Security Planning
Years ago, when most
computing was done on mainframe computers, data processing centers were
responsible for protection. Responsibility for security rested neither with the
programmers nor the users but instead with the computing centers themselves.
These centers developed expertise in security, and they implemented many
protection activities in the background, without users having to be conscious
of protection needs and practices.
Since the early 1980s, the
introduction of personal computers and the general ubiquity of computing have
changed the way many of us work and interact with computers. In particular, a
significant amount of the responsibility for security has shifted to the user
and away from the computing center. But many users are unaware of (or choose to
ignore) this responsibility, so they do not deal with the risks posed or do not
implement simple measures to prevent or mitigate problems.
Unfortunately, there are many
common examples of this neglect. Moreover, it is exacerbated by the seemingly
hidden nature of important data: Things we would protect if they were on paper
are ignored when they are stored electronically. For example, a person who
carefully locks up paper copies of company confidential records overnight may
leave running a personal computer or terminal on an assistant's or manager's
desk. In this situation, a curious or malicious person walking past can
retrieve confidential memoranda and data. Similarly, the data on laptops and
workstations are often more easily available than on older, more isolated
systems. For instance, the large and cumbersome disk packs and tapes from a few
years ago have been replaced by media such as diskettes, zip disks, and CDs,
which hold a similar volume of data but fit easily in a pocket or briefcase.
Moreover, we all recognize that a box of CDs or diskettes may contain many
times more data than a printed report. But since the report is an apparent,
visible exposure and the CD or diskette is not, we leave the computer media in
plain view, easy to borrow or steal.
In all cases, whether the
user initiates some computing action or simply interacts with an active
application, every application has confidentiality, integrity, and availability
requirements that relate to the data, programs, and computing machinery. In
these situations, users suffer from lack of sensitivity: They often do not
appreciate the security risks associated with using computers.
For these reasons, every
organization using computers to create and store valuable assets should perform
thorough and effective security planning. A security plan is a document that describes how an organization will
address its security needs. The plan is subject to periodic review and revision
as the organization's security needs change.
A good security plan is an
official record of current security practices, plus a blueprint for orderly change
to improve those practices. By following the plan, developers and users can
measure the effect of proposed changes, leading eventually to further
improvements. The impact of the security plan is important, too. A carefully
written plan, supported by management, notifies employees that security is
important to management (and therefore to everyone). Thus, the security plan
has to have the appropriate content and produce the desired effects.
In this section we study how
to define and implement a security plan. We focus on three aspects of writing a
security plan: what it should contain, who writes it, and how to obtain support
for it. Then, we address two specific cases of security plans: business
continuity plans, to ensure that an organization continues to function in spite
of a computer security incident, and incident response plans, to organize
activity to deal with the crisis of an incident.
Related Topics
Privacy Policy, Terms and Conditions, DMCA Policy and Compliant
Copyright © 2018-2024 BrainKart.com; All Rights Reserved. Developed by Therithal info, Chennai.