The first precaution against unauthorized intrusions was to lock the computer room door. Subsequent
refinements led to more sophisticated locks, opened by palm prints and voice prints, and to surveillance
cameras and security guards. Firms can carry physical controls to the limit by locating their computer
centers in remote areas far from cities and far from areas especially sensitive to such natural disasters
as earthquakes, floods, and hurricanes.
You can see from this long list of technical controls (and we did not list them all) that much attention has
been directed at using technology to safeguard information. The technical controls are recognized as
being the best for security. Firms typically select from the list and implement a combination that is
considered to offer the most realistic safeguard.
Formal Controls
There is universal agreement that if formal controls are to be effective, top management must
participate actively in their establishment and enforcement.
Informal Controls
Informal controls include education and training programs and management development programs.
These controls are intended to ensure that the firm's employees both understand and support the security
program.
All three types of controls, technical, formal, and informal, cost money. Because it is not a good business
practice to spend more for a control than the expected cost of the risk that it addresses, the idea is to
establish controls at the proper level. Thus, the control decision boils down to cost versus return, but in
some industries other considerations must be addressed. In banking, for example, when engaging in risk
management for ATMs, controls must keep the system secure but not at the cost of diminishing
customer convenience.
Also, in health care, the questions of patient health and the right to privacy must be considered. The system
should not be made so secure as to reduce the amount of patient information that can be made available
to the hospitals and physicians who are responsible for patients' health.
Government and industry assistance
Several governments and international organizations have established standards that are intended to
serve as guidelines for organizations seeking to achieve information security. Some of the standards are
in the form of benchmarks, which we identified earlier as providing an alternate strategy to risk
management. Some of the standard-setting entities use the term baseline rather than benchmark.
Organizations are not required to adhere to the standards. Rather, the standards are intended to provide
the firm with assistance in establishing a target level of security. The following are some examples:
None of the standards offers complete coverage of the subject, but, when taken together, they form a
good basis for the firm to follow in establishing its own information security policy that supports its
organizational culture.
Government Legislation
Governments in both the United States and the United Kingdom have established standards and passed
legislation aimed at addressing the increasing importance of information security, especially in light of
9/11 and the pervasive nature of the Internet and the opportunities it provides for computer crime.
Among these are:
Industry Standards
The Center for Internet Security (CIS) is a non-profit organization dedicated to assisting computer users
in making their systems more secure. Assistance is provided by two products: CIS Benchmarks and CIS
Scoring Tools. CIS Benchmarks help users secure their information systems by implementing
technology-specific controls. CIS Scoring Tools enable users to calculate their security level, compare it
to benchmarks, and prepare reports that guide users and system administrators in securing their systems.
Professional Certification
Beginning in the 1960s, the IT profession began offering certification programs. The three following
examples illustrate the breadth of the subject matter covered by such programs.
The first security certification program was the Certified Information Systems Auditor, offered by the
Information Systems Audit and Control Association (ISACA). Subsequently, ISACA developed the
Certified Information Security Manager designation. In order to earn this certification, the applicant
must complete an exam (offered for the first time in June 2003), adhere to a code of ethics, and verify
work experience in information security. Information on ISACA can be found at WWW.ISACA.ORG.
The Certified Information Systems Security Professional (CISSP) is offered by the International
Information Systems Security Certification Consortium, (ISC)². The CISSP certification verifies that the
holder has general expertise in information security that encompasses such topics as access control,
cryptography, security architecture, Internet security, and security management practices. Certification is
based on performance on an exam of 250 multiple-choice questions. More information can be found at
WWW.ISC2.ORG.