
4. Test and reevaluate risks
Continually perform security reviews, audits, background checks, and
security assessments
5. Obtain stakeholder support
Gain the approval and support of the information security policies by the
Board of Directors and all stakeholders
Top 10 Questions Managers Should Ask Regarding Information Security:
1. Does the board of directors recognize information security is a board-level
issue that cannot be left to the IT department alone?
2. Is there clear accountability for information security in the organization?
3. Do the board members articulate an agreed-upon set of threats and critical
assets? How often do they review and update these?
4. How much is spent on information security and what is it being spent on?
5. What is the impact on the organization of a serious security incident?
6. Does the organization view information security as an enabler? (For example,
by implementing effective security, could the organization increase business
over the Internet?)
7. What is the risk to the business of getting a reputation for low information
security?
8. What steps have been taken to ensure that third parties will not compromise
the security of the organization?
9. How does the organization obtain independent assurance that information
security is managed effectively?
10. How does the organization measure the effectiveness of its information
security activities?
The importance of educating employees on information security
Adding to the complexity of information security is the fact that organizations
must enable employees, customers, and partners to access information
electronically to be successful in this electronic world. Doing business
electronically automatically creates tremendous information security risks for
organizations. Surprisingly, the biggest issue surrounding information security
is not a technical issue, but a people issue.
A few samples of employee information security policies specifically
for Making The Grade.
Employees cannot disclose passwords or con#dential information to
outsiders
Business Driven Information Systems - Instructor’s Manual Chapter 4 Page 2 of 8