Information Security Fundamentals

The purpose of information security is to protect an organization’s valuable resources, such as information, computer hardware, and software. Through the selection and application of appropriate safeguards, security helps the organization’s mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets. To many, security is sometimes viewed as thwarting the business objectives of the organization by imposing poorly selected, bothersome rules and procedures on users, managers, and systems. Well-chosen security rules and procedures do not exist for their own sake — they are put in place to protect important assets and thereby support the overall business objectives. Developing an information security program that adheres to the principle of security as a business enabler is the first step in an enterprise’s effort to build an effective security program. Organizations must continually (1) explore and assess information security risks to business operations; (2) determine what policies, standards, and controls are worth implementing to reduce these risks; (3) promote awareness and understanding among the staff; and (4) assess compliance and control effectiveness. As with other types of internal controls, this is a cycle of activity, not an exercise with a defined beginning and end. This book was designed to give the information security professional a solid understanding of the fundamentals of security and the entire range of issues the practitioner must address. We hope you will be able to take the key elements that comprise a successful information security program and implement the concepts into your own successful program.