Abstract
Management is often dissatisfied with the performance of many information
security efforts. After investment of considerable resources, and prolonged
waiting for results, many efforts can demonstrate little if any significant
improvement. This is largely due to a lack of planning. Many efforts lack
explicitly articulated plans as well as specific performance milestones.
Although many are loath to admit it, information security efforts at many
organizations lack formal planning and performance monitoring.
This article examines why information security efforts are often
ineffective and why more formal planning efforts can alleviate this condition.
It discusses the tools best used to prepare an action plan for information security
and gives some tips on how to sell such a plan to management. Also discussed
are organizational design, policies, standards, and guidelines and other
elements of a foundation that is required if an effective information
security planning process is to be sustained. The article dwells on the
establishment of a context for effective information security planning.