Thursday, December 14, 2006

CISSP Security Management Practices

Shon Harris asks: If different user groups with different security access levels need to access the same information, which actions should management take?

Increase the security controls on the information.

Chad Salinas would say that it depends on your view of the AIC triad. A tradeoff exists among Availability (A), Integrity (I), and Confidentiality (C). If your view is that A is more important than C, as it is in most commercial, as opposed to military, settings, then you may actually implement the complete antithesis of what Mr. Harris suggests: you might decrease the security level on the information to ensure accessibility and usability by both user groups.

Shon Harris asks: what are security policies? He gives the definition as broad, high-level statements from management. Chad Salinas would ask to define terms. If by "management" you mean senior management, then yes, you can sift through the platitudes to derive some abstract notion of a security policy: "We shall endeavor to protect our client's data using best efforts". Operationalizing this (e.g., "you are in violation of the Security Policy") would be nonsensical. Further, complying with the "Security Policy" would be uncertain, e.g., "I maintain that our client database is in compliance with the company's security policy." How can you be sure? What level of confidence do you have? How would you derive a confidence factor?

So, perhaps "management" is generally meant to be everyone in the corporate structure who is not a leaf node, to borrow an analogy from computer science. In this instance I would say you are likely to have as many different definitions of security policy as you have nodes.

Final note: Chad Salinas encourages you to use your ALE calculation and your cost/benefit analysis.
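As an added illustration of the ALE and cost/benefit approach recommended in that final note (example code written for this page, not from the original post or from Shon Harris's material), the figures below are constructed, and the candidate controls, "tighten" versus "loosen with audit logging", are hypothetical ways of handling the two-user-group question from the top of the post. The point it shows is that the A-versus-C tradeoff is decided by the numbers, not by a rule that more controls are always better:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    sle: float  # Single Loss Expectancy, in currency units, per occurrence
    aro: float  # Annualized Rate of Occurrence (expected events per year)

    def ale(self) -> float:
        # Annualized Loss Expectancy = SLE x ARO
        return self.sle * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    residual: tuple  # Threat estimates after the control is in place (constructed)


def total_ale(threats) -> float:
    return sum(t.ale() for t in threats)


def safeguard_value(current, safeguard) -> float:
    # Classic cost/benefit: (ALE before) - (ALE after) - (annual cost of safeguard)
    return total_ale(current) - total_ale(safeguard.residual) - safeguard.annual_cost


def best_option(current, options):
    # Pick the control with the highest net annual value (may be "do nothing")
    return max(options, key=lambda s: safeguard_value(current, s))


# Constructed figures for a shared data set used by two groups with different clearances.
CURRENT = (Threat("disclosure", sle=200_000, aro=0.1),   # ALE 20,000
           Threat("lockout of legitimate users", sle=5_000, aro=4))  # ALE 20,000

DO_NOTHING = Safeguard("do nothing", 0, CURRENT)
TIGHTEN = Safeguard("tighten", 8_000, (Threat("disclosure", 200_000, 0.02),
                                       Threat("lockout of legitimate users", 5_000, 12)))
LOOSEN = Safeguard("loosen with audit logging", 3_000,
                   (Threat("disclosure", 200_000, 0.15),
                    Threat("lockout of legitimate users", 5_000, 1)))
OPTIONS = (DO_NOTHING, TIGHTEN, LOOSEN)

if __name__ == "__main__":
    for opt in OPTIONS:
        print(f"{opt.name:28s} net value/year: {safeguard_value(CURRENT, opt):>10,.0f}")
    print("best:", best_option(CURRENT, OPTIONS).name)
```

Swap in your own SLE/ARO estimates and the same function will tell you whether increasing or decreasing the controls is the defensible answer for your setting.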