At a time when data breaches and cybersecurity incidents have become everyday news, the world needs entities that can advance thought leadership in the field of cybersecurity. Thankfully, some bodies are working to do exactly that by strengthening the privacy and security culture across the cybersecurity landscape.
The Data Security Council of India or the DSCI is a non-profit data protection agency set up by NASSCOM® in India. The council is entrusted with making the cyberspace safe and secure and is also responsible for establishing the benchmark security standards, best practices and initiatives in privacy and cybersecurity. Moreover, the DSCI constantly engages with government agencies, industry sectors, associations and regulators in order to advocate policy, capacity building and thought leadership.
DSCI also works towards building capacity in privacy, security and cyber forensics through several certification programs and outreach activities.
Types of Frameworks in DSCI
The Data Security Council of India is further divided into two core frameworks. Each of these frameworks has its own vital role to play in establishing the best cybersecurity practices. Let’s take a brief look at the two DSCI frameworks:
1) DSCI Security Framework:
The DSCI Security Framework seeks to bring a very novel outlook to the way organizations focus on and prioritize security. It does so by concentrating equally on each and every core discipline of security. The security framework comprises 16 security disciplines which are spread across 4 layers. The security disciplines under the security framework range from data security and asset management to security audit and testing.
2) DSCI Privacy Framework:
DSCI aims to protect the personal information of users from malpractices like disclosure, misuse or modification and unauthorized use. To suit this purpose, DSCI introduced the DSCI Privacy Framework (DPF©) which follows the best privacy practices and frameworks from across the world.
The privacy framework takes into consideration the entire business ecosystem and focuses on the roles of all the involved entities whose personal data is handled in any manner and the associated liabilities too. The basic goal of these privacy best practices is to provide a detailed approach and guidance and assist in establishing a mature privacy framework.
Foundation Elements of DSCI Security Framework
DSCI Security Framework relies on three important foundation frameworks:
1) Security Principles:
The DSF© consists of a set of security principles which an organization conveniently plans to seek and adhere to in some of the most diverse ways. They basically include vigilance, information visibility, accuracy, coverage, defense discipline, more focus on strategic, operational and tactical layers along with compliance demonstration.
The core principle involved in DSCI is the approach they apply to security which involves more focus on checklists, extensive documentation and controls while enabling organizations to achieve proficiency and dynamism in a secure ecosystem which further enhances its ability to respond to cyber threats and attacks.
2) Discipline-Specific Approach:
The view of DSF© on security is focused around an approach which is discipline-specific. It also does not specify any type of control as compared to the other standards involved in security. It combines within itself a complete set of practices and disciplines which are based on learnings and thought processes applied by organizations, analysts, technology as well as authentic solution providers.
It provides options for the organization to make the right selections and implement further controls related to performing operations in an environment suitable to business needs. It further plays a massive role in identifying the maturity criteria required in each of the 16 disciplines that form a vital part of DSF©.
3) Data-Centric Methodology:
The visibility exercise is one of the significant areas on which DSCI focuses, thereby bringing a consolidated visualization of the dominant data at the central level. It further identifies and analyses an integrated outlook of the available data with all of its findings. A risk profile centered around the dominant data is created in a similar manner.
DSCI consistently identifies best practices and makes use of best approaches in order to evaluate strategic options, both in terms of technological solutions as well as processes which are available for addressing prevalent risks and making the security posture stronger.
One of the basic beliefs of DSCI is that it becomes easier to bring dynamism into the security program when data visibility gets a center stage. This happens precisely because appropriate risk management measures can be taken once the recent trends, incidents and vulnerability of data security systems are identified.
Best Practices/Disciplines in DSCI Security Framework
The DSCI Security Framework consists of 16 security disciplines aggregated over 4 layers. Each of these disciplines and practices needs to be established and implemented properly in order to let an organization achieve its information security goals. This discipline-centric approach set forth by the DSF helps organizations align their systems and processes with the established benchmarks and also matures the security approach of the organization.
