Initiatives of the Information Security Forum

Initiatives of the Information Security Forum, including the Standard of Good Practice and their auditing standards

Published under Risk Management
Title: The ISF Standard of Good Practice
Source reference: http://www.isfsecuritystandard.com/ (Note: this is a link to the ISF page where the standard can be freely downloaded after registration.)
Topic: High level standard disseminating a series of good practice standards in the field of information security.
Direct / indirect relevance: Direct. While not legally binding, the text contains direct guidelines for sound information security practices.
Scope: Publicly available standard, drafted and maintained on the basis of biannual surveys by the Information Security Forum (ISF), an international non-profit organisation focused on monitoring, charting and disseminating best practices in information security. The standard can be voluntarily adhered to by any interested party.
Legal force: Non-binding private-body standard.
Affected sectors: Generic. The standard can be implemented in any sector confronted by information security. Specific areas of focus in the standard include Computer Installations, Networks (i.e. infrastructure), Critical Business Applications, Systems Development and Security Management.
Relevant provision(s): Given its subject matter, the standard can be considered relevant in its entirety (247p.) to RM/RA practices.

The standard is built around five main aspects, i.e. Computer Installations, Networks (i.e. infrastructure), Critical Business Applications, Systems Development and Security Management. A sixth aspect, User Environment, had been announced but not yet published at the time of writing.

Each of these is split into a series of areas. E.g. for Networks, areas include Network Management, Traffic Management, Network Operations, Local Security Management, and Voice Networks.

Finally, each area is split into sections. E.g. for Traffic Management, sections include Configuring Network Devices, Firewalls, External Access and Wireless Access.

In each section, the standard states the key principles and objectives, followed by a series of specific rules for adhering to them.
Relevance to RM/RA: The standard is a commonly quoted source of good practices, and serves both as a resource for implementing information security policies and as a yardstick for auditing such systems and/or the practices surrounding them.
