Path: utzoo!utgpu!jarvis.csri.toronto.edu!cs.utexas.edu!samsung!munnari.oz.au!bruce!mlacus!ash
From: ash@mlacus.oz (Ash Nallawalla)
Newsgroups: comp.infosystems
Subject: Re: Data Security Policy
Summary: One reference, computer audit book
Message-ID: <244@mlacus.oz>
Date: 5 Jan 90 07:10:05 GMT
References:
Distribution: comp
Organization: The Australian Centre for Unisys Software
Lines: 26

Re computer security policy query:

If the "need-to-know" principle sounds offensive to you, I guess you never worked for/with the armed services :-) I still like it, as the end user will not know what the company thinks he ought not to know. Even if the matter is unrelated to confidential information, it may be desirable to limit access to "need-to-know" material, if only to keep the employee occupied with what she/he is paid to do. As an example, although I am "root" at a Xyvision network and on my Xenix/MS-DOS PC, I do not have similar privileges on the machine that connects me to this newsgroup.

I recommend the text "Advanced Auditing - Fundamentals of EDP and Statistical Audit Technology" by Miklos A. Vasarhelyi and Thomas W. Lin. Addison-Wesley 1988, ISBN 0 201 05328-4. It is about computer audit, and answers a part of your query. The portion you should read is about "internal controls" (the broad topic) and the specific topics of "general control" and "computer application controls". I am writing an internal report for my employers based partly on information in this book. Others on the net may be able to refer you to more specific references.

I spent some years in a security-conscious environment and I find that attitudes outside the government and banking industry are quite different, to put it mildly.

It would be helpful to others if you could summarise the responses to your query.

--
=============================================================================
Ash Nallawalla          Tel: +61 3 823-1959   Fax: +61 3 820-1434
ZL4LM/VK3CIT            Postal: P.O. Box 539, Werribee VIC 3030, Australia.