
Information security: A strategic approach

12 Jun 2006 | Written by: Vincent LeVeque


The following is an excerpt from Information security: A strategic approach.

STRATEGY AND INFORMATION TECHNOLOGY
Information technology had its start in commercial organizations in the 1950s and 1960s with the automation of routine clerical functions, specifically accounting functions. Payroll and general ledger were among the first processes to become automated. As computers became more powerful and more widespread, information systems grew to support almost every business process. Data networks also grew in this period, and have been increasingly used to support business communications. Data communications allowed an increasing internal integration of far-flung business processes. Data communications have tied businesses more closely to their suppliers and customers. Starting with the first Electronic Data Interchange (EDI) systems of the 1970s, commerce became synonymous with data networks. The speed and volume of data have increased dramatically, as has the scope of the partners with which data is exchanged and the depth to which internal systems are exposed to trading partners.

By insinuating themselves into all aspects of corporate behavior and by mediating relationships with third parties, information systems have come to wield an immense power over the form and nature of the modern business organization. Concurrent with the increasing reliance on information technology is the increasing scale and complexity of information systems. These trends combined to motivate formal information technology strategic planning, as a way to ensure that the organization realizes the maximum benefit from systems as well as a method to plan large-scale efforts requiring multiple years of effort and having far-reaching impacts on the organization.

STRATEGY AND INFORMATION SECURITY
The overriding information strategy plan may itself be composed of a number of subordinate plans defining strategies for each element of the information technology infrastructure. An information technology strategic plan may have components for application software, network infrastructure, IT management, and the like. Specific components may have a direct impact on the organization, giving that component a "strategic" importance. A software application or a type of network connectivity may itself facilitate achieving some goal, to the point where one refers to a "strategic application development" or a "strategic network infrastructure." Referring to a component as "strategic" means that its performance directly affects a strategic business goal, to the extent that the component is specifically called out in the information technology strategic plan.

Printed with permission from Wiley-IEEE Computer Society Press
Copyright 2006
Information Security: A Strategic Approach
by Vincent LeVeque
ISBN: 0-471-73612-0

Information security is one such strategic component. An increase in the breadth, scope, and depth of information sharing across organizations elevates the importance of protecting this information. Protecting shared electronic commerce information is more than simply restricting access to only authorized parties. The trustworthiness of the information as bound into a business transaction must be established and maintained. Similar issues have always existed with highly integrated systems used solely for internal support. Management often evades these issues, assuming that physical and administrative controls can compensate for inadequate technical security. Internal information systems may lack sophisticated technical security controls but still perform adequately as long as equipment and communications are physically secured, and as long as only properly managed internal staff may access the system. Opening systems to external parties—to vendors, customers, and even potential customers among the public at large—negates the physical and administrative controls. Technical security controls are explicitly required to maintain the trust relationships that organizations rely upon.

Security strategy in the age of electronic commerce focuses on building business trust relationships in which the relationship itself is based on no more than electronic signals. The traditional information security values of confidentiality, integrity, and availability are incorporated into complex trust relationships based on data communication protocols.

Information security's role in strategy has evolved from the keeper of secrets to the builder of electronic trust networks. Ensuring that information security provides the maximum strategic benefit to the organization requires a further evolution, from trust architect to information steward. Where information can be assigned value in supporting organizational goals, the efficient management of this value can provide greater benefit to the organization. Just as with any other productive asset, information should be identified, measured, and properly channeled to its most valued use. This view of information is a break with most organizations' current practice, and requires that an economic and business process model be applied to information security management.

An information security strategic plan attempts to establish an organization's information security program. The information security program is the whole complex collection of activities that support information protection. An information security program involves technology, formal management processes, and the informal culture of an organization. An information security program is about creating effective control mechanisms, and about operating and managing these mechanisms.


