As these examples suggest, this is not to say that IT security has little or no relevance to information security. Far from it. Without protecting and defending the resources that house, handle and manage information, an information security strategy has no foundation. Nor can it hope to be effective without taking into consideration what is arguably the most significant factor of all: what people do with information and IT resources.
Information security must be built on three key domains:
The integration of these domains represents maturity, not only in the enterprise approach to information security, but in the way the enterprise itself is managed. The more mature organization will be able to take advantage of extending solutions in each domain across its comprehensive information security challenges — but only if its approach to each domain exhibits the discipline necessary to make such integration possible.
What is happening today, however, is that the events of recent months have brought the two domains even closer, with technologies emerging in IT — in concert with people, process, and enterprise management as a whole — that offer new solutions for enhancing the security of information itself.
Scott Crawford is a senior analyst with Enterprise Management Associates in Boulder, Colo., an industry analyst firm focused on all aspects of enterprise management systems and services. Scott is the former information security chief for the International Data Centre of the Comprehensive Nuclear-Test-Ban Treaty Organization in Vienna, Austria, and has also been a systems professional with the University Corporation for Atmospheric Research as well as Emerson, HP, and other organizations in both public and private sectors. He can be reached at [email protected].