ABSTRACT
Important to the proper implementation of a security strategy within an organization is its alignment with
that organization’s business objectives. Performing security activities for technology’s sake does nothing
to protect, or assure, those components that fall outside the purview of technical security. At a high level,
people, processes, facilities, and, arguably, data typically fall outside of technical security inspection. It is
clear that security, as a process itself, must consider these inputs in order to provide a comprehensive
view of protection for the organization. Equally important to achieving a balanced security program is
the understanding that an organization will not protect all of its assets equally; that is, aspects of the
organization necessary to the continued fulfillment of the organization’s business goals must take
precedence over those activities or inputs that are not essential to the organization’s survival. This notion
is crucial to the concept of controls within the organization; resources used to protect the environment
should first be allocated to those aspects of the organization that are essential for the continued operation
of the business. The organization may also decide to protect aspects of the business that are not
critical to continued operation; however, it is customary for organizations to allocate fewer resources to
accomplish this objective. This scenario concurs with the industry view that critical assets and functions
require greater protection than noncritical assets and functions.