What is the Standard of Good Practice for Information Security?

Image

The ISF (Information Security Forum) Standard of Good Practice (SoGP) is a comprehensive set of best practices designed to help organizations effectively manage their information security risks. Covering various topics, including governance, risk management, compliance, incident management, and technical security controls, it helps establish and maintain a robust information security program tailored to an organization's specific needs and risks.

Aims of the Standard of Good Practice for Information Security

The SoGP aims to: 

• Deliver resilience— Empowers organizations to respond rapidly to threats by providing a ready-made framework of security controls. These controls are designed to mitigate known and unknown threats and challenges to help businesses prepare for, respond to, and recover from significant security incidents. 
• Assess information risk – The SoGP's security controls deliver comprehensive, consistent protection tailored to each organization's risk appetite. 
• Manage supply chains – Allows organizations to incorporate supply chains into a risk-based approach to information security, offering an easy-to-implement solution for external supplier security. 
• Ensure compliance – The SoGP is aligned with many external standards and frameworks, including ISO/IEC 27002, NIST Cybersecurity Framework, and CSA Cloud Control Matrix, meaning organizations can work towards all their compliance requirements in a single, unified approach. 
• Harmonize policies – Reduces the necessary time and effort to produce information security policies and procedures by providing structure and content that companies can adopt directly as the foundation of their ISMS, per ISO.IEC 27001. 
• Raise awareness – Provides resources to help increase information security's profile across the business, eradicating the need to develop security awareness, education, or training content from scratch. 

Implementing the Standard of Good Practice for Information Security

The SoGP is a vast document, spanning well over three hundred pages. We won't be able to cover everything in detail here. However, we can briefly highlight what you must do to comply with the Standard of Good Practice for Information Security and protect your enterprise environment from security threats.

Enterprise-Wide Security Management

Under the SoGP, company leaders must promote good information security practices and set up controls to mitigate business risks posed by data systems.

• SM1 High-Level Direction - Upper management must have a clear data security direction and commitment, implementing an information security policy and agreements for all staff with access to the company's systems and files. 
• SM2 Security Organization - Organizations must implement organization-wide security efforts, including cybersecurity, security awareness, and system security expertise.
• SM3 Security Requirements - Businesses must ensure that information and system safeguards align with business value by classifying data, determining ownership, running risk assessments, and more.
• SM4 Secure Environment - By creating a shared framework of disciplines and standardizing organizational configurations, businesses can standardize information security practices and address enterprise-wide security arrangements.
• SM5 Malicious Attack - Organizations must implement security measures to prevent malware, patch applications and systems, identify intrusions, respond to attacks, and handle forensic analysis. 
• SM6 Special Topics - IT decision-makers must keep up with emerging trends in cryptography, public key infrastructure, electronic messaging, remote working, third-party access, and e-commerce. 
• SM7 Management Review – Business managers must understand and control information security practices. 

Critical Business Applications

Organizations determine an application's importance by evaluating how a security breach would affect business continuity. The SoGP lays a foundation for identifying data risks and establishing the appropriate measures to maintain tolerable risk levels. 

• CB1 Enterprise Prerequisites for Safety – Organizations must understand and implement protection requirements for distinct applications. 
• CB2 Application Management – Businesses must understand the importance of their applications depending on their industry and protect them accordingly. 
• CB3 User Environment - Companies must limit application access, set up workstations, and educate users on personal responsibility.
• CB4 System Management - To ensure application safety, organizations need to protect the computers and networks they run on by addressing service agreements, application resilience, external connectivity, and data and software backup. 
• CB5 Local Security Management - Organizations must ensure application controls align with business risks, determine data precedents and safety needs, and conduct local and frequent security audits.
• CB6 Special Topics - Companies must implement enhanced security measures for critical applications that involve third-party access, cryptographic key management, PKI, or web-enabled systems.

Computer Installations

Businesses must apply the Standard of Good Practice for Information to protect computer installations and employ the same information security principles wherever the system is located, however large it is, or whatever kind of computers are being used.

• CI1 Installation Administration – Organizations must manage information-processing computers by clearly establishing the roles and commitments of installation workers, user agreements, asset administration, and monitoring capabilities. 
• CI2 Live Environment—Businesses must ensure effective installation design, security event logging, host and workstation setup, and physical protection and durability to meet service targets. 
• CI3 System Operation - Companies must implement system operation controls such as computer media, backup, change management, and incident identification and resolution. 
• CI4 Access Control - Organizations must implement access controls to limit who can use or view sensitive data in computer systems. 
• CI5 Local Security - Businesses must evaluate software installations that support critical business apps and maintain susceptible material to protect valuable assets. 
• CI6 Service Continuity - Organizations must carry out contingency planning and validation to minimize damage and ensure business continuity in the event of a disaster that disrupts data transmission. 

