Chapter 19. Preparation


The quality of any project is built upon the quality of its preparation. For computer systems, preparation is the definition of the function of that system. It must include what services the system will provide and what software will be used to provide those services. It will define what communications to other systems are required, who the users are, and what data will be contained or manipulated.


Define What Needs Protection

An organization's assets are those things that add value to the organization or whose loss would remove value from the organization. Information resources are those resources that either store information, transport information, create information, use information, or are information.

One must adequately identify the organization's resources that are to be protected to appropriately evaluate risks and apply proper security measures.

The following types of losses are commonplace:

  • Denial of service is the loss of availability and is the most visible of all losses. The loss of availability is immediately apparent to any entity that needs access and is unable to get access. Availability is often considered the most important attribute in service-oriented businesses that depend on information (e.g., airline schedules and online inventory systems).

  • Disclosure is the loss of confidentiality and indicates that the resource has the potential to release information to unauthorized entities. For some types of information, confidentiality is a very important attribute. Examples include research data, medical and insurance records, new product specifications, and corporate investment strategies. In some locations, there may be a legal obligation to protect the privacy of individuals. This is particularly true for banks and loan companies; debt collectors; businesses that extend credit to their customers or issue credit cards; hospitals, doctors' offices, and medical testing laboratories; individuals or agencies that offer services such as psychological counseling or drug treatment; and agencies that collect taxes. Information disclosure is generally the area of greatest concern to an organization.

  • Destruction or corruption is the loss of integrity and indicates that unauthorized changes have been made to information, whether by human error or intentional tampering. Integrity is particularly important for critical safety and financial data used in activities such as electronic funds transfers, air traffic control, and financial accounting. If the quality of the resource is in question, then all the decisions that utilize that resource must also be in question. Information corruption may be the most devastating type of loss to an organization.


Define How Much Protection Is Required

The environment in which the organization operates can make a huge difference in what is the appropriate level of security. The business environment will indicate the level of threat to the organization. An organization can become a target if its customers are targets. An organization which caters to a famous or highly visible clientele will be of more interest to a hacker than another organization.

Compliance with Legal Requirements

Certain industries are regulated and have specific laws which define the level of protection required for the information entrusted to a company. In the United States, the financial services and health care industries have the most regulations on the proper handling of information and security procedures to prevent disclosure of private information. Protection of information has been the primary focus of the information security regulations.

In the wake of terrorist activities in the United States, and numerous reports detailing the country's dependency on infrastructure which is in the control of private industry, it is expected that these providers of critical infrastructure will be required to meet specific security requirements. These industries include communications, transportation, and energy. Cyber-attacks against these industries which would cause a loss of service could be a matter of national security.

Compliance with Industry Standards

Industries which are not as regulated depend on standards within the industry to set the level of protection which is appropriate for the information which is common to the industry. Professional organizations within each industry are the common place to find information on best practices. These practices describe how the leaders and the longtime players in the industry handle the process of security. These can be used as a model or a baseline to build the organization's specific security environment.

Compliance with Security Policy

Each organization has unique needs which have to be addressed by policy. Most companies have defined the specific critical resources which need protecting, and those resources dictate the details of the security environment. The organization's existing policies and procedures must be inspected to determine what the correct level of security for the organization is.

Corporate culture has a large impact on the security practices which are put in place. How a company conducts itself in business transactions and with its employees will mold how its security will be implemented.
