Article | REF: H5120 V2

Information Security - Structuring and implementation

Author: Nicolas DUFOUR

Publication date: July 10, 2025


Overview

ABSTRACT

What do we mean by information systems security, for what purposes and with what organization?

This article details the key principles of information systems security, and discusses how to organize such systems, in an increasingly regulated context and in the face of ever-greater exposure to data-related risks. Governance, organizational, human and technical resources are detailed in the article, along with a number of illustrations.


AUTHOR

  • Nicolas DUFOUR: Doctor of Management, Associate Professor, CNAM LIRSA

INTRODUCTION

The organization of ISS (Information Systems Security) can be viewed from a number of complementary angles. It is not only a question of risk governance, but also of a set of organizational and technical measures and resources, organized around the security objectives an organization has set for itself.

"Organizing information systems security is always a balancing act between security objectives on the one hand, and user experience on the other, both of which are constrained by resources, but also by time. One of the difficulties we face is to avoid falling into a security trap that would drastically reduce performance, or falling into the other trap, which would lead us to neglect security for the sake of efficiency and purely financial or commercial effectiveness. We have to constantly oscillate between safety first and business first, and both issues have their non-negotiable practices, i.e. the limits of risk that must not be crossed in the case of safety, and the need to take operational needs into account in the other case, and that's what we have to try to organize...", explained an information systems security manager from an industrial group interviewed in 2024.

Organizing information systems security involves a number of challenges, the first of which is defining the broad outlines and principles to be respected within an organization.

These can take the form of a few essential principles, the most important of which is undoubtedly never to forget that security is first and foremost a matter for the actors in the system. But stating principles is not enough: we also need to spell out, in organizational terms, what is at stake when they are not respected, for example loss of reputation, degradation of service quality caused by an IS interruption, the associated financial losses, or regulatory sanctions for non-compliance with Article 32 of the GDPR (General Data Protection Regulation, RGPD in French), which requires the security of personal data processing.

ISS must also be viewed from the point of view of the link between technology and organization, because technical resources and security measures are not an end in themselves but serve security objectives defined within a dedicated ICT risk management framework. It is up to the company to define its priorities for dealing with ICT/digital risks, and to decide how detection, prevention and response resources are allocated to the priority risks. By way of illustration, when faced with the risk of external intrusion, sometimes referred to as a cyber attack, the resources deployed will combine technical and organizational solutions with measures that address the human factor.

Technical solutions may include the installation of the latest generation of anti-virus software (EDR), the installation of...


KEYWORDS

governance   |   risk   |   information security   |   security policy   |   ISS
