Chapter 25

Strategic Information Security Management

David Finnis

Information security is the protection of the confidentiality, integrity, and availability of data. In addition to the technology, it includes the people and processes that use and protect that data. Information is a business asset that helps drive revenues and increase competitive advantage in the global marketplace. Protecting information is a worthwhile investment: It protects your investment in the development of your organization's intellectual property; ensures that adequate controls are in place within your environment to protect employee data and customer data considered personally identifiable information (PII), such as Social Security numbers and credit card data; and ensures compliance with the regulatory requirements to which your organization may be subject.

Information Security Business Alignment

Information security can be a business enabler as long as an organization adopts information security frameworks and management practices that balance investment with data protection. It is important that the information security framework and practices are aligned with the business strategy, the supporting IT strategy, regulatory requirements, the security objectives of the organization's management, and the culture of the organization.

Unfortunately, in many organizations, it is common to perceive information security as a roadblock or “business disabler”; this is due, for the most part, to the fact that information ...
