The Information Security Forum (ISF), together with (ISC)² and ISACA, released last month a set of 12 principles designed to help security practitioners respond more effectively to the changing needs of organizations in today’s complex, interconnected world.
(ISC)² worked closely with both organizations to create the principles for two reasons: 1) to promote good practice guidelines to information security professionals worldwide who may be unaffiliated with any professional organization, and 2) to offer clear, practical advice to all professionals on how information security can best support business objectives agreed upon by key players in the security profession.
I think I’ll offer a couple more reasons for good measure: to help information security professionals convince management of their strategic significance in managing business risk and to continue to enhance the quality and visibility of the information security profession throughout the world.
Now everyone knows that high-minded documents such as these can be made with the best intentions but quickly forgotten. But even if only a small fraction of the information security population and its management see these, it can have a tremendous impact on organizations, not to mention people new to the profession. That is our hope, in any case.
I should also mention that these principles complement (ISC)²’s own professional Code of Ethics. The principles provide a suggested framework for the security management of an organization. Our Code of Ethics concerns professional behavior that all our members must subscribe to. If any member is found to have broken their ethical commitment, they can be expelled from the organization and lose their certification permanently.
You can download the principles and a poster here: www.isc2.org/industry-initiatives.aspx.
As always, I appreciate your thoughts.