Standard of Good Practice
The Standard of Good Practice for Information Security, published by the Information Security Forum (ISF), is a business-focused, practical and comprehensive guide to identifying and managing information security risks in organizations and their supply chains.
The recently published 2011 Standard is the most significant update of the standard in four years. It includes information security 'hot topics' such as consumer devices, critical infrastructure, cybercrime attacks, office equipment, spreadsheets and databases, and cloud computing.
The 2011 Standard is aligned with the requirements for an Information Security Management System (ISMS) set out in ISO/IEC 27001, and provides wider and deeper coverage of ISO/IEC 27002 control topics, as well as cloud computing, information leakage, consumer devices and security governance.
In addition to providing a tool to enable ISO 27001 certification, the 2011 Standard provides full coverage of COBIT v4 topics, and offers substantial alignment with other relevant standards and legislation such as PCI DSS and the Sarbanes-Oxley Act, to enable compliance with these standards too.
The Standard is used by Chief Information Security Officers (CISOs), information security managers, business managers, IT managers, internal and external auditors, and IT service providers in organizations of all sizes.
The 2011 Standard is available free of charge to members of the ISF. Non-members are able to purchase a copy of the standard directly from the ISF.
Organization
The Standard has historically been organized into six categories, or aspects. Computer Installations and Networks address the underlying IT infrastructure on which Critical Business Applications run. The End-User Environment covers the arrangements associated with protecting corporate and workstation applications at the endpoint in use by individuals. Systems Development deals with how new applications and systems are created, and Security Management addresses high-level direction and control.
The Standard is now primarily published in a simple "modular" format that eliminates redundancy. For example, the various sections devoted to security audit and review have been consolidated.
Aspect | Focus | Target audience | Issues probed | Scope and coverage |
---|---|---|---|---|
Security Management (enterprise-wide) | Security management at enterprise level. | The target audience of the SM aspect will typically include: | The commitment provided by top management to promoting good information security practices across the enterprise, along with the allocation of appropriate resources. | Security management arrangements within: |
Critical Business Applications | A business application that is critical to the success of the enterprise. | The target audience of the CB aspect will typically include: | The security requirements of the application and the arrangements made for identifying risks and keeping them within acceptable levels. | Critical business applications of any: |
Computer Installations | A computer installation that supports one or more business applications. | The target audience of the CI aspect will typically include: Data centers | How requirements for computer services are identified; and how the computers are set up and run in order to meet those requirements. | Computer installations: Mainframe computer, server-based systems, and groups of workstations) |
Networks | A network that supports one or more business applications | The target audience of the NW aspect will typically include: | How requirements for network services are identified; and how the networks are set up and run in order to meet those requirements. | Any type of communications network, including: (LANs) |
Systems Development | A systems development unit or department, or a particular systems development project. | The target audience of the SD aspect will typically include: | How business requirements (including information security requirements) are identified; and how systems are designed and built to meet those requirements. | Development activity of all types, including: Outsourcing, or business users) |
End User Environment | An environment (e.g. a business unit or department) in which individuals use corporate business applications or critical workstation applications to support business processes. | The target audience of the UE aspect will typically include: | The arrangements for user education and awareness; use of corporate business applications and critical workstation applications; and the protection of information associated with mobile computing. | End-user environments: Security awareness. |
The six aspects within the Standard are composed of a number of areas, each covering a specific topic. An area is broken down further into sections, each of which contains detailed specifications of information security best practice. Each statement has a unique reference. For example, SM41.2 indicates that a specification is in the Security Management aspect, area 4, section 1, and is listed as specification #2 within that section.
The Principles and Objectives part of the Standard provides a high-level version of the Standard, by bringing together just the principles (which provide an overview of what needs to be performed to meet the Standard) and objectives (which outline the reason why these actions are necessary) for each section.
The published Standard also includes an extensive topics matrix, index, introductory material, background information, suggestions for implementation, and other information.
See also
See Category:Computer security for a list of all computing and information-security related articles.
- Cyber security standards
- Information Security Forum
- COBIT
- Committee of Sponsoring Organizations of the Treadway Commission (COSO)
- ISO 17799
- ISO/IEC 27002
- Information Technology Infrastructure Library (ITIL)
- Payment Card Industry Data Security Standard (PCI DSS)
- Basel III
- Cloud Security Alliance (CSA) for cloud computing security