Friday, February 29, 2008

Sometimes I need to remind myself...

Information Security Management's primary function is to ensure that the risks that may lead to unauthorized alteration or disclosure of information do not exceed an acceptable level.

The mechanisms we use to achieve that acceptable level consist mainly of controls that can roughly be grouped into policy and technology. Setting the level at which risk is acceptable is not the responsibility of the information security manager.

Information Security Management's responsibility includes ensuring that users are aware of the policies that are in place, and that they know how to use information security technology.

To ensure that policies are followed, and that technology is used properly, information security management also includes the responsibility for preventing, detecting, and investigating breaches of policy, or threats against the technology used to manipulate information.
