MANAGERIAL CONTROLS.- Managerial controls tie everything together. They concern planning and evaluation. They include audits to review the effectiveness and efficiency of the countermeasures. They check to make sure that the measures are actually in place, being followed, and working. Problems found require replanning and reevaluation to see that corrections are made.

RISK MANAGEMENT

Risk management involves assessing the risks, determining loss potential estimates, and selecting countermeasures appropriate to prevent, detect, minimize, and recover from successful attacks and adverse events. Management selects the countermeasures, making sure that the cost of the measure is less than the cost of the risk. The trick is to select the countermeasure that will result in the lowest total cost while taking all reasonable measures to protect our AIS assets.

Keep in mind that the presence of a vulnerability does not in itself cause harm. A vulnerability is merely a condition or set of conditions that may allow the computer system or AIS activity to be harmed by an attack or event. Also, keep in mind that an attack, once made, does not necessarily succeed. The degree of success depends on the vulnerability of the system or activity and the effectiveness of existing countermeasures. A countermeasure may be any action, device, procedure, technique, or other measure that reduces the vulnerability of an AIS activity or computer system to the realization of a threat.
Figure 4-4.-An example of countermeasures against fire loss.

Figure 4-5.-Threats, vulnerabilities, and countermeasures.

Not all attacks and events can be avoided. If we cannot reasonably prevent something, we want to detect the problem as early as possible, minimize the damage and destruction, and recover as quickly and efficiently as possible. To help us minimize and recover, we develop contingency plans. Contingency plans (backup plans) provide for the continuation of an activity's mission during abnormal operating conditions. These are plans for emergency response, backup operations, and post-disaster recovery. They include a preparation phase that includes the steps to be taken in anticipation of a loss to lessen damage or assist recovery. The action phase includes the steps to be taken after a successful attack or adverse event to minimize the cost and disruption to the AIS environment.

Figure 4-6.-Types of AIS security countermeasures.