DAF - DSCI Assessment Framework

Organizations can respond to the security challenge posed by ever-expanding threat scenarios only through preparedness. They have to implement appropriate technical and process safeguards, along with physical, legal, and personnel security measures, to secure their businesses. DSCI Security Framework - DSF© - details the best practices using an innovative approach that brings dynamism into security. It is a new risk-based approach to security that is data-centric and driven by the security principles of information visibility, coverage & accuracy; they help an organization evaluate itself through self-assessment on the maturity criteria proposed in DSF©. Strategic and implementation guidelines in DSF© can enable the choice of appropriate controls to help migrate in maturity from low to high levels.
Even though DSF© does not focus on certification, the need for certification or rating does not go away. Managements are keen to understand the security posture of their organizations; they want to know what improvements can be made, and how to evaluate them. Clearly, maturity is one indicator that would give them some direction. But it is obvious that we have to look at some form of assessment process to assess the security posture, without getting into the trap of checklists and a basket of controls to choose from, in order to satisfy an auditor. How do we not let this assessment become a mechanical process?
At DSCI we have debated this internally. We reviewed our security surveys that were based on detailed questionnaires. We analyzed the responses of companies to the rather elaborate questionnaires that we had designed for the DSCI Excellence Awards. It was interesting to observe the emerging pattern, which provided clues to a lightweight assessment. The assessment process would lend itself to self-assessment by organizations, with additional confirmation by a third party using a few more inputs. This can act as a quick guide to confirm the security posture.
Practices in each of the 16 disciplines of DSF© have been articulated in the framework document. The detailed assessment process has been developed for some of the areas that comprise the DSF©. In this we have benefitted from consultations with industry: the companies that came forward to test the framework in the pilot projects, and the consulting firms that have partnered with us. The guiding principle has been to add value to the organization through the assessment by way of reviewing the strategy, processes, and implementation, including technology solutions deployed, through a rating arrived at for each of the identified criteria. It may look a bit difficult to begin with, but I’m sure the value generated by this assessment approach will speak for itself. I want to reiterate that DSF© does not promote organization-wide certification. DSCI Assessment Framework - DAF© - is in your hands. As always, I encourage you to review it critically and give us your constructive suggestions to make it more useful to organizations.