1- Leadership should provide support for security, including budget allocation.
Purpose:
Support from leadership helps motivate all to care about security
Best Practices:
Allocate and document the budget for security.
Examples:
A method to document roles and responsibilities is a responsibility assignment matrix that includes who is responsible and accountable.
2- Information Security Policy should be developed and implemented
Purpose:
A documented Information Security Policy helps focus on a set of security priorities specific to the business.
Best Practices:
Do as you say, say as you do.