The new document represents a collaborative effort by Information Security Forum (ISF), members of which include mainly large organisations, the training and standards organisation (ISC)2 and ISACA, which represents both auditors and security professionals.
The principles are intended not only to remind security professionals of what their jobs entail, but also to provide end users and senior management with a clear idea of how information security can contribute to the well-being of an organisation.
"There are other standards and frameworks around like [the ISF's Standard of Good Practice], COBIT and ISO27002, which are all aimed at organisations," Jason Creasey, Global Alliances Leader at ISF, said in a statement, "but we were clear that we wanted these principles to be unique, practical and more like a code of conduct for individuals to adopt."
The three bodies have spent more than a year formulating the principles and distilling them to 12 key messages that are organised under three main headings: support the business, defend the business, and promote responsible security behaviour.
The list of IT security principles is free to download from all three organisations' websites, either as a two-page summary document or as an A3-size poster that contains more detail about how the principles should be implemented. "The principles are non-proprietary, and are intended for any organisation to use. [Organisations] can print off thousands of copies if they like, and put up the posters around the place," said Martin Tully, a research assistant for the ISF who worked on the principles.
He said the principles have a dual purpose: "They act as a guide for the security practitioner, but they are also written so that other managers and board members can see how security practitioners operate, and understand better how [the security team] can support the business rather than just saying 'no' to everyone."
John Colley, European managing director for (ISC)2, echoed that view, describing the document as "a common framework for truly risk-based security management that security practitioners and their stakeholders would all be able to identify with."
The principles emphasise the value of a risk-based approach to security, not only because such an approach helps to channel investment to where it will be most effective, but also because risk is something that can be understood by other managers in the organisation.
Manuel Aceves, a member of ISACA's Professional Standards Committee, said the new documents would complement ISACA's own Business Model for Information Security, which also aims to provide a common platform for information security and business management to work together in improving security.