Standard of Good Practice for Information Security (SOGP) - Full guide

About the Information Security Forum (ISF)?

It was established in 1989 as a nonprofit consortium of global industry leaders committed to improving information security. The group's mission is to address the company needs of its members by examining, clarifying, and resolving critical challenges in cyber, infosec, and risk management through the creation of best practice techniques, procedures, and solutions.

When members of the ISF pool the vast resources of their respective organizations and the results of a rigorous research and development effort, everyone wins. Via its private framework and forum, the ISF helps its members implement cutting-edge methods for protecting their data. By cooperating, ISF SOGP Members are able to avoid incurring the substantial costs necessary to achieve the same objectives on their own. Short-term, expert assistance with implementing ISF products is provided in the form of consulting services, which can be purchased by both ISF Members and Non-Members.

‍

What is the Standard of Good Practice for Information Security?

It is the primary source of data privacy supervision. It takes a business-oriented approach to securing information and provides a useful framework for evaluating a firm's data encryption. The Standard's many aspects encompass the whole gamut of precautions that must be taken to reduce the dangers that data systems pose to businesses. Thus, it is a major tool for enhancing the effectiveness and robustness of a company's security regulations. Being a component of the ISF's information risk management portfolio of products, the Standard is grounded on a plethora of resources, substantial research, and the extensive knowledge and practical experience of ISF Members from all over the world. It is revised at least once every two years to:

• Accommodate the requirements of preeminent international bodies.
• Improve upon existing information privacy best practices.
• Include the latest theories and methods in the field of cybersecurity.
• Maintain compatibility with other standards for information security like ISO 27002 and COBIT v4.1.
• Offer information regarding the newest "hot issues."

‍

SOGP Goals

The Standard gives special attention to the role that infosec plays in facilitating a company's most important operations. In many cases, the effectiveness of these operations hinges on the availability of specific IT-based business applications. Security for Important Business Applications is therefore a primary consideration in the development of the Standard.

It is essential to remember that vital business applications cannot function without the underlying infrastructure provided by computer installations and networks. The measures made to secure corporate and desktop apps that people use to process info and facilitate business procedures fall within the purview of the End User Environment. The process of developing new applications is the focus of systems development, while security management is concerned with strategic oversight and administration.

‍

6 Aspects Of SOGP

‍

Security Management

Organizational leaders must provide strategic guidance, allocate sufficient resources, make efficient arrangements for promoting good infosec practice across the organization, and set up a secure setting in order to successfully mitigate the hazards to the company posed by data systems.

• SM1 High-Level Direction 

Clear leadership is needed to implement an effective and uniform information security standard across the organization. This section discusses top management's data security direction and commitment. It mandates an infosec policy and staff agreements for all workers with access to the company's systems and files.

• SM2 Security Organization  

Organization-wide network security activity is needed to shield data and systems. This section covers the organization's cybersecurity, employee security awareness, and system security expertise.

• SM3 Security Requirements 

Good practice requires that information and system safeguards match their business value. This field encompasses classification, ownership, information risk analysis, management, and legal and regulatory compliance.

• SM4 Secure Environment 

Infosec is difficult to standardize throughout an association. Creating a shared framework of disciplines and standardizing organizational configurations can help. This section addresses enterprise-wide security arrangements.

• SM5 Malicious Attack 

Malicious outsiders frequently launch attacks against businesses. Hence, this domain covers security measures needed to prevent malware, patch applications and systems, identify intrusions, respond to significant attacks, and handle forensic analysis.

• SM6 Special Topics 

Business and technology are changing rapidly, making distinct themes with unique safety contemplations that must be addressed enterprise-wide. This field involves cryptography, public key infrastructure, electronic messaging, remote working, third-party access, e-commerce, and outsourcing safeguards.

• SM7 Management Review

The condition of the company's infosec should be known by the management in order to exert control over it. In this section, we will discuss the steps that must be taken to ensure that corporation leaders have access to accurate facts regarding the protection of company data and systems.

Critical Business Applications

To determine an app's importance, it is necessary to evaluate how a breach in security will affect a company's capacity to conduct business. A solid foundation has been laid for identifying data risks and establishing the appropriate level of safeness to maintain tolerable levels of endangerment.

• CB1 Enterprise Prerequisites for Safety

Both the level of defense that distinct company applications require and the degree to which they are useful might vary substantially. Thus, the protection requirements are specified here.

• CB2 Application Management 

The degree of importance that various kinds of industry applications have, as well as the quantity of protection they require, might vary substantially.

• CB3 User Environment 

Disciplines to limit application access, set up workstations, and educate users on personal responsibility for both local and remote users are covered in this area.

• CB4 System Management 

Applications need computers and networks to work. This includes service agreements, application resilience, external connectivity, and data and software backup.

• CB5 Local Security Management 

Secure business application controls should align with business doubts. This section outlines steps to determine data precedence, safety needs, and risks. It also covers local and frequent security audits.

• CB6 Special Topics 

Emerging technologies and business practices require enhanced security measures for key applications that involve third-party access, cryptographic key management, PKI, or web-enabled systems.

