Business worldwide is increasingly dependent on information
systems, ranging from e-mail, ERP, Intranet, Extranet, e-business and knowledge
management applications, for effectively running business operations.
As information systems become the backbone of business
worldwide, the threat to business due to the failure of information systems
becomes real. More than 60 percent of the organizations surveyed by WarRoom
Research reported having suffered attacks from sources within their
organization. According to WarRoom Research, over 45 percent of the attacks
were associated with advanced hacking techniques. A survey by
PriceWaterHouseCoopers and ASIS reveals that Fortune 1,000 companies have
suffered losses of more than $45 billion from thefts of their proprietary
information.
Increasingly easy-to-use hacker tools are freely available on
the Internet, reducing the time required for an intrusion from several weeks to
just a few days.
To date, information security has been addressed in a
piecemeal fashion, with multifarious security products being ‘thrown at the
security problem’ to make it go away.
Structured Approach for the Security Program
Enterprises should evolve a methodical approach to design, provision and
maintain comprehensive information security programs for their organizations. The
approach should constantly aim to balance security costs and benefits, so as to
evolve the most optimal and specific security program.
The approach should be phased, and it is important to ensure that the security
strategy is in line with the business objectives, and that the procedures and
practices followed continue to be aligned with the organization’s security
strategy.
Information security is a function of not just security tools and
technologies used, but also security policies and procedures adopted, and most
importantly, the people involved in the security program.
The conceptual building blocks of the information security policy are shown in
the following diagram.
Enterprises should begin the security program by defining the security
strategy to provide the framework and the basis for the overall information security
program. The organization’s information security risk profile is assessed to
obtain the information that is needed to identify security risks, evaluate the
effectiveness of any currently implemented security programs and justify the
resources necessary for information security measures.
Assessment is followed by a technology provisioning exercise to design the
security road map and manage the rollout of the security applications in a
phased manner.
"Security policy is not always secure". This clearly indicates that
managing a devised security policy is a very important determinant of the
success of the security policy.
Conceptual Building Blocks of Enterprise Security
The five most crucial steps in devising the information security policy for
an organization are