system/network. This perspective shows the elements
of a computer system/network, beginning with the
offline storage of personal data in machine-readable
media (for example, tapes and disks) and progressing
through the many possible processing modes. It
includes the use of interactive computer terminals at
local and remote locations and the linking of local
systems via communications networks. It stresses the
value of physical security measures and information
management practices in relation to computer
system/network controls.
PERSONAL DATA RISK ASSESSMENT
The first step toward improving a system's security
is to determine its security risks, using the criteria
discussed earlier in this chapter. A personal data
security risk assessment benefits a command in three
ways:
It provides a basis for deciding whether
additional security safeguards are needed for
personal data.
It ensures that additional security safeguards
help to counter all the serious personal data
security risks.
It saves money that might have been wasted on
safeguards that do not significantly lower the
overall data risks and exposures.
The goal of a risk assessment is to identify and
prioritize those events that would compromise the
integrity and confidentiality of personal data. The
seriousness of a risk depends both on the potential
impact of the event and its probability of occurrence.
In general, the risk assessment should consider all
risks, not just risks to personal data. While this section
of the chapter emphasizes the security of personal data,
it is best to develop an integrated set of security
safeguards and requirements that protect all classified
and other valuable data in the system wherever possible.
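The paragraphs above define the seriousness of a risk by its impact and its probability of occurrence, and note that a sound assessment keeps money from being spent on safeguards that do not significantly lower the overall risk. The following is an added Python example, not code from the manual, that scores constructed risk events as probability times impact, ranks them, and tests each proposed safeguard against its annual cost. The event figures, safeguard costs, and reduction fractions are assumed sample values chosen for illustration.

```python
"""Added example (not from the manual): rank risk events by expected loss and
check whether a safeguard buys more risk reduction than it costs.

Seriousness is taken as probability of occurrence times impact, as the text
describes. All figures below are constructed sample values."""

from dataclasses import dataclass, field


@dataclass
class RiskEvent:
    name: str
    probability: float   # assumed unit: expected occurrences per year
    impact: float        # assumed unit: dollars of loss per occurrence

    @property
    def expected_loss(self):
        return self.probability * self.impact


@dataclass
class Safeguard:
    name: str
    annual_cost: float
    # fraction by which the safeguard cuts the probability of each named event
    reduction: dict = field(default_factory=dict)

    def annual_benefit(self, events):
        """Expected loss avoided per year across every event it affects."""
        return sum(e.expected_loss * self.reduction.get(e.name, 0.0) for e in events)

    def is_worthwhile(self, events):
        """A safeguard that does not lower expected loss by more than it costs
        is exactly the spending the assessment is meant to avoid."""
        return self.annual_benefit(events) > self.annual_cost


def rank_risks(events):
    """Most serious event first."""
    return sorted(events, key=lambda e: e.expected_loss, reverse=True)


# Constructed sample register using risk categories the chapter lists.
EVENTS = [
    RiskEvent("input error", probability=50.0, impact=200.0),
    RiskEvent("program error", probability=2.0, impact=20000.0),
    RiskEvent("data loss", probability=1.0, impact=15000.0),
    RiskEvent("careless disposal", probability=0.5, impact=10000.0),
]

# Constructed candidate safeguards (costs and reduction fractions are assumed).
SAFEGUARDS = [
    Safeguard("input edit checks", annual_cost=5000.0, reduction={"input error": 0.8}),
    Safeguard("shredder for printouts", annual_cost=500.0, reduction={"careless disposal": 0.9}),
    Safeguard("armed courier for all tape movements", annual_cost=60000.0, reduction={"data loss": 0.3}),
]


def assessment_report(events=EVENTS, safeguards=SAFEGUARDS):
    """Return (event names ranked by expected loss, names of safeguards that pay for themselves)."""
    ranked = [e.name for e in rank_risks(events)]
    worthwhile = [s.name for s in safeguards if s.is_worthwhile(events)]
    return ranked, worthwhile


if __name__ == "__main__":
    ranked, worthwhile = assessment_report()
    for e in rank_risks(EVENTS):
        print(f"{e.name:20s} expected loss {e.expected_loss:10,.0f}/yr")
    print("worthwhile safeguards:", worthwhile)
```

With the sample figures, the frequent but cheap input errors rank below the rarer program errors and data loss, while the expensive courier safeguard fails the cost test because it addresses a risk whose expected loss is far smaller than the safeguard's cost.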
The risk assessment should be conducted by a team
that is fully familiar with the problems that occur in
the daily handling and processing of the personal
information. The participants on the risk assessment
team should include:
A representative of the operating facility
supported by or having jurisdiction over the data
under consideration;
The programmer responsible for support of the
operation or function under consideration;
A representative from the facility responsible for
managing AIS operations;
A system programmer (if the command has
system programmers in a separate functional
area);
A computer specialist assigned the responsibility
for overseeing or inspecting system security; and
The individual responsible for security.
PERSONAL DATA SECURITY RISKS
Each command should identify its specific risks and
evaluate the impact of those risks in terms of its
information files. Experience indicates that the most
commonly encountered security risks are
accidents, errors, and omissions. The damage from
these accidental events far exceeds the damage from all
other personal data security risks. Good information
management practices are necessary to reduce the
damage that can result from these occurrences.
Personal data security risks include:
Input error. Data may not be checked for
consistency and reasonableness at the time they
are entered into the system; or data may be
disclosed, modified, lost, or misidentified during
input processing.
Program errors. Programs can contain many
undetected errors, especially if they were written
using poor programming practices or were not
extensively tested. A program error may result
in undesirable modification, disclosure, or
destruction of sensitive information.
Mistaken processing of data. Processing
requests may update the wrong data; for
example, because a tape was mounted at the wrong time.
Data loss. Personal data on paper printouts,
magnetic tapes, or other removable storage
media may be lost, misplaced, or destroyed.
Improper data dissemination. Disseminated
data may be misrouted or mislabeled, or it may
contain unexpected personal information.
Careless disposal of data. Personal data can be
retrieved from wastepaper baskets, magnetic
tapes, or discarded files.
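The "input error" item above says data may not be checked for consistency and reasonableness when entered, and may be misidentified during input processing. As an added example, not code from the manual, the following Python edit checks validate a constructed batch of personal-data records before they reach the file: format checks on each field, reasonableness checks on dates, a cross-field consistency check (age at entry), and a duplicate-identifier check for possible misidentification. The record layout (seven-digit service number, name, pay grade, date of birth, date of entry), the pay-grade set, the age bounds, and the sample batch are all assumptions made for illustration.

```python
"""Added example (not from the manual): consistency and reasonableness checks
applied to personal-data records at input time, before they reach the file.

The record layout, field rules, age bounds and sample batch are assumptions
made for illustration only."""

from datetime import date
import re

SERVICE_NUMBER_RE = re.compile(r"\d{7}")        # assumed: exactly seven digits
PAY_GRADES = {f"E{n}" for n in range(1, 10)} | {f"O{n}" for n in range(1, 11)}
MIN_ENTRY_AGE, MAX_ENTRY_AGE = 17, 65           # assumed reasonableness bounds


def parse_date(text):
    """Return a date for 'YYYY-MM-DD' text, or None if it is not a real date."""
    try:
        return date.fromisoformat(str(text))
    except (TypeError, ValueError):
        return None


def years_between(earlier, later):
    """Whole years from earlier to later (birthday not yet reached counts one less)."""
    return later.year - earlier.year - ((later.month, later.day) < (earlier.month, earlier.day))


def validate_record(rec, today=date(2024, 1, 15)):
    """Edit checks for one record; returns a list of error strings (empty means accept)."""
    errors = []
    sn = str(rec.get("service_number", ""))
    if not SERVICE_NUMBER_RE.fullmatch(sn):
        errors.append("service_number: must be exactly seven digits")
    if not str(rec.get("name", "")).strip():
        errors.append("name: required")
    if rec.get("pay_grade") not in PAY_GRADES:
        errors.append("pay_grade: not a recognized grade")

    dob = parse_date(rec.get("date_of_birth"))
    doe = parse_date(rec.get("date_of_entry"))
    if dob is None:
        errors.append("date_of_birth: not a valid YYYY-MM-DD date")
    elif dob > today:
        errors.append("date_of_birth: is in the future")
    if doe is None:
        errors.append("date_of_entry: not a valid YYYY-MM-DD date")
    elif doe > today:
        errors.append("date_of_entry: is in the future")

    # Cross-field consistency is only meaningful when both dates parsed.
    if dob is not None and doe is not None:
        if doe < dob:
            errors.append("date_of_entry: precedes date_of_birth")
        else:
            age = years_between(dob, doe)
            if not MIN_ENTRY_AGE <= age <= MAX_ENTRY_AGE:
                errors.append(f"date_of_entry: age at entry {age} outside {MIN_ENTRY_AGE}-{MAX_ENTRY_AGE}")
    return errors


def validate_batch(records, today=date(2024, 1, 15)):
    """Accept records that pass the edit checks and do not repeat a service number
    already accepted in the batch; returns (accepted, rejected) where rejected maps
    the record's index to its errors."""
    accepted, rejected, seen = [], {}, {}
    for i, rec in enumerate(records):
        errors = validate_record(rec, today)
        sn = str(rec.get("service_number", ""))
        if not errors and sn in seen:
            errors.append(f"service_number: duplicates record {seen[sn]} (possible misidentification)")
        if errors:
            rejected[i] = errors
        else:
            seen[sn] = i
            accepted.append(rec)
    return accepted, rejected


# Constructed sample batch: one clean record, one with format errors, one that
# fails the cross-field check, and one that reuses an accepted service number.
SAMPLE_BATCH = [
    {"service_number": "1234567", "name": "Doe, Jane", "pay_grade": "E5",
     "date_of_birth": "1990-05-01", "date_of_entry": "2010-06-15"},
    {"service_number": "12345", "name": " ", "pay_grade": "E5",
     "date_of_birth": "1990-13-01", "date_of_entry": "2010-06-15"},
    {"service_number": "7654321", "name": "Roe, Richard", "pay_grade": "Z9",
     "date_of_birth": "2005-01-01", "date_of_entry": "2010-01-01"},
    {"service_number": "1234567", "name": "Doe, John", "pay_grade": "E3",
     "date_of_birth": "1988-02-29", "date_of_entry": "2006-03-01"},
]

if __name__ == "__main__":
    accepted, rejected = validate_batch(SAMPLE_BATCH)
    print(f"accepted {len(accepted)} of {len(SAMPLE_BATCH)} records")
    for i, errs in rejected.items():
        print(f"record {i} rejected:", "; ".join(errs))
```

The point of running these checks at entry rather than later is that a rejected record can be corrected by the person who still has the source document in hand; once a bad record is in the file it is indistinguishable from a good one until someone notices the damage.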