The four objectives of information security are confidentiality, integrity, availability, and nonrepudiation. Confidentiality is making sure that unauthorized people can't read your sensitive data. Integrity makes sure that unauthorized people can't change your data. Availability means that your computers and data are available when you need them. Finally, nonrepudiation means that you can form a binding contract between parties over a computer link that can't be denied (repudiated) by either party.
A good security officer will endeavor to work with business unit managers to determine security requirements that mesh effectively with business objectives. Policy is created from these requirements and a classification of mission-critical data within the organization. Policy drives implementation, including technology, process, and procedures, to create an effective information security program.
Enforcement technologies include access control, identification, authentication, firewalls, PKI, SSL, SSO, and VPNs. Operations technology includes secure user administration, intrusion detection, vulnerability scanners, and virus controls. Security services include risk assessment, architecture, configuration, deployment, response, and forensics.
Technology is not the most important aspect of computer security, and outside hackers are not as much of a threat as internal misuse. Security is a process, not a destination. Security is relative and effective only when it is balanced with business requirements, cost, and risk mitigation.