Standard of Good Practice

From Wikipedia, the free encyclopedia

The 2007 Standard of Good Practice

The Standard of Good Practice (SoGP) is a detailed documentation of best practice for information security. First released in 1996, the Standard is published and revised every two years by the Information Security Forum (ISF), an international best-practices association consisting of member organizations in financial services, manufacturing, consumer products, telecommunications, government, and other areas. The Standard is available free of charge for non-commercial use from the ISF, whereas other ISF reports and tools are generally available only to member organizations.

The Standard is developed from research and the actual practices of and incidents experienced by major organizations, incorporating the ISF's extensive research program, comprehensive benchmarking program, analysis of other standards and prevailing practices, and the direct feedback from and active involvement of ISF members. Its regular and relatively frequent update cycle (every two years) also allows it to keep up with technological developments and emerging threats. The Standard is used as the default governing document for information security behavior by many major organizations, by itself or in conjunction with other standards such as ISO/IEC 27002 or COBIT.

The Standard was updated most recently in February 2007 to include a new addition focusing on end-user environments. It also includes expanded sections on application security, risk assessment, and other subjects and new sections addressing regulatory compliance and evolving security issues arising out of the ISF's best-practices research and recommendations.

Organization

The Standard is broken into six categories, or aspects. Computer Installations and Networks address the underlying IT infrastructure on which Critical Business Applications run. The End-User Environment covers the arrangements associated with protecting corporate and workstation applications at the endpoint in use by individuals. Systems Development deals with how new applications and systems are created, and Security Management addresses high-level direction and control.

Each aspect is described below by its focus, target audience, issues probed, and scope and coverage.

Security Management (enterprise-wide)
  Focus: Security management at enterprise level.
  Target audience: The target audience of the SM aspect will typically include:
  Issues probed: The commitment provided by top management to promoting good information security practices across the enterprise, along with the allocation of appropriate resources.
  Scope and coverage: Security management arrangements within:
  • A group of companies (or equivalent)
  • Part of a group (e.g. subsidiary company or a business unit)
  • An individual organization (e.g. a company or a government department)

Critical Business Applications
  Focus: A business application that is critical to the success of the enterprise.
  Target audience: The target audience of the CB aspect will typically include:
  • Owners of business applications
  • Individuals in charge of business processes that are dependent on applications
  • Systems integrators
  • Technical staff, such as members of an application support team
  Issues probed: The security requirements of the application and the arrangements made for identifying risks and keeping them within acceptable levels.
  Scope and coverage: Critical business applications of any:
  • Type (including transaction processing, process control, funds transfer, customer service, and workstation applications)
  • Size (e.g. applications supporting thousands of users or just a few)

Computer Installations
  Focus: A computer installation that supports one or more business applications.
  Target audience: The target audience of the CI aspect will typically include:
  • Owners of computer installations
  • Individuals in charge of running data centers
  • IT managers
  • Third parties that operate computer installations for the organization
  • IT auditors
  Issues probed: How requirements for computer services are identified; and how the computers are set up and run in order to meet those requirements.
  Scope and coverage: Computer installations:
  • Of all sizes (including the largest mainframe, server-based systems, and groups of workstations)
  • Running in specialized environments (e.g. a purpose-built data center), or in ordinary working environments (e.g. offices, factories, and warehouses)

Networks
  Focus: A network that supports one or more business applications.
  Target audience: The target audience of the NW aspect will typically include:
  Issues probed: How requirements for network services are identified; and how the networks are set up and run in order to meet those requirements.
  Scope and coverage: Any type of communications network, including:

Systems Development
  Focus: A systems development unit or department, or a particular systems development project.
  Target audience: The target audience of the SD aspect will typically include:
  • Heads of systems development functions
  • System developers
  • IT auditors
  Issues probed: How business requirements (including information security requirements) are identified; and how systems are designed and built to meet those requirements.
  Scope and coverage: Development activity of all types, including:
  • Projects of all sizes (ranging from many worker-years to a few worker-days)
  • Those conducted by any type of developer (e.g. specialist units or departments, outsourcers, or business users)
  • Those based on tailor-made software or application packages

End User Environment
  Focus: An environment (e.g. a business unit or department) in which individuals use corporate business applications or critical workstation applications to support business processes.
  Target audience: The target audience of the UE aspect will typically include:
  • Business managers
  • Individuals in the end-user environment
  • Local information-security coordinators
  • Information-security managers (or equivalent)
  Issues probed: The arrangements for user education and awareness; use of corporate business applications and critical workstation applications; and the protection of information associated with mobile computing.
  Scope and coverage: End-user environments:
  • Of any type (e.g. corporate department, general business unit, factory floor, or call center)
  • Of any size (e.g. several individuals to groups of hundreds or thousands)
  • That include individuals with varying degrees of IT skills and awareness of information security

The six aspects within the Standard are composed of a number of areas, each covering a specific topic. An area is broken down further into sections, each of which contains detailed specifications of information security best practice. Each specification has a unique reference. For example, SM41.2 indicates that a specification is in the Security Management aspect, area 4, section 1, and is listed as specification #2 within that section.
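As an added illustration of the reference scheme (this code is not part of the Standard or of the ISF's own tooling), the following Python parser splits a reference such as SM41.2 into its aspect, area, section and specification number and rejects malformed or unknown-aspect references. The aspect codes come from the table above; the assumption that the area and section are each a single digit is taken from the one worked reference on the page and may not hold for every edition.

```python
import re
from dataclasses import dataclass

# Aspect codes and names as given in the table of aspects above.
ASPECTS = {
    "SM": "Security Management",
    "CB": "Critical Business Applications",
    "CI": "Computer Installations",
    "NW": "Networks",
    "SD": "Systems Development",
    "UE": "End User Environment",
}

# Assumed layout (from the example SM41.2): two-letter aspect code, one area
# digit, one section digit, a dot, then the specification number in the section.
_REF_RE = re.compile(r"^(?P<aspect>[A-Z]{2})(?P<area>\d)(?P<section>\d)\.(?P<spec>\d+)$")


@dataclass(frozen=True)
class SogpRef:
    aspect: str
    area: int
    section: int
    spec: int

    @property
    def aspect_name(self) -> str:
        return ASPECTS[self.aspect]

    def __str__(self) -> str:
        return f"{self.aspect}{self.area}{self.section}.{self.spec}"


def parse_ref(text: str) -> SogpRef:
    """Parse a reference like 'SM41.2'; raise ValueError if it is malformed."""
    m = _REF_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a SoGP reference: {text!r}")
    aspect = m.group("aspect")
    if aspect not in ASPECTS:
        raise ValueError(f"unknown aspect code {aspect!r} in {text!r}")
    return SogpRef(aspect, int(m.group("area")), int(m.group("section")), int(m.group("spec")))


def is_valid_ref(text: str) -> bool:
    """True if the text parses as a reference with a known aspect code."""
    try:
        parse_ref(text)
        return True
    except ValueError:
        return False


def describe(text: str) -> str:
    """Spell out a reference the way the text above explains SM41.2."""
    r = parse_ref(text)
    return f"{r.aspect_name} aspect, area {r.area}, section {r.section}, specification #{r.spec}"
```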

The Principles and Objectives part of the Standard provides a high-level version of the Standard, by bringing together just the principles (which provide an overview of what needs to be performed to meet the Standard) and objectives (which outline the reason why these actions are necessary) for each section.

The published Standard also includes an extensive topics matrix, index, introductory material, background information, suggestions for implementation, and other information.

See also

See Category:Computer security for a list of all computing and information-security related articles.
