Why is an Information Security Program Important for Your Company?


Why is an information security program important?

Information security is relevant and essential to a company because it protects the organization's valuable resources. Examples of organizational assets to protect include computer hardware, application code, legal documents, and the physical security of the organization's offices, as Peltier (2013) discusses. The security team must select and implement the appropriate safeguards that support the company's mission by defending its financial and physical resources, its reputation, its employees, and any other tangible or intangible assets. As Peltier (2013) points out, some employees believe security prevents organizational goals from being reached because poorly selected rules and procedures are imposed on members of the organization and on its systems. A set of well-written policies, standards, and procedures is put in place to protect assets and support all business objectives.

The information security program built and maintained by the security team needs to follow the principles of security so that the business can create an effective program, as Peltier (2013) discusses. The author goes on to describe four functions that the security team performs continually. The first is exploring and assessing the information security risks to business operations. The second is analyzing and understanding the policies, standards, or controls identified as essential to implement in order to reduce those risks. The third is promoting information security awareness and knowledge among the company's employees. The last is continually assessing compliance with, and the effectiveness of, the policies, standards, or controls implemented at the company. As with auditing and other organizational controls, once these are in place the aim is to improve them and keep them up to date: the work has a clear beginning at implementation but no real end, as the team continuously refines the policies, standards, and procedures it has put in place.

An example of the third function of information security, which is to promote company information security awareness and understanding among the employees, was implemented recently at my current employer. The information security team recently sent out internal phishing emails. The team used this to get the word out on the importance of mousing over links before one clicks on them to see if the URL looks suspicious before clicking on it. This phishing attempt sought to get internal employees to click and pay a fee for Colorado express tolls. If the employee took the phishing bait and clicked on the link, they were led to a page that informed them they would be attending computer security awareness training at the company in the coming days and to contact the Information Security team for the training date. A couple of my peers clicked on the link and went through the training, and they are now more vigilant about clicking on any URL that arrives in the work email inbox. This was a great way to build awareness among the folks who clicked on the URL and among their peers, because they heard about it after team members clicked on it and had to attend training.

References

Peltier, T. R. (2013). Information Security Fundamentals (2nd ed.) [VitalSource Bookshelf version]. Retrieved from https://www.routledge.com/Information-Security-Fundamentals/Peltier/p/book/9781439810620
