Gunnar Peterson has a brief post up on the two most important rules in information security:

1) Protect your assets
2) See rule 1

I would like to add a rule 0 to that:

0) Do not store what you do not use

I know this is just about perpendicular to the data warehousing approach that many organizations are taking, but face it: if you don't have it, you don't have to secure it.

Having said this, it is ignorant to assume that protection equals prevention, and any organization should also plan for failure in addition to protecting its essential assets.

PS: I am not accusing Gunnar Peterson of being ignorant :-) Unlike many others, he seems to include prevention in protection.