ECS’s compliance profile will include, at a minimum, Children’s Online Privacy Protection Act (COPPA), Federal Risk and Authorization Management Program (FedRAMP), Federal Information Security Management Act (FISMA), Payment Card Industry Data Security Standard (PCI DSS), and state privacy laws. ECS’s compliance profile could become even more complex if its ecommerce offerings store healthcare information or provide services internationally. Once compliance requirements are verified, suitable control frameworks and standard specifications along with assessment methodologies are selected.

Enablers of Compliance: Standards & Frameworks

Where statutes mandate what we must protect, security standards and frameworks tell us the how (for example, specifications), and compliance methodologies provide ongoing effectiveness assurance. Standards and frameworks provide cross-cutting specifications that one might tailor to the technology strategy of their organization. At times, it has been assumed all controls detailed must be applied; what is expected is a minimum of controls that must be applied and maintained to meet mandate requirements.

Enough of the standards can be designed modularly using the control family as the common grouping. The manner in which controls are applied is at the discretion of the organization, as long as the controls meet mandates. An established framework such as HITRUST may be used, or an organization can create a proprietary framework by blending ISO and NIST standards. There are instances when organizations must consider at least two mandates, of which one is more stringent. When such circumstances arise, jurisdictional prudence applies. That is, federal mandates set the “floor” (baseline) with locale-specific requirements taking precedence when they are more stringent. There are also instances in which a contractual agreement may specify a more stringent requirement. In such cases, those requirements take precedence over federal and locale-specific (for example, state) mandates. Finally, when an organization itself has more stringent mandates, those take precedence.

Control effectiveness is assessed continuously using either a proprietary methodology associated with a specific mandate, such as Sarbanes-Oxley (SOX), or through a prevailing standards body such as Control Objectives for Information and Related Technology (COBIT) or American Institute of Certified Public Accountants (AICPA). Realistically, expect multiple assessment methodologies, because different data types carry different levels of risk that result in different types and degrees of control application.

Key Activities and Key Partners: Your Threat Landscape

Characteristics derived from the key activities and partners of your business model form the threat landscape, but how? First, the key activities provide insight into the services you provide, thereby allowing one to reasonably assume the constructs of the underlying technology infrastructure required to support it. ECS offers cloud service models of SaaS and PaaS. Because it offers the service to multiple customers from common verticals, one can infer its solutions are multi-tenant. The zoning model is envisioned based on a Service-Oriented Architecture (SOA). Because presentation services must exist for the SaaS customers to access their solution, one can infer that customer data will be stored in a database, which means there are likely application services as well. The security and infrastructure zones support and protect the application and data zones.

Once you’ve contextualized your SOA implementation, you can align the technology stack based on the service the technology provides. Platforms that host applications or databases along with appliances that provide infrastructure (for example, routers, switches) and security services (firewalls or IDS/IPS) become your technology stack inclusive of boundary environments technologies from which they are deployed.

Next, identify those key partners that must have trusted access to your infrastructure and which partners will provide you trusted access to their infrastructures. The information systems and communication channels providing access present opportunities for access and must be factored in as part of the threat landscape.

Your hosting model, service architecture model, and partners with trusted access—along with your technology stack—compose the threat landscape.

Rationalizing Capabilities

Your organization’s threat landscape is protected by capabilities. Capabilities are realized outcomes of combining people, process, and technology (PPT). Examples include the Incident Response team, user provisioning and deprovisioning, e-discovery, and Security Information Event Monitor (SIEM). Rationalizing PPT ensures you recruit the right talent, build value-added processes, and select technology that supports the organization’s business model.

Visualizing the Master Model of Protection

Based on the characteristics of the business model we derived, we develop our master model against which we can model protection based on access.