A round-up of information security news.
The Information Security Forum (ISF) has announced the latest version of its Standard of Good Practice for Information Security. The updated 2005 version is freely available and allows organisations to manage the range of threats and improve information security.
The ISF says the standard deals with current issues such as secure instant messaging, web server security, patch management and virus protection besides information risk management, outsourcing, privacy and the disappearance of the network boundary. The standard is based, its writers say, on 16 years and $75m of investment in research. The standard draws on the knowledge and experiences of the ISF’s 270 global members – including half of the Fortune 100 – besides building on other standards such as ISO 17799 (based on the British Standard in information security management) and the COBIT (Control Objectives for Information and Related Technology) IT control framework.
Frank Marsh, Group Information Security Manager at British American Tobacco plc and a member of the ISF Executive, said: "Companies and organisations of all types and sizes face a daunting task to manage the breadth and depth of information risk and meet the growing demands from corporate governance initiatives. The ISF standard provides a powerful framework to implement international best practice, comply with legal and regulatory requirements such as Sarbanes-Oxley and reduce the likelihood of disruption from major incidents."
The ISF Standard of Good Practice is split into five areas: security management, critical business applications, computer installations, networks and systems development. It is available free from www.securityforum.org and provides a set of principles and objectives for information security, plus steps to implement good practice. Forum members can also use the ISF’s information security status survey. This enables organisations to measure the effectiveness of their information security against the standard.
Steve Thorne, who heads the management team at the ISF, added: "The ISF is an international organisation and by making the Standard of Good Practice available at no charge, we want to offer it as a real world, practical benchmark for information security which helps drive the adoption of best practice.”
A report published by the ISF highlights the impact that failing to manage ‘personally identifiable information’ can have on an organisation’s brand and reputation. The report presents a detailed process to help analyse privacy risks and to implement and maintain an effective privacy policy.
With most organisations handling some form of personally identifiable information and growing consumer awareness of privacy rights, the need to manage information correctly has never been greater, it is claimed. However, with such a wide range of differing privacy legislation around the world – most of it still evolving – as well as embedded requirements in other laws, it is difficult for global companies to identify and maintain compliance within the countries in which they operate, the forum claims.
The Information Security Forum was founded in 1989 and is a not-for-profit international association of over 270 organisations which fund and co-operate in the development of what the forum calls practical, business-driven solutions to information security and risk management problems. The ISF undertakes a research programme. Reports are available free to ISF members. To find out more about becoming a member of the ISF, visit the website or ring Becky Meyjes on 020 7212 5346. For more information and a list of members, visit
