Viewing Security Management as a Business Practice, Part 2: Lessons Learned in a Small Nonprofit Organization
A regional professional society with a staff of 80 people provides professional and educational opportunities for people living within its designated region. It also provides subscribing organizations with a variety of benefits, including access to medical plans at reduced rates. As part of its position in the region, it also collects "census" information about its member organizations, including names of corporate officers and yearly revenue information.
The chief information officer (CIO) had been employed by the society for about a year when he became interested in conducting an information-security risk evaluation. Because the society collected a wide variety of information, some of which was considered sensitive in nature, the CIO was concerned about what might happen to the organization in the event of a security breach. He proposed to the organization's management team that they conduct an evaluation. The team members endorsed the idea and made a limited set of funds available. In addition, the team suggested that conducting the evaluation should be part of the CIO's goals and objectives for the coming year, which gave the CIO added incentive to complete it. The CIO reviewed the available options and selected a version of the OCTAVE method specifically tailored for small organizations.