DSCI Security Framework for ISO 27001 Implementers

By - M.S. Sripati | 16 Dec 2013

The Data Security Council of India (DSCI), a NASSCOM® body, has been setup as an independent self-regulatory organization to promote data protection, develop security / privacy best practices & standards, and encourage the Indian industries to implement the same.

DSCI has developed best practices for data protection in the form of two frameworks –

  1. The Privacy Framework
  2. The Security Framework

In this blog post, we will discuss the DSCI Security Framework (DSF) and its relevance for ISO 27001 implementers. We will discuss the Privacy Framework in a subsequent article.

The DSF has been developed in the form of 16 disciplines across 4 layers, each of which needs to be implemented / established in order to help organizations implement information security. The discipline centric approach helps in aligning an organization’s thought process to the market and helps in putting up a maturity based approach for both implementation and assessments.

DSCI Security Framework - DSF

The 16 disciplines are as follows –

  1. Security Strategy and Policy (SSP)
  2. Security Organizations (SEO)
  3. Asset Management (ASM)
  4. Governance Risk and Compliance (GRC)
  5. Infrastructure Security (INS)
  6. Application Security (APS)
  7. Secure Content Management (SCM)
  8. Threat and Vulnerability Management (TVM)
  9. User Access and Privilege Management (UAP)
  10. Business Continuity and Disaster Recovery Management (BDM)
  11. Security Audit and Testing (SAT)
  12. Security Monitoring and Incident Management (MIM)
  13. Physical and Environmental Security (PEN)
  14. Third Party Security Management (TSM)
  15. Personnel Security (PES)
  16. Data Security (DSC)

The four layers in which each discipline has been divided into are –

  1. Approach
    An attempt has been made to describe the discipline and to set the expectations and the rationale behind inclusion of the same
  2. Strategy
    Policy statements pertaining to implementation of the discipline has been provided in this section to help management (senior / middle) in putting up appropriate direction towards successful implementation of the discipline
  3. Best Practices
    This section details some of the best practices that have been observed over a period of time across industries pertaining to this discipline;
  4. Maturity
    This section identifies & articulates some characteristics of the discipline that showcases the evolution of the same in an organization

DSF and ISO 27001

For ISMS implementers, the framework puts up important guidance towards implementation. This means that  the DSF can be used to implement an ISO 27001:2005 compliant ISMS. A partial mapping table of DSF disciplines vis-à-vis ISO 27001 has been presented below. This is not an exhaustive list and has been provided as an illustration.

S. NoISO 27001 ControlDSD Dicipline
1Security PolicySecurity Strategy and Policy (SSP)
2Organization of Information SecuritySecurity Organizations (SEO), Third Party Security Management (TSM), Governance Risk and Compliance (GRC)
3Asset ManagementAsset Management (ASM), Data Security (DSC)
4Human Resources SecurityPersonnel Security (PES)
5Physical and Environmental SecurityPhysical and Environmental Security (PEN), Third Party Security Management (TSM)
6Communications and Operations ManagementInfrastructure Security (INS), Third Party Security Management (TSM)
7Access ControlSecure Content Management (SCM), User Access and Privilege Management (UAP), Data Security (DSC)
8Informations Systems Acquisition, Development and MaintenanceApplication Security (APS), Threat and Vulnerability Management (TVM)
9Information Security Incident ManagementSecurity Monitoring and Incident Management (MIM)
10Business Continuity ManagementBusiness Continuity and Disaster Recovery Management (BDM)
11ComplianceGovernance Risk and Compliance (GRC), Security Audit and Testing (SAT), Data Security (DSC)

Benefits of DSCI Privacy and Security Frameworks

  1. The discipline based approach helps align an organization to the market realities;
  2. The layered approach helps in implementation and in client assurance; in light of the recent regulations, security and privacy implementations have been implemented in many organizations across the country, both towards due diligence and to provide appropriate assurance to clients regarding the security and privacy of their data.

Improvements Wishlist

  1. A maturity model would be a welcome move (e.g., similar to ISM3 & SSE-CMM)
  2. Awareness of the eco-system needs to be strengthened (expect more traction in coming days as the system is new).

This article has also appeared in the August 2013 edition of the CHMag Journal.

Image Credits

  1. DSF (DSCI Security Framework) Book Image – http://images.nasscom.org/sites/default/files/imagecache/product_full/researchreports/images/DSF.jpg
  2. http://www.dsci.in/sites/default/files/Security_homepage_0.jpg

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.