The best practices and security disciplines listed in the DSCI Security Framework include:
1. Security Strategy and Policy (SSP)
2. Security Organizations (SEO)
3. Asset Management (ASM)
4. Governance Risk and Compliance (GRC)
5. Infrastructure Security (INS)
6. Application Security (APS)
7. Secure Content Management (SCM)
8. Threat and Vulnerability Management (TVM)
9. User Access and Privilege Management (UAP)
10. Business Continuity and Disaster Recovery Management (BDM)
11. Security Audit and Testing (SAT)
12. Security Monitoring and Incident Management (MIM)
13. Physical and Environmental Security (PEN)
14. Third-Party Security Management (TSM)
15. Personnel Security (PES)
16. Data Security (DSC)
The outlined security practices in each DSF discipline could be articulated under these four sections:
In this section, the security disciplines have been described and also the associated expectations and the rationale as to why these disciplines have been included in the outline.
The strategic directions including the policy statements regarding how the disciplines can be implemented have been provided in this section of the DSF. This basically helps the senior and middle management in laying out the groundwork for the proper implementation of these security disciplines.
As the name suggests, this section outlines some of the best security practices that have been tried and tested over the years across several industry verticals.
In this section, those characteristics of the security disciplines have been identified and articulated which showcase the evolution and maturity of security best practices inside any organization.
Additional Approaches Followed by Organizations
There are also some additional approaches other than the DSCI which consist of standards and best practices and promote information security. The existing approaches can be categorized into:
1) The ISO 27001 falls in the category of Information Security Management Standards
2) Technical Standards which may include Digital Signature, Encryption etc.
3) Security Management specifics like Infrastructure Security and Application Security.
4) Standards specific to Payment Transactions like the PCI-DSS etc.
5) Industry-specific standards like HIPAA for the healthcare industry.
6) Government enforced standards like FISMA.
7) Standards such as the GLBA for financial transactions which are specific to particular
8) Standards which are specific to particular business sectors like the NERC for the energy sector.
Which Organizations Use the DSCI Approach?
The DSCI Privacy Framework and the DSCI Security Framework are being followed extensively by numerous organizations across several industry verticals. These security-centric approaches are widely popular as these frameworks don't focus on any particular security control or any specific technology but are rather inclined towards strategy, decision making and established best practices which help businesses mature their security practices in the long run.
The DSCI Security Framework is Suitable for:
1) Organizations which are interested in maturing their specific security disciplines.
2) Those organizations and businesses which are looking to benchmark their security practices based on operational, tactical, and strategic perspectives.
3) Vulnerable business sectors where security has a very important role to play in the overall operations.
4) Entities which provide IT support services to critical business sectors.
5) Solution providers whose products and services are mapped to the security disciplines of the DSCI Security Framework.
6) Cybersecurity experts who are involved in the design of security solutions for the concerned organizations.
7) Auditors and evaluators who are responsible for assessing the security capabilities of the organizations.
The security framework improves the vigilance of the organizations towards the evolving security threats and enables higher-level management like the CISOs to make quick decisions based on the ongoing trends of security.
By providing sufficient insights and helping businesses stick to security compliances, the security framework also enhances the ROI for businesses when it comes to investments in security.
DSCI Security Framework Benefits
The benefits of the DSCI security framework are more profound than we can explain here. Not only does this framework offer the guiding principles to implement true and realistic security, but also provides insights on how to make the entire security ecosystem dynamic and responsive to changes. The framework also guides on aligning security to the ongoing best practices and trends and also offers ways and means for the involved entities to converge and collaborate effectively.
The DSCI security framework introduces a fresh and vibrant perspective to the way security should be managed inside organizations of any size and scale by focusing on the core security disciplines. The framework achieves its goal of making organizations take security seriously by extending its scope to all the specific and granular elements and leaving no stone unturned.
And by guiding the stakeholders on all important fronts including the operational, tactical and strategic perspectives, the DSCI security framework seems to be fulfilling all of its purposes.