Information security forms the core of an organization's information internal
control system.
[GASSP95]
Complexity: This principle originated in the financial arena but has
universal applicability. As an internal control system, information security
organizations and safeguards should meet the standards applied to other
internal control systems. "The internal control standards define the minimum
level of quality acceptable for internal control systems in operation and
constitute the criteria against which systems are to be evaluated. These
internal control standards apply to all operations and administrative
functions but are not intended to limit or interfere with duly granted
authority related to development of legislation, rule-making, or other
discretionary policymaking in an organization or agency."
fc@red.a.net