|
 |
 |
|
|
 |
Student Publications
Author: Festus Olubukunmi Ajibuwa
Title:
Data And Information Security In Modern Day Businesses (Thesis)
Area:
Country :
Profile:
Program:
Available for Download:
Yes
Sharing knowledge is a vital component in
the growth and advancement of our society
in a sustainable and responsible way. Through
Open Access, AIU and other leading institutions
through out the world are tearing down the
barriers to access and use research literature.
Our
organization is interested in the dissemination
of advances in scientific research fundamental
to the proper operation of a modern society,
in terms of community awareness, empowerment,
health and wellness, sustainable development,
economic advancement, and optimal functioning
of health, education and other vital services.
AIU’s mission
and vision is consistent with
the vision expressed in the Budapest Open
Access Initiative and Berlin Declaration
on Open Access to Knowledge in the Sciences
and Humanities. Do you have something you
would like to share, or just a question
or comment? We would be happy to hear from
you, please use the Request Info link below.
For more information on the AIU's Open Access
Initiative, click
here.
|
|
| |
|
|
| |
Table of Contents
1. Title page
..........................................................................................
1
2. Acknowledgement
...............................................................................
2
3. Table of Contents
.................................................................................
3
4. Abstract
............................................................................................
4
5. Chapter 1 General Introduction
............................................................... 5
6. Data Classification
.................................................................................6
7. Information Asset
..................................................................................
8
8
Chapter 2 Categorizing Security
.............................................................. 10
9. History of Information Security
..................................................................12
10. Chapter 3 Principles of Information Security
............................................... 13
11. Crimes and Instructions on Automated Information Systems
.............................. 15
12. Chapter 4 Risk Management
..................................................................
19
13. Security Classification of Information
.......................................................... 21
14. Chapter 5 Analysis (Information Security as a process)
.................................... 25
15. Laws and Regulations governing Information Security
....................................... 27
16. Sources of Standards for Information Security
................................................. 29
17. Types of Data Theft
................................................................................
33
18. Security Administration
............................................................................
36
19. Management Systems for Employee Turnover
..................................................39
20. Reporting Data Security Breaches
................................................................. 41
21. Chapter 6 Conclusion
.............................................................................
44
22. Information Security Plan for Organizations
..................................................... 54
23. Information Security Policy for Universities
.................................................... 56
24. References
............................................................................................
62
25. Appendices
.........................................................................................
63
26. Glossary of Terms
...................................................................................
65
3
Abstract
Information security is the process of protecting data from
unauthorized access, use, disclosure,
destruction, modification, or disruption. The terms information
security,
computer security and
information assurance are frequently used interchangeably. These
fields are interrelated and share the
common goals of protecting the confidentiality, integrity and
availability of information; however,
there are some subtle differences between them. These differences
lie primarily in the approach to the
subject, the methodologies used, and the areas of concentration.
Information security is concerned
with the confidentiality, integrity and availability of data
regardless of the form the data may take:
electronic, print, or other forms.
This Thesis reveals a comprehensive analysis of Data and Information
Security in modern-day
businesses. It covers the Meaning and Background history of Data
Security, Categories of Data
Security, Security Concepts, Security Standards, Principles of
Information Security, The negative
impact of breaching organization`s security, Data Protection and
Risk Management; Laws and
Regulations governing Information Security.
It equally covers some verse areas of Information Security as a
process, Information Security at
Management level, Sources of Standards for Information Security,
Protecting Privacy in Information
Systems, Data Theft, Database Security, Managing Systems for
Employee Turn-over, Laws and
Regulations governing Information Security, Sources of Standards for
Information Security, Types of
Data Theft, Security Administration, Reporting Data Security
Breaches and the Responsibilities of
everyone that has to do with Data and Information Security. Detailed
analyses of these sub-headings
are well arranged and simplified within the write-up.
4
Chapter 1
General Introduction
Data / Information
In the area of Information Security, data (and the individual
elements that comprise the data) is
processed, formatted and re-presented, so that it gains meaning and
thereby becomes information.
Information Security is concerned with the protection and safeguard
of that information which, in its
various forms can be identified as Business Assets or Information
Assets.
The terms data and information can be used somewhat interchangeably;
but, as a general rule,
information always comprises data, but data is not always
information.
Information security is the ongoing process of exercising due care
and due diligence to protect
information, and information systems, from unauthorized access, use,
disclosure, destruction,
modification, or disruption. The never ending process of information
security involves ongoing
training, assessment, protection, monitoring & detection, incident
response & repair, documentation,
and review.
In 1989, Carnegie Mellon University established the
Information Networking Institute, the United
State's first research and education center devoted to information
networking. The academic
disciplines of computer security, information security and
information assurance emerged along with
numerous professional organizations during the later years of the
20th century and early years of the
21st century.
