Short/Long Term Solutions to Address Security Problems

In May 1998, the GAO issued an executive guide titled GAO/AIMD-98-68 -- EXECUTIVE GUIDE: Information Security Management -- Learning From Leading Organizations, based on the best practices of organizations noted for superior information security.

By adopting the best practices recommended in the guide, agencies can be better prepared to protect their systems, detect attacks, and react to security breaches. The guide groups sixteen practices under five principles:

(Source: GAO/T-AIMD-99-223)

Principles                                          Practices

Assess risk and determine needs                      1. Recognize information resources as essential organizational assets
                                                     2. Develop practical risk assessment procedures that link security to business needs
                                                     3. Hold program and business managers accountable
                                                     4. Manage risk on a continuing basis

Establish a central management focal point           5. Designate a central group to carry out key activities
                                                     6. Provide the central group ready and independent access to senior executives
                                                     7. Designate dedicated funding and staff
                                                     8. Enhance staff professionalism and technical skills

Implement appropriate policies and related controls  9. Link policies to business needs
                                                    10. Distinguish between policies and guidelines
                                                    11. Support policies through a central security group

Promote awareness                                   12. Continually educate users and others on risks and related policies
                                                    13. Use attention-getting and user-friendly techniques

Monitor and evaluate policy and control             14. Monitor factors that affect risk and indicate security effectiveness
effectiveness                                       15. Use results to direct future efforts and hold managers accountable
                                                    16. Be alert to new monitoring tools and techniques



Dave Dittrich <dittrich@cac.washington.edu>
Last modified: Mon Aug 2 11:58:20 1999