, you are potentially negligent. If you are doing what you need to do, you are at least meeting “Good Practice.”

Good Business Practice Security is Expected

“Good Business Practice” and “Standards of Good Practice” are really just different words that also mean “Good Practice.” In our perfect little security world, most of us strive to meet standards of “good practice.” Meeting standards of good practice normally means that you are taking security measures to protect your environment that most reasonable peers would say are appropriate. It doesn’t mean you have the strongest security program, or have implemented bullet-proof controls. In a court of law, you might call this a “reasonable person” test.

If you put 12 of your peers in the jury box, would they agree that the controls you had in place were “reasonable”? The goal is not to figure out the minimum you can get away with. The goal is actually to balance the cost of security against the cost of potential breaches, taking into account the value of the data at risk. For some security controls, good practice documentation is easy to find. For corner-case technology, you may struggle to find explicit guidance, but guidance is available.

For compliance issues, the measurement is even simpler. If you have a regulatory requirement, like HIPAA, or an industry requirement, like PCI, those standards define your peer group, so they also functionally define what is expected of your “Good Practice.” As a member of the financial industry, you are expected to be compliant with PCI; therefore, PCI functionally defines “Good Practice” for the security of the covered portions of your environment. As a member of the healthcare industry, you are expected to be compliant with HIPAA and HITECH; therefore, HIPAA and HITECH functionally define “Good Practice.” Understand that if you are meeting the requirements that have been levied on you, your environment has likely implemented good practice security controls. If you are not meeting those requirements, you are potentially negligent. If you are exceeding those requirements, you are not necessarily meeting “Best Practices.”

Best Practice is only Security

“Best Practices” is one of those buzzwords I really dislike.

Best. The ultimate. There is no better.

Can you really define “best” security?

I visited a lab once that included some pretty good physical access controls. The entry was locked. You needed to pass your ID badge and driver’s license into the guard booth before they even let you in. The guard booth included inch-thick bullet-resistant glass and four armed guards. Once they let you in, you emptied your pockets into a tray, then walked through a metal detector. No phones or other electronic devices were allowed inside. When the guard gave you back your badge, you had to scan the badge in a reader, provide your thumbprint, use the retina scanner, and enter your password. Then the door would open and you were allowed to enter, one at a time. All under the watchful eye of the armed guards. All recorded by the two security cameras that covered the lobby.

That is awesome security. But is it “the best”? I can easily think of ways to increase this security: maybe I walk through an x-ray machine every time. Maybe they run a credit check on me every time I enter. Maybe they add facial recognition instead of retina scans (since retina scans have never worked well on me since I got hit in the eye with a racquetball and popped the blood vessels in my eye). The point is that you can always make it better, so when does it actually become “best”?

Perhaps you can exceed the requirements of “good practice,” but I believe that “Best Practice” is more accurately “Better Practice.” The next question is whether there is value in meeting standards of ‘better’ practice, as awkward as that sounds.

So, my assertion is that we should be most worried about standards of good practice first. If we still feel like we need to improve our environment, we worry about exceeding good practice controls with measures that make sense in our environment. We can’t just say we are going to implement best practice, because there really is no such thing.

On the other hand, I guess if Chuck Norris was in that lobby we could dispense with the armed guards and everything else, and still probably call it “Best Practice”…

Jon-Louis Heimerl is Director of Strategic Security for Omaha-based Solutionary, Inc., a provider of managed security solutions, compliance and security measurement, and security consulting services. Mr. Heimerl has over 25 years of experience in security and security programs, and his background includes everything from writing device drivers in assembler to running a worldwide network operations center for the US Government. Mr. Heimerl has also performed commercial consulting for a variety of industries, including many Fortune 500 clients. Mr. Heimerl’s consulting experience includes security assessments, security awareness training, policy development, physical intrusion tests and social engineering exercises.