Networks

Organizations must follow network design, services, and security best practices to secure business communications. These considerations apply equally to local and wide area networks, data, and voice communications.

• NW1 Network Management - Organizations must ensure complex computer networks can integrate systems, adapt to change, and use third-party services. They must also effectively manage operational and managerial difficulties such as network design, resiliency, documentation, and service provider management. 
• NW2 Traffic Management - Businesses must implement controls to block unwanted network traffic and unauthorized external or wireless users. 
• NW3 Network Operations - Companies must manage network performance, changes, and information security events. 
• NW4 Local Security Management - Organizations must determine network importance, business hazards, and security needs. 
• NW5 Voice Networks - Businesses must secure voice networks like telephone systems. 

Systems Development

Organizations should incorporate security into systems at the design stage, implement a holistic approach to systems development, and adhere to development quality standards. 

• SD1 Development Management - Businesses must implement a dependable systems development process that considers organizational structure, methods, quality control, and a risk-free outcome. 
• SD2 Local Defence Planning - Companies must coordinate information security locally, ensure systems development staff understand their personal security responsibilities, and regularly audit/review systems development activities. 
• SD3 Business Requirements - Organizations must specify business requirements, determine security requirements, and conduct information risk analysis.
• SD4 Design and Build - Businesses must address information security during design, acquisition, and system build and identify the necessary controls for general systems, applications, and the web.
• SD5 Testing - Companies must test systems and security controls to ensure they work as intended and minimize malfunctions without disrupting other activities.
• SD6 Implementation - Organizations must establish sound system promotion criteria, safely install new systems in the live environment, and run post-implementation reviews to ensure proper system promotion. This section covers system promotion criteria, installation of new systems in the live environment, and post-implementation reviews to ensure sound practices are followed during system promotion.

End User Environment

Organizations must protect sensitive data processed or stored in end-user devices like personal computers, handheld gadgets, and portable storage by implementing local security management, access control, desktop app protection, device protections for confidential interactions, and business continuity plans. 

• UE1 Local Security Management – Businesses must determine security roles and responsibilities, improve security awareness, and provide training to staff.
• UE2 Corporate Business Applications - Companies must restrict unauthorized access to corporate applications and prevent adverse business impacts caused by changes in the end-user environment.
• UE3 Desktop Applications - Organizations must protect desktop applications in end-user environments by implementing general information security practices and desktop-specific technical controls, including app inventory, development, and protection.
• UE4 Computing Devices - Businesses must protect computing devices and information in end-user environments with physical and logical controls. 
• UE5 Electronic Communications - Companies must shield devices and data in end-user environments by effectively configuring, maintaining, and securing workstations, handheld devices, and portable storage.
• UE6 Environment Management - Organizations must implement end-user security controls that reflect enterprise-wide standards to protect personally identifiable information, manage information security incidents, back up important information and security, and ensure business continuity. 

Although you now have a basic understanding of the Standard of Good Practice for Information Security and could likely make a start on implementing it, it’s important to consult the full document.

The above is merely a brief overview of the best practices you should adhere to protect your enterprise environment, whereas the full Standard provides in-depth guidance on how to build a comprehensive information security program.

How Tripwire Can Help

Tripwire’s File Integrity Monitoring (FIM) solution can help implement the SoGP in your business. FIM monitors and detects file changes that could be indicative of a cyberattack. Otherwise known as change monitoring, FIM specifically involves examining files in systems and network devices to see if and when they change, how they change, who changed them, and what can be done to restore those files if those modifications are unauthorized. FIM is valuable for detecting malware as well as achieving compliance with best practices like SoGP.

Specifically, Tripwire’s FIM helps you meet the following standards:

• CI3 System Operation - Companies must implement system operation controls such as computer media, backup, change management, and incident identification and resolution. 
• NW3 Network Operations - Companies must manage network performance, changes, and information security events. 

Similarly, Tripwire’s Security Configuration Management (SCM) solution includes NIST technical controls 800-53, 800-82, 800-171, and 800-172 as well as ISO 27001 and newer standards to assess your environment and ensure you comply with the SoPG. Tripwre SCM also ensures compliance with the CSA Cloud Control Matrix and SoPG by:

• Ensuring security event logging, host and workstation setup is secure and reliable (CI2 Live Environment)
• Ensuring access controls are configured to best practice (CI4 Access Control)
• Ensure controls to block unwanted network traffic and unauthorized external or wireless users are maintained (NW2 Traffic Management)

To find out more about how Tripwire’s FIM and SCM solution can help you comply with the SoPG, request a live demo here.