Generally Accepted Information Security Principles
Statement:
Management shall ensure that information security measures are appropriate to the value of the assets and the threats to which they are vulnerable.
Rationale:
In order to choose effective and efficient information security measures, management must identify the assets to be protected, the threats to the assets, and the vulnerability of the assets or their environment to the threats.
The security of information assets, with regard to the value of their confidentiality, integrity, and availability, and the security of the supporting Information Technology resources, must be assured by well-informed owners, managers, custodians, or other responsible parties. Such an approach (performed strategically, on an ongoing basis, or as changes dictate) must enable well-informed decisions regarding whether to accept, mitigate, or transfer the risks associated with the information assets and supporting Information Technology resources. These decisions should be based on the monetary value of the assets, probability and consequences of direct or indirect harm or loss, related threats, effectiveness of existing safeguards and controls, and whether additional safeguards or controls could be expected to provide cost-effective incremental risk mitigation.
Example:
In migrating to a newer version of the standard corporate e-mail, a team of analysts working for ABC, Inc., assessed whether or not the in-place access rules would migrate intact. This was regarded as a critical factor, since highly confidential project information was passed regularly from one department head to another. In the post-migration test analysis, the team found that proxy rules did not transfer, with the result that mail became visible to "public." Also found was a failure of the encryption feature, due to version incompatibilities, when applied to mail sent externally.
The Directors of Internal Audit and Corporate Legal reviewed the matter for potential ramifications. Given the kind of information that could have been compromised, their consensus was that exposure to loss of intellectual property, and possible violation of employee privacy, could have exposed the company to an estimated $39M in total losses. $9M of loss would stem from a combination of litigation costs and settlements in privacy matters, and another $30M from redevelopment costs due to exposure of proprietary process details while in transit to remote corporate sites. Consequently, the transition effort was halted until the problem was fully resolved, and effective security measures were implemented and successfully tested.
More information can be found at: GAISP