ISACA defines information security as something that ensures that, within the enterprise, information is protected against disclosure to unauthorised users (confidentiality), improper modification (integrity) and non-access when required (availability).

Confidentiality means preserving authorised restrictions on access and disclosure, including means for protecting privacy and proprietary information.

Integrity means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.

Availability means ensuring timely and reliable access to and use of information.
Enabler: Principles, Policies and Framework
2.1 Principles, Policies and Framework Model
2.2 Information Security Principles
2.3 Information Security Policies
2.4 Adapting Policies to the Enterprise's Environment
2.5 Policy Life Cycle
Enabler: Principles, Policies and Framework

1. Support the business:
• Focus on the business to ensure that information security is integrated into essential business activities.
• Deliver quality and value to stakeholders to ensure that information security delivers value and meets business requirements.
• Comply with relevant legal and regulatory requirements to ensure that statutory obligations are met, stakeholder expectations are managed, and civil or criminal penalties are avoided.
• Provide timely and accurate information on information security performance to support business requirements and manage information risk.
• Evaluate current and future information threats to analyse and assess emerging information security threats so that informed, timely action to mitigate risk can be taken.
• Promote continuous improvement in information security to reduce costs, improve efficiency and effectiveness, and promote a culture of continuous improvement in information security.

2. Defend the business:
• Adopt a risk-based approach to ensure that risk is treated in a consistent and effective manner.
• Protect classified information to prevent disclosure to unauthorised individuals.
• Concentrate on critical business applications to prioritise scarce information security resources by protecting the business applications in which a security incident would have the greatest business impact.
• Develop systems securely to build quality, cost-effective systems on which business people can rely.

3. Promote responsible information security behaviour:
• Act in a professional and ethical manner to ensure that information security-related activities are performed in a reliable, responsible and effective manner.
• Foster an information security-positive culture to provide a positive security influence on the behaviour of end users, reduce the likelihood of security incidents occurring, and limit their potential business impact.
Appendix A

• Information security policy
• Access control policy
• Personnel information security policy
• Physical and environmental information security policy
• Incident management policy
• Business continuity and disaster recovery policy
• Asset management policy
• Rules of behaviour (acceptable use)
• Information systems acquisition, software development and maintenance policy
• Vendor management policy
• Communications and operation management policy
• Compliance policy
• Risk management policy
Enabler: Process
3.1 The Process Model
3.2 Governance and Management Processes
3.3 Information Security Governance and Management Processes
3.4 Linking Processes to Other Enablers
Enabler: Information
6.1 Information Model
6.2 Information Types
6.3 Information Stakeholders
6.4 Information Life Cycle
Appendix E (example in figure 17):
– A = Approver
– O = Originator
– I = Destination for information purposes
– U = Destination: information consumer
Enabler: Services, Infrastructure and Applications
7.1 Services, Infrastructure and Applications Model
7.2 Information Security Services, Infrastructure and Applications
Appendix F

• Provide a security architecture.
• Provide security awareness.
• Provide secure development (development in line with security standards).
• Provide security assessments.
• Provide adequately secured and configured systems, in line with security requirements and security architecture.
• Provide user access and access rights in line with business requirements.
• Provide adequate protection against malware, external attacks and intrusion attempts.
• Provide adequate incident response.
• Provide security testing.
• Provide monitoring and alert services for security-related events.
Appendix H

The ISO/IEC series provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS. It maps to:
• Security- and risk-related processes in the EDM, APO and DSS domains
• Various security-related activities within processes in other domains
• Monitoring and evaluating activities from the MEA domain

The ISF 2011 Standard of Good Practice for Information Security is based on the ISF Information Security Model, which has four main categories: information security governance, information security requirements, control framework, and information security monitoring and improvement.

Guide for Assessing the Information Security Controls in Federal Information Systems and Organisations, NIST: the purpose of this guide is to provide direction with regard to information security controls for executive agencies of the US government.