Information Systems Security Strategy: A Process View

Abstract

This chapter adopts a process view of information security strategy. That is, it is centrally concerned with how to "make" strategy; this extends the concern about what strategy "is." From a process viewpoint, information security strategy involves one or more strategy-setting processes. Such processes require an assessment of the goals for organizational information security. Examples include compliance with regulatory requirements, national and international standards, and professional practices. The strategy-setting process may be organized using a product criterion or a process criterion. A product criterion would organize the strategy-setting process by grouping activities according to the end products of the process. The products of strategy setting include statements of vision, core values, rationale, and strategic plans such as the security organization structure, security operations, and security budgeting strategy. A process criterion would organize the strategy-setting process by grouping activities according to major components, such as the alignment of security with organizational strategy, the planning of operational strategies, and the planning of security organizations. This chapter elaborates not just security goals, but the goal assessment process; not just the security criteria, but the criterion organizing processes; and not just the products of the strategic processes, but the strategy-setting processes themselves.