In the interests of personal and corporate preservation, meeting minimum standards of information security with due care, and doing so before an incident rather than after, is a wise course of action. That way, when an incident occurs, you – and your organization – can show that all “reasonable” steps, also known as “industry best practices,” have been taken to ensure the security of data. Otherwise, legal claims of gross negligence can be made against the organization, and/or an attempt can be made to identify and remove a staff member who will serve as the “corporate scapegoat.”
Based on this scenario, what are the industry standards for spending and for best-practice safeguards in application security? Several resources are available to use as minimum standards of due care.
The best known is the Payment Card Industry Data Security Standard (PCI DSS), and specifically Section 6.6. This section refers to the OWASP Top Ten, which is the level of application security that credit card merchants must maintain. Substitute any digital assets that need to be protected for the term “cardholder data,” and the Section 6.6 standards can be applied to just about any organization.
For estimating a reasonable security budget to meet industry best practices, the OWASP Security Spending Benchmarks project and the “State of Web Application Security” report by the Ponemon Institute provide recent data on organizations’ spending habits. The Building Security In Maturity Model (BSIMM) study of thirty large-scale software security initiatives also details the activities that organizations typically implement to meet security standards.
Overall, however, it is important to remember that although adhering to externally defined best practices can serve as a starting point for establishing adequate security, best practices alone are insufficient for building a comprehensive and effective information security program.