

Saturday, July 28, 2007

Information Security Forum

From Wikipedia, the free encyclopedia

Information Security Forum (ISF) is an international, independent, not-for-profit organization dedicated to benchmarking and best practices in information security. It was established in 1989 as the European Security Forum but expanded its mission and membership in the 1990s, so that it now includes hundreds of members, including a large number of Fortune 500 companies, from North America, Asia, and other locations around the world. Groups of members are organized as chapters throughout Europe, Africa, Asia, the Middle East, and North America. The ISF is headquartered in London, England, but also has staff based in New York City.

The membership of the ISF is international and includes large organizations in transportation, financial services, chemical/pharmaceutical, manufacturing, government, retail, media, telecommunications, energy, professional services, and other sectors.

In addition to the benchmarking program, the ISF runs regional chapter meetings, topical workshops, a large annual conference (called the "World Congress"), and develops and publishes research reports and tools addressing a wide variety of subjects. Its research agenda is driven entirely by its member organizations, who govern all ISF activities.

Primary deliverables

The ISF delivers a range of content, activities, and tools, which are summarized below.

The ISF is a paid membership organization, although the Standard of Good Practice is available for free. From time to time, the ISF makes other research documents available for free. In the past, the ISF has given away a comprehensive checklist on Windows server security and a report entitled The Disappearance of the Network Boundary. Other products and services are included in the membership fee.

The Standard of Good Practice

Main article: Standard of Good Practice

Every two years, the ISF revises and publishes the Standard of Good Practice, a detailed documentation of best practices in information security, based on research and a comprehensive benchmarking program that has captured security behavior and detailed incident data for many years.

Research projects

Based on member input, the ISF selects a number of topics for research in a given year. The research includes interviewing member and non-member organizations and thought leaders, academic researchers, and other key individuals, as well as examining the range of approaches to the issue. The resulting reports typically go into depth describing the issue generally, outlining the key information security issues to be considered, and proposing a process to address the issue, based on best practices.

Methodologies and tools

For broad, fundamental areas, such as information risk assessment or return-on-investment calculations, the ISF will develop comprehensive methodologies that formalize the approaches to these issues. Supporting the methodology, the ISF supplies Web-based and spreadsheet-based tools to automate these functions.

Benchmarking program

The ISF conducts a biannual benchmarking exercise, formerly called the "Information Security Status Survey," that comprehensively examines the information-security practices of participants in all the areas addressed by the Standard of Good Practice (although participants need not adhere to the Standard in order to participate in the benchmarking). The results include detailed information on how responses compare (anonymously) to other participants. The results system allows for detailed analysis, factoring in market sector, subject scope, organizational measures (such as number of employees or revenue), and other elements.


Regional chapter meetings and other activities provide for face-to-face networking among peers in differing organizations. The ISF encourages direct member-to-member contact to address individual member questions and to strengthen relationships. Chapter meetings and other activities are conducted around the world and address local issues and language/cultural dimensions.

World Congress

The ISF's annual global conference is called the "Annual World Congress", and it takes place in a different city each year. In 2007 the conference was held in Washington, DC. The conference, which typically lasts 2 1/2 days, includes plenary sessions by leaders in information security, personal development, practical workshops conducted by member organizations, and a substantial evening social program. The program focuses on information-security practitioners; the participation of vendors is limited to an exhibition area and a few invited speakers.

Web portal (MX)

The ISF's extranet portal, "Member Exchange" (also MX or MX²), allows members to directly access all ISF materials, including member presentations, and also includes messaging forums, contact information, webcasts, and other data for member use.
