The justification and role of a security information system hinges on simple terms when coupled with some basic assumptions:

1. Assumption. Security information, such as security policies and technical control documentation, is a necessary and integral component of an information security program.
2. Assumption. Security information comes in various forms, from various sources, and at various levels of detail. It is increasing in both volume and detail. Therefore, it is difficult to manage.
3. Assumption. Security information must be accessible to the entire enterprise at some level.

(Security information is necessary) + (Information is difficult to manage) + (Information must be communicated) = Need for information system

When the need is confirmed, the initiation of a project to develop and deploy an information system is the next step. The main challenge then is to design and deploy a solution that is fitting for the organization. Some organizations may require a sophisticated mechanism to support the security process. Other organizations may be able to put into place a simpler system. This all depends on the definition of the necessary inputs and outputs of the system.