Information Security - Essay Example

There is also a vast body of empirical evidence that demonstrates that general managers ought to be much more involved in the formulation and implementation of information security because they are more able to assess particular types of risks, more attuned to cost-benefit considerations, and better able to integrate information security into a business organization's larger structure than narrow-minded security specialists (Lacity, 2005). In order to more clearly elaborate how organizations should approach information security issues, this essay will discuss how businesses should strike a balance between information security and information sclerosis and what professional competencies ought to oversee information security policies, procedures, and practices.

As an initial matter, it should be noted that information security can be neglected by business organizations (National Institute of Standards and Technology, 1998) as well be over-hyped and made far too complex for complete use (Angus, 2005; Miller, 2005). The most prudent course of action, to be sure, is neither a zero-information security policy nor a systemic approach that is too complex (Angus, 2005) or too expensive (Lacity, 2005) for the organization's needs. A balance needs to be struck.

Commenting on a study carried out by the GAO, the National Institute of Standards and Technology established a viable framework for promoting good practices for information security programs; this framework deals with risk assessment, the taking steps to reduce risk, and the creation of a central management group devoted to these risk management functions. This section will address good practices as they pertain to risk assessment and tailoring an information security policy to organizational goals and to remain cost-effective.

The essence of an effective risk assessment procedure is not to assume that every conceivable risk can be planned for, but instead to identify steps to reduce the treat of potential risks to levels that are deemed acceptable (Workstation Services Support Group, 1998). This notion of acceptability is crucial to any cost-benefit analysis involving an information security system. The first step is to create a recognition that an organization's informational resources are valuable assets in need of protection.

This means creating a pervasive organizational understanding about security risks, new security threats and the procedures for keeping workers informed. The second step is to draft and implement risk assessment procedures which incorporate the information security system into the larger business structure. This means treating information security as a business concern just as much as a technical matter for IT specialists. The third step requires holding individuals accountable for information security issues.

This is important as it eliminates the possibility of passing responsibility on to security specialists and demands a comprehensive approach to information security. The fourth and final step requires that security risks be monitored and