Contents

Federal Information Security Is A Growing Concern

Leading Organizations Apply Fundamental Risk Management Principles

Assess Risk and Determine Needs

Practice 1: Recognize Information Resources as Essential Organizational Assets That Must Be Protected

Practice 2: Develop Practical Risk Assessment Procedures That Link Security to Business Needs

Practice 3: Hold Program or Business Managers Accountable

Case Example: A Practical Method for Involving Business Managers in Risk Assessment

Practice 4: Manage Risk on a Continuing Basis

Getting Started--Assessing Risk and Determining Needs

Establish a Central Management Focal Point

Case Example: Transforming an Organization's Central Security Focal Point

Practice 5: Designate a Central Group to Carry Out Key Activities

Practice 6: Provide the Central Group Ready and Independent Access to Senior Executives

Practice 7: Designate Dedicated Funding and Staff

Practice 8: Enhance Staff Professionalism and Technical Skills

Getting Started--Establishing a Central Focal Point

Implement Appropriate Policies and Related Controls

Practice 9: Link Policies to Business Risks

Practice 10: Distinguish Between Policies and Guidelines

Practice 11: Support Policies Through the Central Security Group

Getting Started--Implementing Appropriate Policies and Related Controls

Promote Awareness

Practice 12: Continually Educate Users and Others on Risks and Related Policies

Practice 13: Use Attention-Getting and User-Friendly Techniques

Case Example: Coordinating Policy Development and Awareness Activities

Getting Started--Promoting Awareness

Monitor and Evaluate Policy and Control Effectiveness

Practice 14: Monitor Factors that Affect Risk and Indicate Security Effectiveness

Case Example: Developing an Incident Database

Practice 15: Use Results to Direct Future Efforts and Hold Managers Accountable

Case Example: Measuring Control Effectiveness and Management Awareness

Practice 16: Be Alert to New Monitoring Tools and Techniques

Getting Started--Monitoring and Evaluating Policy and Control Effectiveness

Conclusion

GAO Guides on Information Technology Management

NIST's Generally Accepted Principles and Practices for Securing Information Technology Systems

Major Contributors to This Executive Guide

GAO Reports and Testimonies on Information Security Issued Since September 1993

Abbreviations