Viewing Security Management as a Business Practice, Part 2: Lessons Learned in a Small Nonprofit Organization
Assets and Security Requirements
Phase 1 of OCTAVE requires an organization to identify organizational information, including information-related assets and their corresponding security requirements. Analysis team members started with asset identification and collectively identified about 40 information-related assets. However, they also realized that none of them had insight into one area of the organization: the publishing group. After the team completed the asset-identification activity, the CFO met with two members of the publishing group and identified four more assets.
The team next used its collective knowledge of the organization's business processes to select the following critical assets for the professional society:
Customer Relationship Management System (CRMS): CRMS contains sensitive membership data, including dues receipts, advertising receipts, and attendance lists for events.
Accounting Management System (AMS): This system is used to manage cash flow throughout the organization.
The information technology (IT) group: This group is responsible for maintaining the computing infrastructure, keeping systems running, upgrading systems, and securing the infrastructure.
Project Data Management System (PDMS): PDMS contains monthly timesheets for all employees.
Human Resources Management System (HRMS): This system is the organization's personnel database, containing salary and employment history information.
Although the team analyzed five critical assets, this article focuses on only one of those assets, the Customer Relationship Management System (CRMS). The team identified CRMS as the most critical system in the organization, because it contained sensitive membership data. The professional society used its customer information to market services to its members. If this information fell into the wrong hands, the society could face lawsuits and lose its reputation in the community. The analysis team identified the following security requirements for CRMS:
Confidentiality. Only authorized personnel can view information on CRMS.
Integrity. Only authorized personnel can modify information on CRMS.
Availability. CRMS must be available for personnel to perform their jobs. Unavailability cannot exceed 1 hour per every 12 extended business hours.
As it compared various tradeoffs among the security requirements, the analysis team determined that confidentiality was the most important requirement for CRMS. Team members reasoned that member organizations and individuals trusted that their organizational and personal information would be protected by the society.
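The availability requirement above is the one CRMS requirement the team stated as a measurable threshold. As an added illustration (not code from the original case study or the society), the following Python script checks a constructed outage log against that threshold; it assumes the extended business day runs 07:00 to 19:00 and that the 1-hour limit applies to each such 12-hour business day.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, time

# Assumed reading of the CRMS availability requirement: within each
# 12-hour extended business day, total downtime must not exceed 1 hour.
MAX_DOWNTIME = timedelta(hours=1)
BUSINESS_OPEN = time(7, 0)   # assumed start of the extended business day
BUSINESS_HOURS = 12          # as stated in the requirement


@dataclass(frozen=True)
class Outage:
    start: datetime
    end: datetime


def business_window(day):
    """Return (open, close) datetimes of the extended business day for `day`."""
    open_dt = datetime.combine(day, BUSINESS_OPEN)
    return open_dt, open_dt + timedelta(hours=BUSINESS_HOURS)


def downtime_in_window(outages, win_start, win_end):
    """Sum only the parts of each outage that fall inside [win_start, win_end]."""
    total = timedelta()
    for o in outages:
        overlap = min(o.end, win_end) - max(o.start, win_start)
        if overlap > timedelta():
            total += overlap
    return total


def availability_violations(outages):
    """Return {date: downtime} for each business day whose downtime exceeds the limit."""
    days = sorted({o.start.date() for o in outages} | {o.end.date() for o in outages})
    violations = {}
    for day in days:
        win_start, win_end = business_window(day)
        down = downtime_in_window(outages, win_start, win_end)
        if down > MAX_DOWNTIME:
            violations[day] = down
    return violations


# Constructed sample outage log (not real data from the society).
SAMPLE_OUTAGES = [
    Outage(datetime(2024, 3, 4, 9, 0), datetime(2024, 3, 4, 9, 30)),    # 30 min
    Outage(datetime(2024, 3, 4, 14, 0), datetime(2024, 3, 4, 14, 45)),  # 45 min, day total 75 min
    Outage(datetime(2024, 3, 5, 10, 0), datetime(2024, 3, 5, 10, 20)),  # 20 min
    Outage(datetime(2024, 3, 5, 18, 30), datetime(2024, 3, 5, 20, 0)),  # only 30 min inside 07:00-19:00
]

if __name__ == "__main__":
    for day, down in availability_violations(SAMPLE_OUTAGES).items():
        print(f"{day}: {down} of downtime exceeds the 1-hour limit")
```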