Information security

The security of information should be understood as the provision of confidentiality, accessibility, integrity, authenticity, and accountability of information (A. Białas 2007, p. 34). Within a modern organisation it is often misunderstood as the domain of computer specialists who install hardware and software. Companies and offices invest in firewalls, anti-virus software, data encryption systems, etc., and top management is therefore convinced that the level of security is high.

The basic criteria for assessing technical security controls are their cost and the time needed to break them. It is impossible to develop a system that will be fully secure (R. Anderson 2005). The majority of technical security controls may be bypassed if there are no organisational security controls in place. Companies and offices are not able to cope with the implementation of such controls. Research has shown that over 50% of employees who have been fired or leave copy and take away classified data.
 


References:



  • Anderson R., Security engineering: a guide to building dependable distributed systems, John Wiley & Sons, 2001
  • Białas A., Bezpieczeństwo informacji i usług w nowoczesnej instytucji i firmie, WNT, Warszawa 2008