Information security optimization: from theory to practice

Organizations face a significant challenge in designing and implementing appropriate information security measures. There are many sources of guidance on good and best practice relating to platforms, architectures and industries, but this guidance needs to be interpreted in the context of the specific risks faced by the organization, the desire to mitigate those risks, and the requirements for user friendliness, system performance and system availability driven by the user community. The process of identifying, justifying, implementing and maintaining the correct balance between security and ease of access for authorized users requires careful consideration at a number of phases, including the assessment of risks, the identification of appropriate standards, the definition of policies and the education of users, and organizations also need to implement mechanisms for the regular and effective review and update of the measures taken. This paper discusses the issues involved in implementing an optimized information security policy, the common pitfalls encountered by organizations in this respect, and presents an outline framework for such implementations.