
www.securityforum.org Information Security Forum • Information security principles

Aim

The principles have been produced to provide information security practitioners with a set of principles to govern their behaviour, objectives, approach and activities, in order to promote good practice in information security.

Principles for information security practitioners An overview

Background

Information security practitioners need to respond to the changing requirements of organisations in today’s complex, interconnected world. For example,

• corporate, IT and information security governance have promoted information security higher up on the board’s agenda
• the information security profession is not fully mature, traditionally has a bias towards technology and needs to be more risk focused
• rapidly evolving threats require information security practitioners to stay ahead of the game
• co-ordinated efforts are needed to maintain the adaptability of information security practitioners, particularly in changing business environments.

Over the years there have been a number of offerings related to individual information security practitioners that cover behaviour, actions or ethics. However, there is a requirement for an independent, non-proprietary set of principles, which are:

• more generic and complete, with less focus on professional qualifications
• relevant to the business world – and kept up to date
• agreed throughout the security profession, rather than being proprietary to one organisation
• able to map easily to different security standards and guidelines.

The principles for information security practitioners have been designed to meet these needs. They have been jointly developed by three of the world’s leading global security organisations: the ISF, ISACA and (ISC)².

Support, Defend and Promote….

The principles have been designed to help information security practitioners support and defend the business from a variety of risks. In addition, individuals can use the principles to promote responsible security behaviour. Some of these benefits are highlighted in the table below.

Benefit | Adopting the principles for information security practitioners will help an organisation to...

Support the business
• Integrate information security into essential business activities
• Derive value from information security, helping to meet business requirements
• Meet statutory obligations, stakeholder expectations and avoid civil or criminal penalties
• Support business requirements and manage information risks
• Analyse and assess emerging information security threats
• Reduce costs, improve efficiency and enhance effectiveness

Defend the business
• Treat risks in a consistent and effective manner
• Prevent classified information (eg confidential or sensitive) being disclosed to unauthorised individuals
• Prioritise scarce information security resources by protecting those business applications where a security incident would have the greatest business impact
• Build quality, cost-effective systems upon which business people can rely (eg that are consistently robust, accurate and reliable)

Promote responsible security behaviour
• Perform information security-related activities in a reliable, responsible and effective manner
• Provide a positive security influence on the behaviour of end users, reduce the likelihood of security incidents occurring, and limit their potential business impact.


Warning

This document is confidential and purely for the attention of and use by organisations that are Members of the Information Security Forum (ISF). If you are not a Member of the ISF or have received this document in error, please destroy it or contact the ISF on [email protected] or on +44 (0)20 7213 1745. Any storage or use of this document by organisations which are not Members of the ISF is not permitted and strictly prohibited.

This document has been produced with care and to the best of our ability. However, both the Information Security Forum and the Information Security Forum Limited accept no responsibility for any problems or incidents arising from its use. The Information Security Forum is an independent, not-for-profit association of leading organisations dedicated to clarifying and resolving key issues in information security and developing security solutions that meet the business needs of its Members.

Reference: ISF 10 10 01 Copyright © 2010 Information Security Forum Limited. All rights reserved. Classification: Restricted to ISF Members and ISF Service Providers

The twelve principles

The principles for information security practitioners are presented below, showing how they can be used to support or defend the business and promote responsible security behaviour.

A. Support the business
A1 Focus on the business
A2 Deliver quality and value to stakeholders
A3 Comply with relevant legal and regulatory requirements
A4 Provide timely and accurate information on security performance
A5 Evaluate current and future information threats
A6 Promote continuous improvement in information security

B. Defend the business
B1 Adopt a risk-based approach
B2 Protect classified information
B3 Concentrate on critical business applications
B4 Develop systems securely

C. Promote responsible security behaviour
C1 Act in a professional and ethical manner
C2 Foster a security-positive culture

The principles for information security practitioners are available as a poster, which presents the principles under three categories: support the business; defend the business; and promote responsible security behaviour. An objective for each principle is also included, together with a detailed description for each one.

Target audience

The principles for information security practitioners are aimed at all individuals working in the information security community, including those who:

• are employed as part of a security function
• provide security services in local environments (eg local security co-ordinators)
• are responsible for developing systems securely
• supply security products and services (eg vendors and consultants)
• influence legal / regulatory requirements for information security
• are aspiring to become security practitioners (eg students).

Enhancing information security practitioners

Adopting these principles will help practitioners:

• build confidence when explaining the key areas of information security to business representatives
• increase the reputation of their organisation in the marketplace (and amongst suppliers and new employees) as being a ‘trusted’ company
• add value by being supportive of staff development, leading to improved staff morale and subsequent organisational performance
• promote themselves as working to ethical and responsible practices
• increase their own credibility within the information security profession.

Note: While individuals should be responsible for applying the principles, organisations need to support the adoption of the principles, for example by setting policy and providing a security-positive environment.

www.securityforum.org Reference: ISF 10 ISP Copyright © 2010 Information Security Forum Limited. All rights reserved.

Principles for Information Security Practitioners are reproduced with the permission of the Information Security Forum (ISF) for use by representatives of (ISC)² and ISACA.