
Physical Controls

The first precaution against unauthorized intrusions was to lock the computer room door. Subsequent refinements led to more sophisticated locks, opened by palm prints and voice prints, and to surveillance cameras and security guards. Firms can carry physical controls to the limit by locating their computer centers in remote areas, far from cities and far from areas especially prone to such natural disasters as earthquakes, floods, and hurricanes.

Putting the Technical Controls in Perspective

You can see from this long list of technical controls (and we did not list them all) that much attention has been directed at using technology to safeguard information. Technical controls are generally regarded as the most effective safeguards. Firms typically select from the list and implement a combination that is considered to offer the most realistic safeguard.

Formal Controls

Formal controls include the establishment of codes of conduct, documentation of expected procedures and practices, and monitoring and preventing behaviour that varies from established guidelines. The controls are formal in that management devotes considerable time to devising them, they are documented in writing, and they are expected to remain in force for the long term.

There is universal agreement that if formal controls are to be effective, top management must participate actively in their establishment and enforcement.

Informal Controls

Informal controls include education and training programs and management development programs. These controls are intended to ensure that the firm's employees both understand and support the security program.

Achieving the Proper Level of Controls

All three types of controls (technical, formal, and informal) cost money. Because it is not good business practice to spend more on a control than the expected cost of the risk it addresses, the idea is to establish controls at the proper level. Thus the control decision boils down to cost versus return, but in some industries other considerations must also be addressed. In banking, for example, when engaging in risk management for ATMs, controls must keep the system secure but not at the cost of diminishing customer convenience.

Also, in health care, the questions of patient health and the right to privacy must be considered. The system should not be made so secure that it reduces the amount of patient information available to the hospitals and physicians responsible for the patient's health.
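As an added illustration of the cost-versus-return rule (example code written for this page, not a method from the original text), the Python below quantifies a risk as an annualised loss expectancy, ALE = SLE × ARO, and accepts a control only when the annual loss it avoids exceeds its annual cost. A candidate can also be ruled out on a non-cost ground, the way the ATM and patient-privacy cases rule out safeguards that destroy convenience or availability. The risk, the controls and every figure are constructed for the example.

```python
"""Control selection by cost versus expected loss.

Added illustration for this page, not the text's own method. Every figure
below is constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float   # single loss expectancy: cost of one occurrence
    aro: float   # annualised rate of occurrence: expected events per year

    @property
    def ale(self) -> float:
        """Annualised loss expectancy, the 'expected cost of the risk'."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float        # amortised purchase plus yearly operating cost
    effectiveness: float      # fraction of the loss it prevents, 0.0 to 1.0
    acceptable: bool = True   # False when it fails a non-cost test, e.g. it
                              # would diminish customer convenience unacceptably


def net_benefit(risk: Risk, control: Control) -> float:
    """Annual loss avoided minus what the control costs per year.

    Positive means the control is worth buying; negative means the firm
    would pay more for the safeguard than for the risk it addresses.
    """
    avoided = risk.ale * control.effectiveness
    return avoided - control.annual_cost


def choose_control(risk: Risk, candidates: List[Control]) -> Optional[Control]:
    """Pick the acceptable control with the largest positive net benefit.

    Returns None when no acceptable control pays for itself, in which case
    accepting (or insuring) the risk is the cheaper decision.
    """
    best: Optional[Control] = None
    best_benefit = 0.0
    for c in candidates:
        if not c.acceptable:
            continue
        b = net_benefit(risk, c)
        if b > best_benefit:
            best, best_benefit = c, b
    return best


# Constructed ATM example in the spirit of the banking case in the text.
ATM_SKIMMING = Risk("ATM card skimming", sle=25_000.0, aro=4.0)   # ALE 100,000/yr

CANDIDATES = [
    # Pays for itself: avoids 80,000/yr for 30,000/yr.
    Control("Anti-skimming card readers", annual_cost=30_000.0, effectiveness=0.8),
    # Very effective but costs more than the whole risk: rejected on cost.
    Control("Guard posted at every ATM", annual_cost=150_000.0, effectiveness=0.95),
    # Cheapest and eliminates the risk, but kills customer convenience:
    # rejected on the non-cost ground the text describes.
    Control("Withdrawals only at a staffed counter", annual_cost=5_000.0,
            effectiveness=1.0, acceptable=False),
]


if __name__ == "__main__":
    chosen = choose_control(ATM_SKIMMING, CANDIDATES)
    print(f"ALE for {ATM_SKIMMING.name}: {ATM_SKIMMING.ale:,.0f}")
    for c in CANDIDATES:
        print(f"  {c.name}: net benefit {net_benefit(ATM_SKIMMING, c):+,.0f}"
              f"{'' if c.acceptable else ' (ruled out: unacceptable side effect)'}")
    print(f"Chosen: {chosen.name if chosen else 'none; accept the risk'}")
```

Run it and the guard option is rejected because its annual cost exceeds the entire ALE, the counter-only option is rejected before its (excellent) numbers are even considered, and the card readers are chosen. Lowering the ALE far enough makes every control unjustified and the function returns None, which is the "accept the risk" outcome the cost rule implies.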

Government and Industry Assistance

Several governments and international organizations have established standards that are intended to serve as guidelines for organizations seeking to achieve information security. Some of the standards take the form of benchmarks, which we identified earlier as providing an alternative strategy to risk management. Some of the standard-setting entities use the term baseline rather than benchmark. Organizations are not required to adhere to the standards. Rather, the standards are intended to assist the firm in establishing a target level of security. The following are some examples:

• United Kingdom's BS 7799
The UK standard establishes a set of baseline controls. It was first published by the British Standards Institution in 1995, then published by the International Organization for Standardization (ISO) as ISO/IEC 17799 in 2000, and made available to potential adopters online in 2003.
• BSI IT Baseline Protection Manual
The baseline approach is also followed by the German Bundesamt für Sicherheit in der Informationstechnik (BSI). The baselines are intended to provide reasonable security where normal protection requirements apply. They can also serve as the basis for higher degrees of protection when those are desired.
• COBIT
COBIT, from the Information Systems Audit and Control Association & Foundation (ISACAF), focuses on the process that a firm can follow in developing standards, paying special attention to the writing and maintenance of documentation.
• GASSP
Generally Accepted System Security Principles (GASSP) is a product of the U.S. National Research Council. Its emphasis is on the rationale for establishing a security policy.
• ISF Standard of Good Practice
The Information Security Forum's Standard of Good Practice takes a baseline approach, devoting considerable attention to the user behaviour that is expected if the program is to be successful. The 2005 edition addresses such topics as secure instant messaging, Web server security, and virus protection.

None of the standards offers complete coverage of the subject, but, taken together, they form a good basis for the firm to follow in establishing its own information security policy, one that supports its organizational culture.

Government Legislation

Governments in both the United States and the United Kingdom have established standards and passed legislation aimed at addressing the increasing importance of information security, especially in light of 9/11 and the pervasive nature of the Internet and the opportunities it provides for computer crime. Among these are:

• U.S. Government Computer Security Standards
A study by the Gartner research firm predicted that through 2005, 90 percent of all computer security attacks would be aimed at weaknesses for which a known protection exists. The U.S. government responded with a program aimed at applying these known protections. The program includes a set of security standards that participating organizations should meet, plus a software program that grades users' systems and assists them in configuring those systems to meet the standards. The National Institute of Standards and Technology (NIST) makes available a questionnaire that organizations can complete to evaluate the security of their information systems. Two software tools, of which ASSET-Manager is one, help in completing the questionnaire and assessing the status of the firm's security plan.
• The U.K. Anti-Terrorism, Crime and Security Act (ATCSA) 2001
In the United Kingdom, Parliament enacted the Anti-Terrorism, Crime and Security Act (ATCSA) 2001. Three of its provisions bear on information security: (1) ISPs are required to retain data about all communications events for one year, (2) government taxing authorities are empowered to disclose information about an individual's or organization's financial affairs to authorities investigating crime or terrorism, and (3) the obligation of confidence is removed for public bodies even where there is only suspicion of an impending terrorist act. Since its implementation, the act has been criticized by such human rights groups as Amnesty International. It will be interesting to see whether such criticism continues in light of the July 2005 London bombings.

Industry Standards

The Center for Internet Security (CIS) is a non-profit organization dedicated to helping computer users make their systems more secure. Assistance is provided by two products, CIS Benchmarks and CIS Scoring Tools. CIS Benchmarks help users secure their information systems by implementing technology-specific controls. CIS Scoring Tools enable users to calculate their security level, compare it to the benchmarks, and prepare reports that guide users and system administrators in securing their systems.
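To make concrete what a benchmark and scoring tool actually does, here is an added example written for this page; it is not CIS code, its BASE-xx check identifiers are hypothetical rather than real benchmark items, and the sshd defaults it assumes for absent keywords should be confirmed against sshd_config(5) for the OpenSSH version deployed. It parses a constructed sshd_config, evaluates it against a small baseline of technology-specific checks, computes a score, and lists the failing items an administrator would have to fix.

```python
"""Illustrative benchmark scorer for an sshd_config file.

Added example, not a CIS product. Check identifiers are hypothetical, and
the 'default' values are what this example assumes sshd uses when a keyword
is absent; confirm them against sshd_config(5) for the version deployed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample, deliberately weak, not copied from any real host.
WEAK_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 10
X11Forwarding yes
LogLevel INFO
"""

# The same host after fixing every item the report flags (also constructed).
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 4
X11Forwarding no
LogLevel VERBOSE
"""


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Keyword value' lines. Keywords are case-insensitive in sshd, so
    they are lower-cased; comments and blanks are skipped; and, as in sshd,
    the first occurrence of a keyword wins over later ones."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


@dataclass(frozen=True)
class Check:
    ident: str                     # hypothetical identifier, not a CIS number
    title: str
    key: str                       # sshd keyword, lower-cased
    default: str                   # assumed value when the keyword is absent
    passes: Callable[[str], bool]  # True when the setting is compliant


CHECKS: List[Check] = [
    Check("BASE-01", "Root login over SSH disabled", "permitrootlogin", "yes",
          lambda v: v.lower() == "no"),
    Check("BASE-02", "Password authentication disabled", "passwordauthentication", "yes",
          lambda v: v.lower() == "no"),
    Check("BASE-03", "Empty passwords rejected", "permitemptypasswords", "no",
          lambda v: v.lower() == "no"),
    Check("BASE-04", "MaxAuthTries is 4 or fewer", "maxauthtries", "6",
          lambda v: v.isdigit() and int(v) <= 4),
    Check("BASE-05", "X11 forwarding disabled", "x11forwarding", "no",
          lambda v: v.lower() == "no"),
    Check("BASE-06", "LogLevel is INFO or VERBOSE", "loglevel", "INFO",
          lambda v: v.upper() in ("INFO", "VERBOSE")),
]


def score_config(text: str, checks: List[Check] = CHECKS) -> Tuple[int, List[Tuple[str, str, str, bool]]]:
    """Return (percentage of checks passed, per-check results). A missing
    keyword is scored on the assumed default, since that is what sshd runs with."""
    settings = parse_config(text)
    results = []
    for c in checks:
        value = settings.get(c.key, c.default)
        results.append((c.ident, c.title, value, c.passes(value)))
    passed = sum(1 for r in results if r[3])
    return round(100 * passed / len(results)), results


def failing(text: str, checks: List[Check] = CHECKS) -> List[str]:
    """Identifiers of the checks the configuration fails, i.e. the fix list."""
    _, results = score_config(text, checks)
    return [ident for ident, _, _, ok in results if not ok]


def report(text: str, checks: List[Check] = CHECKS) -> str:
    """Human-readable report in the style of a scoring tool's output."""
    score, results = score_config(text, checks)
    lines = [f"Score: {score}% ({sum(ok for *_, ok in results)}/{len(results)} checks passed)"]
    for ident, title, value, ok in results:
        lines.append(f"  [{'PASS' if ok else 'FAIL'}] {ident} {title} (found: {value!r})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(WEAK_SSHD_CONFIG))
    print()
    print(report(HARDENED_SSHD_CONFIG))
```

Two design points matter in practice. Scoring an absent keyword on sshd's own default rather than skipping it is what stops an "empty" configuration from scoring as compliant, and honouring first-occurrence-wins matches how sshd resolves duplicate keywords, so the tool grades the configuration the daemon actually runs rather than the one a reader might assume from the last line.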

Professional Certification

The IT profession has offered certification programs since the 1960s. The following three examples illustrate the breadth of the subject matter covered by such programs.

Information Systems Audit and Control Association

The first security certification program was the Certified Information Systems Auditor (CISA), offered by the Information Systems Audit and Control Association (ISACA). Subsequently, ISACA developed the Certified Information Security Manager (CISM) designation. To earn this certification, the applicant must pass an exam (offered for the first time in June 2003), adhere to a code of ethics, and verify work experience in information security. Information on ISACA can be found at www.isaca.org.

International Information Systems Security Certification Consortium

The Certified Information Systems Security Professional (CISSP) is offered by the International Information Systems Security Certification Consortium, (ISC)². The CISSP certification verifies that the holder has general expertise in information security encompassing such topics as access control, cryptography, security architecture, Internet security, and security management practices. Certification is based on performance on an exam of 250 multiple-choice questions. More information can be found at www.isc2.org.
