International review of criminal policy - Nos. 43 and 44/Assets

B. Assets

191. Three general categories of assets in the computer environment can be targeted for protection, each posing a distinct protection problem given is unique sensitivities.

1. Software, data and information

192. Protection requirements for software, data and information are based on the need to preserve confidentiality, integrity and availability. Confidentiality, or the need to protect from disclosure, can be required because a system contains personal data, information proprietary to an organisation or data related to national security. Even waste material may require protection up to the time of is destruction.

193. Software and data integrity are also requirements of all computer systems. Users of the system require assurance that unauthorized changes, deliberate or accidental, do not take place. The integrity of all software, utilities and applications must be above question, otherwise the results of manipulating the data will not be practicable.

194. To be of value, software and data must be available for use within an acceptable time-frame. The availability concern is important in both the long and short term. The properties of confidentiality, integrity and availability can also be applied to other information assets, such as system documentation, descriptive materials and procedural manuals, control forms, logs and records.

2. Data-processing services

195. In numerous cases the sensitivity of the information handled may not be as significant as the services performed. Service can be the most important asset requiring protection in cases where national security, the safety or livelihood of individual citizens, or essential services are dependent upon computer systems. Air traffic control, police information service, medical monitoring systems, electronic funds transfer systems and all services where processing is time-sensitive, in which availability is an important goal, are examples of this type of dependency.

3. Electronic data-processing equipment and facilities

196. The third category of assets requiring protection involves tangible property in the EDP environment, including computer equipment and supplies, the physical site facilities, machine rooms, media libraries, data preparation areas and terminal areas, as well as environmental services, such as power, air-conditioning and lightning.

197. Although these three categories represent the features of computer systems that security measures should target, the current limitations of computer security technology require that a much broader view of safe-guards be taken. Computer security is a weak-link phenomenon. To ensure that complete protection is provided to EDP assets, other established security areas, such as administrative, personnel, physical and communication-electronic security, must be taken into consideration. There is little point in emphasizing sophisticated systems features if more basic and perhaps more vulnerable areas are slighted. It also has been noted that, owing to the cost or unavailability of technical features in computer systems, physical or procedural safe-guards are sometimes practical alternatives.