Mindful Administration of IS Security Policies

Managers of information systems have ethical, moral and legal obligations to protect their organization’s intellectual property. They often look to frameworks such as the Control Objectives for Information and related Technology (CobIT) to guide them to what data needs to be secured or standards such as the ISO/IEC 27000 series to provide best practices regarding their policies on how to safeguard this information. However, these policies are either vague in the details or not fluid and flexible enough to account for the unexpected security events that may render them obsolete. For example, Google recently released an online suite of applications that would allow an organization’s employees to collaborate on items of intellectual capital stored on Google’s servers outside the control of the organization’s information technology (IT) department. Additionally, new techniques have been discovered to break the encryption of data that was previously thought to be lost when the device containing it was powered off. While these events certainly have utility to practitioners, they also pose new threats to the security of intellectual capital created and stored on IT artifacts. This paper advocates mindfulness (Weick and Sutcliffe, 2001) as a necessary component of choosing and adapting security policies to better predict the unexpected security threats that may come as a result of technological change, environmental forces, or organizational use of IT.