A formalized approach to the effective selection and evaluation of information security controls

Cited by: 21
Authors
Barnard, L [1 ]
von Solms, R [1 ]
Affiliation
[1] Port Elizabeth Technikon, Dept Informat Technol, ZA-6000 Port Elizabeth, South Africa
Keywords
Security controls;
DOI
10.1016/S0167-4048(00)87829-3
Chinese Library Classification
TP [Automation technology, computer technology]
Discipline code
0812
Abstract
Electronic commerce holds many advantages for the commercial world, but before it can really take off, the associated information security problems need to be addressed satisfactorily. The identification, implementation and management of the most effective set of controls to provide an adequate level of security is the first step towards this goal. The second step is the possible evaluation and certification of the installed controls in an IT environment. The selection of the security controls should be driven by the business needs and the associated security requirement. This security requirement should be clearly defined in the information security policy, and the security policy should dictate the set of controls that will provide the required protection. If this set of controls can be evaluated and certified as meeting the business needs of the organization, the trust that is required for electronic commerce can be provided. This paper provides a formalized approach towards identifying a set of controls that meets the business needs and also suggests a model whereby this set can be evaluated and certified.
Pages: 185 / 194
Page count: 10