Information Security Policies and Procedures: A Practitioner’s Reference

Book Preface

The overall objective of an information security program is to protect the integrity, confidentiality, and availability of information. The primary threats that keep an organization from attaining this goal are unauthorized access, modification, destruction, and disclosure. These threats can be either accidental or deliberate.

An information protection program should be part of any organization’s overall asset protection program. The goals and objectives that make up the information security program must be understandable by all employees.

As long as there have been Information Systems Security Officers (ISSOs), there has been a need to create and implement information security policies and procedures. The ISSO was usually brought in from one of the various groups within Information Technology and charged with the responsibility to create these documents. The background in IT often helped the ISSO in understanding technical issues, but it was sometimes a hindrance in grasping the business strategies and objectives. With this very vaguely defined charter, the ISSO would usually try to find a book on the subject and often look to attend a seminar or workshop. The information gathered from these resources often provided the “how-to,” but usually failed in the “why-for.”