Compliance-Based Security Management

The compliance-based approach has been an accepted method of protecting information resources. It yields clear requirements that are easy to audit. However, a compliance-based approach to information security does have notable disadvantages when applied to both classified or unclassified information systems.

A compliance-based approach treats every system the same, protecting all systems against the same threats, whether they exist or not. It also eliminates flexibility on the part of a manager who controls and processes the information and who makes reasonable decisions about accepting risks. Utilization of a compliance-based approach may often leave the owners of the information systems with a false impression that a one-time answer to security makes the system secure forever. Usually, the inflexibility of a compliance-based approach significantly increases the cost of the security program, while failing to provide a higher level or more secure information systems.

Risk-Based Security Management

Management often confuses Risk Management with Risk-Based Management. Risk Management is an analytical decision-making process used to address the identification, implementation, and administration of actions and responses, based upon the propensity for an event to occur that would have a negative effect upon an organization or its functional programs or components. Risk Management address probabilistic threats (e.g., natural disasters, human errors, accidents, technology failures, etc.), but fails to take into account speculative risks (e.g., legal or regulatory changes, economic change, social change, political change, technological change, or management and organizational strategies). In contrast, Risk-Based Management is a methodology that involves the frequent assessment of events (both probabilistic and speculative) affecting an environment.

In managing the security of information systems, a risk-based approach is essentially an integrity failure impact assessment of the environment, program, system, and subsystem components. As such, it must be integrated as a part of the system life cycle. A risk-based approach to security directly places the responsibility for determining the actual threats to a processing environment and for determining how much risk to accept, in the hands of the managers who are most familiar with the environment in which they have to operate.

Both compliance-based security management and risk-based security management take advantage of risk management processes and assessment practices. In contrast to the compliance-based security management discussed above, using a risk-based security management approach allows managers to make decisions based on identified risks rather than on a comprehensive list of risks, many of which may not even exist for the facility in question. Security control requirements for each information system may then be determined throughout the system’s life cycle by iterative risk management processes and summarized as a control architecture under configuration management. Implementation of a security control architecture as a primary point of control ensures that each information system is protected in accordance with organizational policy, and at the levels of integrity, availability, and confidentiality appropriate for the functions of the corporation’s systems.

Exercising Due Care

A standard of due care is the minimum and customary practice of responsible protection of assets that reflects a community or societal norm. In the private sector this norm is usually based on type or line of business (e.g., banking, insurance, oil and gas, medical, etc.), and within the public sector this norm is determined by legislative, federal, and agency requirements. Efforts to develop a universal norm for both the public and private sectors as well as for the international community have been initiated in response to the National Information Infrastructure and the development of the international Common Criteria.

In either sector, failure to achieve minimum standards would be considered negligent and could lead to litigation, higher insurance rates, and loss of assets. Sufficient care of assets should be maintained such that recognized experts in the field would agree that negligence of care is not apparent.

Due care must be exercised to ensure that the type of control, the cost of control, and the deployment of control are appropriate for the system being managed. Due care implies reasonable care and competence, not infallibility or extraordinary performance, providing assurance that management does not overcontrol nor take an unnecessary reactionary, politically motivated, or emotional position.

Due diligence, on the other hand, is simply the prudent management and execution of due care. Failure to achieve the minimum standards would be considered negligent and could lead to loss of assets, life, and/or litigation.

Understanding the Accountability Associated with Exercising a Standard of Due Care

Although significant strides have been made in criminal prosecution of computer and “high tech” crime in the last few years, the civil concepts (contractual and common law) of negligence and exercising a standard of due care for the protection of information of inter/intranetworked systems and the National Information Infrastructure are still in their embryonic state.

Under the standard of Due Care, managers and their organizations have a duty to provide for information security even though they may not be aware they have such obligations. These obligations arise from the portion of U.S. Common Law that deals with issues of negligence.

Since information systems are relied on by a rapidly increasing number of people outside the organizations providing the services, the lives, livelihood, property, and privacy of more and more individuals may be affected. As a result, an increasing number of users and third-party nonusers are being exposed to and are now actually experiencing damages as a result of failures of information security in information systems. If managers take actions that leave their information resources unreasonably insecure, or if they fail to take actions to make their information resources reasonably secure, and as a result someone suffers damages when those systems are penetrated, usurped, or otherwise corrupted, both the managers and their organizations may be sued for negligence.