The Data Security Council of India (DSCI), a NASSCOM® body, has been set up as an independent self-regulatory organization to promote data protection, develop security / privacy best practices & standards, and encourage Indian industry to implement them.
DSCI has developed best practices for data protection in the form of two frameworks –
In this blog post, we will discuss the DSCI Security Framework (DSF) and its relevance for ISO 27001 implementers. We will discuss the Privacy Framework in a subsequent article.
The DSF has been developed in the form of 16 disciplines across 4 layers, each of which needs to be implemented / established in order to help organizations implement information security. The discipline-centric approach helps align an organization's thought process with the market and supports a maturity-based approach to both implementation and assessment.
The four layers into which each discipline is divided are –
DSF and ISO 27001
For ISMS implementers, the framework provides important guidance for implementation. This means that the DSF can be used to implement an ISO 27001:2005 compliant ISMS. A partial mapping of DSF disciplines vis-à-vis ISO 27001 control areas is presented below. This is not an exhaustive list and has been provided as an illustration.
| S. No | ISO 27001 Control | DSF Discipline |
|---|---|---|
| 1 | Security Policy | Security Strategy and Policy (SSP) |
| 2 | Organization of Information Security | Security Organizations (SEO), Third Party Security Management (TSM), Governance Risk and Compliance (GRC) |
| 3 | Asset Management | Asset Management (ASM), Data Security (DSC) |
| 4 | Human Resources Security | Personnel Security (PES) |
| 5 | Physical and Environmental Security | Physical and Environmental Security (PEN), Third Party Security Management (TSM) |
| 6 | Communications and Operations Management | Infrastructure Security (INS), Third Party Security Management (TSM) |
| 7 | Access Control | Secure Content Management (SCM), User Access and Privilege Management (UAP), Data Security (DSC) |
| 8 | Information Systems Acquisition, Development and Maintenance | Application Security (APS), Threat and Vulnerability Management (TVM) |
| 9 | Information Security Incident Management | Security Monitoring and Incident Management (MIM) |
| 10 | Business Continuity Management | Business Continuity and Disaster Recovery Management (BDM) |
| 11 | Compliance | Governance Risk and Compliance (GRC), Security Audit and Testing (SAT), Data Security (DSC) |
This article has also appeared in the August 2013 edition of the CHMag Journal.