
Southwest Information Assurance

Opinions
The opinions posted on this site are those of Southwest Information Assurance and do not necessarily represent the views of our colleagues, business associates, or clients. We welcome your comments whether in support or rebuttal. Comments may be submitted via email at info@southwestia.com. With the respondent's permission, comments may be posted on this site subordinate to the original opinion.

Opinion 2005.07.24.1

An effective information security program is predicated on:

  1. Establishing and maintaining a reasonable and appropriate level of protection, and
  2. Establishing and maintaining a reasonable and appropriate level of compliance.

Protection is driven by business, functional, and technical requirements identified through the risk analysis process relevant to safeguarding the confidentiality, integrity, and availability of information assets. Compliance is driven by the nature, scope, and extent of your ability to satisfy applicable federal or state regulatory requirements.

While protection and compliance are by no means mutually exclusive, it is possible, and not uncommon, to have one without the other. An adequate level of protection does not, by itself, ensure an adequate level of compliance, and vice-versa. It is critical that both protection and compliance be understood and managed as complementary yet discrete criteria that must be simultaneously satisfied in an effective information security program.

Keep in mind that the use of the term "reasonable and appropriate" above implies that you have the evidence necessary to defend the adequacy of both protection and compliance to an auditor or in a court of law.