Computer and Information Security Handbook, 2nd Edition

Book Preface

It seems logical that any business, whether a commercial enterprise or a not-for-profit business, would understand that building a secure organization is important to longterm success. When a business implements and maintains a strong security posture, it can take advantage of numerous benefits. An organization that can demonstrate an infrastructure protected by robust security mechanisms can potentially see a reduction in insurance premiums. A secure organization can use its security program as a marketing tool, demonstrating to clients that it values their business so much that it takes a very aggressive stance on protecting their information. But most importantly, a secure organization will not have to spend time and money identifying security breaches and responding to the results of those
breaches.

As of December 2011, according to the National Conference of State Legislatures, 46 states, the District of Columbia, Puerto Rico and the Virgin Islands had enacted legislation requiring notification of security breaches involving personal information. In 2011, 14 states expanded the scope of this legislation.1 Security breaches can cost an organization significantly through a tarnished reputation, lost business, and legal fees. And numerous regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Sarbanes-Oxley Act, require businesses to maintain the security of information. Despite the benefits of maintaining a secure organization and the potentially devastating consequences of not doing so, many organizations have poor security mechanisms, implementations, policies, and culture.