Management Solutions

Computer security management standards and guidelines provide for the effective integration of technical, physical, and administrative measures in an overall computer and telecommunications security program.

Risk Management - Risk management is a process through which undesirable events can be identified, measured, controlled and prevented so as to effectively minimize their impact or frequency of occurrence. This identification of the security posture, using the asset's worth, its attraction, the probability of a successful attack, and its vulnerability, forms the basis of the Navy's IS security program.

The implementation of effective information security measures must be based on a balance between the cost of controls and the need to reduce risk or expected loss. "Absolute" security could be achieved only at unlimited cost. Risk assessments are used to provide an analysis of the computer system or network assets, vulnerabilities and threats to determine the security requirements which must be satisfied to ensure the system can be operated at an acceptable level of risk. Risk assessments, system test and evaluation, and contingency planning are all parts of the risk management process.

Loss, which can be direct (the effort needed to reconstruct a destroyed file) and indirect (the loss or reduction of an organization's business function or cash flow due to the destroyed file), is the impact a harmful event has on the organization. Impact is usually measured in monetary values, but may also be measured in qualitative terms. The process of estimating potential loss is called risk analysis.

Risk analysis is the cornerstone of the risk management process for computer applications. While risk analysis can be applied to operational systems, it is most useful when applied prior to the requirements definition of a computer application. In this way, the resulting estimates of potential loss can be used to form the basis for the computer security requirements and countermeasures being developed.

Audit and Evaluation - Because security requirements should be a consideration throughout the entire life cycle of a system, security measures are best when designed into systems from the start. Steps should be taken to assure that planned security mechanisms are implemented and working as intended. Effective processes for security audit recording and review should be in place to ensure accountability and to provide a means of monitoring potential threats to operational systems.

Contingency Planning - Since computers and networks fail, often leaving users unable to accomplish critical processing, NRL has developed guidance to assist users and managers in providing effective contingency planning. Effective planning and operational procedures are needed to assure that critical applications and data are available in a timely manner.