Building a comprehensive Information Security plan requires a detailed understanding of the business and its requirements. An Information Security plan should ensure that the business requirements are captured and that the related risks and controls are addressed in the plan. The plan shall provide “Defense in Depth” for the information
The answer to this question is simple: like all other corporate initiatives, it needs to be set by management. Who decides the core values of the company, the core culture of the company and/or the other strategic decisions? Ideally, the same person or role should announce security as a core value of the company.
Information Security and Microsoft
Let us take the case of Microsoft. Bill Gates wrote a letter to the entire organization to address security concerns. His letter not only discusses the importance of security as a strategic initiative, but also provides a roadmap to ensure that Microsoft products are secure.
Support from the executive offices conveys the message that Information Security is important to the company. It also conveys the message that Information Security cannot be achieved without the cooperation of everyone in the company.
Microsoft sets the slogan “Secure by Design, Secure by Development and Secure by Deployment”. There is one more aspect to be understood: Secure by assessing the requirement.
Not every company will have the same view of information security, but all companies will agree on one common point: information security is critical to their success in today's business. In today's global village, companies should understand the power of information and the ways to protect information as a core asset of the company.
It is not an easy task to protect information and to be a secure company; it takes resources in the form of people, process, technology and money. Engage or develop an information security model that ensures continual improvement, so that you can keep your protection above the industry standard. It is good to be on par with the industry benchmark, but it is better to be above the benchmark line.
In today's business, Information Security has greater importance as part of the Risk Management strategy. Many efforts are taking place across the world, and many Information Security programs are evolving as a result. These programs address security not only as a technical component, but also as a management practice. Business is growing faster, and it requires integrating security with the business. This leads to developing programs that can strategically protect business information and assets. This series of articles focuses on the requirement of addressing security as a strategic decision and tries to address the concerns of both the business owner and the security professional. Within these articles, you will find information from regulations such as Sarbanes-Oxley, HIPAA, FISMA and PCI Data Security, and from standards such as BS7799/ISO27001, COBIT, ITIL and ISM3. This series aims to bring together the interests of business owners and security professionals. It also aims to identify business problems and potential solutions for them.
Many companies have initiated their Information Security program; these initiatives are mainly driven through the information technology organization, and hence they remain a part of the IT organization. Some other companies are trying to identify the right reporting structure.
Another group of companies believes that the protection of information assets is a core business function and has strategic Information Security programs. For them, Information Security is part of their corporate strategy and is not an additional or add-on task. In such organizations, information protection is the responsibility of every employee. It is built into the culture of those organizations. In such organizations, information protection is not something additional to their work; it is their work. Not for 8 hours, but 24 hours a day.