• Determining the types of security control required.
• Assessing the efficacy of existing safeguards.
• Identifying necessary additions and improvements in security measures.
• Determining the availability of resources.
• Determining the level of security coverage needed.
Managers should understand that at this point the most serious threats are likely to come from employees within the organization.
Finally, data must be classified according to its sensitivity and importance. For example, data can be classified as routine, private, confidential, or strictly confidential. Depending on the sensitivity level, different types of security mechanisms may be needed. This classification can also serve as a significant determinant when estimating the resource requirements of the security model. Data must be examined and evaluated according to the three classifications — location, sensitivity, and vulnerability — to determine the organization's basic security needs.
Step 2: Determining Security Needs
After the data has been classified, the next step in the model is to determine and formalize the organization's general security needs. At this stage, general decisions are made on such issues as the level of preventive and detective controls to be applied. Total security is hardly attainable or economical. It would be meaningless to spend, for example, $1 million to protect information that is worth only half that amount. An organization needs protection that is reasonable in view of the importance and value of the object of protection (i.e., the data). As a general rule, a security measure should be acquired only as long as its benefits exceed its costs.
The nature and types of security needs of an organization depend on such factors as the characteristics of the organization and its employees or users, and the sensitivity of its data to security violations. An organization that is not significantly affected by the disclosure of its information resource to competitors and adversaries would not be inclined to spend a significant amount of money on security. As this information becomes critical to the business and survival of the organization, the organization becomes more willing to spend to protect its data.
Another important decision is to determine the security methods an organization needs (e.g., tolerance, avoidance, or a combination of both). This decision depends on the types and nature of the distributed databases and the available resources. The two methods involve different sets of protection tools with different costs, which are discussed in more detail in the following section of the chapter. The suggested model serves only as a guidepost and does not propose to define exactly how to choose between the two methods.