The information age went international in the 1980s, but a series of corresponding security weaknesses came with it. For example, electronic mail is widely used in today's daily life and business, yet a virus on one computer connected to many others in a honeycomb arrangement may spread to any of them, since the extent of their interconnection is usually unknown (Shain, 1996). Information security is therefore increasingly required to play a vital role in networks.
As Shain (1996) points out, security is a wide concept and a separate subject with its own theories, "which focus on the process of attack and on preventing, detecting and recovering from attacks". These processes should be well organized when coping with complex system issues. A coherent approach should be taken, one that builds on established security standards, procedures and documentation. In practice, "the activities of the IT security function are varying in accordance with the criteria of size and sector" (Osborne, 1998).
There are a number of core activities, including:
- Standards, procedures and documentation.
- IT security policy creation and maintenance.
- Maintenance of capability.
- Risk assessment.
- Education and awareness.
Firstly, "The most widely recognized security standard is ISO 17799" (Information Security Policy World, 2001). ISO 17799 contains a comprehensive analysis of security problems, followed by a large number of control requirements, although some of these seem quite difficult to put into practice. ISO 17799 covers different topics in its ten major sections. Next, two of the more important topics will be emphasized: policy and system maintenance. The IT security policy, like other policies of organizations or governments, provides a guideline for action. A security policy helps companies to achieve success in three ways (Dorey, 1996).
Most importantly, security requirements...