DSCI Security Framework for ISO 27001 Implementers

The Data Security Council of India (DSCI), a NASSCOM® body, has been setup as an independent self-regulatory organization to promote data protection, develop security / privacy best practices & standards, and encourage the Indian industries to implement the same.

DSCI has developed best practices for data protection in the form of two frameworks –

1. The Privacy Framework
2. The Security Framework

In this blog post, we will discuss the DSCI Security Framework (DSF) and its relevance for ISO 27001 implementers. We will discuss the Privacy Framework in a subsequent article.

The DSF has been developed in the form of 16 disciplines across 4 layers, each of which needs to be implemented / established in order to help organizations implement information security. The discipline centric approach helps in aligning an organization’s thought process to the market and helps in putting up a maturity based approach for both implementation and assessments.

1. Security Strategy and Policy (SSP)
2. Security Organizations (SEO)
3. Asset Management (ASM)
4. Governance Risk and Compliance (GRC)
5. Infrastructure Security (INS)
6. Application Security (APS)
7. Secure Content Management (SCM)
8. Threat and Vulnerability Management (TVM)
9. User Access and Privilege Management (UAP)
10. Business Continuity and Disaster Recovery Management (BDM)
11. Security Audit and Testing (SAT)
12. Security Monitoring and Incident Management (MIM)
13. Physical and Environmental Security (PEN)
14. Third Party Security Management (TSM)
15. Personnel Security (PES)
16. Data Security (DSC)

The four layers in which each discipline has been divided into are –

1. Approach
   An attempt has been made to describe the discipline and to set the expectations and the rationale behind inclusion of the same
2. Strategy
   Policy statements pertaining to implementation of the discipline has been provided in this section to help management (senior / middle) in putting up appropriate direction towards successful implementation of the discipline
3. Best Practices
   This section details some of the best practices that have been observed over a period of time across industries pertaining to this discipline;
4. Maturity
   This section identifies & articulates some characteristics of the discipline that showcases the evolution of the same in an organization

DSF and ISO 27001

For ISMS implementers, the framework puts up important guidance towards implementation. This means that  the DSF can be used to implement an ISO 27001:2005 compliant ISMS. A partial mapping table of DSF disciplines vis-à-vis ISO 27001 has been presented below. This is not an exhaustive list and has been provided as an illustration.

Benefits of DSCI Privacy and Security Frameworks

1. The discipline based approach helps align an organization to the market realities;
2. The layered approach helps in implementation and in client assurance; in light of the recent regulations, security and privacy implementations have been implemented in many organizations across the country, both towards due diligence and to provide appropriate assurance to clients regarding the security and privacy of their data.

Improvements Wishlist

1. A maturity model would be a welcome move (e.g., similar to ISM3 & SSE-CMM)
2. Awareness of the eco-system needs to be strengthened (expect more traction in coming days as the system is new).

This article has also appeared in the August 2013 edition of the CHMag Journal.