Entry into the field can be accomplished through self-study, college
or university schooling in the
field or through week long focused training camps. Many colleges,
universities and training
companies offer many of their programs on- line. The
GIAC-GSEC and
Security+ certifications are
both respected entry level security certifications. The Certified
Information Systems Security
Professional (CISSP) is
a well respected mid- to senior-level information security
certification.
The profession of information security has seen an increased demand
for security professionals who
are experienced in network security auditing, penetration testing,
and digital forensics investigation.
Definitions of Data Security
Security according to Collins English Dictionary is the state of
being secure. Precautions taken to
ensure against theft, espionage, etc; Data security is very
important, data that contain personal
information has to be protected under the data protection act, and
data that could be useful for
commercial competitors has to be safeguarded from theft.
The Higher National Computing (page 226) declares that data security
as an essential aspect of
computing especially with database system to ensure privacy of
sensitive and personal information.
Data security is also paramount in complying with legislation that
protects users and third parties of
data.
5
According to Terence Driscoll and Bob Dolden Security in information
management terms means the
protection of data from accident or deliberate threats which might
cause unauthorized modification,
disclosure or destruction of data, and the protection of information
system from the degradation or non
availability of services.
Security refers to technical issues related to the computer system,
psychological and behavioral factors
in the organization and its employees, and protection against the
unpredictable occurrences of the
natural world.
Kelvin Townsend (editor, Information Security Bulletin) mentioned on
page 10 of the IMIS IT
Security journal that people frequently asked him What is the best
security system to install? And
his answer is The best security system is the one that allows you to
fulfill your security policy. He
further said that A formal security policy is the key to a secure
system.
Security is the condition of being protected against danger or loss.
In the general sense, security is a
concept similar to
safety. The nuance between the two is an added emphasis on being
protected from
dangers that originate from outside. Individuals or actions that
encroach upon the condition of
protection are responsible for the breach of security.
The word "security" in general usage is synonymous with "safety,"
but as a technical term "security"
means that something not only is secure but that it has
been secured. In
telecommunications, the term
security has the following meanings:
(a)
A condition that results from the establishment and
maintenance of protective measures that
ensures a state of inviolability from hostile acts or influences.
(b)
With respect to classified matter, the condition that prevents
unauthorized persons from having
access to official
information that is safeguarded in the interests
of national security.
(c)
Measures taken by a military unit, an activity or installation to
protect itself against all acts
designed to, or which may, impair its effectiveness. (Sources: from
Federal Standard 1037C and
adapted from
the Department of Defense Dictionary of Military and Associated
Terms)
Security has to be compared and contrasted with other related
concepts: Safety,
continuity,
reliability. The
key difference between security and reliability is that security
must take into
account the actions of active malicious agents attempting to cause
destruction.
Data Classification
Data Classification is the conscious decision to assign a level of
sensitivity to data as it is being
created, amended, enhanced, stored, or transmitted. The
classification of the data should then
determine the extent to which the data needs to be controlled /
secured and is also indicative of
its value in terms of
Business Assets.
The classification of data and documents is essential if you are to
differentiate between that
which is a little (if any) value, and that which is highly sensitive
and confidential. When data is
stored, whether received, created or amended, it should always be
classified into an appropriate
sensitivity level. For many organizations, a simple 5 scale grade
will suffice as follows:-
6
Document / Data Classification
Description
Highly sensitive internal documents e.g.
pending mergers or acquisitions; investment
strategies; plans or designs; that could
seriously damage the organization if such
Top Secret
information were lost or made public.
Information classified as Top Secret has very
restricted distribution and must be protected at
all times. Security at this level is the highest
possible.
Information that, if made public or even shared
around the organization, could seriously
impede the organization`s operations and is
considered critical to its ongoing operations.
Information would include accounting
information, business plans, sensitive customer
Highly Confidential
information of banks, solicitors and
accountants etc., patient's medical records and
similar highly sensitive data. Such information
should not be copied or removed from the
organization`s operational control without
specific authority. Security at this level should
be very high.
Information of a proprietary nature;
procedures, operational work routines, project
plans, designs and specifications that define
Proprietary
the way in which the organization operates.
Such information is normally for proprietary
use to authorized personnel only. Security at
this level is high.
Information not approved for general
circulation outside the organization where its
loss would inconvenience the organization or
management but where disclosure is unlikely
Internal Use only
to result in financial loss or serious damage to
credibility. Examples would include, internal
memos, minutes of meetings, internal project
reports. Security at this level is controlled but
normal.
Information in the public domain; annual
Public Documents
reports, press statements etc.; which has been
7
approved for public use. Security at this level
is minimal.
