Question

Explain four methods for identifying and selecting is projects. Compare the characteristics of each and identify the strengths and weaknesses of each method.

Answer 1

Organizations and folks that use computers will describe their desires for info security and trust in systems in terms of 3 major requirements:

Confidentiality: dominant UN agency gets to scan information;

Integrity: reassuring that info and programs ar modified solely during a such as and licensed manner; and

Availability: reassuring that licensed users have continued access to info and resources.

These 3 necessities could also be emphasised otherwise in numerous applications. For a national arms, the chief concern could also be guaranteeing the confidentiality of classified info, whereas a funds transfer system might need sturdy integrity controls. the necessities for applications that ar connected to external systems can disagree from those for applications while not such interconnection. so the precise necessities and controls for info security will vary.
The framework among that a corporation strives to satisfy its desires for info security is written as security policy. A security policy may be a summary statement, by those chargeable for a system (e.g., senior management), of data values, protection responsibilities, and structure commitment. One will implement that policy by taking specific actions radio-controlled by internal control principles and utilizing specific security standards, procedures, and mechanisms. Conversely, the choice of standards, procedures, and mechanisms ought to be radio-controlled by policy to be simplest.

To be helpful, a security policy should not solely state the protection want (e.g., for confidentiality—that knowledge shall be disclosed solely to licensed individuals), however additionally address the vary of circumstances underneath that that require should be met and also the associated in operation standards. while not this second half, a security policy is thus general on be useless (although the second half could also be accomplished through procedures and standards set to implement the policy). In any specific circumstance, some threats ar additional probable than others, and a prudent policy setter should assess the threats, assign level of concern to every, and state a policy in terms of that threats ar to be resisted. as an example, till recently most policies for security didn't need that security desires be met within the face of a pestilence attack, as a result of that sort of attack was uncommon and not wide understood. As viruses have escalated from a hypothetic to a commonplace threat, it's become necessary to rethink such policies in relation to strategies of distribution and acquisition of code. inexplicit this method is management's selection of level of residual risk that it'll tolerate, level that varies among organizations.

Management controls ar the mechanisms and techniques—administrative, procedural, and technical—that ar instituted to implement a security policy. Some management controls ar expressly involved with protective info and data systems, however the construct of management controls includes far more than a computer's specific role in implementing security. Note that management controls not solely ar employed by managers, however additionally could also be exercised by users. an efficient program of management controls is required to hide all aspects of data security, as well as physical security, classification of data, the means that of convalescent from breaches of security, and particularly coaching to instill awareness and acceptance by individuals. There ar trade-offs among controls. as an example, if technical controls aren't obtainable, then procedural controls may be used till a technical answer is found.