Thursday, June 21, 2007


There's a fine balance between protecting information on the one hand and keeping it accessible to authorized users on the other.

Does it surprise you that InfoSec’s primary component—the one that can make or break it—is people?

Let’s examine the major elements of InfoSec first. As we go down the list, visualize the role that people will play in each one. InfoSec should support the mission and business objectives of the enterprise while protecting what is arguably its second most important asset, information.

  1. The InfoSec program and its procedures must be communicated, and communicated frequently, to its stakeholders—notably the organization’s employees.
  2. InfoSec must be cost-effective. By its very nature, InfoSec’s practices run counter to the natural business process. Before any security rule is implemented, the nature, likelihood, and magnitude of the risk that the rule seeks to prevent or mitigate must be weighed against the potential disruption the rule will cause to the natural business process. If the cost of implementing the rule outweighs the cost of the disruption, then that rule is probably cost-effective (keep in mind that other, non-financial aspects might alter the equation).
  3. InfoSec will inevitably extend outside the organizational boundaries. Consider the obvious—field employees equipped with company laptops. SANS, a leading security institute, reported that 630,000 laptops were lost in airports (alone) last year. Clearly, unless infosec practices extend to mobile devices, there will be a multitude of gaping holes that, for all practical purposes, defeat all infosec practices at corporate. SIDEBAR: You may or may not know that most of the organization’s valuable information resides on employee computers. Why? Employees are on the front line. They deal mostly with current information. And information is generally most valuable when it is new or at the beginning of its life cycle.
  4. To be effective, InfoSec must be comprehensive and ideally integrated into all business processes that pose a security risk (which covers most processes, unfortunately). InfoSec should be periodically assessed and updated. It might work better if there were major and minor reviews. A sensible rule for determining the frequency of these reviews could be based on the introduction of new technology into the organization.
  5. Business units must have some latitude to determine the extent of InfoSec’s involvement in the unit’s business processes. This is necessary for both political and practical reasons (e.g., if it’s a multinational, then it must consider cultural implications).