DSCI Security Framework for ISO 27001 Implementers

August 28, 2013

DSCI (Data Security Council of India), a NASSCOM® body, has been set up as an independent self-regulatory organization to promote data protection, develop security and privacy best practices and standards, and encourage Indian industry to implement them.

DSCI has developed best practices for data protection in the form of two frameworks:-

  1. The Privacy Framework;
  2. The Security Framework.

We will discuss the DSCI Security Framework (DSF from here onwards) for now (the Privacy Framework will be discussed in subsequent articles) and its relevance for ISO 27001 implementers.

The DSF has been developed as 16 disciplines, each divided into 4 layers, that need to be implemented / established in order to help organizations implement information security. The discipline-centric approach helps align an organization’s thought process to the market and supports a maturity-based approach for both implementation and assessments.

The 16 disciplines are as follows:-

  1. Security Strategy and Policy (SSP)
  2. Security Organizations (SEO)
  3. Asset Management (ASM)
  4. Governance Risk and Compliance (GRC)
  5. Infrastructure Security (INS)
  6. Application Security (APS)
  7. Secure Content Management (SCM)
  8. Threat and Vulnerability Management (TVM)
  9. User Access and Privilege Management (UAP)
  10. Business Continuity and Disaster Recovery Management (BDM)
  11. Security Audit and Testing (SAT)
  12. Security Monitoring and Incident Management (MIM)
  13. Physical and Environmental Security (PEN)
  14. Third Party Security Management (TSM)
  15. Personnel Security (PES)
  16. Data Security (DSC)

The four layers into which each discipline has been divided are:-

  1. Approach
    Describes the discipline and sets out the expectations and the rationale behind its inclusion;
  2. Strategy
    Policy statements pertaining to implementation of the discipline are provided in this section to help management (senior / middle) set appropriate direction towards successful implementation of the discipline;
  3. Best Practices
    This section details some of the best practices that have been observed over a period of time across industries pertaining to this discipline;
  4. Maturity
    This section identifies and articulates characteristics of the discipline that showcase its evolution within an organization.

Benefits of DSCI Privacy and Security Frameworks:-

  1. The discipline-based approach helps align an organization to market realities;
  2. The layered approach helps in implementation and in client assurance. In light of recent regulations, security and privacy programmes have been implemented in many organizations across the country, both as due diligence and to provide appropriate assurance to clients regarding the security and privacy of their data.

Improvements Wishlist:-

  1. A maturity model would be a welcome move (e.g., similar to ISM3 and SSE-CMM);
  2. Awareness across the ecosystem needs to be strengthened (expect more traction in the coming days, as the framework is new).

DSF and ISO 27001

For ISMS implementers, the framework provides important guidance towards implementation; in other words, the DSF can be used to implement an ISO 27001:2005 compliant ISMS. A partial mapping table of DSF disciplines vis-à-vis ISO 27001 has been presented below (NB – this is not an exhaustive list and is provided only as an illustration):-

Image Credits

  1. DSF (DSCI Security Framework) Book Image - http://images.nasscom.org/sites/default/files/imagecache/product_full/researchreports/images/DSF.jpg
  2. http://www.dsci.in/sites/default/files/Security_homepage_0.jpg

Information Sources

  1. http://www.dsci.in
  2. http://www.ism3.com
  3. http://csrc.nist.gov/groups/SMA/fasp/documents/incident_response/SSAIRBSP/SSECMMv2Final.pdf

Disclaimer

The opinions and viewpoints expressed here are personal.

Sripati is an information security process consultant and software developer with an overall experience of 8+ years, doing ISO 27001 and HIPAA compliant ISMS implementation, risk assessment and management. He is a self-driven professional who continuously keeps himself abreast of the latest happenings and regulations by being part of and participating in various information security forums. Check out his site (www.sripati.info) to know more.