Security Policies: Rules vs. Risk

I recently ran across an article entitled Developing Security Policies: Rules vs. Risk. It contrasts the two approaches this way:

For example, you’ll find a statement like this in a rule-based policy, “No person shall access data that is classified at a level higher than their current role.” Whereas a risk-based policy may state something like this, “Risks associated with data availability, confidentiality and integrity shall be classified by the business process owner and mitigated by adhering to templates, forms and documents that support the security process.”

The premise of the article is to use a risk-based approach in which the system owner runs a certification and accreditation process that allows for risk assessment, risk management, and cost-benefit analysis.

Key to this approach is classifying all data in the enterprise against a pre-determined standard. For example, data owners would classify the value of their data as low, medium, or high for each of confidentiality, integrity, and availability.

Good resources for classifying the value of data and the associated availability, confidentiality, and integrity are the NIST documents FIPS Publication 199 and Special Publication 800-60.
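To make the classification step above concrete, here is an added example (not code from the post or from NIST) that applies the FIPS 199 method the post points to: each information type gets a low/moderate/high impact level for confidentiality, integrity and availability (FIPS 199 calls the middle level "moderate" where the post says "medium"), and the system's category is the high-water mark across its information types. It goes slightly beyond the post by also handling the "not applicable" confidentiality value FIPS 199 permits for public information; the information types and their levels are constructed sample data, not provisional levels from SP 800-60.

```python
from dataclasses import dataclass
from typing import Optional

# FIPS 199 potential impact levels, ordered so max() yields the high-water mark.
LEVELS = {"low": 1, "moderate": 2, "high": 3}


@dataclass(frozen=True)
class InfoType:
    """Security category of one information type (sample values are constructed).
    confidentiality may be None ("not applicable"): FIPS 199 allows that value
    only for public information and only for the confidentiality objective."""
    name: str
    confidentiality: Optional[str]
    integrity: str
    availability: str

    def __post_init__(self):
        for objective in ("confidentiality", "integrity", "availability"):
            level = getattr(self, objective)
            if level is None and objective == "confidentiality":
                continue  # public information: confidentiality is not applicable
            if level not in LEVELS:
                raise ValueError(f"{self.name}: bad {objective} level {level!r}")


def categorize_system(info_types):
    """Security category of a system from the information types it handles:
    for each objective, the highest impact any information type assigns to it."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    conf = [t.confidentiality for t in info_types if t.confidentiality is not None]
    return {
        "confidentiality": max(conf, key=LEVELS.get) if conf else "not applicable",
        "integrity": max((t.integrity for t in info_types), key=LEVELS.get),
        "availability": max((t.availability for t in info_types), key=LEVELS.get),
    }


def overall_impact(category):
    """Single impact level for the system (the high-water mark across the three
    objectives), which is what selects a control baseline in later NIST guidance."""
    return max((v for v in category.values() if v in LEVELS), key=LEVELS.get)


# Constructed sample: a public web site that also processes payroll data.
SAMPLE_SYSTEM = [
    InfoType("public web content", None, "moderate", "low"),
    InfoType("personnel records", "moderate", "moderate", "low"),
    InfoType("payroll", "moderate", "high", "moderate"),
]

if __name__ == "__main__":
    category = categorize_system(SAMPLE_SYSTEM)
    print("SC system =", category, "-> overall", overall_impact(category))
```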


Steve Mullen has been involved in information technology for over 35 years. He is also actively involved in the music program (voice and English hand bells) and Vestry of St. Anne’s Episcopal Church in Damascus, MD.

Posted in Blog, IT Management, Security

September 2006