I. Planning

A. Security As Part of The Total Organization

Information security is not simply software or hardware security; it does not stand apart from the total organization. An organization’s policies, plans and procedures may affect security needs and security practices may affect those polices, plans or procedures. The important point is that a secure system is integral part to total organization.

B. Understanding The Organization

If a secure system is to be part of the total organization, then one must first understand the organization, its goals and objectives, policies and procedures. If an organization’s objectives are unclear, implementing new technology will not help. If an organization’s procedures are not secure, new technology will not make it any more secure. Understanding the organization is the first step in planning for a secure system.

C. Identifying Sensitive Data

After establishing a clear understanding of the organization’s function and how it is to accomplish its objectives, the first step in a secure system is to identify sensitive data. Recognize specific levels of security and that each may not be equally valuable (e.g., no need to spend $1,000 to protect a hammer). Identifying sensitive data and determining their value before the fact is a most difficult task for any organization. Unfortunately for most MIS directors, man­agement will more easily recognize the true value of data after the data are compromised.

D. Controlled Sharing of Information and Resources

Sharing information and resources is increasingly possible through networking, communications and connectivity. As this sharing increases, the problems of information security increase exponentially. The problem for management is one of both encouraging increased productivity using technology while maintaining what will probably be an in­creasingly insecure system.

E. Specific Needs

Security addresses three principal needs: secrecy, integrity, and availability. Secrecy involves preventing the unau­thorized disclosure of information and unauthorized use of information and resources. Integrity involves preventing the unauthorized creation, modification or deletion of information and ensuring the consistency of information. Availability involves preventing the unauthorized delay or denying the use of information and resources.

F. Analysis and Design

Formalizing a secure system begins with appropriate organizational analysis and identification of sensitive data and procedures for handling those data. An appropriate place to introduce this material in more detail is in an information systems analysis and design course.