Information Security Management Plan


Introduction

Almost everything of tangible value in today's society (and many intangibles as well) is stored in digital form somewhere. Without the knowledge to defend our digital assets, we are lost, and our potential loss grows larger every day as we pour the contents of our lives into databases, PDAs, personal computers, and Web servers through routers, hubs, switches, cell phones, gateways, copper, coax, and the air itself. The need for security has existed since the introduction of the first computer. The paradigm has shifted in recent years, though, from terminal server mainframe systems, to client/server systems, to the widely distributed Internet.

Information Security Management Plan

Recent events have made information security a significant focus in the way an organization conducts its business. Most businesses today have at least a rudimentary security program in place, and many programs are developing and growing in maturity. As these programs have grown, so has the need to move beyond the view that security is just a technical issue. Security today should be woven into the fabric of a business. In doing so, information security programs need to move from tactical implementations of technology to strategic partners in business (Wylder, 2004). Although companies were committed to developing a comprehensive information security program, they may not have integrated it into the framework of their businesses.

The Case for Information Security Scrutiny

Data in an information technology (IT) system is at risk from various sources—user errors and malicious and nonmalicious attacks. Accidents can occur, and attackers can gain access to the system and can disrupt services, make systems useless, or change, delete, or steal information. Some companies have taken an enlightened view of security. They believe that, to be successful, they must show their customers that security and protecting information assets are a core business function. Security by design means that it is not an afterthought in the design process; instead, it is one of the requirements that designers use when starting a project. Secure in deployment means that products will be shipped and ready to use in a way that will not compromise the security of the customer or other products.

In the broadest definition, an information security program is a plan to mitigate risks associated with the processing of information. The security profession (Bensen, 2006) has defined the basics of security as three elements:

1. Confidentiality. Confidentiality is preventing unauthorized use or disclosure of information. The system contains information that calls for protection from unauthorized disclosure. Examples include timed dissemination information (e.g., interim financial statements, personal information, and proprietary business information). Privacy is a closely related topic that has lately been getting more visibility.

2. Integrity. Integrity is ensuring that information is accurate and complete and that it has not been modified by unauthorized users or processes. The system contains information that must be protected from unauthorized, unanticipated, or unintentional modification. Examples include survey reports, economic indicators, or financial transactions systems.

3. Availability. Availability is ensuring that users have timely and reliable access to their information assets. The system contains information or ...