Summary

A security program should address issues from a strategic, tactical, and operational view, as shown in Figure 3-13. Security management embodies the administrative and procedural activities necessary to support and protect information and company assets throughout the enterprise. It includes development and enforcement of security policies and their supporting mechanisms: procedures, standards, baselines, and guidelines. It encompasses risk management, security-awareness training, and proper countermeasure selection and implementation. Personnel (hiring, terminating, training, and management structure) and operational (job rotation and separation of duties) activities must also be conducted properly to ensure a secure environment. Management must understand the legal and ethical responsibilities it is required to respect and uphold.

Figure 3-13. A complete security program contains many items.


Security is a business issue and should be treated as such. It must be properly integrated into the company’s overall business goals and objectives because security issues can negatively affect the resources the company depends upon. More and more corporations are finding out the price paid when security is not given the proper attention, support, and funds. This is a wonderful world to live in, but bad things can happen. Those who recognize this not only survive but thrive.
