Pdf 2017 Isf Standard Good Practice

4/13/2019
Information Security Forum
Industry: information security best practice research
Founded: London, United Kingdom (1989)
Website: SecurityForum.org

The Information Security Forum (ISF) is an independent information security body.


Primary deliverables

The ISF delivers a range of content, activities, and tools. The ISF is a paid membership organisation: all its products and services are included in the membership fee. From time to time, the ISF makes research documents and other papers available to non-members.

The Standard of Good Practice for Information Security

Main article: Standard of Good Practice

The ISF released the updated Standard of Good Practice for Information Security in 2018. The Standard is available to ISF members and non-members, who can purchase copies of the report. The 2018 Standard represents an update on the 2016 release of the Standard, and builds upon the previous release to include the most up-to-date controls, approaches and thought leadership in information security.

The standard is a business-focused, practical and comprehensive guide available for identifying and managing information security risks in organizations.[1]

The 2016 standard covers current information security 'hot topics' such as Threat Intelligence, Cyber Attack Protection and Industrial Control Systems, and significantly enhances existing topics including Information Risk Assessment, Security Architecture and Enterprise Mobility Management. It can be used to build a comprehensive and effective information security management system. The 2016 standard also covers related standards and frameworks: COBIT 5 for Information Security, the CIS Critical Security Controls for Effective Cyber Defense, ISO/IEC 27002, PCI DSS 3.1 and the NIST Cybersecurity Framework.

Research projects

Based on member input, the ISF selects a number of topics for research in a given year. The research includes interviewing member and non-member organizations and thought leaders, academic researchers, and other key individuals, as well as examining a range of approaches to the issue. The resulting reports typically go into depth describing the issue generally, outlining the key information security issues to be considered, and proposing a process to address the issue, based on best practices.

Methodologies and tools

For broad, fundamental areas, such as information risk assessment or return-on-investment calculations, the ISF develops comprehensive methodologies that formalize the approaches to these issues. Supporting the methodology, the ISF supplies web and spreadsheet-based tools to automate these functions.

The Benchmark

The ISF's Benchmark (formerly called the 'Information Security Status Survey') has a well-established pedigree – harnessing the collective input of hundreds of the world's leading organizations for over 25 years. Organizations can participate in the Benchmark service at any time and can use the web-based tool to assess their security performance across a range of different environments, compare their security strengths and weaknesses against other organizations, and measure their performance against the ISF's 2016 Standard of Good Practice, ISO/IEC 27002:2013, and COBIT version 5 for information security. The Benchmark provides a variety of data export functionality that can be used for analyzing and presenting data for management reporting and the creation of security improvement programs. It is updated on a biennial basis to align with the latest thinking in information security and provide the ISF Members with improved user experiences and added value.

Face-to-face networking

Regional chapter meetings and other activities provide for face-to-face networking among individuals from ISF member organisations. The ISF encourages direct member-to-member contact to address individual questions and to strengthen relationships. Chapter meetings and other activities are conducted around the world and address local issues and language/cultural dimensions.[citation needed]

Annual World Congress

The ISF's annual global conference, the 'World Congress', takes place in a different city each year. The 2017 conference will take place in October in Cannes, France. The event offers an opportunity for attendees to discuss and find solutions to current security challenges, and gain practical advice from peers and leading industry experts from around the world. Over 1,000 global senior executives attend. The event includes a series of keynote presentations, workshops and networking sessions, best practice and thought leadership in a confidential peer-group environment.[2]

Web portal (ISF Live)

The ISF's extranet portal, ISF Live, enables members to directly access all ISF materials, including member presentations, messaging forums, contact information, webcasts, online tools, and other data for member use.[3]

Leadership

The members of the ISF, through the regional chapters, elect a Council to develop its work program and generally to represent member interests. The Council elects an 'Executive' group which is responsible for financial and strategic objectives.

See also

See Category:Computer security for a list of all computing and information-security related articles.

References

  1. 'Archived copy'. Archived from the original on 2014-10-18. Retrieved 2014-10-13.
  2. 'Archived copy'. Archived from the original on 2014-10-18. Retrieved 2014-10-13.
  3. 'Archived copy'. Archived from the original on 2014-10-18. Retrieved 2014-10-13.

Retrieved from 'https://en.wikipedia.org/w/index.php?title=Information_Security_Forum&oldid=877544766'

The Standard of Good Practice for Information Security, published by the Information Security Forum (ISF), is a business-focused, practical and comprehensive guide to identifying and managing information security risks in organizations and their supply chains.

The most recent edition is 2018, an update of the 2016 edition.

Upon release, the 2011 Standard was the most significant update of the standard for four years. It covers information security 'hot topics' such as consumer devices, critical infrastructure, cybercrime attacks, office equipment, spreadsheets and databases and cloud computing.

The 2011 Standard is aligned with the requirements for an Information Security Management System (ISMS) set out in ISO/IEC 27000-series standards, and provides wider and deeper coverage of ISO/IEC 27002 control topics, as well as cloud computing, information leakage, consumer devices and security governance.

In addition to providing a tool to enable ISO 27001 certification, the 2011 Standard provides full coverage of COBIT v4 topics, and offers substantial alignment with other relevant standards and legislation such as PCI DSS and the Sarbanes Oxley Act, to enable compliance with these standards too.

The Standard is used by Chief Information Security Officers (CISOs), information security managers, business managers, IT managers, internal and external auditors, and IT service providers in organizations of all sizes.

