From trusted information security controls to a trusted information security environment

Abstract

To protect the information systems of an organisation an appropriate set of security controls needs to be installed and managed properly. Through a risk analysis exercise, the most effective set of controls is recommended. This analysis or identification process can be subjective and many assumptions are made about the environment. A possible solution may be the definition of suitable protection profiles that will include the best suitable security controls for specific information technology environments. This paper will provide some guidelines in the formation of a fully defined security control. Sets of these controls can be used in the determination of an information security profile that will encompass all aspects of security such that no assumptions need to be made, thereby leading towards a totally secure organization.