I. INFORMATION AS A CORPORATE RESOURCE
A. Security as Part of The Total Organization
Information security is not simply software or
hardware security, and it does not stand apart from the total organization. An
organization’s policies, plans and procedures may affect security needs, and
security practices may affect those policies, plans or procedures. The important
point is that a secure system is integral to the total organization.
B. Understanding The Organization
If a secure system is part of the total
organization, then one must understand the organization, its goals, objectives,
policies and procedures. If the objectives of an organization are unclear, then
implementing new technology will not help. If procedures are not secure, then
new technology will not make them secure. Understanding the organization is the
first step in planning for a secure system.
C. Identifying Sensitive Data
After establishing a clear understanding of the
organization’s function and how it is to complete its objectives, the first
step in planning for and developing a secure system is to identify sensitive
data. Recognize that there are specific levels of security and that each may not be equally
valuable. Identifying sensitive data and determining their value before the fact
is a most difficult task for any organization. Unfortunately for most Management
Information Systems (MIS) directors, management will more easily recognize the
true value of data after the data have been disclosed to unauthorized
individuals and are compromised.
D. Controlled Sharing of Information and Resources
Sharing of information and resources is
increasingly possible through increased networking, communications and
connectivity. As this data sharing increases, the problem of information
security increases exponentially. The problem for management is one of
encouraging increased productivity through technology while maintaining what
will probably be an increasingly insecure system.