I. INFORMATION AS A CORPORATE RESOURCE

A. Security as Part of The Total Organization

Information security is not simply software or hardware security, and it does not stand apart from the total organization. An organization’s policies, plans, and procedures may affect security needs, and security practices may affect those policies, plans, or procedures. The important point is that a secure system is integral to the total organization.

B. Understanding The Organization

If a secure system is part of the total organization, then one must understand the organization, its goals, objectives, policies, and procedures. If the objectives of an organization are unclear, then implementing new technology will not help. If procedures are not secure, then new technology will not make them secure. Understanding the organization is the first step in planning for a secure system.

C. Identifying Sensitive Data

After establishing a clear understanding of the organization’s function and how it is to complete its objectives, the first step in planning for and developing a secure system is to identify sensitive data. Recognize that there are specific levels of security and that each may not be equally valuable. Identifying sensitive data and determining their value before the fact is the most difficult task for any organization. Unfortunately for most Management Information Systems (MIS) directors, management will more easily recognize the true value of data after the data have been disclosed to unauthorized individuals and are compromised.

D. Controlled Sharing of Information and Resources

Sharing of information and resources is increasingly possible through increased networking, communications, and connectivity. As this data sharing increases, the problem of information security increases exponentially. The problem for management is one of encouraging increased productivity through technology while maintaining what will probably be an increasingly insecure system.