Appendix N
Client Response:
18. How is access to valuable data controlled? Do any special requirements
exist for gaining access to this data?
Guidance:
For any company, some differentiation of the value of data
exists. Some data is more valuable than other data and, as such, requires
additional safeguards to protect it. For example, for a pharmaceutical company,
research and development data is competitive in nature and requires a
higher level of protection than other data does. If the company has data for
which confidentiality, integrity, and availability are critical, the company
should have strict access control with respect to that data. Theoretically, all
access should be given on a “need to have” basis. The reality is that this is
not always done. From a risk perspective, critical data at least should have
the appropriate level of protection. For example, access to critical data may
have special requirements such as executive approval before access is
granted. Critical data might also reside on a dedicated server, to which
only a few people have access.
Risk:
If critical data is not properly restricted, a risk exists of unauthorized
access to it, which can lead to sensitive or competitive data being
inappropriately exposed. The severity depends on the data in question.
Client Response:
AU1706_book.fm Page 401 Wednesday, July 28, 2004 11:06 AM