Information Asset
An Information Asset is a definable piece of information, stored in
any manner which is
recognized as 'valuable' to the organization. The information which
comprises an Information
Asset may be little more than a prospect name and address file; or
it may be the plans for the
release of the latest in a range of products to compete with
competitors.
Irrespective, the nature of the information assets themselves, they
all have one or more of the
following characteristics:-
They are recognized to be of value to the organization.
They are not easily replaceable without cost, skill, time, resources
or a combination.
They form a part of the organization`s corporate identity, without
which, the organization
may be threatened.
Their
Data Classification would normally be Proprietary, Highly
Confidential or even
Top Secret.
It is the purpose of Information Security to identify the threats
against, the risks and the
associated potential damage to, and the safeguarding of Information
Assets.
Information Custodian
An Information Custodian is the person responsible for overseeing
and implementing the
necessary safeguards to protect the information assets, at the level
classified by the Information
Owner.
This could be the System Administrator, controlling access to a
computer network; or a specific
application program or even a standard filing cabinet.
Information Owner
The person who creates, or initiates the creation or storage of the
information, is the initial
owner. In an organization, possibly with divisions, departments and
sections, the owner becomes
the unit itself with the person responsible, being the designated
'head' of that unit.
The Information owner is responsible for ensuring that:
An agreed classification hierarchy is agreed and that this is
appropriate for the types of
information processed for that business / unit.
8
Classify all information stored into the agreed types and create an
inventory (listing) of
each type.
For each document or file within each of the classification
categories, append its agreed
(confidentiality) classification. Its availability should be
determined by the respective
classification.
Ensure that, for each classification type, the appropriate level of
information security
safeguards are available e.g. the logon controls and access
permissions applied by the
Information Custodian provide the required levels of
confidentiality.
Periodically, check to ensure that information continues to be
classified appropriately and
that the safeguards remain valid and operative.
Perceived security compared to real security
It is very often true that people's perception of security is not
directly related to actual security.
For example, a fear of flying is much more common than a fear of
driving; however, driving is
generally a much more dangerous form of transport.
Another side of this is a phenomenon called
security theatre where ineffective security measures
such as screening of airline passengers based on static databases
are introduced with little real
increase in security or even, according to the critics of one such
measure -
Computer Assisted
Passenger Prescreening System - with an actual decrease in real
security.
9
Chapter 2
Categorizing security
There is an immense literature on the analysis and categorization of
security. Part of the reason
for this is that, in most security systems, the "weakest link in the
chain" is the most important.
The situation is asymmetric since the defender must cover all points
of attack while the attacker
can simply identify a single weak point upon which to concentrate
their efforts.
Types of security
The following are some major types of securities:
international security
national
security
physical
security
home security
information security
network
security
computing
security
application security
financial security
human security
food security
airport
security
shopping
centre security
humanitarian Security
Security concepts
Certain concepts recur throughout different fields of security.
risk - a risk is a
possible event which could cause a loss
threat - a threat
is a method of triggering a risk event that is dangerous
countermeasure
- a countermeasure is a way to stop a threat from triggering a
risk event
defense in
depth - never rely on one single security measure alone
assurance
- assurance is the level of guarantee that a security system
will behave as
expected
Information security
Information security is the process of protecting data from
unauthorized access, use, disclosure,
destruction, modification, or disruption. The terms information
security,
computer security and
information assurance are frequently used interchangeably. These
fields are interrelated and
share the common goals of protecting the confidentiality, integrity
and availability of
information; however, there are some subtle differences between
them. These differences lie
primarily in the approach to the subject, the methodologies used,
and the areas of concentration.
Information security is concerned with the confidentiality,
integrity and availability of data
regardless of the form the data may take: electronic, print, or
other forms.
Heads of state and military commanders have long understood the
importance and necessity of
protecting information about their military capabilities, number of
troops and troop movements.
Such information falling into the hands of the enemy could be
disastrous. Governments, military,
10
financial institutions, hospitals, and private businesses amass a
great deal of confidential
information about their employees, customers, products, research,
and financial status. Most of
this information is now collected, processed and stored on
electronic computers and transmitted
across networks to other computers. Should confidential information
about a businesses
customers or finances or new product line fall into the hands of a
competitor, such a breach of
security could lead to lost business, law suits or even bankruptcy
of the business. Protecting
confidential information is a business requirement, and in many
cases also an ethical and legal
requirement. For the individual, information security has a
significant effect on
Privacy, which is
viewed very differently in different cultures.
The field of information security has grown and evolved
significantly in recent years. As a career
choice there are many ways of gaining entry into the field. It
offers many areas for specialization
including Information Systems Auditing, Business Continuity Planning
and Digital Forensics
Science, to name a few.
This article presents a general overview of information security and
its core concepts.
