An Introduction to Information Security
By
Jeff Pasternack
03/01/02
Information security. It is all the rage now, what with all the hackers, denial of service attacks, viruses and the general air of uncertainty in the world today. Organizations are under ever-increasing pressure to share information internally and externally, and at the same time, the security risks continue to climb. The challenges of managing the risks and related threats to information security are numerous, but if handled in a steady, methodical manner, they are much more manageable than one might presume.

Information security has four key components: security policy, threat identification, incident prevention and incident response. Each component has several subsets and the theories that drive them are as varied as the types of organizations implementing them. Unbeknownst to many people, information security from an organizational standpoint doesn't begin with technology: it begins with policy.

A security policy addresses the physical security of the hardware and data, the network security, overall system security on both the client and server sides as well as information sharing services such as the Web, email, file transfer protocol and file sharing. Security policies identify broad, sweeping concepts such as who has access to different bodies of data or functionality, the type or level of access (admin or basic user) and the protocol for changing passwords, among other concepts. Security policies also address narrow concepts such as how many characters are in a password and how often passwords should change. As the environment in which information systems exist is constantly changing, security policies must evolve over time.

Security is implemented to protect against threats. Threats range from physical, such as someone stealing a server or the server being damaged in a fire, to logical, where a server or application comes under a programmatic assault. Other types of threats include unauthorized access (hacker), disclosure of private information (privacy compromise), and denial of service, to name a few. A balance must be struck between the implementation of security and the perceived likelihood of a threat materializing. Once attacked by outsiders, many victims say something akin to "why us?" The response from security pundits is "why not?" Just like a burglar who is looking for an easy house to target, hackers look for unprotected, or improperly protected, systems.

A recent example involves organizations using Microsoft's Internet Information Server (IIS), which is the target of many hacker attacks. Flaws in that web server software's security are so severe that a premier and widely respected research firm, the Gartner Group, warned companies not to use it. The FBI announced that it was the easiest web server to compromise. Organizations should take glaring, obvious warning signs like these into account when they consider their security policies and act accordingly.

Once one identifies the threats, the next step is to implement mechanisms for preventing the threat from materializing. A typical solution to incident prevention is the correct installation and use of a firewall. A firewall establishes an electronic barrier between your system and the outside world and carries with it certain protocols for permitting certain types of communication to occur while barring other types. Intrusion detection systems are another incident prevention measure; they notify system administrators that the system is under assault and can react to prevent further penetration. Other incident prevention measures include installing up-to-date software patches, security scanners, anti-virus software, audit trails, data encryption, secure backups, and security testing and audits. Remember, information security is constantly evolving, and testing your security measures on a regular basis is important.

Despite all of these measures, systems can still become compromised. How will your organization respond? As part of a security policy, one should consider how to assess and contain the different types of threats. One can address a password sharing violation by changing passwords and checking the audit trails for all uses of the compromised password. In the case of a penetration through a security hole in a web server that resulted in a worm being inserted into the server, an eradication process must ensue. Once the threat has been eradicated, organizations will proceed with identifying data or processes that may need to be recovered. Finally, conducting a post-mortem to identify how the threat materialized and making modifications to the security policy and system will help reduce the likelihood of a repeat occurrence.
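The audit-trail step described above, worked through as an added example (not code from the original column): given a constructed audit trail and the name of an account whose password is known to have been shared, the functions list every use of the account, the distinct source hosts that used it (more than one is the sign of sharing), and the data it touched, which is the starting list for the recovery step. The log format and host names are assumptions made for the example.

```python
import re

# Constructed sample audit trail for this example (not from the article).
# Each line: timestamp, user, event, optional path, source host.
AUDIT_TRAIL = """\
2002-03-01T08:02:11 user=jsmith event=login src=10.0.1.15
2002-03-01T08:05:42 user=jsmith event=read path=/hr/salaries.xls src=10.0.1.15
2002-03-01T09:17:03 user=jsmith event=login src=10.0.7.201
2002-03-01T09:18:30 user=jsmith event=read path=/finance/q4.xls src=10.0.7.201
2002-03-01T10:40:00 user=mlee event=login src=10.0.1.22
2002-03-01T12:01:55 user=jsmith event=login src=10.0.1.15
"""

# Assumed line layout; the path field is only present on file access events.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)"
    r"(?: path=(?P<path>\S+))? src=(?P<src>\S+)$"
)


def parse_audit(text):
    """Parse audit lines into dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def uses_of_account(events, user):
    """Every event recorded under the compromised account, in trail order."""
    return [e for e in events if e["user"] == user]


def sources_for_account(events, user):
    """Distinct source hosts that used the account; more than one suggests sharing."""
    return sorted({e["src"] for e in uses_of_account(events, user)})


def data_touched(events, user):
    """Paths accessed under the account: the candidates for recovery and review."""
    return sorted({e["path"] for e in uses_of_account(events, user) if e["path"]})


if __name__ == "__main__":
    evts = parse_audit(AUDIT_TRAIL)
    print("uses:", len(uses_of_account(evts, "jsmith")))
    print("hosts:", sources_for_account(evts, "jsmith"))
    print("data:", data_touched(evts, "jsmith"))
```

In the sample trail the account appears from two hosts, so after the password is changed, both hosts and the two files read under the account go on the review list.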

Information systems are built to be interactive and, as such, there is a certain amount of risk that one tacitly agrees to accept. Managing threats with a security policy and balancing the need for information sharing with security is the responsibility of seasoned security experts and should not be left to newly certified systems administrators. In fact, working with a third-party security firm can provide an organization with an entirely different perspective on its information security, as the outside analyst is not burdened with the groupthink that can unknowingly plague system administrators who take great pride in their systems and know-how. Regardless of whether it is handled internally or externally, maintaining information security is the responsibility of every person in your organization, and a security policy is the first place to start when securing your information.

Jeff Pasternack is the president of Dynamic Consulting Group, a franchise partner of 1-800-GOT-JUNK? and author of the TechnoPeasant Review.
If you have questions or comments about this column, please write to him at Jeff@TheDCG.com.