The Data Security Council of India (DSCI), a NASSCOM® body, has been set up as an independent self-regulatory organization to promote data protection, develop security / privacy best practices and standards, and encourage Indian industry to implement them.
DSCI has developed best practices for data protection in the form of two frameworks –
In this blog post, we will discuss the DSCI Security Framework (DSF) and its relevance for ISO 27001 implementers. We will discuss the Privacy Framework in a subsequent article.
The DSF is organized as 16 disciplines spread across 4 layers, each of which needs to be implemented / established in order to help organizations implement information security. The discipline-centric approach helps align an organization's thinking with the market and supports a maturity-based approach to both implementation and assessment.
The four layers into which each discipline is divided are –
DSF and ISO 27001
For ISMS implementers, the framework provides important guidance for implementation. This means that the DSF can be used to implement an ISO 27001:2005 compliant ISMS. A partial mapping of DSF disciplines against ISO 27001 control areas is presented below. This is not an exhaustive list and is provided as an illustration only.
| S. No | ISO 27001 Control | DSF Discipline |
|---|---|---|
| 1 | Security Policy | Security Strategy and Policy (SSP) |
| 2 | Organization of Information Security | Security Organizations (SEO), Third Party Security Management (TSM), Governance Risk and Compliance (GRC) |
| 3 | Asset Management | Asset Management (ASM), Data Security (DSC) |
| 4 | Human Resources Security | Personnel Security (PES) |
| 5 | Physical and Environmental Security | Physical and Environmental Security (PEN), Third Party Security Management (TSM) |
| 6 | Communications and Operations Management | Infrastructure Security (INS), Third Party Security Management (TSM) |
| 7 | Access Control | Secure Content Management (SCM), User Access and Privilege Management (UAP), Data Security (DSC) |
| 8 | Information Systems Acquisition, Development and Maintenance | Application Security (APS), Threat and Vulnerability Management (TVM) |
| 9 | Information Security Incident Management | Security Monitoring and Incident Management (MIM) |
| 10 | Business Continuity Management | Business Continuity and Disaster Recovery Management (BDM) |
| 11 | Compliance | Governance Risk and Compliance (GRC), Security Audit and Testing (SAT), Data Security (DSC) |
This article has also appeared in the August 2013 edition of the CHMag Journal.