Generally Accepted System Security Principles

2.0 Principles

Candidate principles are organized in a three-level hierarchy. The hierarchy is comprised of:

2.1 Pervasive Principles

The Pervasive Principles address the following properties of information:

The Pervasive Principles provide general guidance to establish and maintain the security of information. These principles form the basis of Broad Functional Principles and Detailed Principles. Security of information is achieved through the preservation of appropriate confidentiality, integrity, and availability. Confidentiality is the characteristic of information being disclosed only to authorized persons, entities, and processes at authorized times and in the authorized manner. Integrity is the characteristic of information being accurate and complete and the information systems' preservation of accuracy and completeness. Availability is the characteristic of information and supporting information systems being accessible and usable on a timely basis in the required manner.

The Pervasive Principles are founded on the Guidelines for Security of Information Systems, developed by the Information Computer and Communications Policy (ICCP) Committee and endorsed and published by the Organization for Economic Cooperation and Development (OECD). See Appendix B.

The OECD principles have been interpreted and extended using the Authoritative Foundation, a list of fundamental works on information security compiled by the GASSP Committee to support the development of GASSP. See Appendix C.

Each Pervasive Principle is presented in the following format:

2.1.1 Accountability Principle

Information security accountability and responsibility must be clearly defined and acknowledged.

Rationale:

Accountability characterizes the ability to audit the actions of all parties and processes which interact with information. Roles and responsibilities are clearly defined, identified, and authorized at a level commensurate with the sensitivity and criticality of information. The relationship between all parties, processes, and information must be clearly defined, documented, and acknowledged by all parties. All parties must have responsibilities for which they are held accountable.

Example:

Information assets should be controlled and monitored with an accompanying audit log to report any modification, addition, or deletion to the information assets. These logs should report the user or process which performed the actions.

2.1.2 Awareness Principle

All parties, including but not limited to information owners and information security practitioners, with a need to know should have access to applied or available principles, standards, conventions, or mechanisms for the security of information and information systems, and should be informed of applicable threats to the security of information.

Rationale:

This principle applies between and within organizations. Awareness of information security principles, standards, conventions, and mechanisms enhances and enables controls and can help to mitigate threats. Awareness of threats and their significance also increases user acceptance of controls. Without user awareness of the necessity for particular controls, the users can pose a risk to information by ignoring, bypassing, or overcoming existing control mechanisms. The awareness principle applies to unauthorized and authorized parties.

Example:

The security mechanism of wearing identification badges is weakened if not exhaustively enforced. If unidentified individuals go unchallenged, vulnerability is introduced to the system.

If every user, authorized or unauthorized, is made aware of the organization's position on unauthorized use and its potential consequences, e.g., via a logon banner, some misuse can be avoided.

2.1.3 Ethics Principle

Information should be used, and the administration of information security should be executed, in an ethical manner.

Rationale:

Information systems pervade our societies and cultures. Rules and expectations are evolving with regard to the appropriate provision and use of information systems and the security of information. Use of information and information systems should match the expectations established by social norms, and obligations.

Example:

Some organizations have developed a Code of Ethical Conduct that outlines for all employees a set of actions, behaviors, and conduct guidelines with respect to information security and information use. The code sets forth expectations for conduct that may not be illegal but may be contrary to an organization's policy or belief. Behavior outside the bounds of the code would be considered unethical.

2.1.4 Multidisciplinary Principle

Principles, standards, conventions, and mechanisms for the security of information and information systems should address the considerations and viewpoints of all interested parties.

Rationale:

Information security is achieved by the combined efforts of information owners, users, custodians, and information security personnel. Decisions made with due consideration of all relevant viewpoints and technical capabilities can enhance information security and receive better acceptance.

Example:

When developing contingency plans, organizations can establish a contingency planning team of representatives from facilities management, technology management, and other functional areas in order to better identify the various expectations and viewpoints from across the organization and other recognized parties.

2.1.5 Proportionality Principle

Information security controls should be proportionate to the risks of modification, denial of use, or disclosure of the information.

Rationale:

Security controls should be commensurate with the value of the information assets and the vulnerability. Consider the value, sensitivity and criticality of the information, and the probability, frequency and severity of direct and indirect harm or loss. This principle recognizes the value of approaches to information security ranging from prevention to acceptance.

Example:

Some organizations determine information security measures based on an examination of the risks, associated threats, vulnerabilities, loss exposure, and risk mitigation through cost/benefit analysis using a Risk Management Framework (see Figure 2: IT Security Risk Management Framework).

Other organizations implement information security measures based on a prudent assessment of "due care" (such as the use of reasonable safeguards based on the practices of similar organizations), resource limitations, and priorities.

Figure 2.1-1: IT Security Risk Management Framework

2.1.6 Integration Principle

Principles, standards, conventions, and mechanisms for the security of information should be coordinated and integrated with each other and with the organization's policies and procedures to create and maintain security throughout an information system.

Rationale:

Many breaches of information security involve the compromise of more than one safeguard. The most effective control measures are components of an integrated system of controls. Information security is most efficient when planned, managed and coordinated throughout the organization's system of controls and the life of the information.

Example:

Accounts and accesses may be properly controlled when the information owner selects the right type and level of access for users, informs system managers of which users need accounts, and promptly informs them of changes. If one control in the system of controls is compromised, other controls can provide a safety net to limit or prevent the loss.

2.1.7 Timeliness Principle

All accountable parties should act in a timely, coordinated manner to prevent or respond to breaches of and threats to the security of information and information systems.

Rationale:

Organizations should be capable of swift coordination and action to enable threat event prevention or mitigation. This principle recognizes the need for the public and private sectors to jointly establish mechanisms and procedures for rapid and effective threat event reporting and handling. Access to threat event history could support effective response to threat events and may help to prevent future incidents.

Example:

An organization with access to timely threat and vulnerability information can make prompt decisions that will prevent or mitigate an incident. Expertise can be brought to bear on a problem, e.g., the introduction of a virus on an internal network, if it is rapidly reported to an organization's incident handling team.

2.1.8 Assessment Principle

The risks to information and information systems should be assessed periodically.

Rationale:

Information and the requirements for its security vary over time. Risks to the information; its value; and the probability, frequency, and severity of direct and indirect harm/loss should undergo periodic assessment. Periodic assessment identifies and measures the variances from available and established security measures and controls, such as those articulated here in the GASSP, and the risk associated with such variances. Periodic assessment enables accountable parties to make informed, information risk management decisions whether to accept, mitigate, or transfer the identified risks with due consideration of cost effectiveness.

Example:

Listed below are events that may trigger the need for a security assessment:

2.1.9 Equity Principle

Management shall respect the rights and dignity of individuals when setting policy and when selecting, implementing, and enforcing security measures.

Rationale:

Information security measures implemented by an organization should not infringe upon the obligations, rights, and needs of legitimate users, owners, and others affected by the information when exercised within the legitimate parameters of the mission objectives.

Example:

Individual privacy should be protected. A system administrator may need access to private information for problem diagnosis and resolution only.

2.2 Broad Functional Principles

The Broad Functional Principles (BFP) are derived from the Pervasive Principles (PP) that represent the conceptual goals of information security. By providing the guidance for operational accomplishment of the Pervasive Principles, the Broad Functional Principles are the building blocks (what to do) that comprise the Pervasive Principles and allow definition of the basic units of those principles. Because the Broad Functional Principles are smaller in scope, they are easier to address in terms of implementation planning and execution.

The following matrix presents the relationship of Broad Functional Principles to Pervasive Principles:

          PP-1  PP-2  PP-3  PP-4  PP-5  PP-6  PP-7  PP-8  PP-9
BFP-1      X     X     X     X     X     X     X     X     X
BFP-2      X     X     X     X     -     -     -     -     X
BFP-3      X     X     X     X     -     -     -     -     X
BFP-4      X     X     -     X     -     -     -     X     -
BFP-5      X     X     X     X     X     -     -     X     -
BFP-6      X     X     -     X     -     -     -     -     X
BFP-7      X     -     -     X     X     X     X     X     -
BFP-8      X     -     -     X     X     X     X     X     -
BFP-9      X     -     -     X     X     X     X     X     -
BFP-10     X     -     -     X     X     X     -     X     -
BFP-11     X     X     -     X     X     X     X     X     -
BFP-12     X     -     -     X     X     -     X     X     -
BFP-13     X     X     X     X     -     -     -     -     X
BFP-14     -     X     X     X     -     -     -     -     X

(X marks a relationship between the Broad Functional Principle and the Pervasive Principle; - marks none.)

Figure 2.2-1: Cross-Impact Matrix Relating BFP's to PP's.

Each Broad Functional Principle is presented in the following manner:

(Reference(s) to relevant "Control Objectives" from ISACA's CoBIT, IIA's SAC, the EU's BS-7799, OECD's Information Security Principles, and other sources of safeguard guidance found in the GASSP Committee Foundation Document List (Appendix C).)

2.2.1 Information Security Policy

Management shall ensure that policy and supporting standards, baselines, procedures, and guidelines are developed and maintained to address all aspects of information security. Such guidance must assign responsibility, the level of discretion, and how much risk each individual or organizational entity is authorized to assume.

Rationale:

In order to assure that Information assets are effectively and uniformly secured consistent with their value and associated risk factors, management must clearly articulate its security strategy and associated expectations. In the absence of this clarity, some resources will be under-secured - that is, ineffective; other resources will be over-secured - that is, inefficient.

It is essential that organizations establish, maintain, and promulgate a clearly articulated hierarchy of policies and supporting standards, baselines, procedures, and guidelines, including lines of authority and responsibility, that address the security of the information assets - and supporting Information Technology resources - the organization owns or for which it is responsible. These policies should reflect the information assets' owner's mission statement as well as the value of the confidentiality, availability, and integrity of the information assets to the owner and other relevant parties. The policies must also reflect changes in the organizational mission statement as well as technology advances and other changes that could, if unrecognized or unaddressed, compromise the security of the information.

Example:

Company ZYX developed procedures for system development, access control, and disaster recovery planning within the Information Technology department. These procedures, however, were not the result of management establishing sound policy. They were the result of IT management's perception that it should have documented procedures for some of the more complex activities. During routine system maintenance, "Jack Black", who was unhappy with his manager and the company, realized there was no prohibition of Trojan Horses or other similarly malicious activity. Jack thus built a Trojan Horse into a modification of the Accounts Receivable application system that he routinely maintained. He then submitted his resignation and left the company. Six months later, the Trojan Horse, a logic bomb, began to systematically corrupt files on the birthday of his former manager. At first this corruption appeared to be minor user errors and was ignored. But within a few weeks, the file was severely contaminated, as were all backup files. The result was a sustained inability to generate invoices and related accounts receivable.

ZYX's ability to prosecute Jack was thwarted by the complete lack of policy articulating management and ownership perception of the value of the information assets. Jack was thus successful in his vengeful attack at great cost and embarrassment to ZYX.

2.2.2 Education and Awareness

Management shall communicate information security policy to all personnel and ensure that all are appropriately aware. Education shall include standards, baselines, procedures, guidelines, responsibilities, related enforcement measures, and consequences of failure to comply.

Rationale:

In order to ensure that all personnel are effectively aware of security policy, management must effectively and regularly communicate its requirements. When personnel fail to do what management expects, it is more often the result of an ineffective or imperfect communication of what management expects, rather than from the result of wrongful motive or intent on the part of the personnel. The failure to regularly and effectively communicate information security policy, standards, baselines, procedures, guidelines, responsibilities, related enforcement measures, and the consequences of failing to comply, to all relevant parties can cause the unintentional breach of policy by parties to whom the policy has not been effectively communicated. Such failure can also result in the intentional breach of policy by parties to whom the adverse consequences of such a breach have not been effectively communicated.

In both cases, the potential for harm, liability, or loss to the organization or other relevant parties can be significant. The failure to effectively communicate information security policy can also impair the ability to successfully apply enforcement measures, prosecute criminal activity, or seek civil redress.

Example:

ZYX Corp. decides to allow dial-up access to its Information Technology environment but fails to put a public notice on the logon screen advising all parties of its information security policy. Subsequently, an individual hostile to ZYX accessed the organization's information assets through the dial-up path and modified critical product formulae information, resulting in a substantial loss to the organization. In the civil litigation that followed, the court found in favor of the defendant, because there was no notice that the information was a valued asset and that unauthorized access was prohibited and would be prosecuted.

2.2.3 Accountability

Management shall hold all parties accountable for their access to and use of information, e.g., additions, modifications, copying and deletions, and supporting Information Technology resources. It must be possible to affix the date, time, and responsibility, to the level of an individual, for all significant events.

Rationale:

In order to assure that people behave as expected, it is necessary to know who did what and when it was done.

It is essential that organizations establish and maintain a basis of control for information assets. Such a control framework requires individual and organizational accountability at all levels. The concept of "accountability" refers to the accepting of responsibility by all relevant parties or entities. Holding all parties thusly accountable is intended to assure that any use made of or actions taken on information assets and supporting Information Technology resources shall be for authorized "business/mission purposes only" and that such use or action can be reliably traced to the responsible party or parties, who will be held "accountable."

Example:

When reviewing the daily access audit report, "Henry," the Information Security Officer (ISO), found several invalid Payroll file access attempts by "Edwina" in Personnel. When the ISO spoke with her and her manager concerning this, it became obvious that she did in fact require access to the particular file. She was accordingly granted limited access. However, three other invalid attempts were found against the same file, and the owner of the userid was in the Graphics Arts Department. When the ISO spoke with Jason and his manager, it was determined that Jason was planning to ask for a raise, and his invalid accesses resulted from his attempting to learn what others in his department were being paid. Jason stated that, armed with such information, he would have an idea of what an acceptable pay increase might be. He would thus have an advantage in the raise negotiations. The ISO turned the matter over to Jason's manager for disciplinary action.
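The audit-report review in the example above, and the audit-log requirement under the Accountability Principle in 2.1.1, can be turned into a repeatable check. The following is an added illustration, not part of the GASSP document: the log format, the user and department names, and the mapping of sensitive files to authorized departments are all constructed assumptions.

```python
"""Review of a daily access audit report: group DENIED attempts against
sensitive files by user and department and decide whether each group needs
an access grant review or escalation (added example; constructed data)."""
import re
from collections import defaultdict

# Constructed audit lines, one record per access attempt (not real system output).
AUDIT_LOG = """\
2024-05-06T08:02:11 user=edwina dept=Personnel file=/hr/payroll.dat action=read result=DENIED
2024-05-06T08:02:40 user=edwina dept=Personnel file=/hr/payroll.dat action=read result=DENIED
2024-05-06T08:03:05 user=edwina dept=Personnel file=/hr/payroll.dat action=read result=DENIED
2024-05-06T09:15:22 user=henry dept=Security file=/hr/payroll.dat action=read result=ALLOWED
2024-05-06T12:41:09 user=jason dept=GraphicArts file=/hr/payroll.dat action=read result=DENIED
2024-05-06T12:41:30 user=jason dept=GraphicArts file=/hr/payroll.dat action=read result=DENIED
2024-05-06T12:42:01 user=jason dept=GraphicArts file=/hr/payroll.dat action=read result=DENIED
2024-05-06T13:10:44 user=jason dept=GraphicArts file=/art/logo.psd action=write result=ALLOWED
2024-05-06T14:00:00 user=jason dept=GraphicArts file=/hr/payroll.dat action=read result=DENIED
"""

# Assumed policy: which departments legitimately work with each sensitive file.
AUTHORIZED_DEPTS = {"/hr/payroll.dat": {"Personnel", "Security"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dept=(?P<dept>\S+) "
    r"file=(?P<file>\S+) action=(?P<action>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return the record's fields as a dict, or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def review_denied_access(log_text, threshold=3):
    """Count DENIED attempts on sensitive files per (user, dept, file).

    Groups at or above `threshold` become findings. A user whose department
    is authorized for the file gets 'review_grant' (as with Edwina above);
    anyone else gets 'escalate' (as with the Graphic Arts user).
    """
    counts = defaultdict(int)
    first_seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["result"] != "DENIED":
            continue
        if rec["file"] not in AUTHORIZED_DEPTS:  # only sensitive files matter here
            continue
        key = (rec["user"], rec["dept"], rec["file"])
        counts[key] += 1
        first_seen.setdefault(key, rec["ts"])

    findings = []
    for (user, dept, path), n in sorted(counts.items()):
        if n < threshold:
            continue
        disposition = "review_grant" if dept in AUTHORIZED_DEPTS[path] else "escalate"
        findings.append({"user": user, "dept": dept, "file": path, "denied": n,
                         "first": first_seen[(user, dept, path)],
                         "disposition": disposition})
    return findings


if __name__ == "__main__":
    for f in review_denied_access(AUDIT_LOG):
        print(f"{f['user']:8} {f['dept']:12} {f['file']:16} "
              f"denied={f['denied']} first={f['first']} -> {f['disposition']}")
```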

2.2.4 Information Management

Management shall routinely catalog and value information assets, and assign levels of sensitivity and criticality. Information, as an asset, must be uniquely identified and responsibility for it assigned.

Rationale:

In order to manage information assets efficiently, management must know what to protect. In order to be effectively managed, it is essential to identify and enumerate the core attributes of information as assets. These information asset attributes include:

The organizational ownership of an information asset must be established. The person or agent/custodian legitimately established as the owner of an information asset has the authority and responsibility to make - or delegate - decisions regarding the security of the information asset. It is typically the organization that will ultimately suffer liability, loss, or other harm if the confidentiality, availability, or integrity of the information asset is compromised, though others may suffer harm or loss as well.

The identity and content of the information asset must be clearly established for the owner to make informed decisions regarding its security. Knowing the value of the information asset, as related to its confidentiality, availability, and integrity, enables the owner to understand the financial risks and associated threats that must be mitigated when establishing security requirements for the information asset.

Finally, these attributes should be reviewed regularly, because most information attributes change value over time - in some cases increasing and in others, decreasing.

Example:

XYZ, Inc., a Silicon Valley startup with breakthrough technology, the Cyberwidget, established "Mr. Doe," Vice President of Production, as the owner of its Materials Requirements Planning (MRP) systems. The MRP system included functions addressing inventory and shipping document production, and input to Accounts Receivable invoicing process. Mr. Doe was already heavily tasked - and stressed - with meeting an increasing demand for the Cyberwidget. He repeatedly postponed meetings with the Information Security Officer (ISO) to discuss valuing the system and the supported information asset.

Because there was no financial case in place reflecting the value of the MRP system and supported information assets, management did not fund the ISO's previous year's budget request for improved information security and contingency planning. In the following winter, a mudslide from a nearby hill swept into the Information Technology area dedicated to production and destroyed much of the equipment. The production floor, however, suffered no direct impact.

The result was that the Just-In-Time (JIT) production process was interrupted, even though the production equipment was not damaged. Production was halted and finished production could not be shipped for weeks because the MRP, with inventory control, parts ordering and positioning, shipping documents, and supported invoicing process, was inoperable. Management panicked, the system recovery effort was severely impaired - there was no policy, recovery plan, or designation of responsibility - and clients canceled orders. Many clients reverted to proven vendors of similar, though less efficient, products. Consequently, the promising startup company went into bankruptcy and never recovered.

2.2.5 Environmental Management

Management shall consider and compensate for the risks inherent to the internal and external physical environment where information assets and supporting Information Technology resources and assets are stored, transmitted, or used.

Rationale:

In order to effectively protect the organizational mission, it is necessary to identify and address environmental threats that can disrupt Information Technology functionality. There are significant threats - and vulnerabilities - associated with the location, construction, and equipping of Information Technology facilities. These threats include:

Natural disaster threats (earthquake, flood, hurricane, tornado, landslides, etc.), and

Unintentional or intentional physical threats (e.g., power outage, equipment failure, fire, proximity of potentially toxic or explosive industrial facilities and transportation infrastructures, local crime, and a wide array of accidents that could "exploit" unrecognized or inadequately addressed vulnerabilities of the physical environment).

For the optimum security strategy implementation, it is essential to coordinate and integrate information security efforts with overall organizational security measures and management. Failure to recognize and effectively address local threats and associated vulnerabilities, both internal and external, can result in a potentially disastrous disruption of Information Technology functionality.

Example:

In the dead of winter, an organization impacted by natural disaster contacted its contracted Information Technology Disaster Recovery hot site provider, which offered a Disaster Recovery facility in the same geographic region. Just before the client's Information Technology recovery staff boarded an airplane to fly to the hot site, the roof of the facility collapsed from the weight of snow and ice on it. The hot site provider had not considered the ability of the facility roof to cope with the load of a major snow and ice accumulation. Thus, the hot site provider's building was not suitable to the mission, and no compensating provisions were made. Consequently, the hot site provider lost the client - and credibility - and had to rebuild the Disaster Recovery hot site. A competing provider quickly rescued the client.

2.2.6 Personnel Qualifications

Management shall establish and verify the qualifications related to integrity, need-to-know, and technical competence of all parties provided access to information assets or supporting Information Technology resources.

Rationale:

In order to effectively implement security for information assets and supporting Information Technology resources, it is necessary that the personnel involved are competent with respect to the knowledge and technical skill needed to perform their roles reliably, that their integrity (as demonstrated by work history, academic and training certification, and references) meets organizational requirements, and that their need-to-know is authoritatively established. Such personnel include, at a minimum:

Example:

"Joe B.," who represented himself as a CISSP, was hired by XYZ Corporation to develop and implement a corporate-wide information security program. His first assignment was to conduct a risk assessment to determine the current state of information security in the corporation. After several weeks of effort, Joe submitted his report. Knowledgeable management, upon reviewing his report, noted that an obvious exposure was not documented in the report. XYZ Corporation had failed to implement policy and related standards, baselines, and procedures that would have addressed the prevention, detection, or containment of network attacks. Top management was advised of the risk to information assets and information processing confidentiality, integrity, and availability.

Subsequent investigation disclosed that Joe had not passed the CISSP examination and had not previously performed a risk assessment. Closer review of his report revealed numerous errors and misrepresentations. Joe was dismissed immediately, and personnel policy regarding the verification of credentials was augmented to assure that all qualifications upon which management relied to select staff were effectively validated.

Policy, standards, and procedures were then developed to ensure that appropriate countermeasures, safeguards, or controls were in place and used effectively to reduce risk to an acceptable level. Training sessions were provided to owners, custodians, and users to ensure that all concerned understood the need for and use of the countermeasures.

2.2.7 System Integrity

Management shall ensure that all properties of systems and applications that are essential to or relied upon to support the organization's mission are established, preserved, and safeguarded.

Rationale:

In order for Management to be able to rely upon the correct performance of Information Technology resources, it is necessary to ensure that they are implemented as intended and are not subsequently contaminated or corrupted by malicious acts, uncorrected error conditions, or other failures. Unless controls are in place to protect systems and applications from unauthorized modifications and to ensure that authorized changes are tracked and perform as intended, systems can fail in a way that impairs efficiency or even the health of the organization. Further, such failures may not be detected on a timely basis, because management assumes the integrity of the Information Technology resources.

Example:

During month-end general ledger processing, the closing account levels for the Purchasing Department showed an unexpected surplus of cash. All subsidiary ledger, journal, and accrual accounts relating to Purchasing were then opened for additional verification and validation checking. During this review, it appeared that the Sales Tax Accrual and Posting ledger accounts were not as high as expected. When compared to earlier periods, it was found that accruals were substantially less (30%), given that activity levels were typically within 10% from one period to the next.

A final validation run was executed, and it was found that the cash surplus was the amount that should have been posted to the subsidiary ledger account with the entry of each purchase. All required adjusting entries were then performed, trial balances were calculated, and the results produced the correct balances in all related accounts.

A review was made to determine the cause of the errors. It was found that changes made to the Accounting System thirty-three days earlier produced the errors, due to the omission of critical internal control functions. The routines necessary to perform posting and validation performed correctly, but the account numbers used by the routines were invalid. Thus the entries to be posted were retained in the original accounts, and, because no error checking was included in the changes, no error reporting output was generated to alert anyone to the problem.

The necessary internal control functions were subsequently re-established, and the problem did not recur. Change control procedures were revisited and updated to prevent the omission of necessary control in the future.

2.2.8 Information Systems Life Cycle

Management shall ensure that security is addressed at all stages of the system life cycle.

Rationale:

In order for management to be able to rely upon controls, they must be continuous. In order to be efficient, controls must be comprehensive and applied early. The security function must be fully integrated with system life cycle processes. Retrofit, repair, and other late remedies are always inefficient and may be ineffective. Late application of a control may be insufficient to restore a system to a desired or required robustness.

All in-place controls and countermeasures must be fully documented and periodically reviewed. For pre-production systems, phase reviews must assess intended security feature design, integration, and effectiveness. For in-production systems, maintenance phase reviews must be performed at every step to ensure consistent and correct performance, continued effectiveness and efficiency, accurate interface(s) with other applications, and the comprehensive maintenance of all contingency planning measures.

All reviews must be conducted in conformance with established guidelines that define minimum acceptable requirements for controls' effectiveness in support of organizational standards for information confidentiality, system and data integrity, and the availability of the information asset and supporting Information Technology resources.

Example:

Operating System (OS) maintenance was planned for the Engineering Design Control Section system. It was known that the system held planning data for all new plant designs, including details of proprietary processes, specifications of valve prototypes under consideration for inclusion, and other highly confidential data. The Systems Administrator knew from his analysis that three modules of the OS would be over-written by new versions. He expressed concern that the in-place modules would revert to the original installation parameters, thus erasing all file access rules and potentially exposing sensitive data to users having no authority to access the information. The maintenance team agreed to test this concern in an isolated but identically configured environment before conversion.

During the test procedure, the maintenance team found that the System Administrator's concerns were well founded - the file access rules were indeed erased. The team found a solution, which was to make archival copies of the rules database, perform the conversion, then lay in the rules database following conversion. Extensive testing in the isolated environment proved that this option performed correctly, and the system maintenance subsequently proceeded successfully.
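The archive-convert-restore approach in the example above only works if the restored rules are verified afterwards. The following added example (not the document's procedure, and not the OS in question) uses POSIX permission bits on a constructed temporary directory as a stand-in for the file access rules database: it archives the rules, simulates the maintenance step wiping them, detects the drift, lays the archive back in, and re-verifies.

```python
"""Preserve and verify file access rules across a maintenance step (added
example; permission bits stand in for the rules database, and the file layout
below is constructed)."""
import os
import stat
import tempfile


def snapshot_rules(root):
    """Map each file under root (relative path) to its permission bits."""
    rules = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rules[os.path.relpath(full, root)] = stat.S_IMODE(os.stat(full).st_mode)
    return rules


def compare_rules(expected, actual):
    """Return drift as {path: (expected_mode, actual_mode)}; a file that has
    disappeared shows None on the actual side."""
    drift = {}
    for path, mode in expected.items():
        cur = actual.get(path)
        if cur != mode:
            drift[path] = (mode, cur)
    return drift


def restore_rules(root, expected):
    """Lay the archived rules back in; return the paths that were corrected."""
    corrected = []
    for path, mode in expected.items():
        full = os.path.join(root, path)
        if os.path.exists(full) and stat.S_IMODE(os.stat(full).st_mode) != mode:
            os.chmod(full, mode)
            corrected.append(path)
    return sorted(corrected)


def simulate_maintenance(root):
    """Constructed stand-in for the OS module overwrite described above: every
    file reverts to the default 0o644, erasing the restrictive rules."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            os.chmod(os.path.join(dirpath, name), 0o644)


def demo():
    """End to end: archive, convert, detect drift, restore, re-verify."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed layout: two sensitive design files and one public file.
        layout = {"designs/plant7.dat": 0o600,
                  "specs/valve.txt": 0o640,
                  "public/readme.txt": 0o644}
        for rel, mode in layout.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(full, mode)

        archived = snapshot_rules(root)          # archival copy of the rules
        simulate_maintenance(root)               # the conversion step
        drift_after = compare_rules(archived, snapshot_rules(root))
        corrected = restore_rules(root, archived)
        drift_final = compare_rules(archived, snapshot_rules(root))
        return {"archived": archived, "drift_after": drift_after,
                "corrected": corrected, "drift_final": drift_final}


if __name__ == "__main__":
    result = demo()
    print("drift after maintenance:", result["drift_after"])
    print("rules restored on:", result["corrected"])
    print("drift after restore:", result["drift_final"])
```

A non-empty drift after the restore step is the signal that the maintenance may not proceed to production.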


2.2.9 Access Control

Management shall establish appropriate controls to balance access to information assets and supporting Information Technology resources against the risk.

Rationale:

In order to achieve a level of risk mitigation commensurate with the value of the information asset to be secured, access to information assets and supporting Information Technology resources should be restricted to the smallest population consistent with other business needs, on the basis of a clearly delineated "need-to-know." Under this standard, staff who depend on information systems still obtain everything their assigned tasks require, but only through appropriately controlled means. Specifically, individual employees and other parties are denied access to information assets and supporting Information Technology resources that do not directly relate to their work requirements, assigned objectives, or legitimate, authorized need; the starting position for any resource is no access until a need has been established and an authorization granted.

By enforcing such a standard, the owner or custodian limits the exposure of potentially sensitive information assets and supporting Information Technology resources and enables management to assert appropriate control over the access to, modification of, or dissemination of sensitive information assets in terms of both content and recipient. Potentially adverse consequences resulting from uncontrolled access or distribution are therefore minimized.

Example:

"Diane Thomas," Director of Benefits and Compensation for XYZ, Inc., was reviewing salary plans from all departments, and found that proposed salary increases for the next fiscal year were 15% higher than had been discussed at a budgetary planning meeting earlier that year. She met with the Compensation Manager to discuss the unexpected figures before returning them to the department managers to be re-worked. Diane questioned the figures and asked where the department managers got their justification. The manager responded that the justification used was the forecasted 25% increase in Company revenues over last year. Probing further, Diane asked where that information was obtained and was told it was available on-line from the Accounting System. Diane ended the meeting and went to see "Jay Brock," Director of Finance.

After hearing the situation, Jay became very concerned that confidential budget forecast information seemed to be freely available instead of being limited to Directors and Senior Corporate Officers. Diane requested that "Maurice McDonnell," the Director of Information Systems, join them immediately. When Maurice arrived, and the situation was explained to him, he promptly left to look into it. Maurice called his System Security Officer (SSO) in and asked for a report on the access control rules for the Accounting System. Two hours later, the SSO returned with the report, and, in reviewing it, they found no rule in place for the file containing the forecast information.

To remedy this, Maurice called Jay, and they agreed to take the file off-line until an appropriate rule could be put in place. Thus, future inappropriate access was prevented, and what could have been the costly disclosure of highly sensitive strategic information was limited to the discovery of an embarrassing lapse in access control management. The lapse also shows why the system's default matters: where the absence of a rule means open access, every newly created file is exposed until someone remembers to protect it, whereas a default-deny posture would have left the forecast file closed from the moment it was created.
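The difference between "no rule means open" and "no rule means closed" is easy to show in code. The following is an added example, not part of the GASSP text: a small policy evaluator run both ways over the same constructed rule set, plus the audit the SSO effectively performed by hand, listing labelled objects that carry no rule at all. The roles, subjects, object names and labels are constructed for illustration.

```python
"""Default-deny access evaluation and an unprotected-object audit.

Added example (not from the GASSP text). RULES, LABELS and SUBJECT_ROLES are
constructed; note that the forecast file is labelled confidential but has no
rule, which is exactly the condition the incident report describes.
"""
from collections import namedtuple

Rule = namedtuple("Rule", "subject_role object action")

# Constructed rule set. There is deliberately no rule for acct/forecast.dat.
RULES = [
    Rule("director", "acct/budget.dat", "read"),
    Rule("senior_officer", "acct/budget.dat", "read"),
    Rule("accountant", "acct/ledger.dat", "read"),
    Rule("accountant", "acct/ledger.dat", "write"),
]

# Constructed owner-assigned sensitivity labels.
LABELS = {
    "acct/budget.dat": "confidential",
    "acct/forecast.dat": "confidential",   # sensitive but unprotected
    "acct/ledger.dat": "internal",
    "acct/holidays.txt": "public",
}

# Constructed subjects and the roles they hold.
SUBJECT_ROLES = {
    "jay.brock": {"director"},
    "diane.thomas": {"director"},
    "dept.manager": {"manager"},
    "clerk": {"accountant"},
}

SENSITIVITY_ORDER = ["public", "internal", "confidential"]


def rules_for(obj):
    """All rules that name this object."""
    return [r for r in RULES if r.object == obj]


def is_allowed(subject, obj, action, default_deny=True):
    """Decide an access request.

    default_deny=True:  an object with no rule is closed to everyone.
    default_deny=False: an object with no rule is open to everyone (the
                        posture that exposed the forecast file); rules only
                        restrict objects that have them.
    """
    roles = SUBJECT_ROLES.get(subject, set())
    applicable = rules_for(obj)
    if not applicable:
        return not default_deny
    return any(r.subject_role in roles and r.action == action for r in applicable)


def unprotected_objects(min_label="internal"):
    """Audit: objects labelled at or above min_label that have no rule.
    This is the report that surfaced the forecast file in the narrative."""
    threshold = SENSITIVITY_ORDER.index(min_label)
    return sorted(
        obj for obj, label in LABELS.items()
        if SENSITIVITY_ORDER.index(label) >= threshold and not rules_for(obj)
    )


if __name__ == "__main__":
    for posture in (False, True):
        print("default_deny =", posture,
              "dept.manager reads forecast:",
              is_allowed("dept.manager", "acct/forecast.dat", "read", posture))
    print("unprotected:", unprotected_objects())
```

Run the audit on a schedule rather than after an incident; an object that acquires a sensitivity label without acquiring a rule is the condition to alert on.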


2.2.10 Operational Continuity and Contingency Planning

Management shall plan for and operate Information Technology in such a way as to preserve the continuity of organizational operations.

Rationale:

In order to protect information assets and supporting Information Technology resources from disruptive events, or to be able to rapidly restore their proper functioning in the case that such a disruptive event is unavoidable, it is essential that organizations establish a cohesive set of preventive, mitigative, and restorative measures, as determined to be appropriate and cost-effective by risk assessment.


Organizational entities depend on their Information Technology resource infrastructure now more than at any previous time in history to deliver mission-critical information in a timely fashion. The operational importance of information assets, whether based on cost or time factors, is such that organizations can ill afford to endure the consequences of significantly disruptive events impacting supporting Information Technology resources or the information assets directly.

Example:

A risk assessment performed at XYZ, Inc. showed that the ground floor Central Computing Services Complex (CCSC) was well isolated from most major disruptive agents, except for flooding. The executive in charge of Information Technology stated that when the ten-story structure was built, area flooding had occurred no more recently than fifteen years ago, and all steps then believed appropriate to mitigate this threat were taken. The System Security Officer, "Joe B." CISSP, pointed out that in the intervening period, additional construction had occurred, but no corresponding flood control measures had been taken. Additionally, Joe mentioned that weather statistics showed that each year the tropical storm count increased, as had the attendant rainfall amounts, with the result that larger amounts of water pooled for longer periods in places where they had not fifteen years earlier.

It was generally recognized that a flood would damage or destroy the Information Technology facilities on the first floor. Historically, flood cleanup had required four to six weeks in this area. Also, a service outage of greater than fourteen days would render XYZ, Inc. financially insolvent. When asked for recommendations, Joe stated that XYZ's flood insurance must be reviewed to ensure that it is commensurate with asset values and corporate requirements as they currently stand.

Joe further recommended that management consider relocating the CCSC to a higher floor in the building, or away from the current building, where the threat of flooding could be reduced or eliminated. When questioned concerning the cost of these and other measures, Joe stated that the most costly recommendation was less than $700K, while the estimated cost to clean up the facility and replace all damaged equipment in the event of total loss exceeded $15M. He further stated that an appropriate increase in Flood Insurance would add less than 0.5% to the Insurance Expense line of the Corporate Operational Budget.


2.2.11 Information Risk Management

Management shall ensure that information security measures are appropriate to the value of the assets and the threats to which they are vulnerable.

Rationale:

In order to choose effective and efficient information security measures, management must identify the assets to be protected, the threats to the assets, and the vulnerability of the assets or their environment to the threats.

The security of information assets, with regard to the value of their confidentiality, integrity, and availability, and the security of the supporting Information Technology resources, must be assured by well-informed owners, managers, custodians, or other responsible parties. Such an approach (performed strategically, on an on-going basis, or as changes dictate) must enable well-informed decisions regarding whether to accept, mitigate, or transfer the risks associated with the information assets and supporting Information Technology resources. These decisions should be based on the monetary value of the assets, probability and consequences of direct or indirect harm or loss, related threats, effectiveness of existing safeguards and controls, and whether additional safeguards or controls could be expected to provide cost-effective incremental risk mitigation.

Example:

In migrating to a newer version of the standard corporate e-mail, a team of analysts working for ABC, Inc., assessed whether or not the in-place access rules would migrate intact. This was regarded as a critical factor, since highly confidential project information was passed regularly from one department head to another. In the post-migration test analysis, the team found that proxy rules did not transfer, with the result that mail became visible to "public." The team also found that the encryption feature failed, owing to version incompatibilities, when applied to mail sent externally.

The Directors of Internal Audit and Corporate Legal reviewed the matter for potential ramifications. Given the kind of information that could have been compromised, their consensus was that exposure to loss of intellectual property, and possible violation of employee privacy, could have exposed the company to an estimated $39M in total losses. $9M of loss would stem from a combination of litigation costs and settlements in privacy matters, and another $30M from redevelopment costs due to exposure of proprietary process details while in transit to remote corporate sites. Consequently, the transition effort was halted until the problem was fully resolved, and effective security measures were implemented and successfully tested.


2.2.12 Network and Infrastructure Security

Management shall consider the potential impact on the shared global infrastructure, e.g., the Internet, public switched networks, and other connected systems when establishing network security measures.

Rationale:

In order to compensate for the increased vulnerability created by connecting to systems beyond the organization, the threat and risk model must be changed to reflect threats in both directions: from outside the organization to its own systems, and from its own systems to those outside. For example, connecting a UNIX system to the public switched network exposes that UNIX system to attack from outside, and connecting the same UNIX system to the Internet makes it a potential launching point for attacks on other systems.

All methods for accessing Information Technology resource connectivity must contain controls and countermeasures that implement the established security policy of the organization appropriate to the sensitivity or criticality level of the Information Technology resources and supported information assets. Such controls must, at a minimum, reflect the same security level as the information itself, to ensure consistency and cohesiveness of overall policy implementation. This consideration must extend to the physical as well as the logical aspect of the connectivity.

The potential to subvert access to the Information Technology resources and supported information assets is greatest for persistent connections, but temporary connections (for example, dial-in) add to it as well. The same potential exists through in-house networks, although these offer an attacker less flexibility to exploit. Therefore, the security implementation must first identify the specific weaknesses in each access method and the potential consequences of their exploitation. Then each weakness can be addressed through the application of measures intended to achieve a level of protection commensurate with the sensitivity or criticality of the Information Technology resource and the supported information assets.

Example:

Having received the first request for dial-in access, "Joe A." carefully assessed the stated need and the description of the resources required. The National Sales Manager carried a laptop and required access from several company locations throughout the country, some of which had no in-house computer access. The data he would transmit was going to be sales volumes and dollar amounts, both considered very confidential. Joe knew that strong security steps would be required to meet this unique situation.

Looking at several options, Joe selected a combination of SmartCard, encryption, and callback measures to secure the dial-in access link. The callback would confirm physical location (it was linked to a telephone line with no "Call-Forward" feature, since call forwarding would let a caller elsewhere receive the callback), encryption would provide data confidentiality, and the SmartCard facility would provide user identification and authentication. Given that the database the National Sales Manager would access had its own built-in userid and password routine, Joe believed that together these measures would provide proper security.


2.2.13 Legal, Regulatory, and Contractual Requirements of Information Security

Management shall take steps to be aware of and address all legal, regulatory, and contractual requirements pertaining to information assets.

Rationale:

In order for an organization to diligently comply with all legal, regulatory, and contractual requirements associated with its operations, it is necessary to ensure that no requirement exists for which compliance measures have not been put in place. As part of this effort, plans should also be in place to address potential actions against the organization should their policy, processes, or actions be called into question.


Example:

During the final review of XYZ Company's Statement of Work for its Department of Energy (DoE) contract prior to "Best-and-Final" submission, it was noted by the Director of Engineering that no provisions had been included specifically regarding protection of information assets belonging to the Government. There was only general text that reflected awareness of the confidential nature of the work. This prompted a review of the contract to determine what specifications addressed this topic, and what XYZ's potential liability would be by leaving unaddressed any such specifications. The review showed that penalties of up to $10,000 per day would accrue for failure to comply with stated performance requirements. Additionally, until compliance was re-established, the contractor would forfeit all accrued performance awards.

A contract review meeting was called, and the Contracting Officers, along with DoE personnel, discussed information asset protection requirements. Subsequent to the meeting, the Statement of Work was amended to address the stated specifications. It was determined that had XYZ failed to address this matter from the inception of the contract, a four month period would have been required to initiate and complete compliance efforts. This would have resulted in a loss of $120K in penalties, $500K in accrued performance awards, and compliance effort costs of $110K when performed after contract inception. The cost added to the contract to perform the work from inception was, by comparison, estimated to be less than $60K.


2.2.14 Ethical Practices

Management shall respect the rights and dignity of individuals when setting policy and when selecting, implementing, and enforcing security measures.

Rationale:

In order to preserve employee morale and the perception of the organization and its management as fair and ethical, and recognizing that security measures may be or become unduly intrusive, management must be candid, fair, and conservative in developing and enforcing security policy.

Management must carefully consider employee privacy. The key to successful policy is strict observance of fairness and respect for the individual. No policy is complete proof against culpability, but careful construction and consistently unbiased execution contribute positively to the organization’s overall risk management program.

Policy provisions, including consequences for non-compliance, must be understandable and enforceable, and enforcement must be fairly applied. Candor helps ensure fairness. Security measures that cannot be disclosed should not be applied.

Owner’s conservative rule: Owners should assume that others would treat their assets as belonging to the public domain. Therefore, they should explicitly declare (in reasonably visible ways) the products of their efforts and their property to be either private or public.

User’s conservative rule: Assume that any tangible or intangible item belongs to somebody else unless an explicit declaration or convention identifies it as being in the public domain or authorized for your use.

Example:

BCA Corp. hired "Jim Blue" to implement and manage its logical access control policy. Jim promptly found that many userids and passwords belonging to terminated employees were still active, though their owners were gone, some for several years. He also found that one of these userid/password combinations had been used subsequent to the owner’s departure. Files accessed included confidential personnel and payroll records of a key executive. Though no one had noticed, the executive’s files had been altered to imply that a medical condition had become a significant risk. This fabricated medical problem could have affected the executive’s career upon his next review, given the high-stress nature of his job.

Assuming that the departed party had violated the company’s privacy policy, Jim wrote a letter to the executive accusing the former employee of a breach of privacy. The executive was outraged. An investigation ensued, the police were consulted, and the individual accused was interrogated aggressively. In addition, Jim, feeling guilty for having made his accusation perhaps prematurely, carefully reviewed the logical access management procedures and practices applied prior to his being hired. The investigation revealed that the management of logical access controls had previously been so poor that a significant number of employees could have executed the inappropriate modification, and determining who was responsible was impossible.

The unethical action of accusing the former employee prior to establishing the facts resulted in substantial embarrassment to the company, which avoided a potentially costly lawsuit only by promptly offering a generous settlement.

2.3 Detailed Security Principles

The Detailed Security Principles specifically address methods of achieving compliance with the Broad Functional Principles with respect to existing environments and available technology. There will be many detailed information security principles supporting one or more Broad Functional Principles. The Detailed Principles will address differing technologies, environments, standards, practices, and concepts that are relevant to the Broad Functional Principles. The Detailed Principles are expected to continuously evolve to meet the challenges of emerging technology and new threats.

Following is an example of a Detailed Principle (and its underlying rationale) supporting a Broad Functional Principle (Access Control), which supports the Pervasive Principle (Proportionality):

Principle

Use one-time passwords to control logical access to all information assets deemed critical to an organization.

Rationale

Multiple-use passwords were originally the only technique available to control access to a system. Changes in technology, in particular the ease with which a reusable password can be captured in transit or guessed and then replayed, made the multiple-use password obsolete in many environments. Therefore, the one-time password evolved: each value is valid for a single authentication, so a value an attacker captures is of no further use. Future technological advances will probably result in the use of smart card technology, replacing current password technology. (There will be separate Detailed Principles that expand upon and guide the application of security mechanisms in the users’ environment.)