How do you know what to recommend as best security practices?

A recurring question from newcomers to the field is how to know what to recommend as security best practices.

As a security specialist, companies will ask you what they should do to be secure.

Groups of security professionals have come together and produced documents that we call security standards or security frameworks.

Organizations such as ISO and NIST publish documents containing security controls that you can use; some are paid (ISO standards are sold) and some are free (NIST publications can be downloaded at no cost).

These documents list security controls tied to practical objectives, which you can adopt in your company.

But first, you need to plan and define the security strategy. Only then do you define the policies, controls and processes that implement it.

Another point is that there is no "one size fits all". Evaluate the recommendations and apply only what makes sense for your organization; a control that does not address a risk you actually face adds cost without reducing risk.

Once the controls and policies are in place, the work is not over: they need continuous checking and monitoring to confirm they are still being followed and are still effective.

Best practices also change over time, because technologies change and so do attacks.

In security assessments, these same frameworks also serve as the reference for your recommendations: each finding can be tied to the control it fails to meet.

Watch this video from Artigo 12, in which Fabio Sobiecki talks about these security frameworks. The video was originally published in Portuguese.

Author: fabio

Fabio Sobiecki is a systems analyst, graduated from Unopar, a specialist in Information Security from Senac, and holds an MBA from FGV. He has worked in information security since 2004; between 1998 and 2004 he worked in information technology, in infrastructure and computer networks. Fabio Sobiecki is certified by (ISC)² as CISSP and CCSP, since 2008 and 2017, respectively. He is currently president of the (ISC)² São Paulo chapter and a solutions engineer at RSA.