Security management
Security management encompasses the strategies, procedures, and tools employed to safeguard an organization's valuable resources, which include not only financial assets and materials but also sensitive information such as personal identification and intellectual property. A fundamental aspect of security management is the identification and cataloging of these resources, which facilitates the development of effective protection policies and procedures. Once assets are well-documented, security professionals assess potential risks and threats, both external, such as criminal activities like hacking or breaking and entering, and internal, including employee misconduct.
To mitigate risks, security management employs a multifaceted approach that can involve physical security measures, digital protections, and strict access control protocols. For example, utilizing locks, passwords, and biometric sensors can help restrict access to authorized personnel. Additionally, tracking the flow of assets and information is crucial for identifying who has access and when, allowing for accountability and the detection of any unauthorized actions. As organizations face evolving security challenges, the importance of effective security management will continue to grow, with advancements in technology such as digital encryption and biometrics expected to enhance protective measures in the future.
Security management
Security management is the sum of all processes, procedures, and tools used to identify, evaluate, and mitigate threats to the safety and security of an organization’s resources. Those resources include money and material items of value, as well as information such as personal identification, software, hardware, access codes, data, or intellectual property. Since a wide array of resources may be involved in security management planning, a key first step is identifying the resources and maintaining records that note key pieces of data, such as where each resource is kept and who has access to it. Documentation is instrumental in providing a basis for the next step: designing procedures and policies to protect those resources.
![Risk Assessment Methodology Flowchart. By Gary Stoneburner [Public domain], via Wikimedia Commons](https://imageserver.ebscohost.com/img/embimages/ers/sp/embedded/90558447-88979.jpg?ephost1=dGJyMNHX8kSepq84xNvgOLCmsE2epq5Srqa4SK6WxWXS)
Overview
When all assets have been identified and cataloged, the next step of security management is to identify and assess the risks, or security threats, each asset faces. Those in charge of risk assessment determine who would potentially seek to compromise each asset and what methods they could use. This data is key to deciding the best strategies for protecting each asset. It is also vital to evaluate the impact of the loss if the asset were successfully taken from the organization and to create an incident response plan. Assets that are of significant value require a higher level of protection. Methods employed may include physical means (controlled access systems, surveillance cameras), digital means (network firewalls, data encryption, password policies, regular system updates), and personnel policies (background checks, employee security protocol training). In many cases, all these tools work together to protect an organization’s information, financial, and material resources from threat.
Some threats are external. One clear example is a criminal seeking to obtain the organization’s assets by physical means, such as breaking and entering, or other means, such as hacking into a company’s computer system. Security management professionals seek to guard against external threats by taking measures to ensure that access is limited to authorized personnel. This can be accomplished with locks, passwords, and even biometric sensors.
Internal threats also exist, and the same security management team must develop ways to guard against them. This can be more difficult since employees within an organization already have some degree of access to resources. For example, an employee with a key to a storeroom might take some of the supplies there for personal purposes, or someone with their own passcode to the company computer system might take valuable information and sell it. Companies should ensure that their policies and any necessary nondisclosure agreements concerning access control, data handling, employee behavior, and intellectual property are clear, legally sufficient, and signed by every employee.
Correspondingly, an aspect of security management is tracing the flow of information and physical assets. This allows those in charge to know who has access to what and at what times, allowing tracking of missing materials or compromised information. Tracking is done by investigating access. For example, if a storeroom has a physical lock and all employees have the same key to it, it would be difficult to conclude which employee went in at the time items disappeared. However, if electronic cards with codes specific to each person are required, the time and duration of access would be recorded and could be used in the event of malfeasance.
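The per-person card records described above can answer the question of who was in the storeroom when items went missing. The following Python example is added here and is not part of the original article; the log format, card IDs, door name, and function names are assumptions constructed for illustration.

```python
from datetime import datetime

# Constructed sample records: ISO timestamp, card ID, door, event.
SAMPLE_LOG = """\
2024-03-04T08:55:10 CARD-0017 storeroom IN
2024-03-04T09:05:42 CARD-0017 storeroom OUT
2024-03-04T10:12:03 CARD-0042 storeroom IN
2024-03-04T10:40:00 CARD-0008 storeroom IN
2024-03-04T10:47:30 CARD-0042 storeroom OUT
2024-03-04T11:20:15 CARD-0023 storeroom IN
2024-03-04T11:31:00 CARD-0023 storeroom OUT
2024-03-04T11:45:00 CARD-0031 storeroom OUT
"""

def parse_log(text):
    """Yield (timestamp, card, door, event) from whitespace-separated lines."""
    for line in text.splitlines():
        if line.strip():
            ts, card, door, event = line.split()
            yield datetime.fromisoformat(ts), card, door, event

def build_sessions(events, door):
    """Pair IN/OUT events per card. Returns (sessions, anomalies)."""
    open_in, sessions, anomalies = {}, [], []
    for ts, card, d, event in sorted(events):
        if d != door:
            continue
        if event == "IN":
            if card in open_in:  # second IN without an OUT: keep earlier start
                anomalies.append((card, ts, "IN while already inside"))
            else:
                open_in[card] = ts
        elif card in open_in:
            sessions.append((card, open_in.pop(card), ts))
        else:  # OUT with no IN: the holder entered without badging
            anomalies.append((card, ts, "OUT without IN"))
    # Cards that never badged out have an unknown end time (None).
    sessions += [(card, start, None) for card, start in open_in.items()]
    return sessions, anomalies

def present_during(sessions, start, end):
    """Cards whose recorded visit overlaps the window [start, end]."""
    return sorted({card for card, s, e in sessions
                   if s <= end and (e is None or e >= start)})
```

A visit with no recorded exit is treated as possibly still in progress, so that card stays on the list for any later window, and an exit with no matching entry is reported as an anomaly because it means the log does not cover every entry.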
Security management, particularly cybersecurity, continues to play an ever-greater role in protecting assets for businesses, governments, and other organizations. As more organizations shift to a hybrid or work-from-home structure, ensuring employee computers and the company’s network are private and safe from viruses is critical. Digital encryption, biometrics, intrusion detection/prevention systems (IDS/IPS), network segmentation, and multi-factor authentication are commonly implemented to limit security breaches, which result in legal fees, lost revenue, and data recovery costs. However, in case these methods fail, incident response plans are essential, particularly in the era of ransomware attacks.