
Joining Forces to Support the Security Profession

✍ Scribed by Jason Creasey; John Colley


Publisher: Elsevier
Year: 2011
Language: English
File size: 34 KB
Volume: 8
Category: Article
ISSN: 1754-4548


✦ Synopsis


In late 2010, three of the world's leading global security organizations - ISF, (ISC)² and ISACA - released a set of 12 independent, non-proprietary security principles designed to help security practitioners respond more effectively to the changing needs of organizations in today's complex, inter-connected world.

The principles provide advice to security professionals to help govern their behavior, objectives, approach and activities in order to promote good practice in information security.

ISF and (ISC)², together with ISACA, have worked closely together over the past year to create these principles for two important reasons. First, to promote good practice guidelines for information security professionals worldwide who may not be affiliated with any professional organization. Second, to offer clear, practical advice to all professionals on how information security can best support business objectives.

There are other security standards and frameworks around, like SOGP, COBIT and ISO27002, which are aimed at organizations. As industry bodies representing our members, however, we felt there was a need for something akin to a code of conduct for individuals to adopt. The business environment is changing all the time, while the information security profession is still not fully mature, and traditionally, has had a bias toward technology. As a result, we all need to be much more risk focused when it comes to rapidly evolving threats.

Today, the success of security within organizations - both large and small - is highly dependent upon how closely aligned security is with the business. These principles are designed to be accessible to everyone working in information security, whatever their level, qualification or affiliation. This is what makes them so relevant and unique.

Security professionals now have a common framework for truly risk-based security management. Plus, we believe they will become a real asset to businesses, which will be able to refer to them as pillars of 'good business practice'.

Importantly, they will also help information security professionals convince management of their strategic significance in managing business risk and to continue to enhance the quality and visibility of the information security profession throughout the world.

This set of principles also complements other guidelines and models provided by each of the individual security organizations, including (ISC)²'s own professional Code of Ethics, which gives assured reliance on the character, ability, strength, or truth of a fellow (ISC)² member and provides a suggested framework for the security management of an organization.

The principles also complement the ISF's Guidelines for Information Security - a high-level framework comprising 21 statements and objectives covering the full spectrum of information security, which provide the basis for implementing information security across an organization. Finally, they support ISACA's Business Model for Information Security (BMIS), which provides an approach for describing the information security ecosystem and a common language for information security and business management to improve information protection.

The principles for information security practitioners are outlined under three main categories: support the business; defend the business; and promote responsible security behavior. Each principle has an objective and detailed description.

Available as a poster and downloadable from the ISF, (ISC)² and ISACA websites, the principles are aimed at all individuals working within the information security community, including those responsible for developing, supplying and managing security systems, and those influencing legal or regulatory requirements for security and others educating tomorrow's workforce.

