
Business Drivers for Information Security Policies

CHAPTER 2

WITH EACH PASSING YEAR, technology is more integrated into business. It is common for businesses to use technology for data management, financial transactions, advertisement, customer service, and a host of other activities. Almost all businesses and governments use technology to support their operations, from the most basic to the most complex. Dependence on information technology has grown so rapidly over the past decades that it’s hard for people to envision their lives without it.

Consider what it would be like to disconnect from technology for a week. No cell calls. No GPS to find that new restaurant. No Internet. It’s not only the products people use or consume, but also the way they get these products. Without technology, delivery of products and services often would not be possible. However, this integration of technology into our lives also introduces new threat vectors to our information. Whether in the public or private sector, the threat of information being stolen and the threat of unauthorized access are major concerns. When you reduce these types of risks to information assets, you reduce risks to the business as well. Security policies let your organization set rules to reduce risks to information assets.

The goal of information security is not to eliminate all risk. That is not possible. The goal is to effectively manage risk so the risk is at or below an acceptable level. What an acceptable level is varies between organizations and even within different segments (departments, teams, workgroups, etc.) in the same organization. A good policy can reduce the likelihood of risk occurring or reduce its impact. This is the essence of risk management. A business must find a way to balance a number of competing drivers. Some of these drivers include:

  • Cost—Keep costs as low as practical.
  • Customer satisfaction—Keep customer satisfaction high.
  • Compliance—Meet regulatory obligations.
  • Measurement—Be self-aware and avoid surprises.

Security policies define how to protect and handle information. These security policies should be brief and concise. They should define in simple terms how information should be handled and processed to meet business goals. Aligning security policies with business objectives makes policies easier to understand and more likely to be followed.

This chapter provides an overview of concepts that can reduce business risk. Although the term business is used, the concepts apply equally to both public and private organizations, and for-profit as well as nonprofit entities. When the term risk is used, it refers only to the risk to information assets. It is impossible to discuss all potential business drivers to reduce risk for every organization. This chapter focuses on key risk areas.
