There has been much commentary this past week about the limited enhancements in the upcoming PCI-DSS 2.0 framework. Martin McKeay wrote a post, How would I write a framework to replace PCI? where he talks about three key principles: (1) Everything flows from policy, (2) Keep it simple, and (3) Concentrate on results, not technologies.

I see it differently. The key principles of the SANS Twenty Critical Security Controls for Effective Cyber Defense make more sense and provide the basis for the Cymbel Approach:

• Offense must inform defense – knowledge of actual attacks that have compromised systems provides an essential foundation for on which to construct effective defenses.
• Work from a prioritized baseline of information security measures and controls
• Most controls must be automated – there is no way for an organization to cost effectively defend itself with manual controls
• Measure the effectiveness of controls – Automated techniques, where possible, should be used to measure the effectiveness of deployed controls.

Furthermore, regarding policies – you cannot start the process with policies without establishing context first. Therefore we start our processes with Visibility. You can read more about this on the Cymbel Services page.