IT Security standards
ISO/IEC 15443 A framework for IT security assurance (covering many
methods, i.e.
TCSEC,
Common
Criteria,
ISO/IEC 17799)
o
ISO/IEC 15443-1: Overview and framework
o
ISO/IEC 15443-2: Assurance methods
o
[ISO/IEC 15443-3: Analysis of assurance methods (expected in 2007)]
ISO/IEC 15408 refer also
to Common Criteria
ISO/IEC 17799:2005 Code of practice for information security
management refer also to
ISO/IEC 17799
refer also to TCSEC
Trusted Computer System Evaluation Criteria (Orange Book)
Information security
Security is everyone`s responsibility. Security awareness poster.
U.S.
Department of
Commerce/Office of Security.
11
A brief history of Information Security
This write-up describes the earliest roots and key developments of
what is now known as
information security.
Since the early days of writing, heads of state and military
commanders understood that it was
necessary to provide some mechanism to protect the confidentiality
of written correspondence
and to have some means of detecting tampering. Persons desiring
secure communications have
used wax
seals and other sealing devices since the early days of writing
to signify the
authenticity of documents, prevent tampering, and ensure
confidentiality of correspondence.
Julius Caesar
is credited with the invention of the
Caesar cipher c50 B.C. to prevent his secret
messages from being read should a message fall into the wrong hands.
World War II brought about much advancement in information security
and may mark the
beginning of information security as a professional field. WWII saw
advancements in the
physical protection of information with barricades and armed guards
controlling access into
information centers. It also saw the introduction of formalized
classification of data based upon
the sensitivity of the information and who could have access to the
information. During WWII
background checks were also conducted before granting clearance to
classified information.
The end of the 20th century and early years of the 21st century saw
rapid advancements in
telecommunications, computing hardware and software, and data
encryption. The availability of
smaller, more powerful and less expensive computing equipment made
electronic data
processing
within the reach of small business and the home user. These
computers quickly
became interconnected through a network generically called
the Internet or World Wide Web.
The rapid growth and wide spread use of electronic data processing
and electronic business
conducted through the Internet, along with numerous occurrences of
international
terrorism,
fueled the need for better methods of protecting these computers and
the information they store,
process and transmit. The academic disciplines of computer security,
information security and
information assurance emerged along with numerous professional
organizations - all sharing the
common goals of insuring the security and reliability of information
systems.
12
Chapter 3
Basic principles of Information Security
Confidentiality, integrity, availability
For over twenty years information security has held that three key
concepts form the core
principles of information security: confidentiality, integrity and
availability. These are known as
the CIA Triad.
Confidentiality
It is virtually impossible to get a drivers license, rent an
apartment, obtain medical care, or take
out a loan without disclosing a great deal of very personal
information about ourselves, such as
our name, address, telephone number, date of birth,
Social Security number, marital status,
number of children, mother's maiden name, income, place of
employment, medical history, etc.
This is all very personal and private information, yet we are often
required to provide such
information in order to transact business. We generally take it on
faith that the person, business,
or institution to whom we disclose such personal information have
taken measures to ensure that
our information will be protected from unauthorized discloser,
either accidental or intentional,
and that our information will only be shared with other people,
businesses or institutions who are
authorized to have access to the information and who have a genuine
need to know the
information.
The CIA Triad.
Information that is considered to be confidential in nature must
only be accessed, used, copied,
or disclosed by persons who have been authorized to access, use,
copy, or disclose the
information, and then only when there is a genuine need to access,
use, copy or disclose the
information. A breach of confidentiality occurs when information
that is considered to be
confidential in nature has been, or may have been, accessed, used,
copied, or disclosed to, or by,
someone who was not authorized to have access to the information.
For example: permitting someone to look over your shoulder at your
computer screen while you
have confidential data displayed on it would be a breach of
confidentiality if they were not
authorized to have the information. If a laptop computer, which
contains employment and benefit
13
information about 100,000 employees, is stolen from a car (or is sold
on eBay) could result in a
breach of confidentiality because the information is now in the
hands of someone who is not
authorized to have it. Giving out confidential information over the
telephone is a breach of
confidentiality if the caller is not authorized to have the
information.
Confidentiality is a requisite for maintaining
the privacy of the people whose personal
information the organization holds.
Integrity
In information security, integrity means that data can not be
created, changed, or deleted without
authorization. It also means that data stored in one part of a
database system is in agreement with
other related data stored in another part of the database system (or
another system). For example:
a loss of integrity can occur when a database system is not properly
shut down before
maintenance is performed or the database server suddenly loses
electrical power. A loss of
integrity occurs when an employee accidentally, or with malicious
intent, deletes important data
files. A loss of integrity can occur if a computer virus is released
onto the computer. A loss of
integrity can occur when an on-line shopper is able to change the
price of the product they are
purchasing.
