Define How Much Protection Is Required


The environment in which the organization operates can make a huge difference in what level of security is appropriate. The business environment indicates the level of threat to the organization. An organization can become a target if its customers are targets: one that caters to a famous or highly visible clientele will be of more interest to a hacker than one that does not.

Compliance with Legal Requirements

Certain industries are regulated and have specific laws that define the level of protection required for the information entrusted to a company. In the United States, the financial services and health care industries have the most regulations on the proper handling of information and on security procedures to prevent disclosure of private information. Protection of information has been the primary focus of the information security regulations.

In the wake of terrorist activities in the United States, and numerous reports detailing the country's dependency on infrastructure controlled by private industry, it is expected that these providers of critical infrastructure will be required to meet specific security requirements. These industries include communications, transportation, and energy. Cyber-attacks against these industries that cause a loss of service could be a matter of national security.

Compliance with Industry Standards

Industries that are less regulated depend on standards within the industry to set the level of protection appropriate for the information common to that industry. Professional organizations within each industry are the usual place to find information on best practices. These practices describe how the leaders and the longtime players in the industry handle the process of security. They can be used as a model or a baseline on which to build the organization's specific security environment.

Compliance with Security Policy

Each organization has unique needs that have to be addressed by policy. Most companies have defined the specific critical resources that need protecting. These will dictate the details of the security environment. The organization's existing policies and procedures must be inspected to determine the correct level of security for the organization.

Corporate culture has a large impact on the security practices which are put in place. How a company conducts itself in business transactions and with its employees will mold how its security will be implemented.



Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
EAN: 2147483647
Year: 2002
Pages: 210
