Just like common sense isn’t always common, best practices aren’t always the best. This matters when describing security controls. And since it seems to be a professional trade secret, I want to come clean about it.
There are at least three qualitative ways to describe a security control:
- How much it complies with something
- How effective it is
- What the other guys are doing
Let’s consider them each.
Let’s start by using compliance with health care regulations as an example. A pet peeve of mine is when a product announces that it is “HIPAA compliant”. HIPAA, the Health Insurance Portability and Accountability Act, applies to covered entities and their business associates. It does not, with the exception of encryption algorithms, apply to products in a way that would allow the phrase “HIPAA compliant” to make sense. Everything from threat detection software to floor mats claims to be “HIPAA compliant”.
(For those unfamiliar with this floor mat, one places the mat where the patient stands to talk to the receptionist in a doctor’s office. Provided no one else is on the mat and the conversation is conducted in civil tones, the conversation is considered to be compliant with the HIPAA privacy rule.)
The point is that compliance with regulations, client expectations or policies as a way to measure the quality of a security control is a great place to start and a bad place to stop. This is what people mean when they point to breaches by organizations that were certified as PCI compliant. So judging controls by how much they comply with something is an important but incomplete method. Additional questions need to be answered with this approach: does my organization adequately protect the data in its possession? Are our safeguards in line with what we consider to be appropriate? If so, why do we consider them appropriate? These are questions the security professional should answer for the regulator or the client or the auditor.
And that should lead to the question of “how effective are the controls?”. This question hits at the heart of a given control and fills out the compliance question above. Everything from encryption to shredders to awareness programs can range from effective to not very useful, or even (blatant reference to Schneier) “security theater”.
A. You have a contract with a third party that says they must protect your confidential data but does not obligate them to notify you if there’s a breach of the data. That control could be more effective.
B. You have an on-line awareness program that takes five minutes, feels like an hour and is in only one of the seven languages native to your workforce. That control needs to be more effective.
C. It’s been a few years since I’ve heard a vendor try to blur the difference between compression and encryption. But I’ve heard it. It goes something like this: “well, no, it’s not encrypted with an algorithm like AES if that’s what you’re looking for, but if someone got hold of the file and brought it up in Notepad, it is almost impossible to read”.
These are all examples of where a control needs to be carefully reviewed before being called “effective”.
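The confusion in example C is easy to demonstrate. The following Python is an added example, not code from the original post: it “protects” a constructed sample file the vendor’s way (gzip, no key) and with real encryption (a one-time pad, chosen only because it is correct encryption for a single message using nothing but the standard library), then applies the vendor’s Notepad test to both. The helper names and the sample text are hypothetical.

```python
"""Added illustration for example C: "unreadable in Notepad" is not encryption.

Hypothetical helper names; standard library only. The sample document below is
constructed for this demonstration and does not come from any real system.
"""
import gzip
import secrets
from typing import Tuple

# Constructed sample "confidential file" contents.
SAMPLE = (
    b"CONFIDENTIAL - quarterly vendor assessment\n"
    b"Finding 1: backup tapes leave the building without a documented key custodian.\n"
    b"Finding 2: the awareness module is offered in one language for a seven-language workforce.\n"
    b"Finding 3: the third-party contract has no breach notification clause.\n"
)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that render as printable ASCII (roughly what Notepad shows)."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 for b in data) / len(data)


def passes_notepad_test(data: bytes, threshold: float = 0.75) -> bool:
    """The vendor's test from the post: does the file look like gibberish in Notepad?
    Compressed and encrypted data both pass, so passing proves nothing about secrecy."""
    return printable_ratio(data) < threshold


def compress_only(plaintext: bytes) -> bytes:
    """'Protect' the file the vendor's way: compression, no key anywhere."""
    return gzip.compress(plaintext, mtime=0)


def is_gzip(blob: bytes) -> bool:
    """Compressed output advertises itself: every gzip stream starts with 1f 8b."""
    return blob[:2] == b"\x1f\x8b"


def recover_compressed(blob: bytes) -> bytes:
    """Anyone holding the file recovers the plaintext; no secret is involved."""
    return gzip.decompress(blob)


def otp_encrypt(plaintext: bytes) -> Tuple[bytes, bytes]:
    """One-time pad: a fresh random key as long as the message, XORed in.
    Used here as the simplest provably correct stdlib-only encryption for a
    single message; it is an illustration, not a deployment recommendation."""
    key = secrets.token_bytes(len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, key))
    return key, ciphertext


def otp_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Reverse the pad; without the exact key this yields unrelated bytes."""
    return bytes(c ^ k for c, k in zip(ciphertext, key))


def review_control(blob: bytes) -> str:
    """What a reviewer should conclude from the stored bytes alone."""
    if is_gzip(blob):
        return "compressed only: recoverable by anyone, not a confidentiality control"
    if passes_notepad_test(blob):
        return "unreadable in Notepad: says nothing about whether a key is needed"
    return "plaintext"


if __name__ == "__main__":
    compressed = compress_only(SAMPLE)
    key, encrypted = otp_encrypt(SAMPLE)
    print("plaintext printable ratio :", round(printable_ratio(SAMPLE), 2))
    print("compressed printable ratio:", round(printable_ratio(compressed), 2))
    print("encrypted printable ratio :", round(printable_ratio(encrypted), 2))
    print("compressed ->", review_control(compressed))
    print("recovered without a key:", recover_compressed(compressed) == SAMPLE)
    print("encrypted  ->", review_control(encrypted))
    print("recovered with the key :", otp_decrypt(key, encrypted) == SAMPLE)
```

The point of the review is the question the Notepad test cannot answer: what does an attacker need in order to read the file? For the compressed version the answer is “nothing” (and the gzip magic bytes tell them which tool to use); for the encrypted version the answer is “the key”. That is the difference between a confidentiality control and an appearance of one.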
Then there are best practices.
“Best” is supposed to mean better than everything else. But not here. Here, “best” seems to be used to refer to a reasonably strong version of the control for which there is a consensus among security professionals that the control should be widely implemented.
You will, for example, hear that two-factor authentication is a “best practice”, especially for privileged accounts. But to really be the BEST, wouldn’t we want strong biometrics to be one of the factors? Encrypting back-up tapes? Yes, but shouldn’t “best practice” specify the strength of the encryption?
In fact, when you start looking at things labelled “best practices” you find that a strong, but not necessarily the strongest, version of that practice is what is being referred to. But for some reason, that’s not usually how it’s presented. Which got me to wondering why.
Near as I can tell, the phrase is increasingly used to refer to a practice that is “what the other companies who really care about security are doing”. Coupled with the word “industry” (i.e., “industry best practice”), the phrase is even more just a reference to “someone else’s security controls”.
And the reason it is “best” practice? Well, it is harder to convince people to buy/support/do things that are a “common and awfully good practice”. I’d hate to think it is just hyperbole, but maybe it is.