ISF launches multi-organization standards initiative to tackle supply-chain security

More than 50 security standards currently exist across the globe, and different businesses adopt different standards depending on geography, sector and other preferences, ISF noted. The widespread inability to compare or translate these disparate security policies and standards across a wide range of companies means that the ability to share information securely can be easily undermined. As a result, data breaches in the UK alone have increased tenfold in the past five years, according to new figures from the Information Commissioner's Office (ICO) and Verizon’s 2012 Data Breaches report.

In order to address this issue, the ISF Information Security Standards Group’s Supply Chain Assurance Framework Group is bringing together representatives from the UK Cabinet Office, the Information Security Office, the Cloud Security Alliance and a number of leading audit firms, to help businesses more effectively define, assess and assure the security of information they share with their suppliers.

“All of the organizations that have joined our Supply Chain Assurance Framework Group have a shared interest in improving security on a global scale, and have therefore agreed to participate in the project in order to help businesses define their information security requirements of suppliers more effectively,” said Michael de Crespigny, CEO at the ISF. “Plans have already been announced for a new ISO third-party security standard, due to be launched in April 2013, and this new framework will make the specific requirements of ISO more practical to achieve.”

Key to this will be the ability to create a risk model that indicates the areas within an organization that need greater assurance and protection, so that businesses can more effectively define their security requirements and suppliers can translate those requirements into the language of the standards and policies they use.

The ISF’s initiative is not the only call for closer collaboration within the cybersecurity sector. The World Economic Forum is pushing for an agreed-to set of multi-industry, multinational and multi-stakeholder principles to improve systemic resilience to cyber risks. This initiative will play an essential role in helping secure international supply chains, in particular by managing the interdependence and vulnerability that this kind of interconnectivity brings.

“Sharing information is a key component in doing business today. In addition to any internal controls they may have, organizations need to secure their entire supply chain,” de Crespigny added. “For years, businesses may have assumed that their data is going through safe channels to secure organizations. Sadly, recent high-profile data breaches are showing this is not the case. Action is therefore needed right now.”
