The Information Security Forum (ISF), the International Information Systems Security Certification Consortium (ISC)², and ISACA have teamed up to develop a set of 12 information security principles to help guide information security professionals in responding to security challenges.
“The objective of the principles is to provide an individual practitioner with a set of good practice and ethical guidance on how they should perform their duties so that the information under their control is protected and the organization they work for is secure”, Martin Tully, a research analyst at ISF, told Infosecurity.
The 12 principles are broken down into three categories: support the business, defend the business, and promote responsible security behavior. Tully explained that the first category is about aligning information security with business objectives; the second is about risk management and protecting information; and the third is about how individuals carry out responsible security behavior within the organization.
Detailed in a handy-to-use poster, the principles contain specific actions individual practitioners can take to further the principles' broad objectives.
For example, under principle A3, “Comply with relevant legal and regulatory requirements”, the poster notes: “Compliance obligations should be identified, translated into requirements specific to information security and communicated to all relevant individuals. The penalties associated with noncompliance should be clearly understood. Controls should be monitored, analysed and brought up-to-date to meet new or updated legal or regulatory requirements.”
Tully explained that if a practitioner is involved with information security compliance issues, this principle and accompanying actions provide background on the things he or she should focus on.
At the same time, the principles offer guidance to practitioners across a broad range of information security areas, not just an individual’s area of expertise. “Often the regulatory issue changes depending on which stakeholder is asking for information. So the regulatory guy needs” to understand the business side of the issue. Information security practitioners need to bear “all of the principles in mind”, Tully explained.
Anecdotal feedback from industry has been positive. Tully said that ISF provided a draft of the principles to its members, who affirmed that the principles are useful in a number of ways, including criteria for hiring information security professionals.
The organizations plan to update the principles in about a year after receiving more systematic industry feedback, Tully said, adding that they would like to have the principles endorsed by large companies, such as Microsoft. This would help in having the principles accepted on a broad industry basis, he concluded.