A customer (a large bank) has been making inquiries with several of us recently in conjunction with a major project to revamp their internal policies and standards and reset their foundation in Archer. A member of their team (let’s call him “Bob”) posed an interesting question about whether there was a specific standard (i.e. an authoritative source) that fellow Archer customers in the financial services industry seemed to prefer above others to guide their policy and control development. It’s an interesting question, and while the viewpoint I gave in my response seemed to resonate pretty well, it has also sparked a productive dialog which is in fact still ongoing. I’ve only included the initial exchange below, but I wanted to share it in the hope you might help expand the conversation by sharing your own insights in the comments at the bottom of this blog.
How would you answer? What’s your approach been to this same issue? Do you share a similar viewpoint or see things totally differently? What advice would you give?
His initial question:
“…what would be helpful as we are structuring our way ahead is to understand what Archer is seeing its financial services industry clients use…as the industry reference model for…policies.”
My response:
Nice to meet you. I can’t say there’s a universal playbook that everybody follows. I would wager that if you were able to distill a typical financial services policy program down to its essence, you’d likely find a lot of alignment and overlap with major standards like ISO 27001, COBIT, etc. This is probably not surprising, nor should it be, considering that despite being different down in the weeds, at a higher level most of those standards have a lot in common. Some are broader and some more technical, but ultimately I think many of the core principles that embody a healthy information security and assurance program are fairly universal.
The other thing that’s become universal is the increased need for a rationalization to risk. I believe this is a better foundation to build upon. Absent anything else, international standards are always a great place to start, but they’re never a universal fit. And for larger more mature organizations the expectations have shifted. A risk based approach rooted in sound principles (which may or may not be directly inspired by external standards) is going to yield the best overall result (“best” meaning most complete, most accurate, and most operationally sound and efficient). An organization that maintains a healthy risk-based view of things can easily overlay standards and know where they stand. But an organization that relies only on a specific standard and otherwise lacks that embedded risk intelligence is more likely to encounter issues and miss opportunities to capitalize on operational advantages.
For what it’s worth, the default policy set in Archer was originally largely ISO based. That doesn’t mean it’s taken directly from ISO, but rather that it aligns with the core principles ISO 27001 covers, with some influence from ITIL, FFIEC, HIPAA, PCI, etc. Our Control Standards library also reflects these linkages, but at a more detailed level and across a much wider set of authoritative sources, including more extensive technical standards like NIST 800-53.
Personally, if I had to pick only one standard to serve as the backbone for my program I’d probably pick NIST 800-53, primarily because it’s so prescriptive and technically detailed and already has a companion control assessment guide (53A), both of which are free. I find it’s easier to abstract up from something like that than to take a higher-level abstract source like COBIT and go the other direction, deeper into the technical stack, without additional guidance. However, 800-53 is an intimidating beast that can be overwhelming without the right resources and maturity established, which is why I also like PCI as a starting point. It’s certainly not perfect either, but it is fairly compact, organized across distinct principle areas, sufficiently technical to get started, and often a business requirement anyway. I like that it slants toward technical security, and despite its focus on credit card data I don’t think it’s a stretch to substitute other things (like “PII” for a health care org) and arrive at similar conclusions about what types of controls and policies make good sense to implement in most cases. Plus it’s also free and includes assessment content (the SAQs) that can easily be used internally for risk assessment activities.
Something else to consider from the above is any hard business requirement, such as specific certifications or other industry-specific needs. If the organization must be ISO 27001 certified or will always be measured against certain FFIEC guidance, then those should definitely be factored into the program design. But again, I think a lot of that comes down to tailoring, and even in those cases I would still challenge the organization to operate from the perspective of a risk-centered program and fill in compliance reporting gaps as needed for specific obligations. <COMPANY X> was PCI compliant, as were <COMPANY Y> and <COMPANY Z>. How much would it have mattered if they were also ISO certified? There are too many asymmetric business threats that can get overshadowed when the tail wags the dog, which can happen more easily if too much focus is on the “what” (ISO 27001, etc.) versus the “why” and “how” (transforming from risk managed to risk advantaged).
Hope this helps give some background and my perspective. Let me know if there’s anything else I can help with.
OK, Archer Community, I’d love to get your take below! And keep an eye out for exciting new content headed your way soon!