The Information Security Forum (ISF) has published a major update to its Standard of Good Practice for IT security professionals.
The Standard enables organizations to meet the control objectives set out in the NIST Cybersecurity Framework and extends well beyond the topics defined in the framework to include coverage of essential and emerging topics such as information security governance, supply chain management (SCM), data privacy, cloud security, information security audit and mobile device security.
The 2016 version of The Standard has been restructured into 17 main categories for ease of use and improved alignment with ISF member approaches to managing information security. Its design also offers systematic coverage of four new or enhanced lifecycles:
- Employment lifecycle – recruitment, induction, development, retention of employees and termination of their employment
- Information lifecycle – creation, processing, transmission, storage and destruction of all types of information (electronic, printed or spoken), including confidential or mission-critical information
- Hardware lifecycle – acquisition (purchase or lease), maintenance and disposal of physical equipment and devices
- System development lifecycle – mainly focused on the design and development of critical business applications, but applicable to all types of system development (e.g., for IT infrastructure)
“The increasing pace of change, shifting global threat levels, growing reliance on the supply chain and greater demand for efficacy from stakeholders represent some of the numerous challenges organizations are facing today,” said Steve Durbin, managing director, ISF. “The Standard is used widely across the ISF membership which consists of many of the leading Fortune and Forbes global companies. It provides extensive coverage of information security topics including those associated with security strategy, incident management, business continuity, resilience and crisis management. These topics present practical advice that enables organizations to improve their resilience against a wide-ranging array of threats and low probability, high-impact events that can threaten the success, and sometimes even the existence, of the organization.”
The guidance takes into account new legislation such as EU General Data Protection Regulation (GDPR), which will take effect in May 2018, impacting every organization that holds personal information on EU citizens, as well as the EU Network and Information Security (NIS) directive, which aims to protect critical infrastructure and sets common cybersecurity standards and reporting requirements for applicable organizations. Effective implementation depends on strong information risk assessment, so that controls described in The Standard are applied in line with risk, Durbin added.
“The best practices defined in The Standard will normally be incorporated into an organization’s information security policy, business processes, environments and applications, and should be of great interest and relevance to a range of individuals within the organization as well as external stakeholders,” he said.
Photo © dizain