Standard of Good Practice for Information Security (SOGP) - Full guide

Every information security professional works towards the common aim of protecting the organisation's operations and data from harm. The organisation's security policies and standards are the link between research, planning, and meetings on one side and a secure working environment on the other.
Because the SOGP 2020 standard places a business-centric emphasis on these issues, its guidance is of great value to organisations developing an effective framework of information security policies, standards, and procedures.
Security Workforce, Core Cloud Security Controls, Security Operations Centres, Mobile Application Management, Asset Registers, Security Assurance, Supply Chain Management, and Security Event Management are some of the Categories, Areas, and Topics that have been added or expanded in this latest version of the SOGP.
About the Information Security Forum (ISF)
The ISF was established in 1989 as a nonprofit consortium of global industry leaders committed to improving information security. Its mission is to address the business needs of its members by examining, clarifying, and resolving critical challenges in cyber security, information security, and risk management through the creation of best-practice techniques, procedures, and solutions.
When ISF Members pool the resources of their respective organisations with the results of a rigorous research and development programme, everyone benefits. Through its private framework and forum, the ISF helps its members adopt leading methods for protecting their information. By cooperating, ISF Members avoid the substantial costs of achieving the same objectives on their own. Short-term, expert assistance with implementing ISF products is available as consulting services, which can be purchased by both ISF Members and non-members.
What is the Standard of Good Practice for Information Security?
The Standard is the ISF's primary source of information security guidance. It takes a business-oriented approach to securing information and provides a practical framework for evaluating an organisation's information security arrangements. Its many aspects cover the whole range of controls needed to reduce the risks that information systems pose to businesses, which makes it a major tool for improving the effectiveness and robustness of an organisation's security policies. As part of the ISF's information risk management portfolio, the Standard draws on a wide body of resources, substantial research, and the knowledge and practical experience of ISF Members around the world. It is revised at least once every two years to:
- Accommodate the requirements of leading international bodies.
- Improve upon existing information security best practice.
- Include the latest thinking and methods in the field of cyber security.
- Maintain compatibility with other information security standards such as ISO 27002 and COBIT v4.1.
- Offer guidance on the newest "hot topics."
SOGP Goals
The Standard gives particular attention to the role that information security plays in supporting an organisation's most important operations. In many cases these operations depend on the availability of specific IT-based business applications, so security for critical business applications is a primary consideration in the Standard's design.
Critical business applications cannot function without the underlying infrastructure provided by computer installations and networks. The measures taken to secure the corporate and desktop applications that people use to process information and support business processes fall within the End User Environment. Systems Development focuses on how new applications are built, while Security Management is concerned with strategic oversight and administration.
6 Aspects Of SOGP
Security Management
To mitigate the risks that information systems pose to the business, organisational leaders must provide strategic direction, allocate sufficient resources, make effective arrangements for promoting good information security practice across the organisation, and establish a secure environment.
- SM1 High-Level Direction
Clear leadership is needed to implement an effective and consistent information security standard across the organisation. This section covers top management's direction and commitment to information security. It calls for an information security policy and staff agreements for all workers with access to the organisation's systems and information.
- SM2 Security Organization
Organisation-wide security activity is needed to protect information and systems. This section covers the organisation's security function, staff security awareness, and the expertise needed to secure systems.
- SM3 Security Requirements
Good practice requires that information and system safeguards match their business value. This field encompasses classification, ownership, information risk analysis, management, and legal and regulatory compliance.
- SM4 Secure Environment
Information security is difficult to standardise across an organisation. Creating a shared set of security disciplines and standardising system configurations can help. This section addresses enterprise-wide security arrangements.
- SM5 Malicious Attack
Businesses are frequently attacked by malicious outsiders. This area therefore covers the controls needed to prevent malware, patch applications and systems, detect intrusions, respond to significant attacks, and handle forensic investigation.
- SM6 Special Topics
Business and technology are changing rapidly, creating distinct topics with their own security considerations that must be addressed enterprise-wide. This area covers safeguards for cryptography, public key infrastructure, electronic messaging, remote working, third-party access, e-commerce, and outsourcing.
- SM7 Management Review
Management needs to know the state of the organisation's information security in order to exercise control over it. This section covers the steps needed to ensure that leaders have access to accurate information about the protection of the organisation's data and systems.
Critical Business Applications
An application's criticality is determined by evaluating how a security breach would affect the organisation's ability to conduct business. This provides a sound basis for identifying information risks and establishing the level of security needed to keep risk at a tolerable level.
- CB1 Enterprise Prerequisites for Safety
The level of protection that different business applications require, and their importance to the business, can vary substantially. This section therefore specifies how security requirements are determined.
- CB2 Application Management
The importance of different business applications, and the amount of protection they need, can vary substantially. This section covers how applications are managed to provide that protection.
- CB3 User Environment
This area covers the disciplines needed to restrict application access, configure workstations, and educate both local and remote users about their personal responsibilities.
- CB4 System Management
Applications depend on computers and networks to work. This area includes service agreements, application resilience, external connectivity, and backup of data and software.
