As systems and uses become more sophisticated, new and more advanced controls will be needed to protect computer information. Even now, many basic controls are available that can be implemented to enhance the security profile of any organization. These controls should be cost-effective, and appropriate for the level of information and systems being protected. Controls that are more expensive than the value of the information they protect are not cost-effective.
To achieve acceptable levels of computer security for classified, sensitive unclassified, and unclassified information, organizations must establish a systematic approach that includes making information security a management priority; identifying information resources and determining threats and potential losses; and auditing and monitoring results.
The Navy's IS Security Program is designed to ensure the confidentiality, integrity, and availability of its computing assets. It is driven by a primary need. The need to maintain configuration management controls over equipment that may be susceptible to identified threats.
The potential risks to Navy computers posed by potential threats, such as those in Table 1, establishes the basis for controlling the configuration management of all IS which process classified and unclassified but sensitive information. The Navy has chosen to address this control need through the establishment of a Risk Management Program.