Introduction

IWC's information and information systems are some of IWC's most vital assets. These valuable assets must be consistently protected by all IWC employees, contracted personnel, associate companies, subcontractors, and in fact everyone who has authorized access to these assets. They must be protected regardless of the information environment (IE), whether through faxes, telephones, cellular phones, local area networks, Internet e-mails, hard copies, scanners, personal digital assistants—any device which processes, transmits, displays, or stores IWC's sensitive information. By sensitive we mean all information that has been determined to require protection. That determination is based on basic, common business sense—for example, a marketing plan for next year's product must be protected, and it doesn't take a risk assessment to determine that—as well as the use of risk management techniques. Some information must also be protected because there are laws that make that information protection a requirement—for example, private information about employees.

In order to provide that consistent protection, those individuals who have authorized access to the information and information systems must therefore do the following:

• Be provided with guidance;

• Understand how to apply information asset protection;

• Understand why such information asset protection is required; and

• Understand IWC policy regarding that protection.

IWC's executive management had decided that a policy document was needed. So, the IWC ISSO was hired primarily to fulfill that requirement as stated in the IWC plans, such as the IWC Strategic Business Plan.