Considering the Enterprise’s Information Security Context, Desirable Behavior

Every enterprise needs to define and implement its own information security enablers depending on factors in the enterprise’s specific internal and external environment, such as:

  • Ethics and culture relating to information security
  • Applicable laws, regulations and policies
  • Applicable contractual regulations
  • Existing policies and practices
  • Maturity level of the current information security enablers
  • Information security capabilities and available resources
  • Industry practices
  • Existing and mandatory standards and frameworks regarding information security

The enterprise’s information security requirements need to be defined based on:

  • Business plan and strategic intentions
  • Management style
  • Information risk profile
  • Risk appetite

A number of desirable behaviors have been identified that positively influence the culture towards information security and its actual implementation in day-to-day life. These include:

  • Information security is practiced in daily operations.
  • People respect the importance of information security policies and principles.
  • People are provided with sufficient and detailed information security guidance, and are encouraged to participate in and challenge the current information security situation.
  • Everyone is accountable for the protection of information within the enterprise.
  • Stakeholders are aware of how to identify and respond to threats to the enterprise.
  • Management proactively supports and anticipates new information security innovations and communicates this to the enterprise. The enterprise is receptive to accounting for and dealing with new information security challenges.
  • Business management engages in continuous cross-functional collaboration to allow for efficient and effective information security programmes.
  • Executive management recognizes the business value of information security.

ISACA, COBIT for Information Security
