II. DEVELOPMENT OF SECURITY PROGRAM

A corporation needs a general security policy. The policy must be developed and supported by management at all levels of the organization, from the highest level to employees at the operational levels. Critical elements for the development process of a corporate security plan, as for any other planning process, include defining objectives, defining policies in support of those objectives, and devising plans to implement the policies. (Responsibility for defining objectives and policies rests at the highest level, with senior management and the board of directors; lower levels of management devise plans and implementation strategies.) People at all levels must be aware of their individual responsibilities.

  1. Objectives: Three activities are recommended as a basis of the general security policy:
    • Identify sensitive systems and data;
    • Create plans for ensuring security and control of such systems;
    • Develop and implement personnel training programs.
    The most compelling argument in support of security management from the corporation’s standpoint is that confidential data may give a competitive advantage. That advantage may be lost if controls break down, with the consequent possibility of the firm’s demise if legal requirements have been violated materially.

    Each corporation has its own strategic imperatives; objectives for a corporate security plan will follow, combined with the guidance offered by applicable legislation.

  2. Policies: The board of directors and senior management of a corporation must set strategic objectives for the management of corporate security; policies to guide implementation are also a senior level responsibility. Specific examples of policies change from company to company, but most include statements like, “This firm is committed to ethical and professional behavior.” One model for corporate policies is found in the Data Processing Management Association’s Model Corporate Security policy; other models are available in various texts including or.
  3. Connectivity, corporate structure, and security.
    1. Connectivity defined: The major thrusts of computer development in the past forty years have been the growing ease of use and growing interconnection of systems. Today, major manufacturers market computers that use compatible operating systems, from microcomputers to mainframes (UNIX or DOS). Postscript is a language accepted by an ever-increasing number of laser printers and by almost all new typesetting machines; it is becoming a standard language for describing marks on paper. Word processors are available that accept files from IBM-compatible machines into Macintosh computers and vice versa. Networks may span continents, or simply connect rooms.
    2. Connectivity means more than compatible operating systems, compatible languages, and communications; in a holistic sense, computers simply become more pervasive and easier to use. Like a telephone network, the utility is used with the user unaware of the details of its pieces, such as DOS or, in the case of long-distance telephone, satellite protocols.
    3. Effect on Corporate Structure: Connectivity makes a physically and/or organizationally decentralized form of corporate structure much easier to support. Connecting computers accommodates moving decision making as close as possible to the point where workers actually accomplish things. There are many reasons a decentralized structure may be chosen (see any text on organization structure for examples); connectivity makes it simple.
    4. Security considerations: When planning the basic structure of the organization, the board of directors and senior management should be aware that there are security risks involved in moving to greater connectivity. One may purchase a personal computer, write one’s own software for everything desired, and never communicate with another system; this computer is almost totally immune to things like computer viruses. Connectivity brings a set of exposures: communications exposures, and exposures caused by using programs created in an unsecured environment in a formerly secure environment.
    5. The details of the exposures are covered in other available modules (Database System Security, Communications Security, Systems Security). In the context of corporate security management one must recognize that increased connectivity implies increased exposure.

  4. Plans: Plans to implement security policies depend on the level of management involved. Operations management may be concerned with subjects like physical access to a computer room; user department management may be concerned with correct use of application systems; human resources management may be concerned with proper training programs and career path counseling, and so on. Items which must be included in any effective set of security plans include:
    • Access Controls: identify and authenticate users to protect against computer crime;
    • Data Security Programs: base data security programs on the fact that a corporation depends on its computer system;
    • Data Labeling: safeguard sensitive data to the degree of control necessary for defined protection;
    • Human Resources Planning: hire properly qualified people and ensure good employee-management relations and effective training programs;
    • Contingency Plan: plan for problem avoidance and recovery;
    • Legal Responsibilities: understand and provide for legal requirements.

    More material about the elements of these plans is available in several references.

  5. Responsibilities:

    Senior Management and Board of Directors define corporate security objectives, define policies to achieve these objectives, and ensure that mechanisms for communicating those policies are in place. This may include tying both compensation and promotion of managers to success in meeting the corporate security objectives.

    Middle Management (e.g., Human Resources Manager, DP Manager, Plant Management) defines staff procedures to ensure proper policy implementation;

    Employees are responsible for ensuring that elements under their control are carried out according to policy and procedures to maintain effective control and security.