Page 9 - DCAP516_COMPUTER_SECURITY
Unit 1: Introduction to Computer Security
1.2 Essentials of Computer Security
1. Computer Security Supports the Mission of the Organization: The purpose of computer
security is to protect an organization’s valuable resources, such as information, hardware,
and software. Through the selection and application of appropriate safeguards, security
helps the organization’s mission by protecting its physical and financial resources,
reputation, legal position, employees, and other tangible and intangible assets.
Unfortunately, security is sometimes viewed as thwarting the mission of the organization
by imposing poorly selected, bothersome rules and procedures on users, managers, and
systems. On the contrary, well-chosen security rules and procedures do not exist for their
own sake; they are put in place to protect important assets and thereby support the overall
organizational mission. Security, therefore, is a means to an end and not an end in itself.
For example, in a private sector business, having good security is usually secondary to the
need to make a profit. Security, then, ought to increase the firm’s ability to make a profit. In
a public sector agency, security is usually secondary to the agency’s service provided to
citizens. Security, then, ought to help improve the service provided to the citizen.
2. Computer Security Should Be Cost-Effective: The costs and benefits of security should be
carefully examined in both monetary and nonmonetary terms to ensure that the cost of controls
does not exceed expected benefits. Security should be appropriate and proportionate to
the value of and degree of reliance on the computer systems and to the severity, probability
and extent of potential harm. Requirements for security vary, depending upon the particular
computer system.
In general, security is a smart business practice. By investing in security measures, an
organization can reduce the frequency and severity of computer security-related losses.
For example, an organization may estimate that it is experiencing significant losses per
year in inventory through fraudulent manipulation of its computer system. Security
measures, such as an improved access control system, may significantly reduce the loss.
Moreover, a sound security program can thwart attackers and reduce the frequency of
virus infections. Reducing these kinds of threats can limit unfavorable publicity as well as
increase morale and productivity.
Notes: Security benefits, however, come with both direct and indirect costs. Direct costs
include purchasing, installing, and administering security measures, such as access control
software or fire-suppression systems. Additionally, security measures can sometimes
affect system performance, employee morale, or retraining requirements. All of these
have to be considered in addition to the basic cost of the control itself. In many cases, these
additional costs may well exceed the initial cost of the control (as is often seen, for example,
in the ongoing cost of administering an access control package). A solution to a security
problem should not be chosen if it costs more, directly or indirectly, than simply tolerating the
problem.
3. Computer Security Responsibilities and Accountability Should Be Made Explicit: The
responsibilities and accountability of owners, providers, and users of computer systems
and other parties concerned with the security of computer systems should be explicit. The
assignment of responsibilities may be internal to an organization or may extend across
organizational boundaries.
LOVELY PROFESSIONAL UNIVERSITY 3