Information security is not a technical issue; it is a management issue. It rests on three cornerstones—critical infrastructures, organization, and technology. While critical infrastructures are beyond the direct control of the organization, balancing them is a critical component of corporate governance. Total security is neither technically feasible nor operationally practicable. Therefore the organization must determine what information assets must be protected and the degree of protection to be provided for them. As Internet-based commerce diffuses through society, there will be decreasing tolerance on the part of customers for losses stemming from perceived or actual cyber vulnerabilities. Only senior management can initiate the plans and policies that address the different aspects of security in a balanced and integrated manner. Leaving security primarily to the IT function will strengthen just one of the cornerstones—namely, technology—and will not yield the intended results. Security lapses are management failures more than technical failures. This article presents an organizational security approach that senior managers can use as a roadmap to initiate security plans and policies and audit their implementation.
- Copyright ©2002 The Regents of the University of California