
A contribution for information security: a multiple case study with Brazilian organizations

ABSTRACT

The information security policy appears among the critical success factors for information protection, and it should contain adequate controls. The academic literature on this subject is rather sparse, and managers face difficulties in selecting controls for an organization's policy. The main purpose of this study is to understand the controls that appear in organizations' information security policies in order to identify recurring controls that support the information owner's decision making about the definition of the common controls that should be included in the policy. The methodology uses a qualitative approach with a descriptive objective, by means of bibliographic research, multiple case studies and primary document analysis with content analysis and cross-referenced cases. The data collection was done with a non-probabilistic sample of ten distinct Brazilian organizations that had mature information security policies. The results show recurring mention of 40 controls, which in turn were associated with the main literature reference for the area and grouped in four frequency extracts: 12 controls were present in 100% of the policies, 15 were present in 90% and 40 were present in 70% of the evaluated policies.

Keywords:
Security policies; Information security; Information protection

Escola de Ciência da Informação da UFMG, Antonio Carlos, 6627 - Pampulha, 31270-901 - Belo Horizonte - MG - Brazil, Tel: (031) 3499-5227, Fax: (031) 3499-5200
E-mail: pci@eci.ufmg.br