Availability
The concept of availability means that the information, the
computing systems used to process
the information, and the security controls used to protect the
information are all available and
functioning correctly when the information is needed. The opposite
of availability is denial of
service (DOS)
In 2002, Mr. Donn Parker proposed an alternative model for the
classic CIA triad that he called
the six
atomic elements of information. His alternative model includes
confidentiality,
possession or control, integrity, authenticity, availability, and
utility. The merits of the
Parkerian-
hexad are
a subject of debate amongst security professionals.
Risk management
A comprehensive treatment of the topic of risk management is beyond
the scope of this article.
We will however, provide a useful definition of risk management,
outline a commonly used
process for risk management, and define some basic terminology.
Breaching Organizational Security
A number of organizational security breaches can occur; some of
these are amplified by the use
of a database because of the integrated approach to data storage and
retrieval. Some of these
breaches and security issues include:
Virus
Unauthorized access (hacking)
Industrial and/or individual sabotage
Accidents by users (incompetence)
And in his analysis of some of the threats and risks to data, he
mentioned the following:
14
Loss of access to your company data
Unproductive workforce
Viral infection
Theft of company secrets
Inadvertent law breaking
Security can be divided into a number of aspects:
(a)
Prevention
(b)
Detection
(c)
Deterrence
(d)
Recovery procedures
(e)
Correction procedures
(f)
Threat avoidance.
Crimes and instructions on automated information systems
Computer crime encompasses any unauthorized use of a computer system
including software
piracy or theft of system resources for personal use including
computer processing time and
network access time. It is also a crime to take any action intended
to alter data programs or to
damage or destroy data, software, or equipment. All these crimes are
committed through
intrusion, the forced and unauthorized entry into a system.
Computer crime through intrusion can occur in one of two ways, which
is either by hackers
break into a system to destroy the data or the network, or software
viruses inserted into a system
to destroy programs and data.
Software Piracy
Piracy is the act of making of illegal copies of copyright
information, and software piracy is the
making of illegal copies of software. This is one of the most
serious issues in IT today because it
is so widespread that it is responsible for an enormous loss of
revenue to software originators.
Protections against Software Piracy
Software Copyright Protection: This is the legal protection of
original works against
unauthorized use, including duplication, provided the owner visibly
displays a notice on the
product. This method has been used for many yeas for the protection
of books, magazines, music
and other commercial original works, but today it also applies to
computer software, database
etc.
Copyright Protection: This is a software protection scheme that
defeats attempts to copy a
program or makes the copied software unreliable.
Software Site Licensing: This is an agreement under which a software
purchaser pays a fee to the
manufacturer to make a specified number of copies of a particular
program.
15
Hackers
Hackers are people that attack/gain access into system/networks
illegally to see what is there and
mostly to destroy data for their profits, to be malicious or just
because it is there. Hackers usually
gain access to a system through a network, but sometimes they
physically enter a computer or
network facility.
Business people should always keep their intellectual property from
the eyes of their competitors
or hackers, because much of the data is very difficult and expensive
to generate. Therefore if care
is not taken loss or damages can put the individual out of business
because networks are attack
by morons. Consider what will happen when an enemy/hacker gains
access to your network.
Network Security Measures Against Hackers
There are various ways and methods of protecting networks from
dangers or hackers, and it is
always very wise for not to rely on a single protection method and
deploy them in layers
designed so that an attacker has to defeat multiple defense
mechanisms to perform a successful
attack.
Below are some security measures that should be adhered to by all
users of a network system:
Physical Access Control is the most basic level of security, but it
is frequently forgotten. The
most trivial way of stealing data or disrupting IT operations is to
physically take or destroy
pieces of equipment. Instead of spending more effort and resources
securing your data against
threats coming from the network, make sure to control physical
access to critical servers and
network infrastructure.
This involves the employing of security guards to monitor and guard
the IT room/office so that
nobody will have the direct access of stealing or damaging data or
equipment and theft will not
take place. Therefore the workplace should have tight security
measure to prevent un-authorized
people from invading the place. A padlock may be your most effective
network security
investment.
User authentication mechanisms are designed to uniquely identify
users, assign their
corresponding access rights to information, and track their
activities. Workers should know that
the security of the organization must not be compromised. User`s ID
and passwords are the
primary means of safeguarding organizational assets.
Authentication is usually performed by challenging the user to
provide access keys (passwords,
biometric information, tokens, ID cards, etc) and checking their
access privileges against a
RADIUS, LDAP or SLDAP database.
Data Encryption is the process of encoding data through a series of
mathematical functions to
prevent unauthorized parties from viewing or modifying it. It has
the objective to protect the
confidentiality and integrity of the information, even when the
encrypted data is in transit over
unsecured media such as the Internet.
