Organizational Information Security

A July 2000 SANS white paper titled “Organizational Information Security From Scratch – A Guarantee For Doing It Right” by Patrick Jones, discusses a comprehensible – and verifiable – approach towards information security management.

1. Organization Infrastructure

  • Information Security Policies – These are written policies, providing management direction and support for information security-related activities.
    They are available to all employees.
  • Security Organization – Responsibilities for the management of security processes are
    defined and assigned.
  • Asset Classification and Control – Enterprise informational assets are defined and the required level of control for each has been identified. Safeguards are in place, ensuring that all informational assets receive the appropriate level of protection.

2. Techincal Infrastructure

  • Computer and Network Management – Security procedures are incorporated into routine computer and network operations to maintain the integrity and availability of information processing and communication.
  • Physical and Environmental Security – Physical and environmental protections for IT assets are in place.
  • System Access Control – Controls protecting against unauthorized access are in place for both administrators and users.
  • Systems Development and Maintenance – Security checks and balances are built into application and systems development/maintenance procedures.

3. Information Protection

  • Personal Security – Users are aware of information security threats and concerns, and they are trained and equipped to support corporate security policies.
  • Business Continuity Planning – Business continuity plans are in place across the enterprise to counteract interruptions to critical business activities and processes from the effects of major failures or disasters.
  • Information Security Policy Compliance – Reviews are performed to ensure ongoing compliance with security policies and to avoid breaches of any criminal or civil law, and of any statutory, regulatory or contractual obligations.


Although the white paper was published in 2000, organizations can still use this as a guide to create or build on their Information Security management programs.


Jones, P. (July 2000). Organizational Information Security From Scratch – A Guarantee For Doing It Right. Retrieved from