

Information security is a business issue that needs to be managed effectively. Good security management can provide consistent protection against data compromise and downtime. Although complete security is impossible to achieve, too little security can cost a company dearly. The appropriate amount of security is unique to every organization. The following chapters explore some of the methods and tools used to manage security.

Key Points

  • Information security is a business problem, not a technology problem.
  • Total security is impossible. A trade-off has always existed between security and usability.
  • Some amount of security is possible, but this can only be achieved after an organization identifies its security philosophy and integrates that philosophy into its business processes.
  • Security policies are used to integrate a security philosophy with business processes. They should be driven by the needs of the business, not the needs of the technology.


When developing a security philosophy, a security assessment can provide necessary information on how business processes use network technology. It also identifies critical points of security within the business.

Once a philosophy has been established and security policies have been developed, systems and network monitoring tools provide feedback. This feedback can be used to refine policies and the overall philosophy.