Information Security Governance Papers

Paper Title: Consistent with Key Security Practices

Abstract: This framework includes the key practices that our analysis of information security reports uncovered. A survey of the literature shows that almost all of the reports on information security cite the following four information security requirements:
1. The need for risk assessments. Risks must be understood and acknowledged, and the security measures that are taken must be commensurate with these risks.
2. The need for a security organizational structure.
3. The need to create, communicate, implement, endorse, monitor, and enforce security policies across an organization.
4. The need to make every member of the organization aware of the importance of security and to train them in good security practices.

In addition, four other recommended practices were frequently cited:
5. The need for access controls to make certain only identified and authorized users with a legitimate need can access information and system resources.
6. The need to consider security throughout the system life cycle.
7. The need to monitor, audit, and review system activity as a routine and regular function.
8. The need for business continuity plans that are tested regularly.
Each of these is included as part of the roles and responsibilities section of our framework. The important lesson is not the list of these practices, which numerous reports have cited, but putting them in a context that defines what level of management is responsible for them.
Web Link: http://www.bsa.org/country/Research%20and%20Statistics/~/media/BD05BC8FF0F04CBD9D76460B4BED0E67.ashx
