Chapter 7 AIS
1. Security—access (both physical and logical) to the system and its data is controlled and restricted to legitimate users.
2. Confidentiality—sensitive organizational information (e.g., marketing plans, trade secrets) is protected from unauthorized disclosure.
3. Privacy—personal information about customers, employees, suppliers, or business partners is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements and is protected from unauthorized disclosure.
4. Processing Integrity—data are processed accurately, completely, in a timely manner, and only with proper authorization.
5. Availability—the system and its information are available to meet operational and contractual obligations.
The idea of defense-in-depth is to employ multiple layers of controls in order to avoid having a single point of failure. For example, many organizations use not only firewalls but also multiple authentication methods (passwords, tokens, and biometrics) to restrict access to their information systems. The use of overlapping, complementary, and redundant controls increases overall effectiveness because if one control fails or gets circumvented, another may function as planned.
This objective can be expressed in a formula that uses the following three variables:
P = the time it takes an attacker to break through the organization's preventive controls
D = the time it takes to detect that an attack is in progress
C = the time it takes to respond to the attack and take corrective action
Those three variables are then evaluated as follows: If P > D + C, then the organization's security procedures are effective. Otherwise, security is ineffective.
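The following is an added worked example (not from the chapter or the textbook) that puts the time-based formula together with the defense-in-depth idea above. It models P as the combined delay of the preventive layers that still function, so that marking one layer as circumvented shows how the remaining layers carry the load; the control names, delay values and the helper functions are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Control:
    """One preventive control layer and how long (in minutes) it delays an attacker.

    `circumvented=True` models the situation the text describes: one control
    fails or is bypassed, and the other layers must hold on their own.
    (Assumed structure; the chapter only states the P, D and C variables.)
    """
    name: str
    delay_minutes: float
    circumvented: bool = False


@dataclass
class TimeBasedResult:
    """Outcome of evaluating the time-based model of security."""
    P: float          # total preventive delay from functioning layers
    D: float          # time to detect the attack
    C: float          # time to respond and correct
    margin: float     # P - (D + C); positive means effective
    effective: bool   # True only if P > D + C (strictly greater)


def preventive_time(controls: List[Control]) -> float:
    """P: sum of the delays of every layer that has not been circumvented."""
    return sum(c.delay_minutes for c in controls if not c.circumvented)


def evaluate(controls: List[Control], detect_minutes: float,
             respond_minutes: float) -> TimeBasedResult:
    """Apply the rule: security is effective only if P > D + C."""
    P = preventive_time(controls)
    margin = P - (detect_minutes + respond_minutes)
    return TimeBasedResult(P, detect_minutes, respond_minutes, margin, margin > 0)


def shortfall(result: TimeBasedResult) -> float:
    """How many minutes of extra prevention (or faster detection/response)
    are needed to make security effective; 0 when it already is."""
    return max(0.0, -result.margin)


# Constructed sample layers (assumed values, not from the chapter).
SAMPLE_CONTROLS = [
    Control("perimeter firewall", 30),
    Control("multi-factor authentication", 45),
    Control("encryption of stored data", 60),
]


def baseline() -> TimeBasedResult:
    """All layers functioning: P = 135, D + C = 60."""
    return evaluate(SAMPLE_CONTROLS, detect_minutes=20, respond_minutes=40)


def two_layers_down() -> TimeBasedResult:
    """Firewall and MFA circumvented: P = 60 equals D + C, so NOT effective,
    because the rule requires P to be strictly greater than D + C."""
    degraded = [
        Control("perimeter firewall", 30, circumvented=True),
        Control("multi-factor authentication", 45, circumvented=True),
        Control("encryption of stored data", 60),
    ]
    return evaluate(degraded, detect_minutes=20, respond_minutes=40)


if __name__ == "__main__":
    for label, r in (("baseline", baseline()), ("two layers down", two_layers_down())):
        print(f"{label}: P={r.P} D={r.D} C={r.C} margin={r.margin} "
              f"effective={r.effective} shortfall={shortfall(r)}")
```

The equality case in `two_layers_down` is the one worth noticing: when the attacker's break-in time exactly matches detection plus response, the organization has no slack, so the model counts it as ineffective, and `shortfall` tells you how much faster detection or response (or how much more preventive delay) would restore a positive margin.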