A. Security As Part of The Total Organization
Information security is not simply software or hardware security; it does not stand apart from the total organization. An organization’s policies, plans, and procedures may affect its security needs, and security practices may in turn affect those policies, plans, or procedures. The important point is that a secure system is an integral part of the total organization.
B. Understanding The Organization
If a secure system is to be part of the total organization, then one must first understand the organization: its goals, objectives, policies, and procedures. If an organization’s objectives are unclear, implementing new technology will not help. If an organization’s procedures are not secure, new technology will not make it any more secure. Understanding the organization is the first step in planning for a secure system.
C. Identifying Sensitive Data
After establishing a clear understanding of the organization’s function and how it is to accomplish its objectives, the first step in building a secure system is to identify sensitive data. Recognize that data fall into specific levels of security and that not all data are equally valuable (e.g., there is no need to spend $1,000 to protect a hammer). Identifying sensitive data and determining their value before the fact is the most difficult task for any organization. Unfortunately for most MIS directors, management will more easily recognize the true value of data after the data have been compromised.
D. Controlled Sharing of Information and Resources
Sharing information and resources is increasingly possible through networking, communications, and connectivity. As this sharing increases, the problems of information security increase exponentially. The problem for management is one of encouraging increased productivity through technology while maintaining what will probably be an increasingly insecure system.
E. Specific Needs
Security addresses three principal needs: secrecy, integrity, and availability. Secrecy involves preventing the unauthorized disclosure of information and the unauthorized use of information and resources. Integrity involves preventing the unauthorized creation, modification, or deletion of information and ensuring the consistency of information. Availability involves preventing the unauthorized delay or denial of the use of information and resources.
F. Analysis and Design
Formalizing a secure system begins with appropriate organizational analysis and identification of sensitive data and procedures for handling those data. An appropriate place to introduce this material in more detail is in an information systems analysis and design course.