I. INFORMATION AS A CORPORATE RESOURCE
A. Security as Part of The Total Organization
Information security is not simply software or hardware security, and it does not stand apart from the total organization. An organization’s policies, plans, and procedures may affect security needs, and security practices may affect those policies, plans, or procedures. The important point is that a secure system is integral to the total organization.
B. Understanding The Organization
If a secure system is part of the total organization, then one must understand the organization, its goals, objectives, policies, and procedures. If the objectives of an organization are unclear, then implementing new technology will not help. If procedures are not secure, then new technology will not make them secure. Understanding the organization is the first step in planning for a secure system.
C. Identifying Sensitive Data
After establishing a clear understanding of the organization’s function and how it is to complete its objectives, the first step in planning for and developing a secure system is to identify sensitive data. Recognize specific levels of security and that each may not be equally valuable. Identifying sensitive data and determining their value before the fact is the most difficult task for any organization. Unfortunately for most Management Information Systems (MIS) directors, management will more easily recognize the true value of data after the data have been disclosed to unauthorized individuals and are compromised.
D. Controlled Sharing of Information and Resources
Sharing of information and resources is increasingly possible through increased networking, communications, and connectivity. As this data sharing increases, the problem of information security increases exponentially. The problem for management is one of encouraging increased productivity through technology while maintaining what will probably be an increasingly insecure system.
