Standard of Good Practice

From Wikipedia, the free encyclopedia

The Standard of Good Practice (SoGP) is a detailed documentation of best practices for information security. It is published and revised every two years by the Information Security Forum (ISF), a private international best-practices organization consisting of member organizations in financial services, manufacturing, consumer products, and other market sectors. It is available free of charge from the ISF.

The Standard is developed from research based on the actual practices of, and incidents experienced by, major organizations. Its relatively frequent update cycle (every two years) also allows it to keep up with technological developments and emerging threats. The Standard is used as the default governing document for information security behavior by many major organizations, either by itself or in conjunction with other standards such as ISO 17799 (renumbered ISO/IEC 27002 in 2007) or COBIT.


Organization

The Standard is broken into six categories, or aspects:

  • Aspect SM Security Management. From the Standard: "Keeping the business risks associated with information systems under control within an enterprise requires clear direction and commitment from the top, the allocation of adequate resources, effective arrangements for promoting good information security practice throughout the enterprise and the establishment of a secure environment."
  • Aspect SD Systems Development. From the Standard: "Building security into systems during their development is more cost-effective and secure than grafting it on afterwards. It requires a coherent approach to systems development as a whole, and sound disciplines to be observed throughout the development cycle. Ensuring that information security is addressed at each stage of the cycle is of key importance."
  • Aspect CB Critical Business Applications. From the Standard: "A critical business application requires a more stringent set of security controls than other applications. By understanding the business impact of a loss of confidentiality, integrity, or availability of information, it is possible to establish the level of criticality of an application. This provides a sound basis for identifying business risks and determining the level of protection required to keep risks within acceptable limits."
  • Aspect CI Computer Installations. From the Standard: "Computer installations typically support critical business applications and safeguarding them is, therefore, a key priority. Since the same information security principles apply to any computer installation—irrespective of where information is processed or on what scale or type of computer it takes place—a common standard of good practice for information security should be applied."
  • Aspect NW Networks. From the Standard: "Computer networks convey information and provide a channel of access to information systems. By their nature, they are highly vulnerable to disruption and abuse. Safeguarding business communications requires robust network design, well-defined network services, and sound disciplines to be observed in running networks and managing security. These factors apply equally to local and wide area networks, and to data and voice communications."
  • Aspect UE User Environment. This new aspect has been announced but is not yet published.

Each aspect is further broken down into areas, and each area into sections. These sections contain detailed specifications of information security practice, and the specifications themselves contain statements of best practice. Each statement has a unique reference built from the aspect code, the area number, the section number, and the statement number. For example, SM41.2 denotes the Security Management aspect, area 4, section 1, statement #2 within that section.
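A small parser for these references, useful when mapping SoGP statements onto an internal control catalogue or audit checklist. This is an added example, not material from the Standard or the ISF; it assumes, based only on the page's single example (SM41.2), that area and section are single digits written back to back before the dot, and it uses the six aspect codes listed above.

```python
import re
from typing import Dict, List, Tuple

# Aspect codes and names as listed in the Standard's organization above.
# The order of this mapping is the order the aspects are listed in.
ASPECTS: Dict[str, str] = {
    "SM": "Security Management",
    "SD": "Systems Development",
    "CB": "Critical Business Applications",
    "CI": "Computer Installations",
    "NW": "Networks",
    "UE": "User Environment",
}

# Assumption (the page gives only the SM41.2 example): a reference is a
# two-letter aspect code, a one-digit area, a one-digit section, a dot,
# and a statement number of one or more digits.
_REF_RE = re.compile(
    r"^(?P<aspect>[A-Z]{2})(?P<area>\d)(?P<section>\d)\.(?P<statement>\d+)$"
)


def parse_reference(ref: str) -> dict:
    """Decode a reference such as 'SM41.2' into its components.

    Raises ValueError for a malformed string or an aspect code that is not
    one of the six listed in the Standard, so typos in a control mapping
    fail loudly instead of pointing at a statement that does not exist.
    """
    m = _REF_RE.match(ref.strip())
    if not m:
        raise ValueError(f"malformed SoGP reference: {ref!r}")
    aspect = m.group("aspect")
    if aspect not in ASPECTS:
        raise ValueError(f"unknown SoGP aspect code: {aspect!r}")
    return {
        "aspect": aspect,
        "aspect_name": ASPECTS[aspect],
        "area": int(m.group("area")),
        "section": int(m.group("section")),
        "statement": int(m.group("statement")),
    }


def sort_references(refs: List[str]) -> Tuple[List[dict], List[str]]:
    """Parse a list of references and order them as the Standard is laid out
    (aspect in listed order, then area, section, statement numerically).

    Malformed or unknown references are returned separately rather than
    silently dropped, so a checklist that cites them can be corrected.
    """
    aspect_order = list(ASPECTS)
    parsed, rejected = [], []
    for ref in refs:
        try:
            parsed.append(parse_reference(ref))
        except ValueError:
            rejected.append(ref)
    parsed.sort(
        key=lambda p: (
            aspect_order.index(p["aspect"]),
            p["area"],
            p["section"],
            p["statement"],
        )
    )
    return parsed, rejected


if __name__ == "__main__":
    # Constructed sample input: a mixed, unordered list as it might appear
    # in a control mapping spreadsheet, including one bad entry.
    sample = ["NW12.3", "SM41.10", "XX11.1", "SM41.2", "CB23.1"]
    ordered, bad = sort_references(sample)
    for p in ordered:
        print(f"{p['aspect']}{p['area']}{p['section']}.{p['statement']}"
              f"  ({p['aspect_name']}, area {p['area']}, section {p['section']})")
    print("rejected:", bad)
```

Note that a plain string sort would place SM41.10 before SM41.2; sorting on the decoded integer fields keeps statements in the Standard's numeric order.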

2007 Update

The Standard was updated in February 2007 to include a new aspect focusing on end-user environments. The update also greatly expanded the sections on application security, risk assessment, and other areas, and added entirely new sections addressing compliance and emerging security issues identified in the ISF's best-practices research and recommendations.

See also

See Category:Computer security for a list of all computing and information-security related articles.

External links