Amir Ameri (2004) suggests that information security relies upon five fundamentals, which Ameri refers to as pillars: protection, detection, reaction, documentation, and prevention. The modern organization must balance the information security risks against the costs to the business. The perfectly secure information system is neither affordable nor usable. When faced with scarce resources, in this case a fixed budget, the implementation of Ameri’s five pillars must be undertaken in a prioritized and phased approach that aligns with the cost constraints imposed by the business.
Ameri defines the protection pillar to include the definition and valuation of the information security risks. As Ameri states, “In this regard, the protection pillar is one of the first and most crucial for information security.” (Ameri, 2004) For this reason, the protection pillar, including the implementation of a standardized method for evaluating and assessing information security risks, will be the highest priority and the first phase of our company’s efforts.
The prevention, reaction, and documentation pillars all share a similar grounding in behaviors and company culture. Collectively, these three pillars represent information security practices focused on continuous improvement, learning from our own and others’ incidents, and the capture of knowledge and best practices. Developing these pillars within our company can be accomplished at relatively low cost by instilling a culture of continuous improvement and encouraging behaviors focused on documenting new information security knowledge and adapting processes and procedures. In addition, approaching these pillars from a cultural and behavioral standpoint instills a security-aware culture, which also makes the organization more resilient against social engineering attacks. For these reasons, the prevention, reaction, and documentation pillars share a medium priority and will be phase two of our company’s efforts.
The fifth and final pillar described by Ameri (2004) is detection. Of all the pillars, detection requires the most immediate costs. Detection of viruses, spyware, worms, and the many other types of information security threats invariably implies investment in anti-virus, anti-spyware, and intrusion detection systems. While there are low-cost, even free, options for these systems, there are significant training and implementation costs even when using free and open source solutions. In addition, although detection is important, existing solutions are not effective at stopping social engineering. For these reasons, detection will be the lowest priority and the final phase of our company’s information security strategy.
The five pillars of information security, as described by Ameri (2004), provide businesses a means for evaluating their information security strategies. By implementing Ameri’s pillars in a phased, prioritized approach, organizations can balance information security against cost constraints.
Ameri, A. (2004). The five pillars of information security. Risk Management, 51(7), 48. Retrieved from http://proquest.umi.com.library.capella.edu/pqdweb?did=657612531&Fmt=7&clientId=62763&RQT=309&VName=PQD