Assurance Through Control Objectives, A Governance Basis for Managing Corporate Information Assets
Abstract
Information security systems have to meet two logical criteria to be effective. First, the protection must be complete, in the sense that the response addresses the entire problem (i.e., everything that requires assurance is secured). Second, the safeguards have to be uniform; that is, there must be an organization-wide commitment to security. The first principle is established through a systematic implementation strategy. The second requires the organization to define substantive policies, roles and responsibilities, to educate employees, and to describe and enforce accountability. The problem is that this effort takes time and precious resources. Nevertheless, there are very real and substantive consequences if the security protection scheme is inconsistent. For example, a secure network without policies to control the people who operate it can be breached no matter how sophisticated the technology employed. One recent illustration of exactly that scenario is the national database, which was raided by four inside employees for the credit information of 30,000 individuals. That information was sold to an identity theft ring, which subsequently used it to commit massive credit card fraud. In fact, very few breaches of corporate information security directly involve the technology: seventy-two percent of the serious losses recorded by the FBI in 2001 originated from the actions of insiders rather than hackers (CSI 2002). This underscores the principle that, no matter how robust the encryption scheme, there are no practical safeguards unless everybody involved understands what constitutes a violation and what the consequences are for committing one. So the correct response in nearly three-quarters of last year's cases would have been a systematic set of organizational control procedures, not a more sophisticated firewall.