Handbook of Information Security Management:Computer Architecture and System Security

Previous Table of Contents Next


MOTIVATIONAL BUSINESS VALUES AND ISSUES

The business values, issues, and management challenges that drive integrity initiatives and commitments primarily comprise, but are not limited to, the following:

  The value of a surprise-free future.
  The value of system survivability and processing integrity.
  The value of information availability.
  The issue of the sensitivity and/or the programmatic criticality of information.
  The issue of trust.
  The issue of uncertainty.
  The issue of measurability of risk.
  The challenges in managing critical resources.
  The administrative challenge of controlling and safeguarding access to and usage of proprietary information.
  The challenge of technology infusion.

Value of a surprise-free future — If management is continually addressing unwelcome surprises, denials of service, and impacts to its processing objectives, the enterprise will experience (1) loss of credibility, (2) investment in less than optimum resource commitments and unnecessary expenditures, and (3) unproductive, reactive management decisions. The optimum value is a surprise-free future that can be proactively managed. This ideal can and should be approached through substantiation of both strategic and tactical countermeasures and protection mechanisms that safeguard against the factors contributing to uncertainty about resources and assets. These countermeasures cover a wide spectrum, ranging from administrative manual procedures and processes to sophisticated engineering processes and tools that address disparate, heterogeneous processing environments and the complexity of the domains, components, and subcomponents that make up a corporation’s overall processing program.

Value of system survivability and processing integrity — This is attained through the management of uncertainty surrounding the robustness of critical information processes and resources: their identification, quantification, assessment, and use. A system’s robustness is the correlation of the system’s components with each component’s “built-in” resistance capability (including processing redundancy, logical self-propagation, and accessibility to, and deployment of, additional sustaining countermeasures and protection mechanisms) against internal and external threats of misuse, abuse, espionage, or attack. In complex intra/Internetworked systems, or systems of systems, the capability to maintain the referential integrity of the information created, used, stored, and/or transmitted is imperative.

Value of information availability — This focuses on the demand for, responsiveness of, and accessibility to information resources as needed, including their preservation and recoverability following a disruption or denial of service.

Issue of sensitivity and/or programmatic functional criticality of information — This is determined by an enterprise-wide programmatic assessment of the value of information resources and operational performance. The valuation items and/or issues identified are used by management to determine the consequences of both real and perceived loss of information integrity, availability, and confidentiality, and are assigned weighting factors according to their significance or perceived significance. These valuation items are imperative in determining appropriate strategic and tactical control deployments and in justifying the associated expenditures needed to meet business objectives.

Issue of trust — This is a determination resulting from the identification and assessment of where and/or how information resources are assembled, stored, and processed by human or electronic entities, agents, or systems. Each process and/or associated agent normally has differing levels of privilege that may affect the integrity of the information resources. The use of trusted agents and systems to establish “webs of trust” for intra/Internetworked systems demands proactive management of uncertainty in using information resources, and is based upon the assumption that:

1.  The trust level or the “need to know” and privileges of agents accessing and using information resources are assignable, verifiable, and controlled at all times.
2.  Agents have certifiable skills for correctly operating interfaces to information resources.
3.  The state and attributes of information environments, processing capabilities, and carriers are identifiable, accountable, and assignable at all times.
4.  Systems in which uncertainties in these attributes exist have been (or are in the process of being) reduced to acceptable levels which may be independently verified.
5.  Penetration testing procedures and processes will be implemented as a normal suite of tests that simulate real-world attacks against the web of trust and determine its true protection limitations.

Issue of uncertainty — This is the motivational factor arising because full certainty about information processing agents, systems, and information resources may not be practically achievable. Proactive minimization of uncertainty demands accountability for risk acceptance. Acceptable levels of risk are measured in terms of those exposures that lack corresponding safeguards to reduce or eliminate the risk, whether because of weaknesses in existing or recently deployed safeguards, design faults in protection mechanisms, inappropriate application, or anomalies resulting from new technology implementations.

Issue of measurability of risk — This focuses on the management of uncertainty surrounding the state of information resources. Uncertainty is identified, quantified, and assessed, and is used to ascertain the residual risk resulting from unavailable or improperly deployed safeguards and protection mechanisms, implementation of new technology, or speculative change (e.g., legislative or regulatory mandates, politics, etc.).



The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course, this version is getting a bit old and may not contain all of the information that the latest version covers; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you in your studies and also show your appreciation to Auerbach for letting me use their book on the site.