The dollars spent for security measures to control or contain losses should never be more than the projected dollar loss if something adverse happened to the information resource. Cost-effective security results when the reduction in risk achieved through implementation of safeguards is balanced with costs. The greater the value of information processed, or the more severe the consequences if something happens to it, the greater the need for control measures to protect it. The person who can best determine the value or importance of data is the functional manager who is responsible for the data. For example, the manager responsible for the company's budget program is the one who should establish requirements for the protection of the automated data which supports the program. This manager knows better than anyone else in the organization what the impact will be if the data is inaccurate or unavailable. Additionally, this manager usually is the supervisor of most of the users of the data.
It is important that these trade-offs of cost versus risk reduction be explicitly considered, and that management understand the degree of risk remaining after selected controls are implemented.
With ever-increasing demands for timely information and greater volumes of information being processed, the threat of information system disruption is a very serious one. In some cases, interruptions of only a few hours are unacceptable. The impact due to inability to process data should be assessed, and actions should be taken to assure availability of those systems considered essential to agency operation. Functional management must identify critical computer applications and develop contingency plans so that the probability of loss of data processing and telecommunications support is minimized.
Integrity of information means you can trust the data and the processes that manipulate it. Not only does this mean that errors and omissions are minimized, but also that the information system is protected from deliberate actions to wrongfully change the data. Information can be said to have integrity when it corresponds to the expectations and assumptions of the users.
Confidentiality of sensitive data is often, but not always, a requirement of company systems. Privacy requirements for personal information are dictated by statute, while confidentiality of other company information is determined by the nature of that information, e.g., information submitted by the company to its resellers. The impact of wrongful disclosure must be considered in understanding confidentiality requirements.