- CB5 Local Security Management
Security controls for business applications should be aligned with business risks. This section outlines the steps for determining information criticality, security requirements, and risks. It also covers local security management and regular security audits.
- CB6 Special Topics
Emerging technologies and business practices require additional security measures for critical applications that involve third-party access, cryptographic key management, PKI, or web-enabled systems.
Computer Installations
Computer installations often support critical business applications, making their protection a top priority. A global standard of good practice for information security should be applied so that the same information security principles are used regardless of where the installation is located, how large it is, or what kind of computers it uses.
- CI1 Installation Administration
Computer installations that process information must be managed effectively. This section covers the roles and responsibilities of installation staff, user agreements, asset management, and monitoring capabilities.
- CI2 Live Environment
This section covers installation design, security event logging, host and workstation configuration, and the physical protection and resilience needed to meet service targets.
- CI3 System Operation
This section covers the disciplined operation of computer installations so that they meet service targets, including controls over computer media, backup, change management, and incident identification and resolution.
- CI4 Access Control
Access control limits who can view or use sensitive information or computer systems. This section therefore covers who may access what in a computer installation, and how that access is granted and enforced.
- CI5 Local Security
Computer installations that support critical business applications and hold sensitive information must be properly assessed to protect those assets. This section covers determining the installation's criticality, the associated risks, and the protection arrangements required.
- CI6 Service Continuity
Contingency planning and validation are essential for minimising business damage and ensuring continuity in the event of a disaster that disrupts information processing.
Networks
Information is transmitted and accessed via computer networks, which are easily disrupted and abused. Sound network design, services, and security practices are needed to secure business communications. These considerations apply equally to local and wide area networks, and to data and voice communications.
- NW1 Network Management
Computer networks are complex. They must integrate systems, adapt to change, and make use of third-party services, so their managerial and operational challenges must be handled well. This section covers network design, resilience, documentation, and management of service providers.
- NW2 Traffic Management
Computer networks carry traffic from many sources. This area covers the disciplines needed to block unwanted network traffic and unauthorised external or wireless users.
- NW3 Network Operations
Sound network management ensures continuity of service to users. This section covers managing network performance, changes, and information security events.
- NW4 Local Security Management
This section covers the methods used to determine the network's criticality, the business risks it faces, and its security requirements.
- NW5 Voice Networks
Voice networks such as telephone systems can be disrupted, misused, or used to overhear sensitive conversations, causing harm to business processes. This area covers the security of voice and VoIP networks.
Systems Development
It is safer and less expensive to build security into systems at the design stage. This requires a unified view of systems development as a whole and strict adherence to development quality standards. Information security must be taken into account throughout the entire process.
- SD1 Development Management
A dependable systems development process is needed to supply the organisation with trustworthy systems. This area covers organisational structure, development methods, quality control, and a secure development environment.
- SD2 Local Defence Planning
This area includes procedures to assess the risk exposure of the systems development process on a regular basis, make sure the development team understands its responsibilities, and coordinate the protection of critical local information.
- SD3 Corporate Prerequisites
This section sets out the business requirements and the risk analyses needed to ensure that systems serve their intended functions and supply the necessary information.
- SD4 Design and Build
This area covers arrangements for addressing information security during design, acquisition, and system build, and for identifying the controls required for applications, general systems, and the web.
- SD5 Testing
This section covers arrangements for effective testing, so that systems and security controls work as intended and malfunctions are minimised without disrupting other activities.
- SD6 Implementation
This section covers system promotion criteria, installation of new systems in the live environment, and post-implementation reviews to ensure sound practices are followed during system promotion.
End User Environment
Protecting sensitive information processed or stored on end user devices such as personal computers, handheld devices, and portable storage requires local security management, access control, protection of desktop applications and devices, protection of confidential communications, and contingency plans for continued operation.
- UE1 Local administration
Protecting sensitive information on end user devices requires local arrangements that manage risk exposure, access control, and protection of applications and devices.
- UE2 Corporate business applications
This area covers the disciplines needed to restrict unauthorised access to corporate applications and to prevent adverse business impact from changes in the end user environment.
- UE3 Desktop applications
Securing desktop applications in end user environments requires general information security practices and desktop-specific technical controls, including an application inventory and controls over development and protection.
- UE4 Computing devices
Protecting computing devices and information in end user environments requires physical and logical controls. The disciplines in this area cover configuration, maintenance, and protection of workstations, handheld devices, and portable devices.
- UE5 Electronic communications
Physical and logical controls are needed to protect devices and information in end user environments. This area covers the practices for configuring, maintaining, and securing workstations, handheld devices, and portable storage.
- UE6 Environment management
Protecting the end user environment requires security arrangements that reflect enterprise-wide standards. This area covers protection of personal information, incident management, backup, physical security, and business continuity.
Benefits Of Using the Standard
The Standard can benefit organisations in the following ways:
- Improving policies, standards, procedures, and practices.
- Assessing how effective information security controls are across the whole organisation.
- Raising everyone's awareness of information security across the organisation.
- Creating new information security controls or upgrading existing ones.
- Operating in accordance with obligations regarding the protection of information.
- Investigating the risks posed by critical applications and systems.