International review of criminal policy - Nos. 43 and 44/Security in the electronic data processing environment


 * A. Security in the electronic data-processing environment

186. Society increasingly relies on automated systems to carry out many essential functions in day-to-day life. If these systems are to be depended upon, it is essential that the persons responsible for their operation recognize the vulnerabilities to which they are subject and take steps to implement appropriate safeguards.

187. An EDP system can be considered as a group of assets of varying sensitivity related to the maintenance of three basic requirements: confidentiality, integrity and availability.

188. EDP security, while a relatively recent discipline, is subject to a variety of interpretations. Historically, security measures have been applied to the protection of classified information from the threat of disclosure in a national security context. Recently, much attention has been directed to the issue of individual privacy as it relates to personal information stored in computerized data systems. Another consideration is data integrity in financial, scientific and process control applications. The security of computer installations themselves is of great concern to many organizations, owing to the significant financial investment involved.

189. Since all of these interpretations of EDP security may have significance to different users, a practical definition is needed to account for the wide range of concerns. For the purpose of this Manual, EDP security is defined as that state reached when automated systems, data and services are receiving appropriate protection against accidental and deliberate threats to confidentiality, integrity or availability.

190. Security, like insurance, is to a large extent applied risk management, defined as the attempt to achieve a tolerable level of risk at the lowest possible cost. The goal is to reduce the risk exposure of the facility to an acceptable level, best achieved by a formal assessment of risk. This includes a number of components, such as the identification of EDP assets, values, threats and vulnerabilities and the financial impact of each threat-asset combination; estimation of the frequency of occurrence for each chosen threat-asset pair; and choice of safeguards and implementation priorities for security measures. Safeguards should not only be cost-effective but should also provide a judicious balance between those designed to prevent threats, those to detect threat occurrences or security infractions and those to respond to the threats that inevitably occur. Risk analysis is a team function that must involve managers from user, application, systems and operations areas in the establishment of priorities and the allocation of funds for security measures. In some cases, where confidentiality is a specific concern, additional protection must be provided through the application of mandatory regulatory requirements. Government classified information is subject to such regulations.
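The assessment steps in paragraph 190, worked through as an added example that is not part of the Manual: expected yearly loss per threat-asset pair, safeguards ranked by net benefit, and a check of the prevent/detect/respond balance. All assets, threats, figures and safeguard names are constructed, and scoring each safeguard independently of the others is a simplifying assumption.

```python
from dataclasses import dataclass

@dataclass
class Pair:                 # one threat-asset combination
    asset: str
    threat: str
    impact: float           # financial impact of one occurrence
    per_year: float         # estimated occurrences per year

    @property
    def expected_loss(self) -> float:
        return self.impact * self.per_year

@dataclass
class Safeguard:
    name: str
    kind: str               # "prevent", "detect" or "respond"
    annual_cost: float
    reduces: dict           # (asset, threat) -> fraction of expected loss removed

def net_benefit(sg, pairs):
    """Yearly loss avoided by the safeguard minus its yearly cost."""
    saved = sum(p.expected_loss * sg.reduces.get((p.asset, p.threat), 0.0)
                for p in pairs)
    return saved - sg.annual_cost

def prioritise(safeguards, pairs):
    """Cost-effective safeguards only, highest net benefit first."""
    scored = [(net_benefit(s, pairs), s) for s in safeguards]
    scored.sort(key=lambda item: item[0], reverse=True)
    return [s for benefit, s in scored if benefit > 0]

def missing_kinds(chosen):
    """Safeguard categories the chosen set does not cover."""
    return {"prevent", "detect", "respond"} - {s.kind for s in chosen}

# Constructed sample data (assumptions, not figures from the Manual).
MOD = ("payroll data", "unauthorized modification")
DEL = ("payroll data", "accidental deletion")
FIRE = ("computer room", "fire")
PAIRS = [Pair(*MOD, 80_000, 0.25), Pair(*DEL, 4_000, 2.0),
         Pair(*FIRE, 400_000, 0.03125)]
SAFEGUARDS = [
    Safeguard("file access control", "prevent", 3_000, {MOD: 0.5}),
    Safeguard("audit trail review", "detect", 2_000, {MOD: 0.25}),
    Safeguard("off-site backup", "respond", 1_500, {DEL: 0.75, FIRE: 0.25}),
    Safeguard("fire suppression", "prevent", 15_000, {FIRE: 0.75}),
]

if __name__ == "__main__":
    for s in prioritise(SAFEGUARDS, PAIRS):
        print(f"{s.name:22} {s.kind:8} net {net_benefit(s, PAIRS):>8,.0f}")
    print("uncovered kinds:", missing_kinds(prioritise(SAFEGUARDS, PAIRS)) or "none")
```

With these figures the fire suppression safeguard is excluded because its yearly cost exceeds the loss it avoids, which is the cost-effectiveness test the paragraph describes.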