Organizations rely significantly on the use of information technology (IT) products and services to drive and maintain day-to-day internal and external customer-facing activities. The failure to consider information security as part of system support and operations can be detrimental to the organization’s success. Ensuring the overall safety of corporate digital and non-digital assets is mission-critical and should focus on how the organization proactively safeguards information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction to provide confidentiality, integrity, and availability.
The failure to deploy appropriate security policies, rules, and procedures leaves unnecessary risk exposure at all levels of an organization. In today’s digital-driven environment of malicious code, system breaches, and insider threats, publicized security issues can have disastrous consequences, particularly for the profitability and reputation of the enterprise.
Executives are, in the end, responsible for setting the acceptable level of risk for a specific system and for the organization, considering the cost of security controls and the potential loss they prevent. Since information security risk cannot be eliminated, the objective is to find the optimal balance between protecting the information or system and making use of the available resources. It is vital that systems and related processes be able to preserve information, financial assets, physical assets, and employees, while also taking resource availability into account.
The formalized creation and implementation of an enterprise strategic information security framework is a mandatory initiative for protecting the organization’s information assets as well as its brand, legal position, personnel, and other tangible or intangible assets.
Information Security Definition
Information Security is defined by the National Institute of Standards and Technology (NIST) as the maintenance of ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. The definition provides a clear understanding of corporate risk tolerance to assist officials in setting priorities and managing risk throughout the organization in a consistent manner, and it ensures that the selected security controls remain effective and that the organization stays aware of threats and vulnerabilities.
Monitoring and Assessment
Information security is not a static activity and requires continuous monitoring and assessment to protect the confidentiality, integrity, and availability of information as well as to ensure that new vulnerabilities and evolving threats are identified and responded to accordingly. In the presence of a continually changing workforce and a digital-driven environment, it is essential that organizations provide timely and accurate information while operating at a tolerable level of risk.
System Support & Operations
System support and operations cover all activities involved in operating and maintaining a system. The framework includes system administration and tasks external to the system that support its service (e.g., maintaining documentation). The support and operation of any system—from a 3-5-person local area network to a global application serving many thousands of users—is critical to maintaining the security health of the system. Support and operations are routine activities that enable systems to function correctly. These include fixing software or hardware problems, installing and maintaining software, and helping users resolve issues.
An organization’s information security policies and procedures should address the following categories:
- User support
- Software support
- Configuration management
- Media controls