Data encryption works so that only the recipient can decode the data
using the decoding
algorithm that is not necessarily secret and an encryption key that
is secret.
Network Packet Filtering is performed at network level and can be
performed at routers and
gateways by analyzing headers of IP packets and allowing or denying
forwarding based on
source or destination address, protocol type, TCP port number,
packet length, etc. This is useful
to prevent access even before there is an attempt to authenticate or
look at system data.
16
Firewalls are devices that perform packet filtering but look beyond
the Internet Protocol headers
and also analyze the packet payload for patterns to deny/allow user.
The use of Passwords on data or the entire computer system can act
as a protection from
unauthorized people. A password has to be keyed in to gain access to
the data or computer
system and this is made up of characters, numbers, or in an
alphanumeric form and the password
is issued only to people authorized to use the system and this
should be changed frequently to
keep the data secure.
It is not advisable to use the name of the company or the owner`s
name or his/her family name as
a password because many people might know this and others might try
this to gain access to the
data.
Restricted Access (privileges) to different data areas can be set up
so that only authorized users
can gain access to certain data. In this case all the users may be
able to access the company`s
files, but access to certain data will be restricted to certain
members, and this is done through the
use of additional passwords or by setting up the system so that only
certain terminals can gain
access to certain data.
Back Ups: This is the act of duplicating files so that incase of any
accident such as loss of
original file, there will be copies/duplicates of the original, and
if possible this duplicate will not
be kept in the computer system alone or at workplaces but there
should be more secured places
to keep it.
Computer Viruses
A virus is defined as a small computer program that is capable of
copying itself from one
computer to another, thus emulating a biological virus that infects
new hosts. Viruses are almost
always written with malicious intent, and may inflict damage ranging
from temporarily
corrupting the screen display or slowing down the computer
operation, through deleting certain
files, up to erasing the entire hard disk content.
In certain cases intrusions occurs by way of software. According to
Wikipedia, A computer
virus is a hidden program that alters, without the user`s knowledge
the way the computer
operates or modifies the data and programs stored on the computer.
It is said to be a virus
because it reproduces itself, passing from one computer to another,
or it can also enter a
computer when a file to which it attaches itself is being
transferred to a remote computer through
a communication network and an infected disk or diskette will
continue to spread the virus each
time it is used. Other viruses take control of the operating system
and stop it from functioning.
The most dangerous viruses do not act immediately after infection
but often lie dormant for a
long period until it is triggered by some event; such as reaching a
particular date (Friday the 13th
is popular) or running a certain program.
Writing a virus is technically demanding, so they are always written
for the most popular brands
of computer, where there exists a reasonable chance that they will
replicate. Historically they
have been mainly confined to IBM compatibles Personal Computers
and the Apple Macintosh.
17
The first virus was probably the 1987 Lehigh virus, followed by the
more widely infectious
stoned, Jerusalem and Cascade viruses, all of which infected PCs
running MS-DOS. These early
viruses disseminated themselves via a floppy disk, copying
themselves into the Boot Sector of
the hard disk of any computer that was booted from that floppy.
Their spread was exacerbated by
the people taking floppy disks to work to play games, and exchanging
pirated software on
floppies. Once software became too big for floppies, this class of
virus almost died out, as they
can not infect the read-only Compact Disk Read Only Memory
(CD-ROM). Now almost all
viruses are disseminated via the Internet, either by the
down-loading of files that they have
infected, or hidden in an attachment to an Email.
There are three main categories of virus:
(a) File viruses
(b) Script or Macro viruses
(c) Boot Sector viruses.
Protections against viruses
Scanning: This is a method by which virus-checking programs such as
Norton Anti-virus
searches disks and memory for known viruses.
Interception: This is a virus checking program that monitors
processing, seeking to spot virus
program in action.
Digital signature encryption: These are published programs that are
encoded with mathematical
key, making it difficult for virus to attack data or programs.
Health hazards & safety precautions associated with computer
workplaces
Having a proper workplace and ensuring that workers enjoy the
benefits a good and accident-free
workplace is a good motivation for employees. It is very clear that
a healthy and happy worker is
more productive to any business. The key to designing a proper
workplace for the knowledge
worker is flexibility.
Computer operators/users are also covered by the health and safety
act 1974. Therefore to
comply with this act, employers are required to make sure that their
places of work are safe
environments. Issues related to the use of computers include the
regular checking of all electrical
equipment to make sure that it is safe to use.
It is also the duty of employees to undertake safe working practices
and they are required to:
(a) Report any hazards relating to computers immediately and this
could include trailing
computer leads, loose wiring etc.
(b) Avoid lifting heavy equipments unless the individual is trained
to do so.
(c) Take breaks at regular intervals.
