The Role of Technology
Only with a clear articulation of INFOSEC policy can intelligent decisions about specific technology be made. Without such a policy definition, questions like whether something is “secure enough” cannot be answered, since each individual's notion of what constitutes an appropriate balance of risk and benefit will differ. This is a common problem in organizations today, and the end result is that large amounts of money are spent in the name of security with remarkably little to show for the expenditure. At the same time, the best intentions of technical staff are frequently overrun by a manager's arbitrary decision about how much risk the organization is willing to accept. So while the technologists and management spend their time frustrating each other, the information critical to the organization's operation remains at risk.
Technology, through its design and configuration, expresses policy. While it is inappropriate for non-technical managers to decide whether particular protocols may be allowed between their sensitive networks and untrusted networks, those same managers must provide the higher-level framework that defines operational and risk management requirements. Technical staff who understand this framework can then implement the organization's policy successfully.
No amount of spending will secure an organization whose policy is fundamentally flawed. No amount of policy will secure an organization where the policy is not effectively implemented. Cookies and milk are more easily separated than policy and technology.
Thus, INFOSEC can be described as “saying what you do, and doing what you say.” Following this simple maxim is the real goal of information security. INFOSEC, however, is not an end in itself. Rather, it is part of a larger framework governing how information is to be collected and managed: the processes that define a business operation.