This article has multiple issues. Please help improve it or discuss these issues on the talk page . (Learn how and when to remove these template messages)
|
Industry | information security best practice research |
---|---|
Founded | London, United Kingdom (1989) |
Website | SecurityForum.org |
The Information Security Forum (ISF) is an independent information security body.
The ISF delivers a range of content, activities, and tools. The ISF is a paid membership organisation: all its products and services are included in the membership fee. From time to time, the ISF makes research documents and other papers available to non-members.
The ISF released the updated Standard of Good Practice for Information Security in 2018. The Standard is available to ISF members and non-members, who can purchase copies of the report. The 2018 Standard represents an update on the 2016 release of the Standard, and builds upon the previous release to include the most up-to-date controls, approaches and thought leadership in information security.
The standard is a business-focused, practical and comprehensive guide available for identifying and managing information security risks in organizations. [1]
The 2016 standard covers current information security 'hot topics' such as Threat Intelligence, Cyber Attack Protection and Industrial Control Systems, as well as, significant enhancement of existing topics including Information Risk Assessment, Security Architecture and Enterprise Mobility Management. It can be used to build a comprehensive and effective information security management system. In addition to covering information security-related standards such as COBIT 5 for Information Security, The CIS Critical Security Controls for Effective Cyber Defense, the 2016 standard covers ISO/IEC 27002 as well as PCI DSS 3.1 and the NIST Cybersecurity Framework.
Based on member input, the ISF selects a number of topics for research in a given year. The research includes interviewing member and non-member organizations and thought leaders, academic researchers, and other key individuals, as well as examining a range of approaches to the issue. The resulting reports typically go into depth describing the issue generally, outlining the key information security issues to be considered, and proposing a process to address the issue, based on best practices.
For broad, fundamental areas, such as information risk assessment or return-on-investment calculations, the ISF develops comprehensive methodologies that formalize the approaches to these issues. Supporting the methodology, the ISF supplies web and spreadsheet-based tools to automate these functions.
The ISF's Benchmark (formerly called the 'Information Security Status Survey') has a well-established pedigree – harnessing the collective input of hundreds of the world's leading organizations for over 25 years. Organizations can participate in the Benchmark service at any time and can use the web-based tool to assess their security performance across a range of different environments, compare their security strengths and weaknesses against other organizations, and measure their performance against the ISF's 2016 Standard of Good Practice, ISO/IEC 27002:2013, and COBIT version 5 for information security. The Benchmark provides a variety of data export functionality that can be used for analyzing and presenting data for management reporting and the creation of security improvement programs. It is updated on a biennial basis to align with the latest thinking in information security and provide the ISF Members with improved user experiences and added value. [2]
Regional chapter meetings and other activities provide for face-to-face networking among individuals from ISF member organisations. The ISF encourages direct member-to-member contact to address individual questions and strengthen relationships. Chapter meetings and other activities are conducted around the world and address local issues and language/cultural dimensions.[ citation needed ]
The ISF's annual global conference, the 'World Congress', takes place in a different city each year. The 2017 conference will take place in October in Cannes, France. The event offers an opportunity for attendees to discuss and find solutions to current security challenges, and gain practical advice from peers and leading industry experts from around the world. Over 1,000 global senior executives attend. The event includes a series of keynote presentations, workshops and networking sessions, best practices and thought leadership in a confidential peer-group environment. [2]
The ISF's extranet portal, ISF Live, enables members to directly access all ISF materials, including member presentations, messaging forums, contact information, webcasts, online tools, and other data for member use. [3]
The members of the ISF, through the regional chapters, elect a Council to develop its work program and generally to represent member interests. The Council elects an 'Executive' group which is responsible for financial and strategic objectives.
See Category:Computer security for a list of all computing and information-security related articles.
Business continuity may be defined as "the capability of an organization to continue the delivery of products or services at pre-defined acceptable levels following a disruptive incident", and business continuity planning is the process of creating systems of prevention and recovery to deal with potential threats to a company. In addition to prevention, the goal is to enable ongoing operations before and during execution of disaster recovery. Business continuity is the intended outcome of proper execution of both business continuity planning and disaster recovery.
Information technology service management (ITSM) are the activities performed by an organization to design, build, deliver, operate and control information technology (IT) services offered to customers.
BS 7799 was a British standard "Code of Practice for Information Security Management", first published as such by the British Standards Institution (BSI) in February 1995. Read about the origins of BS 7799 here.
