If information security were a person, the security policy would be the central nervous system. Policies become the core that provides a structure and purpose for all other aspects.
Another aspect of information security is organizational security. Organizational security takes the written security policy and develops the framework for implementing that policy throughout the organization. This includes tasks such as getting support from senior management, creating an information security awareness program, reporting to an information security steering committee, and advising the business units of their role in the overall security process. The field is so broad, however, that there are many other aspects beyond organizational security and security policy.
Yet another aspect is asset classification. Asset classification takes all the resources of an organization and breaks them into groups. This allows an organization to apply differing levels of security to each group, as opposed to defining security settings for each individual resource. This process can make security administration easier once it has been implemented, but the implementation itself can be rather difficult.
Another class is personnel security. This can be both fun and taxing at the same time. Personnel security can often be a duty of another person and not the sole duty of the information security manager.
Another area of information security is communications and operations management. This area is often overlooked in smaller organizations because it is mistakenly considered overhead. Communications and operations management encompasses tasks such as ensuring that no one person in an organization has the ability to both commit and cover up a crime, and making sure that systems being retired are disposed of in a secure manner. While it is easy to overlook some of these tasks, doing so can create large security holes in an organization.
Following the analogy used previously, if the security policy is the central nervous system, access control would be the skin. Access control is responsible for allowing only authorized users to have access to your organization's systems and also for limiting what access an authorized user does have. Access control can be implemented in many different parts of information systems. Some common places of access control include:
- Desktop operating system
- File server
The last aspect discussed here is compliance. Now you may be thinking that compliance is someone else's job. And you might be right; but if we go back to our analogy that if information security were a person, with the security policy being the backbone and access control being the skin, then compliance would be the immune system.
With all the phases from policy to telecommunications, there is a lot to information security. All the phases are equally important, because when it comes to threats to an organization, a breakdown in any one of them can present a gaping hole to an attacker.