The New Law of Information Security (page 14 / 29)

design, information processing, storage and disposal, prevention, detection, and response to attacks, intrusions, and other system failures, as well as employee training and management. 64

For each identified threat, the organization should then evaluate the risk posed by the threat by: 65

Assessing the likelihood that the threat will materialize;
Evaluating the potential damage that will result if it materializes; and
Assessing the sufficiency of the policies, procedures, and safeguards in place to guard against the threat.

Such risk should be evaluated in light of the nature of the organization, its transactional capabilities, the sensitivity and value of the stored information to the organization and its trading partners, and the size and volume of its transactions. 66

This process will be the baseline against which security measures can be selected, implemented, measured, and validated. The goal is to understand the risks the business faces, and determine what level of risk is acceptable, in order to identify appropriate and cost-effective safeguards to combat that risk.

(c) Develop Security Program to Manage and Control Risk

Based on the results of the risk assessment, a business should design and implement a security program consisting of reasonable physical, technical, and administrative security measures to manage and control the risks identified during the risk assessment. 67 The security program should be in writing, 68 and should be coordinated among all parts of the organization. 69 It should be designed to provide reasonable safeguards to control the identified risks 70 (i.e., to protect against any

64 See, e.g., Microsoft Consent Decree at II, p. 4; Eli Lilly Decision at II.B.

65 See, e.g., FISMA, 44 U.S.C. Sections 3544(a)(2)(A) and 3544(b)(1); GLB Security Regulations, 12 C.F.R. Part 30, Appendix B, Part III.B(2).

66 See, e.g., Authentication In An Electronic Banking Environment, July 30, 2001, Federal Financial Institutions Examination Council, page 2; available at www.occ.treas.gov/ftp/advisory/2001-8a.pdf.

67 See, e.g., Microsoft Consent Decree at II, p. 4; GLB Security Regulations (OCC), 12 C.F.R. Part 30 Appendix B, Part II.A; Eli Lilly Decision at II.B; HIPAA Security Regulations, 45 C.F.R. Section 164.308(a)(1)(i); Federal Information Security Management Act of 2002 (FISMA), 44 U.S.C. Section 3544(b).

68 See, e.g., Microsoft Consent Decree at II, p. 4; GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part II.A; HIPAA Security Regulations, 45 C.F.R. Section 164.316(b)(1); Federal Information Security Management Act of 2002 (FISMA), 44 U.S.C. Section 3544(b).

69 See, e.g., GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part II.A; Federal Information Security Management Act of 2002 (FISMA), 44 U.S.C. Section 3544(b).

70 See, e.g., Microsoft Consent Decree at II, p. 4; GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part II.B.