(d) Maintain good posture when sitting at terminals.
18
Chapter 4
Risk Management
The CISA Review Manual 2006 provides the following definition of
risk management: "Risk
management is the process of identifying vulnerabilities and threats
to the information resources
used by an organization in achieving business objectives, and
deciding what countermeasures, if
any, to take in reducing risk to an acceptable level, based on the
value of the information
resource to the organization."
There are two things in this definition that may need some
clarification. First, the process of risk
management is an ongoing iterative process. It must be repeated
indefinitely. The business
environment is constantly changing and new threats and
vulnerabilities emerge every day.
Second, the choice of countermeasures (controls) used to manage
risks must strike a balance
between productivity, cost, effectiveness of the countermeasure, and
the value of the
informational asset being protected.
Risk is the likelihood that something bad will happen that causes
harm to an informational asset
(or the loss of the asset). Vulnerability is a weakness that could
be used to endanger or cause
harm to an informational asset. A threat is anything (man made or
act of nature) that has the
potential to cause harm.
The likelihood that a threat will use a vulnerability to cause harm
creates a risk. When a threat
does use a vulnerability to inflict harm, it has an impact. In the
context of information security,
the impact is a loss of availability, integrity, and
confidentiality, and possibly other losses (lost
income, loss of life, loss of real property). It should be pointed
out that it is not possible to
identify all risks, nor is it possible to eliminate all risk. The
remaining risk is called residual risk.
A risk assessment is carried out by a team of people who have
knowledge of specific areas of the
business. Membership of the team may vary over time as different
parts of the business are
assessed. The assessment may use a subjective qualitative analysis
based on informed opinion, or
where reliable dollar figures and historical information is
available, the analysis may use
quantitative analysis.
The
ISO-17799:2005 Code of practice for information security
management recommends the
following be examined during a risk assessment: security policy,
organization of information
security, asset management, human resources security, physical and
environmental security,
communications and operations management, access control,
information systems acquisition,
development and maintenance, information security incident
management, business continuity
management, and regulatory compliance.
In broad terms the risk management process consists of:
(a) Identification of assets and estimating their value. Include:
people, buildings, hardware,
software, data (electronic, print, and other), and supplies.
(b) Conduct a threat assessment. Include: Acts of nature, acts of
war, accidents, and malicious
acts originating from inside or outside the organization.
19
(c) Conduct a vulnerability assessment, and for each vulnerability,
calculate the probability that
it will be exploited. Evaluate policies, procedures, standards,
training, physical security, quality
control, technical security.
(d) Calculate the impact that each threat would have on each asset.
Use qualitative analysis or
quantitative analysis.
Identify, select and implement appropriate controls. Provide a
proportional response. Consider
productivity, cost effectiveness, and value of the asset.
Evaluate the effectiveness of the control measures. Ensure the
controls provide the required cost
effective protection without discernable loss of productivity.
For any given risk, Executive Management can choose to accept the
risk based upon the relative
low value of the asset, the relative low frequency of occurrence,
and the relative low impact on
the business. Or, leadership may choose to mitigate the risk by
selecting and implementing
appropriate control measures to reduce the risk. In some cases, the
risk can be transferred to
another business by buying insurance or out-sourcing to another
business. The reality of some
risks may be disputed. In such cases leadership may choose to deny
the risk. This is itself a
potential risk.
Three types of controls
When Management chooses to mitigate a risk, they will do so by
implementing one or more of
three different types of controls.
1. Administrative controls are comprised of approved written
policies, procedures, standards and
guidelines. Administrative controls form the framework for running
the business and managing
people. They inform people on how the business is to be run and how
day to day operations are
to be conducted. Laws and regulations created by government bodies
are also a type of
administrative control because they inform the business. Some
industry sectors have policies,
procedures, standards and guidelines that must be followed - the
Payment Card Industry (PCI)
Data Security Standard required by Visa and Master Card is such an
example. Other examples of
administrative controls include the corporate security policy,
password policy, hiring policies,
and disciplinary policies.
Administrative controls form the basis for the selection and
implementation of logical and
physical controls. Logical and physical controls are manifestations
of administrative controls.
Administrative controls are of paramount importance.
2. Logical controls (also called technical controls) use software
and data to monitor and control
access to information and computing systems. For example: passwords,
network and host based
firewalls, network intrusion detection systems, access control
lists, and data encryption are
logical controls.
An important logical control that is frequently overlooked is the
principle of least privilege. The
principle of least privilege requires that an individual, program or
system process is not granted
any more access privileges than are necessary to perform the task. A
blatant example of the
failure to adhere to the principle of least privilege is logging
into Windows as user Administrator
to read Email and surf the Web. Violations of this principle can
also occur when an individual
collects additional access privileges over time. This happens when
employees' job duties change,
20
or they are promoted to a new position, or they transfer to another
department. The access
privileges required by their new duties are frequently added onto
their already existing access
privileges which may no longer be necessary or appropriate.
