Best Practices: Do We Need Them?

When it comes to securing your IT infrastructure, best practices are not always what they seem

July 20, 2005


I was recently reading the Food & Drug Administration (FDA)'s Web page on information security, when I happened across some pages on other manufacturing and quality control standards and regulations. I was a bit shocked to read that GxP was the current standard for various regulatory compliance areas for pharmaceutical companies. GxP, I should explain, represents Good Practices, not Best Practices. That is, for example, Good Manufacturing Practice or Good Clinical Practice.

This struck me as a bit odd: good enough was the order of the day for manufacturing life-saving drugs. This was a surprise to me as an IT security professional used to requirements born in banking and the Federal Financial Institutions Examination Council (FFIEC). Then there are the government regulations such as the National Industrial Security Program Operating Manual (DoD 5220.22-M), the Federal Information Security Management Act of 2002 (FISMA), Sarbanes-Oxley (SOX), and the compliance requirements of the Health Insurance Portability and Accountability Act (HIPAA).

While I was pondering this, I got yet another call from a security vendor about how his product offering was the "best practice" in the industry and would surely have my company in the forefront of compliance. I started to suspect he believed I had a squeaky snake in my company which needed oiling when he began detailing how much we "needed" his widget or we would not be SOX compliant, risking fines and jail, even though we are a very small, privately held company with an annual security budget similar to the cost of his enterprise class, distributed, n-tier widget.

I continued to think about "IT best practices": Who defines them and who needs them? I began to research other industry documents, legal tests, and regulations. Other industries, I found, define good practices and standard approaches. Their publications and documents define the baseline, the median or minimum, to be considered good and respectable. Anything below that indicates shoddy performance and means a job needs redoing. Anything better is the hallmark of someone who went above and beyond what was required. This is why one person referred to himself as Overbuilders Inc. - he always used stock twice as sturdy as normal, and he charged like it, too.

While waiting during another of the seemingly constant delays at O’Hare airport, I found a landscaping professional magazine in the airport describing water features (you and I call them small ponds and fountains for the yard) and how to install them for the uninitiated landscaper. I read about the minimum things one had to do to meet customers’ expectations at a minimum of effort and cost, and about how to avoid call-backs and meet code requirements. Building codes define "minimal acceptable standards" that homes, lots and apparently water features have to meet.

Similarly, in the legal community, there is the standard of the reasonably prudent person. Under this standard, if one’s actions are within the range of what would be expected from a reasonably prudent person, then he or she is not considered liable for damages resulting from those reasonable actions. Doctors and other professionals are typically held only to a standard of reasonable or ordinary care, not excellent or the best possible care.

Many government regulations are derided as "fuzzy" for not specifying controls. This has led to the hiring of many consultants and generated much internal discussion about how much is enough. This is a good thing, as it allows a control environment sized appropriately for the information being protected. To determine what is reasonable and appropriate, one performs a risk assessment to determine the level of risk to the information, the current controls, and the planned or needed controls required to achieve the desired risk posture. One also specifies the residual risk that the organization is willing to accept. This allows flexibility in security mechanisms to fit your needs, so long as you protect the information entrusted to you. An excellent example of this is National Institute of Standards & Technology (NIST) 800-30, which specifies the steps for assessing risk and determining appropriate controls. This is used to balance business and customer information risks against the ability to operate a business.

So why do people keep trying to sell me "best practices"? What is it about IT that dictates that we need the best of something? Certainly there are organizations -- certain three-letter agencies, the R&D parts of firms with high-value IP (intellectual property), and transactional and money transfer systems -- that require best practices. For most of the IT world, however, isn't good enough good enough? Shouldn’t the business requirement trump the pure technology requirement? Shouldn’t we, as IT professionals, balance the cost and onerousness of security controls, and IT costs in general, to obtain an appropriate and acceptable level of risk?

We should perform risk assessments at every technology and process decision, asking whether we are spending and implementing too much as well as too little. Performing this step and documenting the outcome, showing the reasonableness and logic of the decision, will go a long way toward defending the posture you implemented and meeting regulatory and legal requirements, as well as earning the respect and admiration of the business units and bean counters.

What we need is more good sense in IT. You should spend absolutely every penny you need to on security... but not a penny more. So the next time you see an advertisement, or hear a vendor start spouting about best practices, check your office for a squeaky snake. Unless you have a use for snake oil, send them on their way and find someone interested in helping you achieve the security posture you need.

David Lawson, Vice President/Director of the Global Security Practice, Greenwich Technology Partners
