I. Planning
A. Security As Part of The Total Organization
Information security is not simply software or
hardware security; it does not stand apart from the total organization. An
organization’s policies, plans and procedures may affect security needs and
security practices may affect those polices, plans or procedures. The important
point is that a secure system is integral part to total organization.
B. Understanding The Organization
If a secure system is to be part of the total
organization, then one must first understand the organization, its goals and
objectives, policies and procedures. If an organization’s objectives are
unclear, implementing new technology will not help. If an organization’s
procedures are not secure, new technology will not make it any more secure.
Understanding the organization is the first step in planning for a secure
system.
C. Identifying Sensitive Data
After establishing a clear understanding of the
organization’s function and how it is to accomplish its objectives, the first
step in a secure system is to identify sensitive data. Recognize specific levels
of security and that each may not be equally valuable (e.g., no need to spend
$1,000 to protect a hammer). Identifying sensitive data and determining their
value before the fact is a most difficult task for any organization.
Unfortunately for most MIS directors, management will more easily recognize
the true value of data after the data are compromised.
D.
Controlled Sharing of Information and Resources
Sharing information and resources is increasingly
possible through networking, communications and connectivity. As this sharing
increases, the problems of information security increase exponentially. The
problem for management is one of both encouraging increased productivity using
technology while maintaining what will probably be an increasingly insecure
system.
E.
Specific Needs
Security addresses three principal needs: secrecy,
integrity, and availability. Secrecy involves preventing the unauthorized
disclosure of information and unauthorized use of information and resources.
Integrity involves preventing the unauthorized creation, modification or
deletion of information and ensuring the consistency of information.
Availability involves preventing the unauthorized delay or denying the use of
information and resources.
F.
Analysis and Design
Formalizing a secure system begins with appropriate
organizational analysis and identification of sensitive data and procedures for
handling those data. An appropriate place to introduce this material in more
detail is in an information systems analysis and design course.