- controllers and processors are obliged to take adequate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network. Furthermore, controllers are obliged to have regard to the state of the art with respect to security measures, and see that such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.

■ The Data Protection Act 1998 (Principle 7) states that appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

■ The Companies Act 1985 (s.722) states that companies are required to take adequate precautions against the falsification of accounting records, including those of a computerized nature.

■ The Financial Services Act 1986 contains provisions regulating the use of computerized accounting information systems, which require effective access control, and adequate up-to-date and well tested disaster recovery plans. Similar provisions exist in the Banking Act 1987 and Building Societies Act 1986.
So what exactly is meant by the terms "adequate", "appropriate" or "effective" computer security, and how can such a level of security be quantified?