Control Measures to Reduce Potential Losses

Losses can come from any of the following hazards:

Environmental Hazards - damage from fire, flood, dust, static electricity, or electrical storms

Hardware and Equipment Failure - mechanical or electrical failure of the computer, its storage capacity, or its communications devices

Software Errors - anything from programming bugs to simple typos in spreadsheet formulas

Accidents, Errors, and Omissions - by anyone using computers or the information that they process

Intentional Acts - fraud, theft, sabotage, and misuse of information by competitors and employees

The controls to consider implementing to prevent losses include:

Administrative Controls - controls include establishing policies and procedures which assign management and individual responsibilities, and conducting computer security training

Physical and Environmental - controls include limiting physical access to information resources to only authorized personnel, and protecting computers from water and fire damage, power outages, and hazardous environmental conditions

Information and Data Controls - controls include authenticating users, establishing and enforcing authorization rules for what information and processes may be accessed, and maintaining a record of user actions

Software Development and Acquisition Controls - controls include purchasing off-the-shelf software from reputable vendors, establishing rigorous controls over the development and use of programs and data for sensitive applications, and applying caution when using public domain software

Backup and Contingency Planning Controls - controls include training employees to respond to emergency conditions, maintaining backup copies of information and programs, and assuring that alternative equipment and software are available for processing if needed