Information: most valuable asset of company. Distinguishes one business from another.

Information security: process of protecting intellectual property.

5 "phases"

  1. Inspection current status & right level of security
  2. Protection proactively create secure environment. 10 building blocks
  3. Detection reactively detect bad activities and alert responsible people
  4. Reaction responding to incident to minimize impact
  5. Reflection feedback to improve security.


Changing business environment, relationships, information, IT means greater threat and thus more security needed.

Near-future: ubiquitous information: all info appliances integrated, sharing data

IT: globally distributed infrastructure, interconnected networks, portable devices/ mobile employees/ virtual offices

Migrate from centralized to distributed computing.
Migrate from corporate network to Internet (not private, impersonal, not accountable but cheap and ubiquitous)


Info is a business asset. Security is a business process. Info security is a business requirement.
Info security evaluated like any other business process to determine how much security is needed to protect the info asset.

3 attributes/goals

security as a weak-link problem: total security no better than the weakest point.

security as trade-offs: more security needed -- more admin & controls -- -- less ease of use


Security plan: reasonable & prudent
  1. business impact analysis: info of greatest impact
  2. risk analysis: probabilty of harm & extent of damage
  3. disaster planning: method to minimize harm
  4. business continuity plan: how to continue to conduct business

5 phases again

  1. Inspection evaluates security needs & current level of preparation
  2. Protection what needs protection, how much protection is needed, how to implement this level
  3. Detection of misuses: attacker, methods of attack, technologies to detect
  4. Reaction emergency/incident response plan: how to respond
  5. Reflection identify improvements