Definition: A high-level description of a security measure to meet the business need for security. This is to be a set of mutually reinforcing security controls implemented by technical, physical, and procedural means. Such controls are typically selected to achieve a common information security-related purpose.
Note: Security capability is usually considered at a high, conceptual architectural level.