The hypergrowth of computing and communications technologies increases security vulnerabilities to organizations. The lack of resources training, the complexity of new technologies, and the slow legislation process to deter the breach of security all constitute to the trends of increasing security risk in an enterprise. Traditional approaches to risk assessment focusing on either the departmental or branch level lacks of an enterprise perspective. Many organizations assess and mitigate security risks from a technology perspective and deploy technology solutions. This approach ignores the importance of assessing security risk in policy and execution. This chapter discusses a systematic and holistic approach to managing security risk. An approach that utilizes the information life cycle and information assurance (IA) assessment points for the creation of policy, monitoring, auditing of security performance, regulate, and initiate corrective action to minimize vulnerabilities. An “information life cycle” is being proposed with its stage value and the underlying security operatives (gate-points) to protect the information. An information assurance framework and its functions to audit the information security implemented in an enterprise are proposed. Organization must assess the value and the business impact of the information, so that optimal and effective security system and security assurance can be designed.
Business Drivers That Increase Security Exposure
Every organization exists to fulfill its mission. A for-profit organization strives to increase revenue and shareholders’ profits. A nonprofit organization endeavors to provide more services within the allocated grants and funding. In order to maximize the goals to achieve their mission, both types of organizations make every effort to increase efficiency and effectiveness with cost reduction or savings. The ability to outreach to clients or customers will enjoy a better return on investment. It also increases the “service to funding” ratio for nonprofit organization. It is believed that by providing the right information to clients helps the increase of sales or services. Information is now believed to be an asset, and helps organizations to gain a competitive advantage over other organizations. The followings are some of the many business drivers that increase the efficiency and effectiveness, but also create the propensity of increasing security vulnerabilities and attacks.