The Data Security Council of India (DSCI), a NASSCOM® body, has been set up as an independent self-regulatory organization to promote data protection, develop security / privacy best practices & standards, and encourage Indian industries to implement them.
DSCI has developed best practices for data protection in the form of two frameworks –
- The Privacy Framework
- The Security Framework
In this blog post, we will discuss the DSCI Security Framework (DSF) and its relevance for ISO 27001 implementers. We will discuss the Privacy Framework in a subsequent article.
The DSF is organized into 16 disciplines across 4 layers, each of which needs to be implemented / established in order to help organizations implement information security. The discipline-centric approach helps align an organization's thought process to the market and supports a maturity-based approach for both implementation and assessments.
The 16 disciplines are as follows –
- Security Strategy and Policy (SSP)
- Security Organizations (SEO)
- Asset Management (ASM)
- Governance Risk and Compliance (GRC)
- Infrastructure Security (INS)
- Application Security (APS)
- Secure Content Management (SCM)
- Threat and Vulnerability Management (TVM)
- User Access and Privilege Management (UAP)
- Business Continuity and Disaster Recovery Management (BDM)
- Security Audit and Testing (SAT)
- Security Monitoring and Incident Management (MIM)
- Physical and Environmental Security (PEN)
- Third Party Security Management (TSM)
- Personnel Security (PES)
- Data Security (DSC)
The four layers into which each discipline has been divided are –
An attempt has been made to describe the discipline and to set out the expectations and the rationale behind its inclusion.
Policy statements pertaining to implementation of the discipline have been provided in this section to help management (senior / middle) set appropriate direction towards successful implementation of the discipline.
- Best Practices
This section details some of the best practices pertaining to this discipline that have been observed over a period of time across industries.
This section identifies and articulates some characteristics of the discipline that showcase its evolution in an organization.
DSF and ISO 27001
For ISMS implementers, the framework offers important guidance towards implementation. This means that the DSF can be used to implement an ISO 27001:2005 compliant ISMS. A partial mapping table of DSF disciplines vis-à-vis ISO 27001 is presented below. This is not an exhaustive list and has been provided as an illustration.

| S. No | ISO 27001 Control | DSF Discipline |
|---|---|---|
| 1 | Security Policy | Security Strategy and Policy (SSP) |
| 2 | Organization of Information Security | Security Organizations (SEO), Third Party Security Management (TSM), Governance Risk and Compliance (GRC) |
| 3 | Asset Management | Asset Management (ASM), Data Security (DSC) |
| 4 | Human Resources Security | Personnel Security (PES) |
| 5 | Physical and Environmental Security | Physical and Environmental Security (PEN), Third Party Security Management (TSM) |
| 6 | Communications and Operations Management | Infrastructure Security (INS), Third Party Security Management (TSM) |
| 7 | Access Control | Secure Content Management (SCM), User Access and Privilege Management (UAP), Data Security (DSC) |
| 8 | Information Systems Acquisition, Development and Maintenance | Application Security (APS), Threat and Vulnerability Management (TVM) |
| 9 | Information Security Incident Management | Security Monitoring and Incident Management (MIM) |
| 10 | Business Continuity Management | Business Continuity and Disaster Recovery Management (BDM) |
| 11 | Compliance | Governance Risk and Compliance (GRC), Security Audit and Testing (SAT), Data Security (DSC) |

Benefits of DSCI Privacy and Security Frameworks
- The discipline-based approach helps align an organization to the market realities;
- The layered approach helps in implementation and in client assurance; in light of the recent regulations, many organizations across the country have implemented security and privacy measures, both towards due diligence and to provide appropriate assurance to clients regarding the security and privacy of their data.
- A maturity model would be a welcome move (e.g., similar to ISM3 & SSE-CMM)
- Awareness of the eco-system needs to be strengthened (expect more traction in coming days as the system is new).
This article has also appeared in the August 2013 edition of the CHMag Journal.