لینک پرداخت و دانلود در "پایین مطلب"
فرمت فایل: word (قابل ویرایش و آماده پرینت)
تعداد صفحات:5
The market for information security has long been seen as dysfunctional [1]. The remedy proposed in 1990 by [1] was to create a not-for-profit foundation that would establish Generally Accepted System Security Principles along the lines of similar principles for accounting[1]. The proposed “Information Security Foundation” never really got off the ground, though recent years have witnessed continuing efforts to establish “Best Practices” in the government and elsewhere, and several not-for-profit organizations now offer information security training and guidelines.
Going further back, to the late 70’s and early 80’s, U.S. government officials correctly recognized that they would be driven increasingly to base defense information systems on commercial-off-the-shelf computers and software. These systems clearly lacked the security properties sought, and so those officials tried to influence the market by creating the Trusted Computer Security Evaluation Criteria (TCSEC, the “Orange Book”) and a government-financed scheme to evaluate commercial products submitted voluntarily for review. The idea was to provide a market incentive for commercial vendors to supply improved security throughout their product lines. The Defense Department could then procure competitively the systems it needed.
This attempt to leverage market forces had some good effects, but failed ultimately because:
- The carrot of lucrative government procurements of evaluated systems never really materialized. Initially, there were few evaluated products and procurements that required them were judged non-competitive. Ultimately, officials controlling the procurements demanded the latest operating systems and features as long as there was some evidence of intention to have the product evaluated eventually; this gave vendors an incentive to start the evaluation process, but not necessarily to complete it. Further, governments often procure systems, not single products, and the evaluation criteria proved difficult or impossible to apply to systems – yet security is fundamentally a system property.
[1] Whose enforcement seems also to require renewed attention!
مقاله اصول حسابداری