Page 17 - CISSO_Prep_ Guide
ownership and personal accountability for the development and
implementation of a comprehensive security program starts with
the recognition that security is a part of everyone's responsibility.
Defining Information Security
If a survey asking 'what is information security?' were conducted
in your office, what would the results be? If each person, from
the janitor who cleans the floors to the Managing Director, were
asked what information security is, how would they respond?
To a person watching a football or cricket match for the first
time without understanding the rules, the game may appear to be
nothing more than a lot of people running around in a disorganized
manner for no apparent reason. A person unfamiliar with the game
does not understand the strategies and coordination required to be
successful, nor the crucial role that each player on the pitch
actually serves. Such a person needs someone to explain the rules,
describe the strategies, and point out the actions and procedures
that lead to victory - or defeat. A football match is also an
excellent example of short, mid, and long-term strategies working
in combination: a quick pass provides some immediate progress
(short-term action), scoring points a few at a time is the mid-term
plan, and achieving a winning result is the long-term strategy.
The first challenge the information security manager faces is an
incorrect understanding of what security is. This is because the
understanding of what security means varies widely from one person
to another - especially between security professionals, managers,
and users.
To the user, security is often perceived as: