Page 23 - DCAP516_COMPUTER_SECURITY
Unit 2: Information Security Policies
A military security policy (also called a governmental security policy) is a security policy
developed primarily to provide confidentiality.
The name comes from the military’s need to keep information, such as the date that a troop ship
will sail, secret. Although integrity and availability are important, organizations using this
class of policies can overcome the loss of either, for example by sending orders through channels other
than a computer network. But the compromise of confidentiality would be catastrophic, because an
opponent would be able to plan countermeasures (and the organization may not know of the
compromise).
Confidentiality is one of the factors of privacy, an issue recognized in the laws of many
government entities (such as the Privacy Act of the United States and similar legislation in
Sweden). Aside from constraining what information a government entity can legally obtain
from individuals, such acts place constraints on the disclosure and use of that information.
Unauthorized disclosure can result in penalties that include jail or fines; also, such disclosure
undermines the authority and respect that individuals have for the government and inhibits
them from disclosing that type of information to the agencies so compromised.
A commercial security policy is a security policy developed primarily to provide integrity.
The name comes from the need of commercial firms to prevent tampering with their data,
because they could not survive such compromises. For example, if the confidentiality of a bank’s
computer is compromised, a customer’s account balance may be revealed. This would certainly
embarrass the bank and possibly cause the customer to take her business elsewhere. But the loss
to the bank’s “bottom line” would be minor. However, if the integrity of the computer holding
the accounts were compromised, the balances in the customers’ accounts could be altered, with
financially ruinous effects.
Some integrity policies use the notion of a transaction; like database specifications, they require
that actions occur in such a way as to leave the database in a consistent state. These policies,
called transaction-oriented integrity security policies, are critical to organizations that require
consistency of databases.
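The following is an added illustration of a transaction-oriented integrity policy; it is example code written for this edition and not part of the original text. It uses Python's built-in sqlite3 module with an in-memory ledger and constructed account balances. The integrity requirement is that a transfer either debits one account and credits the other, or does neither: an overdraft (blocked by a CHECK constraint) or a credit to a non-existent account rolls back the whole transaction, so the total amount of money in the ledger never changes.

```python
import sqlite3

# Constructed sample data (not from the text): two accounts with opening balances.
OPENING_BALANCES = {"alice": 500, "bob": 200}


def open_ledger():
    """Create an in-memory ledger whose schema refuses negative balances."""
    # isolation_level=None puts the connection in autocommit mode so that the
    # BEGIN/COMMIT/ROLLBACK below are the only transaction boundaries in play.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute(
        "CREATE TABLE accounts ("
        "  name TEXT PRIMARY KEY,"
        "  balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", OPENING_BALANCES.items())
    return conn


def total_money(conn):
    """Consistency invariant: transfers move money, they never create or destroy it."""
    return conn.execute("SELECT SUM(balance) FROM accounts").fetchone()[0]


def balances(conn):
    """Snapshot of every account, for inspection and for the checks below."""
    return dict(conn.execute("SELECT name, balance FROM accounts ORDER BY name"))


def transfer(conn, src, dst, amount):
    """Move `amount` from src to dst as one transaction.

    Both UPDATEs commit together or neither does, so the ledger can never be
    observed in the half-updated state (debited but not yet credited).
    Returns True on success, False if the transfer was rolled back.
    """
    if amount <= 0:
        raise ValueError("amount must be positive")
    conn.execute("BEGIN IMMEDIATE")  # take the write lock up front
    try:
        debited = conn.execute(
            "UPDATE accounts SET balance = balance - ? WHERE name = ?", (amount, src)
        ).rowcount
        credited = conn.execute(
            "UPDATE accounts SET balance = balance + ? WHERE name = ?", (amount, dst)
        ).rowcount
        if debited != 1 or credited != 1:
            raise LookupError("unknown account")
        conn.execute("COMMIT")
        return True
    except (sqlite3.IntegrityError, LookupError):
        # Overdraft (CHECK constraint) or missing account: undo the partial update.
        conn.execute("ROLLBACK")
        return False


if __name__ == "__main__":
    conn = open_ledger()
    before = total_money(conn)
    print("good transfer:", transfer(conn, "alice", "bob", 100), balances(conn))
    print("overdraft    :", transfer(conn, "bob", "alice", 10_000), balances(conn))
    print("bad account  :", transfer(conn, "alice", "mallory", 50), balances(conn))
    # The invariant survives both the successful and the rejected transfers.
    assert total_money(conn) == before
```

The design point is that the consistency rule lives in two places: the schema (the CHECK constraint, which the database enforces regardless of which program writes to it) and the transaction boundary (which makes the two updates atomic). Removing either would let a crash or a bad request leave the accounts in a state the policy forbids.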
2.5 Computer Security Policy Categories for an Organization
Once you have determined the value of your data, you need to develop a set of policies to help
protect it. These policies are called security policies and may apply to users, the IT department,
and the organization in general. When writing your policies, consider:
1. What data may a user take home?
2. If a user works from home or remote offices and uses the internet to transmit data, how
secure must the data be when in transmission across the internet?
3. What policies, network structure, and levels of defenses are required to secure your data
depending on its importance, value and the cost of defending it?
The first items that should be defined are the policies related to the use and handling of your
data. These will help you determine defensive measures and procedures. Such policies can be
categorized into the three areas listed below:
(i) User Policies: Define what users can do when using your network or data and also
define security settings that affect users such as password policies.
(ii) IT Policies: Define the policies of the IT department used to govern the network for
maximum security and stability.
(iii) General Policies: High level policies defining who is responsible for the policies
along with business continuity planning and policies.
LOVELY PROFESSIONAL UNIVERSITY 17