- Employees
  - Employment contracts
  - Employee behavior, including defamation and objectionable materials and speech
  - Ownership of end products or parts of products (intellectual property management)
- Customers
  - Reselling agreements (selling products/services to a customer)
  - Advisor agreements (usually in the form of limited liability disclaimers)
    - For example, interpretation of cyber-laws, assessing these laws for customers, and providing recommendations on compliance actions
- Vendors
  - For example, software licensing for Company X use as well as its customers
- Strategic partnerships
  - Co-development projects and intellectual property management
The same compliance management program that addresses legislative and
regulatory compliance may also address legal obligations. A contract or an SLA is a
compliance obligation. The organization must maintain a list of these compliance
obligations and decompose them into terms understandable by management and
operations. Compliance management is a justification for IA.
13.10 IA Justification Summary
There are many sound business arguments for the acquisition and ongoing
operations of information assurance measures. Given the premise that security can never
protect 100 percent of assets against 100 percent of threats 100 percent of the time,
risk assessment must determine what assets to protect, and IA must select the right
tools for the right job and the right safeguards for the risk level.
To be accepted, IA must be justified in real business terms. There are many real
threats the organization needs to recognize and deal with to maintain viable
operations. The credibility of the IA professional depends on identifying the real threats
and dealing with them in a way that promotes the organization's success.
The following are some useful aphorisms to help deliver the IA message:
- Security is no longer a nice-to-have, it is a legislative mandate.
- Security is a process, not a destination.
- Corporate executives do not buy security; they invest in solutions for business risk management.
- IA's primary goal is to maintain mission integrity within acceptable service levels.