next up previous
Next: 2.2.4 Control decisions Up: 2.2 Local Computing Environment Previous: 2.2.2 The risks

2.2.3 The goals

* Achieve cost-effective security

The dollars spent for security measures to control or contain losses should never be more than the projected dollar loss if something adverse happened to the information resource. Cost-effective security results when reduction in risk through implementation of safeguards is balanced with costs. The greater the value of information processed, or the more severe the consequences if something happens to it, the greater the need for control measures to protect it. The person who can best determine the value or importance of data is the functional manager who is responsible for the data. For example, the manager responsible for the company's budget program is the one who should establish requirements for the protection of the automated data which supports the program. This manager knows better than anyone else in the organization what the impact will be if the data is inaccurate or unavailable. Additionally, this manager usually is the supervisor of most of the users of the data.

It is important that these trade-offs of cost versus risk reduction be explicitly considered, and that management understand the degree of risk remaining after selected controls are implemented.

* Assure operational continuity

With ever-increasing demands for timely information and greater volumes of information being processed, the threat of information system disruption is a very serious one. In some cases, interruptions of only a few hours are unacceptable. The impact due to inability to process data should be assessed, and actions should be taken to assure availability of those systems considered essential to agency operation. Functional management must identify critical computer applications and develop contingency plans so that the probability of loss of data processing and telecommunications support is minimized.

* Maintain integrity

Integrity of information means you can trust the data and the processes that manipulate it. Not only does this mean that errors and omissions are minimized, but also that the information system is protected from deliberate actions to wrongfully change the data. Information can be said to have integrity when it corresponds to the expectations and assumptions of the users.

* Assure confidentiality

Confidentiality of sensitive data is often, but not always, a requirement of company systems. Privacy requirements for personal information is dictated by statute, while confidentiality of other company information is determined by the nature of that information, e.g., information submitted by the company to its resellers. The impact of wrongful disclosure must be considered in understanding confidentiality requirements.


next up previous
Next: 2.2.4 Control decisions Up: 2.2 Local Computing Environment Previous: 2.2.2 The risks
Denis Arnaud
12/19/1997