This section is intended to introduce the student to System Security and to provide the definition of specific terms that will be used throughout this section: criticality addresses the impact of computer capability loss; while sensitivity represents the value of the integrity and protection of the information in the system. These factors together, define the importance of a computer system, and the data that it contains, to the organization.
These factors also define the level of protection or security that is cost justified for a specific system. Fundamentally, the implementation of security countermeasures results in the certification by a knowledgeable authority that adequate measures are in place and includes the ultimate approval or accreditation of the system. The sensitivity of the system and the organization’s culture determines the level of formality of this process.
Examine the reasons for increasing levels of security by briefly discussing current threats, both natural and man made, that have been reported in the news media. Use these events to illustrate the vulnerability of computer systems in terms of the basic concepts of system protection. The Computer Security Act of 1987 demonstrates the role that the Federal Government plays both in defining basic concepts and articulating current thinking on the subject. Stress the responsibilities for the following tasks:
- Identifying sensitive systems
- Developing a security program and plan, and
- Training appropriate people concerned with both development and operation of systems.
Responsibility for computer security is broad based: people in all organizational elements must take part. Management must direct and coordinate this effort and provide the impetus to make it work.