Introduction+to+Computer+Security_Part4 - 8. Life Cycle...

Info iconThis preview shows pages 1–3. Sign up to view the full content.

View Full Document Right Arrow Icon
8. Life Cycle Security 79 The definition of sensitive is often misconstrued. Sensitive is synonymous with important or valuable . Some data is sensitive because it must be kept confidential. Much more data, however, is sensitive because its integrity or availability must be assured. The Computer Security Act and OMB Circular A- 130 clearly state that information is sensitive if its unauthorized disclosure, modification (i.e., loss of integrity), or unavailability would harm the agency. In general, the more important a system is to the mission of the agency, the more sensitive it is. Conducting a Sensitivity Assessment A sensitivity assessment looks at the sensitivity of both the information to be processed and the system itself. The assessment should consider legal implications, organization policy (including federal and agency policy if a federal system), and the functional needs of the system. Sensitivity is normally expressed in terms of integrity, availability, and confidentiality. Such factors as the importance of the system to the organization's mission and the consequences of unauthorized modification, unauthorized disclosure, or unavailability of the system or data need to be examined when assessing sensitivity. To address these types of issues, the people who use or own the system or information should participate in the assessment. A sensitivity assessment should answer the following questions: What information is handled by the system? What kind of potential damage could occur through error, unauthorized disclosure or modification, or unavailability of data or the system? What laws or regulations affect security (e.g., the Privacy Act or the Fair Trade Practices Act)? To what threats is the system or information particularly vulnerable? Are there significant environmental considerations (e.g., hazardous location of system)? What are the security-relevant characteristics of the user community (e.g., level of technical sophistication and training or security clearances)? What internal security standards, regulations, or guidelines apply to this system? The sensitivity assessment starts an analysis of security that continues throughout the life cycle. The assessment helps determine if the project needs special security oversight, if further analysis is
Background image of page 1

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
II. Management Controls 80 needed before committing to begin system development (to ensure feasibility at a reasonable cost), or in rare instances, whether the security requirements are so strenuous and costly that system development or acquisition will not be pursued. The sensitivity assessment can be included with the system initiation documentation either as a separate document or as a section of another planning document. The development of security features, procedures, and assurances, described in the next section, builds on the sensitivity assessment. A sensitivity assessment can also be performed during the planning stages of system upgrades (for
Background image of page 2
Image of page 3
This is the end of the preview. Sign up to access the rest of the document.

This document was uploaded on 08/10/2011.

Page1 / 30

Introduction+to+Computer+Security_Part4 - 8. Life Cycle...

This preview shows document pages 1 - 3. Sign up to view the full document.

View Full Document Right Arrow Icon
Ask a homework question - tutors are online