Computer Installations

Computer installations often support vital business applications, making their protection a top priority. A global standard of good practise for information security should be applied so that the same information security principles are employed regardless of where the system is located, how large it is, or what kind of computers are being used.

• CI1 Installation Administration

Manage information-processing computers effectively through the roles and commitments of installation workers, user agreements, asset administration, and monitoring capabilities

• CI2 Live Environment 

This section covers installation design, security event logging, host and workstation setup, as well as physical protection and durability for meeting service targets.

• CI3 System Operation 

Disciplined computer installations meeting service targets are covered in this section, including system operation controls such as computer media, backup, change management, and incident identification and resolution.

• CI4 Access Control 

Access control is a technique used to limit who can view or use sensitive data or computer systems. Thus, this is about limiting who may access what in a computer system and how.

• CI5 Local Security 

To protect valuable assets, software installations that support critical business apps and maintain susceptible material must be properly evaluated. This chapter covers identifying the installation's importance, associated risks, and necessary protection arrangements

• CI6 Service Continuity 

Contingency planning and validation are essential for minimizing company damage and ensuring business continuity in the event of a disaster that disrupts data transmission.

Networks

Information is transmitted and accessed via computer networks. They are easily disrupted and abused. Network design, services, and security practices must be followed to secure business communications. These considerations apply equally to local and wide area networks, data, and voice communications.

• NW1 Network Management 

Complex computer networks. They must integrate systems, adapt to change, and use third-party services. Managerial and operational difficulties must be managed well. This includes network design, resiliency, documentation, and service provider management.

• NW2 Traffic Management 

Computer networks can handle traffic from various sources. This category covers the disciplines needed to block unwanted network traffic and unauthorized external or wireless users.

• NW3 Network Operations 

Sound computer network management ensures user service continuity. This section manages network performance, changes, and information security events. 

• NW4 Local Security Management 

This section discusses the methods used to determine the network's importance, business hazards, and security needs.

• NW5 Voice Networks 

Voice networks like telephone systems can disrupt business processes. Voice networks can be misused or sensitive conversations overheard, causing harm. This area covers voice and VoIP security.

Systems Development 

It is safer and less luxurious to incorporate security into systems at the design stage. It calls for a unified perspective on systems development as a whole, as well as strict adherence to development quality standards. It's important to bring infosec into account throughout the entire process.

• SD1 Development Management 

In order to supply the organisation with trustworthy systems, a dependable systems development process is required. Organizational structure, methods, quality control, and a risk-free outcome setting all fall under this category.

• SD2 Local Defence Planning

This domain includes procedures to audit the the state of being of being exposed of the system creation process on a regular basis, make sure the implementation team knows their roles, and coordinate the local critical material.

• SD3 Corporatio Prerequisites 

In order to guarantee that procedures serve their intended functions and supply the necessary details, this section lays out the necessary enterprise and performs risk analyses.

• SD4 Design and Build 

This area encompasses arrangements for addressing information security during design, acquisition, and system build and identifying required controls for applications, general systems, and the web.

• SD5 Testing 

This segment covers arrangements for efficacious testing to ensure systems and security controls work as intended and minimize malfunctions without disrupting other activities.

• SD6 Implementation

This section covers system promotion criteria, installation of new systems in the live environment, and post-implementation reviews to ensure sound practices are followed during system promotion.

End User Environment

Protecting sensitive data processed or stored in end user devices like personal computers, handheld gadgets, and portable storage requires local security management, access control, desktop app protection, device and protections for confidential interactions and contingency plans for operating continuously.

• UE1 Local administration

Protecting sensitive data on end user devices needs networks that look after danger of being exposed, access control, app and gadget protection.

• UE2 Corporate business applications 

This area covers disciplines required to restrict unauthorized access to corporate applications and prevent adverse business impacts caused by changes in the end user environment.

• UE3 Desktop applications 

Secure desktop applications in end-user environments need general information security practices and desktop-specific technical controls, including app inventory, development, and protection.

• UE4 Computing devices 

Protecting computing devices and information in end-user environments requires physical and logical controls. Disciplines in this area cover configuration, maintenance, and protection of workstations, handheld and portable devices.

• UE5 Electronic communications 

To shield devices and data in end-user environments, corporal and rational controls are needed. This area covers the practices for configuring, maintaining, and securing workstations, handheld devices, and portable storage.

• UE6 Environment management

Protecting the end user environment requires security arrangements that reflect enterprise-wide standards. This area covers protection of personal facts, incident supervision, backup, physical security, and business continuity.

‍

Benefits Of Using the Standard

The Standard can be beneficial to corporations in the ways mentioned below:

• Enhancing policies and protocols, procedures, and practises.
• Analyzing how successful info preventive controls are across the entire company.
• Increasing everyone's understanding of data integrity across the company.
• Creating new data privacy protections or upgrading existing ones.
• operating in accordance with obligations regarding the protection of data
• An investigation into the potential risks posed by essential applications and systems.