istrators, and network administrators. The gap analysis and remediation analysis provide insight into weak areas. Moreover, the compliance assessment results may provide insight into intelligent resource allocations to produce the highest return on investment (ROI) for remediation investments. This phrasing addresses management and executives who are not interested in the specifics of firewall updates or patch management; they are interested in how much remediation is going to cost and what the effect is on business risk. Compliance quantification goes a long way in providing this answer at the enterprise level.
5.5.2.2 Security Policies
The Organization for Economic Co-operation and Development's (OECD) OECD Guidelines for the Security of Information Systems and Networks provides nine principles for participants at all levels in the use of information systems (Table 5.7).
As a complement to compliance management, consider the concept of litigation management. The intent of compliance management is to avoid litigation. Compliance management identifies applicable legislation and works through increasing compliance with that legislation. Even the best preparations still result in incidents that end up in court. Litigation management attempts to minimize the risk of the organization being found guilty as well as minimizing its culpability in the event it is found guilty. The lower the culpability, the lower the potential fines and potential jail time for officers. Chapter 8 of the Federal Sentencing Guidelines, “Sentencing of Organizations,” contains guidelines on culpability calculations. Two major factors in calculating culpability are the presence and quality of an ethics program and the presence and quality of a security program. The Norwich University Journal of Information Assurance (NUJIA) contains a paper, “Litigation Management as Part of a Comprehensive Compliance Management Program” (http://nujia.norwich.edu/2_1/2_1_art02.html), with more details on this subject.
5.6 Builders and IA
Builders create. IA² provides many tools for builders and provides insight on how to create tools for organization-specific solutions. Chapters 8 and 9 offer many insights and tools for builders of IA solutions.
OECD Guidelines for the Security of Information Systems and Networks, pp. 10-12. Last accessed July 2007.