Er show
This chapter discusses security policies in the context of requirements for information security and the circumstances in which those requirements must be met, examines common principles of management control, and reviews typical system vulnerabilities, in order to motivate consideration of the specific sorts of security mechanisms that can be built into computer systems (to complement nontechnical management controls and thus implement policy) and to stress the significance of establishing GSSP. Additional information on privacy issues and detailing the results of an informal survey of commercial security officers is provided in the two chapter appendixes.

Organizations and people that use computers can describe their needs for information security and trust in systems in terms of three major requirements:

Confidentiality: controlling who gets to read information;
Integrity: assuring that information and programs are changed only in a specified and authorized manner; and
Availability: assuring that authorized users have continued access to information and resources.

These three requirements may be emphasized differently in various applications. For a national defense system, the chief concern may be ensuring the confidentiality of classified information, whereas a funds transfer system may require strong integrity controls. The requirements for applications that are connected to external systems will differ from those for applications without such interconnection. Thus the specific requirements and controls for information security can vary.

The framework within which an organization strives to meet its needs for information security is codified as security policy. A security policy is a concise statement, by those responsible for a system (e.g., senior management), of information values, protection responsibilities, and organizational commitment. One can implement that policy by taking specific actions guided by management control principles and utilizing specific security standards, procedures, and mechanisms. Conversely, the selection of standards, procedures, and mechanisms should be guided by policy to be most effective.

To be useful, a security policy must not only state the security need (e.g., for confidentiality, that data shall be disclosed only to authorized individuals), but also address the range of circumstances under which that need must be met and the associated operating standards. Without this second part, a security policy is so general as to be useless (although the second part may be realized through procedures and standards set to implement the policy). In any particular circumstance, some threats are more probable than others, and a prudent policy setter must assess the threats, assign a level of concern to each, and state a policy in terms of which threats are to be resisted. For example, until recently most policies for security did not require that security needs be met in the face of a virus attack, because that form of attack was uncommon and not widely understood. As viruses have escalated from a hypothetical to a commonplace threat, it has become necessary to rethink such policies in regard to methods of distribution and acquisition of software. Implicit in this process is management's choice of a level of residual risk that it will live with, a level that varies among organizations.

Management controls are the mechanisms and techniques (administrative, procedural, and technical) that are instituted to implement a security policy. Some management controls are explicitly concerned with protecting information and information systems, but the concept of management controls includes much more than a computer's specific role in enforcing security. Note that management controls not only are used by managers, but also may be exercised by users. An effective program of management controls is needed to cover all aspects of information security, including physical security, classification of information, the means of recovering from breaches of security, and above all training to instill awareness and acceptance by people. For example, if technical controls are not available, then procedural controls might be used until a technical solution is found.

Technical measures alone cannot prevent violations of the trust people place in individuals, violations that have been the source of much of the computer security problem in industry to date (see Chapter 6). Technical measures may prevent people from doing unauthorized things but cannot prevent them from doing things that their job functions entitle them to do. Thus, to prevent violations of trust rather than just repair the damage that results, one must depend primarily on human awareness of what other human beings in an organization are doing. But even a technically sound system with informed and watchful management and users cannot be free of all possible vulnerabilities.