
Defining Information Security (InfoSec)

- Security refers to protection against unwanted disclosure, modification, or destruction of data in a system, and also to the safeguarding of the systems themselves. Security, safety, and reliability together are elements of system trustworthiness, which inspires the confidence that a system will do what it is expected to do. - "Computers at Risk: Safe Computing in the Information Age" (National Research Council, 1991)

- Fundamental Computer Security Requirements - DoD 5200.28-STD, Trusted Computer System Evaluation Criteria (the "Orange Book"). The six requirements fall into three groups:

  POLICY
    Requirement 1 - SECURITY POLICY - There must be an explicit and well-defined security policy enforced by the system.
    Requirement 2 - MARKING - Access control labels must be associated with objects.

  ACCOUNTABILITY
    Requirement 3 - IDENTIFICATION - Individual subjects (users, programs, processes, etc.) must be identified.
    Requirement 4 - ACCOUNTABILITY - Audit information must be selectively kept and protected so that actions affecting security can be traced to the responsible party.

  ASSURANCE
    Requirement 5 - ASSURANCE - The computer system must contain hardware/software mechanisms that can be independently evaluated to provide sufficient assurance that the system enforces requirements 1 through 4 above.
    Requirement 6 - CONTINUOUS PROTECTION - The trusted mechanisms that enforce these basic requirements must be continuously protected against tampering and/or unauthorized changes.

Note: These requirements, set forth in the Orange Book, laid the foundation for structured security policies and standards in both governmental and commercial arenas. The Orange Book itself has since been retired in favour of the Common Criteria (ISO/IEC 15408), but its policy/accountability/assurance split still underlies most modern evaluation schemes.


ISO/IEC 17799 (since renumbered as ISO/IEC 27002): "What Is Information Security?"
Information security is achieved by implementing a suitable set of controls, which could be policies, practices, procedures, organizational structures, and software functions. These controls need to be established to ensure that the specific security objectives of the organization are met.