In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Compliance has traditionally been explained by reference to the deterrence theory, according to which punishing a behavior will decrease the violations both by the wrongdoer and by others. This view has been supported by economic theory, which has framed punishment in terms of costs and has explained compliance in terms of a cost-benefit equilibrium. However, psychological research on motivation provides an alternative view: granting rewards or imposing fines for a certain behavior is a form of extrinsic motivation that weakens intrinsic motivation and ultimately undermines compliance.
COBIT is a framework created by ISACA for information technology (IT) management and IT governance.
ISACA is an international professional association focused on IT governance. On its IRS filings, it is known as the Information Systems Audit and Control Association, although ISACA now goes by its acronym only. ISACA currently offers 8 certification programs, as well as other micro-certificates.
Information security standards or cyber security standards are techniques generally outlined in published materials that attempt to protect the cyber environment of a user or organization. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.
The Standard of Good Practice for Information Security (SOGP), published by the Information Security Forum (ISF), is a business-focused, practical and comprehensive guide to identifying and managing information security risks in organizations and their supply chains.
Information security management (ISM) defines and manages controls that an organization needs to implement to ensure that it is sensibly protecting the confidentiality, availability, and integrity of assets from threats and vulnerabilities. The core of ISM includes information risk management, a process that involves the assessment of the risks an organization must deal with in the management and protection of assets, as well as the dissemination of the risks to all appropriate stakeholders. This requires proper asset identification and valuation steps, including evaluating the value of confidentiality, integrity, availability, and replacement of assets. As part of information security management, an organization may implement an information security management system and other best practices found in the ISO/IEC 27001, ISO/IEC 27002, and ISO/IEC 27035 standards on information security.
ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC), titled Information security, cybersecurity and privacy protection — Information security controls.
The ISO/IEC 27000-series comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
MEHARI is a free, open-source information risk analysis assessment and risk management method, for the use of information security professionals.
Information technology risk, IT risk, IT-related risk, or cyber risk is any risk relating to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Revolution has led to organizations becoming increasingly dependent on information, information processing and especially IT. Various events or incidents that compromise IT in some way can therefore cause adverse impacts on the organization's business processes or mission, ranging from inconsequential to catastrophic in scale.
IT risk management is the application of risk management methods to information technology in order to manage IT risk, i.e.:
ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection is a standardization subcommittee of the Joint Technical Committee ISO/IEC JTC 1 of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO/IEC JTC 1/SC 27 develops International Standards, Technical Reports, and Technical Specifications within the field of information security. Standardization activity by this subcommittee includes general methods, management system requirements, techniques and guidelines to address information security, cybersecurity and privacy. Drafts of International Standards by ISO/IEC JTC 1 or any of its subcommittees are sent out to participating national standardization bodies for ballot, comments and contributions. Publication as an ISO/IEC International Standard requires approval by a minimum of 75% of the national bodies casting a vote. The international secretariat of ISO/IEC JTC 1/SC 27 is the Deutsches Institut für Normung (DIN) located in Germany.
ISO/IEC 27001 is an international standard to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, revised in 2013, and again most recently in 2022. There are also numerous recognized national variants of the standard. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) – the aim of which is to help organizations make the information assets they hold more secure. Organizations that meet the standard's requirements can choose to be certified by an accredited certification body following successful completion of an audit. The effectiveness of the ISO/IEC 27001 certification process and the overall standard has been addressed in a large-scale study conducted in 2020.
ISO/IEC 27040 is part of a growing family of International Standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in the area of security techniques; the standard is being developed by Subcommitee 27 (SC27) - IT Security techniques of the first Joint Technical Committee 1 of the ISO/IEC. A major element of SC27's program of work includes International Standards for information security management systems (ISMS), often referred to as the 'ISO/IEC 27000-series'.
Cyber Essentials is a United Kingdom certification scheme designed to show an organisation has a minimum level of protection in cyber security through annual assessments to maintain certification.
ISO/IEC 27017 is a security standard developed for cloud service providers and users to make a safer cloud-based environment and reduce the risk of security problems. It was published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27. It is part of the ISO/IEC 27000 family of standards, standards which provides best practice recommendations on information security management. This standard was built from ISO/IEC 27002, suggesting additional security controls for the cloud which were not completely defined in ISO/IEC 27002.