The 2018 Standard is available free of charge to members of the ISF. Non-members are able to purchase a copy of the standard directly from the ISF.

Organization

The Standard has historically been organized into six categories, or aspects. Computer Installations and Networks address the underlying IT infrastructure on which Critical Business Applications run. The End-User Environment covers the arrangements associated with protecting corporate and workstation applications at the endpoint in use by individuals. Systems Development deals with how new applications and systems are created, and Security Management addresses high-level direction and control.

The Standard is now primarily published in a simple 'modular' format that eliminates redundancy. For example, the various sections devoted to security audit and review have been consolidated.

The table below summarises the six aspects by focus, target audience, issues probed, and scope and coverage.

Security Management (enterprise-wide)
Focus: Security management at enterprise level.
Target audience: The target audience of the SM aspect will typically include:
  • Heads of information security functions
  • Information security managers (or equivalent)
  • IT auditors
Issues probed: The commitment provided by top management to promoting good information security practices across the enterprise, along with the allocation of appropriate resources.
Scope and coverage: Security management arrangements within:
  • A group of companies (or equivalent)
  • Part of a group (e.g. subsidiary company or a business unit)
  • An individual organization (e.g. a company or a government department)

Critical Business Applications
Focus: A business application that is critical to the success of the enterprise.
Target audience: The target audience of the CB aspect will typically include:
  • Owners of business applications
  • Individuals in charge of business processes that are dependent on applications
  • Systems integrators
  • Technical staff, such as members of an application support team
Issues probed: The security requirements of the application and the arrangements made for identifying risks and keeping them within acceptable levels.
Scope and coverage: Critical business applications of any:
  • Type (including transaction processing, process control, funds transfer, customer service, and workstation applications)
  • Size (e.g. applications supporting thousands of users or just a few)

Computer Installations
Focus: A computer installation that supports one or more business applications.
Target audience: The target audience of the CI aspect will typically include:
  • Owners of computer installations
  • Individuals in charge of running data centers
  • IT managers
  • Third parties that operate computer installations for the organization
  • IT auditors
Issues probed: How requirements for computer services are identified, and how the computers are set up and run in order to meet those requirements.
Scope and coverage: Computer installations:
  • Of all sizes (including the largest mainframe, server-based systems, and groups of workstations)
  • Running in specialized environments (e.g. a purpose-built data center), or in ordinary working environments (e.g. offices, factories, and warehouses)

Networks
Focus: A network that supports one or more business applications.
Target audience: The target audience of the NW aspect will typically include:
  • Heads of specialist network functions
  • Network managers
  • Third parties that provide network services (e.g. Internet service providers)
  • IT auditors
Issues probed: How requirements for network services are identified, and how the networks are set up and run in order to meet those requirements.
Scope and coverage: Any type of communications network, including:
  • Wide area networks (WANs) or local area networks (LANs)
  • Large scale (e.g. enterprise-wide) or small scale (e.g. an individual department or business unit)
  • Those based on Internet technology such as intranets or extranets
  • Voice, data, or integrated

Systems Development
Focus: A systems development unit or department, or a particular systems development project.
Target audience: The target audience of the SD aspect will typically include:
  • Heads of systems development functions
  • System developers
  • IT auditors
Issues probed: How business requirements (including information security requirements) are identified, and how systems are designed and built to meet those requirements.
Scope and coverage: Development activity of all types, including:
  • Projects of all sizes (ranging from many worker-years to a few worker-days)
  • Those conducted by any type of developer (e.g. specialist units or departments, outsourcers, or business users)
  • Those based on tailor-made software or application packages

End User Environment
Focus: An environment (e.g. a business unit or department) in which individuals use corporate business applications or critical workstation applications to support business processes.
Target audience: The target audience of the UE aspect will typically include:
  • Business managers
  • Individuals in the end-user environment
  • Local information-security coordinators
  • Information-security managers (or equivalent)
Issues probed: The arrangements for user education and awareness; use of corporate business applications and critical workstation applications; and the protection of information associated with mobile computing.
Scope and coverage: End-user environments:
  • Of any type (e.g. corporate department, general business unit, factory floor, or call center)
  • Of any size (e.g. several individuals to groups of hundreds or thousands)
  • That include individuals with varying degrees of IT skills and awareness of information security

The six aspects within the Standard are composed of a number of areas, each covering a specific topic. An area is broken down further into sections, each of which contains detailed specifications of information security best practice. Each statement has a unique reference. For example, SM41.2 indicates that a specification is in the Security Management aspect, area 4, section 1, and is listed as specification #2 within that section.

The Principles and Objectives part of the Standard provides a high-level version of the Standard, by bringing together just the principles (which provide an overview of what needs to be performed to meet the Standard) and objectives (which outline the reason why these actions are necessary) for each section.

The published Standard also includes an extensive topics matrix, index, introductory material, background information, suggestions for implementation, and other information.

See also

See Category:Computer security for a list of all computing and information-security related articles.

  • Committee of Sponsoring Organizations of the Treadway Commission (COSO)
  • Information Technology Infrastructure Library (ITIL)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Cloud Security Alliance (CSA) for cloud computing security

External links

  • The Information Security Forum
Retrieved from 'https://en.wikipedia.org/w/index.php?title=Standard_of_Good_Practice_for_Information_Security&oldid=888932470'