ISF starts work on new IT security standard
The Information Security Forum (ISF) has launched a series of initiatives designed to lead toward an industry standard for managing information security requirements for enterprise third-party relationships.
The initiatives begin with workshops at the Infosecurity Europe 2010 exhibition (Earls Court, London, 27-29 April) that will address challenges faced by ISF members that work with a broad range of first-line suppliers, partners, consultants, and ICT service providers.
According to ISF senior research consultant Adrian Davis, ensuring that third parties have an established baseline for security provision is becoming an increasing concern for enterprises that have to exchange information with business partners, or allow consultants to have access to enterprise systems and data.
There is no reliable baseline measurement for ensuring that third parties' security provision meets a common level, Davis told E&T magazine; at the same time, the situation is “complicated by the changing demands made by business operations on the IT function”.
Davis adds: “The implications of IT security are shifting – it is no longer just about keeping out hackers and stopping viruses and malware. The notion of IT security is, to an extent, being re-defined as 'risk management', and that risk includes guaranteeing as far as possible that critical external partners implement standardised security procedures where they have access to a client's computer systems or handle their data.”
The new ISF standard aims to establish a baseline of security controls and skills that will eventually serve to validate third parties' information security arrangements. As part of the initiative, the ISF will be extending its membership to the enterprise supply chain.
This week's workshops will be followed by other consultative processes taking place over the summer. The ISF is considering submitting the outputs to the ISO (International Organisation for Standardisation) before the end of 2010. Davis says that a new ISO Third Party Relationship Management Standard could then be announced in time for Infosecurity Europe 2011.