ISO 27001 & NIST
Information Security Frameworks, Baby Sharks and You
By Evan Stos
When asked to write a blog post about information security frameworks, the first thought that crossed my mind was, “I hope nobody reading it is near a pillow or blanket.” The common perception is that while information security frameworks are incredibly important in our “work” lives, the main question still lingers: Are information security policies and standards really something that we employ in our day-to-day lives outside of work?
I’m happy to report that whether you realize it or not, that yes, they are!
There is a lot of buzz right now about ISO 27001 or NIST (two of the more prominent infosec frameworks). Before I jump into them full throttle and discuss whether your company is doing security and risk assessment the right way, let me tell you about the time my daughter ordered $24.99 worth of “Baby Shark” songs.
Please, keep reading.
Not Secure: The Baby Shark Song
For those not in the know (and if you aren’t, I’d like to humbly apologize in advance), “Baby Shark” is a viral song intended for small children with billions (you got that right: BILLIONS) of views on YouTube. It’s around a minute long and the lyrics will slowly melt your brain due to how simple and repetitive they are. In fact, if you know what I’m talking about, the song is probably already playing in your head while you read this.
Again, I’m sorry…but I’m trying to make a point here.
Last year I purchased a kid-friendly tablet for my (then) four-year-old daughter. Like any other responsible parent, I made sure there was no content my daughter could access that was inappropriate for children. So without burying the lede too much here, that was essentially “information security standard #1” (I’m not sure if “Baby Shark” fits into ISO 27001 or NIST) established for said tablet. Unfortunately, that was the only standard established at that time. When setting up my daughter’s profile on the tablet, I overlooked disabling the “In-App Purchases” feature—that’s when the Baby Shark incident occurred.
I know, I know. Am I ever going to talk about ISO 27001 or NIST? Keep reading.
After about three days of owning the tablet, I’m pretty sure my daughter had listened to “Baby Shark” roughly 157 times. That is to say my ears had gone completely numb to the song. The Baby Shark, the Mama Shark, the Grandpa Shark, the “doo doo doo doo doo’s” – they haunted my dreams. But then, suddenly, I heard a song that sounded a lot like “Baby Shark”, but wasn’t “Baby Shark.” I walked up to my daughter, Elise, and the following exchange went down:
Me: What is that song? It sounds like Baby Shark…
Daughter: Yeah, I got more Pinkfong songs (Pinkfong is the group that creates this “music”).
Me: What do you mean you got more?
Daughter: (Taps a few things on the screen) Right here.
Me: (Falls to knees, arms outstretched whilst staring toward the heavens) WHAT?! NOOOO! (Over-dramatized for the purposes of this blog).
What she showed me were the “packages” of songs you could buy. They were priced at $1.99 for 3, $4.99 for 7, etc. She got the most expensive package that contained 50 songs for $24.99. One more time: 50 songs. Just like “Baby Shark.” Around one-third of the songs WERE “Baby Shark,” just in different languages and tempos. Have you ever heard a super-fast version of that song in Mandarin? Because I have…and I paid for it.
That’s when information security standards #2 and #3 were instituted for the tablet:
- Standard #2 – No purchasing could be done on that tablet unless I put in my password.
- Standard #3 – During the week, after an hour of use, the tablet “shuts down” for the day to keep my kids from melting their brains because of excessive screen time. That last sentence makes me seem like a conscientious, thoughtful parent, but I’ll come clean: At the time I just wanted to limit the playing of the songs for my own sanity.
And now—finally!—some words on the security standards.
You Need an Established Framework: ISO 27001 or NIST
We employ information security standards and policies in our personal lives all of the time. While they may not be formally written down, these are things we must be cognizant of at all times. When it comes to establishing this framework at an organization, there is so much more to be aware of, and so many more regulations to comply with. In my house, a lack of information security cost me $25—at your organization, it could cost $25 million.
I needed an ISMS. Your company needs an ISMS.
For those of you asking, “What exactly is that acronym you just threw at me?” ISO 27001 is the international standard for an information security management system (ISMS). An ISMS is a framework of policies and standards that encompasses a wide variety of technical, physical and legal controls involved in an organization’s information risk management process. ISO 27001 uses a risk-based approach, is technology neutral and defines a 6-step planning process:
- Define a security policy.
- Define the scope of the ISMS.
- Conduct a risk assessment.
- Manage identified risks.
- Select control objectives and controls to be implemented.
- Prepare a statement of applicability.
NIST (the National Institute of Standards and Technology) is a non-regulatory government agency that develops technology, metrics, and most importantly for the purposes of this blog post, standards and guidelines to help organizations meet the requirements of the Federal Information Security Management Act (FISMA) set forth by the federal government.
So whether it be ISO 27001 or NIST, ensuring that you are employing the proper policies and frameworks is essential. Not doing a regular assessment could cause major, unsustainable damage to your business. Having the right platform to help you organize all of the policies, risks and other pertinent information (trust me, there’s a lot) is essential. Don’t end up like me, with a pillow over your head, while the Christmas version of “Baby Shark” plays in the background in the middle of August.
Now go ahead, you know the tune: “Baby shark, doo doo doo doo doo doo.”