Effective security management depends upon good risk management, which is itself based upon a reliable risk assessment, involving data collection of all the facets influencing system risk. Such data collection is often an extremely onerous task, particularly if a substantial proportion of the required information is not adequately documented. Hence comprehensive, updated information security documentation is a keystone of good information security management. Whilst the recently emerging information security management standards provide some implicit guidance on the development of documentation; there is relatively little support available for security officers attempting to develop and maintain such documentation. Traditionally textual security documents are not necessarily the most appropriate format for describing the security of large complex, networked systems, subject to frequent updates. It has been suggested [1], [2] that a security officer’s workstation, with a database and...
Lam-for Kwok, Peggy P. K. Fung, Dennis Longley