Aligning Corporate Strategies

Aligning Corporate Strategies With Computer Security Policies The creation and implementation of corporate policy frameworks is dependant on understanding the current state of information security practice, on the one hand, and the nature and extent of the organization’s use of information systems, on the other.  Moreover, computer security programs must be aligned with the organization’s internal and external needs. The problem that this essay addresses derives from the aforementioned and is,  simply stated, the strategy for the alignment of security program and projects to meet organizational needs, both internal and external.

Data for this research was collected from a variety of sources.  These included academic articles, policy guidelines/studies, books and interviews.  The collection of secondary data was relatively uncomplicated as, apart from the list of recommended course readings, accessing additional sources only required entering the relevant search terms into Google and sifting through the results.  The problem was the collection of primary data within the researcher’s place of employment.  Apart from the Information and Computer Technology (ICT) Director and the Chief Security Officer (CSO), few were willing to sit down for an interview and those who finally did, such as one of the organization’s many project managers (PM) insisted on anonymity.

The security threats which confront corporate entities are both internal and external in nature and include data loss/corruption, data theft, viruses/spyware/malware, insider abuse and unauthorized outsider access.  As the ICT Director mentioned, all these threats and numerous others could be completely eliminated were the company to adopt two approaches.  The first would be to go offline and the second would be to severely restrict access to the corporate intranet and, even then, to supervise and monitor all activities.  As he noted, however, to do so would be to render the corporate network useless.  The network was created for the purpose of furthering corporate objectives and maximizing the potential for their realization.  To seal off the network, therefore, would be to undermine the very purpose of its creation and implementation.  At the same time, the failure to design and install a security framework would lead to a situation in which the corporate network is, or can potentially be, used as an instrument for the undermining of the organization.  Quite simply stated, and as emphasised by both the IT Director and the CSO, an attack on the network could disrupt the business process and if serious enough, could bring the organization to a state of temporary paralysis.  The imperatives of aligning internal business objectives and key external factors with the organization’s security program emerge from the aforementioned considerations.

Security program

The organization’s security program must be founded upon a number of internal and external considerations and driven by a single objective. В Its driving objective must be the protection of В«an organization’s valuable resources … through the selection and application of appropriate safeguards [which] … help organization’s mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assetsВ» (NIST, 1996, p. 9). В Security programs, however, can В«[thwart] the mission of the organization by imposing poorly selected, В bothersome rules and procedures on users, managers, and systemsВ» (NIST, 1996, p. 9). В В The primary means by which to insure against the latter and realize the former is through the collection of data pertaining to internal business objectives and key external factors.

Information on a corporation’s internal business objectives can be obtained through a number of specific sources.  Hollet (2006) identifies an organization’s published mission statement as the chief guide to its objectives.  As she stated, however, a mission statement only provides a general outline of objectives and aligning internal objectives with the external environment is dependant upon knowledge of immediate short and medium term objectives.  Information on these can be obtained from the organization’s various departmental and project management managers.  Insofar as the design of a security program which would facilitate, rather than thwart, organizational objectives is concerned, Bosworth and Kaby (2002) contend that the information which should be collected needs to pertain to each department’s use of the corporate network.  In other words, why do department employees use the network and how does their use of it facilitate the realization of business objectives.  The security program which is subsequently designed must factor these uses in and ensure that the security procedures and mechanisms which are implemented do not function as an obstacle to legitimate and productive use.

Information regarding the nature of key external factors should be collected from an organization’s IT Director, CSO and, of course, departmental and project management managers (Hollet, 2006).  The information which is collected should pertain to the company’s relationship with its external environment and the extent to which outsiders, including part-timers, clients and external contractors would need to access the company’s network and the degree to which their access is deemed necessary within the context of the organization’s business processes and objectives (Bosworth and Kaby, 2002).  It is imperative to understand why outsiders/part-timers should need to access the organization’s network and if, indeed, their access is justified in terms of the organization’s business processes, mission and objectives, the security program should facilitate continued access, not thwart it.
The information which is collected on both key external factors and business objectives should be factored into the security program.  All types of access to the network beyond those identified as necessary, should be completely sealed off.  Obtaining consensus for the implementation of the program, according to the IT Director, should not be problematic as long as the organization’s decision-makers are persuaded that the benefit outweighs the cost.

Bosworth, S. and Kabay, M. E. (2002) В Computer Security Handbook. В NY: В Wiley.

Hollet, V. (2006) В Business Objectives Workbook. В Oxford: Oxford UP.

Kerstetter, J. and Madden, J. (11 Feb., 2000) В Web attacks raise chilling questions for IT. Zdnet eWeek.

NIST (1996) Introduction to Computer Security: The NIST Handbook. В US Department of Commerce.

This essay was prepared by Oxbridge Researcher writers for entry into our blog and not for a customer. В Nothing published here is work which was prepared for a customer. If you are interested in receiving a custom-essay written to the high standard you see here, please contact us, or visit one of our websites.

Leave a Reply

Your email address will not be published. Required fields are marked *