From information security baselines to information security profiles

Authors

Von Solms, R
Van de Haar, H

Issue Date

1999

Type

Article

Language

en

Abstract

To protect the information systems of an organization, an appropriate set of security controls needs to be installed and managed properly. Many organizations that can afford it either conduct a risk analysis exercise themselves or outsource the process to a consultant. Through such an exercise, the most effective set of controls is recommended. Organizations that cannot afford a risk analysis exercise, or cannot conduct it themselves, install controls on an ad hoc basis, with the result that many important business areas may be under- or over-protected. Security baselines have provided such organizations with some guidance on which controls are, under general circumstances, the most effective to install in order to provide an acceptable level of protection. Although security baselines have contributed towards a more secure information technology fraternity, most security baselines prescribe some analysis or identification process to determine the most applicable set of security controls for a specific situation. This analysis or identification process can be subjective. A possible solution to this subjective analysis or identification of applicable controls may be the definition of suitable protection profiles that include the best suited security controls for specific information technology environments. A simple selection of the most suitable protection profile for the specific environment would free the organization from a subjective analysis or identification process. However, the protection profile as defined by the Common Criteria makes assumptions about the surrounding environment. This paper provides some guidelines for the determination of an information security profile that encompasses all aspects of security, such that no assumptions need to be made, thereby leading towards a totally secure organization.

Citation

Von Solms R & Van de Haar H (1999) From information security baselines to information security profiles. South African Computer Journal, Number 24, 1999

Publisher

South African Computer Society (SAICSIT)

ISSN

2313-7835