3. Physical controls monitor and control the environment of the work
place and computing
facilities. They also monitor and control access to and from such
facilities. For example: doors,
locks, heating and air conditioning, smoke and fire alarms, fire
suppression systems, cameras,
barricades, fencing, security guards, cable locks, etc. Separating
the network and work place into
functional areas are also physical controls.
An important physical control that is frequently overlooked is the
separation of duties.
Separation of duties ensures that an individual can not complete a
critical task by himself. For
example: an employee who submits a request for reimbursement should
not also be able to
authorize payment or print the check. An applications programmer
should not also be the server
administrator or the database administrator - these roles and
responsibilities must be separated
from one another.
Security classification for information
An important aspect of information security and risk management is
recognizing the value of
information and defining appropriate procedures and protection
requirements for the
information. Not all information is equal and so not all information
requires the same degree of
protection. This requires information to be assigned a
security classification.
The first step in information classification is to identify a member
of senior management as the
owner of the particular information to be classified. Next, develop
a classification policy. The
policy should describe the different classification labels, define
the criteria for information to be
assigned a particular label, and list the required security controls
for each classification.
Some factors that influence which classification information should
be assigned include how
much value that information has to the organization, how old the
information is and whether or
not the information has become obsolete. Laws and other regulatory
requirements are also
important considerations when classifying information.
Common information security classification labels used by the
business sector are: public,
sensitive, private, confidential. Common information security
classification labels used by
government are: unclassified, sensitive but unclassified,
confidential, secret, top secret.
All employees in the organization, as well as business partners,
must be trained on the
classification schema and understand the required security controls
and handling procedures for
each classification. The classification a particular information
asset has been assigned should be
reviewed periodically to ensure the classification is still
appropriate for the information and to
ensure the security controls required by the classification are in
place.[3]
Access control
Access to protected information must be restricted to people who are
authorized to access the
information. The computer programs, and in many cases the computers
that process the
information, must also be authorized. This requires that mechanisms
be in place to control the
access to protected information. The sophistication of the access
control mechanisms should be
in parity with the value of the information being protected - the
more sensitive or valuable the
information the stronger the control mechanisms need to be. The
foundation on which access
control mechanisms are built start with identification and
authentication.
21
Identification is an assertion of who someone is or what something is.
If a person makes the
statement "Hello, my name is Festus Ajibuwa." Such a person is
making a claim of who he is.
However, his claim may or may not be true. Before Festus Ajibuwa can
be granted access to
protected information it will be necessary to verify that the person
claiming to be Festus Ajibuwa
is really Festus Ajibuwa.
Authentication is the act of verifying a claim of identity. When
Festus Ajibuwa goes into a bank
to make a withdrawal, he tells the bank teller he is Festus Ajibuwa
(a claim of identity). The
bank teller asks to see a photo ID, so he hands the teller his
driver`s license. The bank teller
checks the license to make sure it has Festus Ajibuwa printed on it
and compares the photograph
on the license against the person claiming to be Festus Ajibuwa. If
the photo and name match the
person, then the teller has authenticated that Festus Ajibuwa is who
he claimed to be.
There are three different types of information that can be used for
authentication: something you
know, something you have, or something you are. Examples of
something you know include
such things as a PIN number, a password, or your mother`s maiden
name. Examples of
something you have include a driver`s license or a magnetic
swipe card. Something you are
refers to biometrics. Examples of biometrics include palm prints,
finger prints, voice prints and
retina (eye) scans. Strong authentication requires providing
information from two of the three
different types of authentication information. For example,
something you know plus something
you have. This is called two-factor authentication.
On computer systems in use today, the Username is the most common
form of identification and
the Password is the most common form of authentication. Usernames
and passwords have served
their purpose but in our modern world they are no longer adequate.
Usernames and passwords
are slowly being replaced with more sophisticated authentication
mechanisms.
After a person, program or computer has successfully been identified
and authenticated then it
must be determined what informational resources they are permitted
to access and what actions
they will be allowed to perform (run, view, create, delete, or
change). This is called
authorization.
Authorization to access information and other computing services
begins with administrative
policies and procedures. The polices prescribe what information and
computing services can be
accessed, by whom, and under what conditions. The access control
mechanisms are then
configured to enforce these policies.
Different computing systems are equipped with different kinds of
access control mechanisms;
some may offer a choice of different access control mechanisms. The
access control mechanism
a system offers will be based upon one of three approaches to access
control or it may be derived
from a combination of the three approaches.
The non-discretionary approach consolidates all access control under
a centralized
administration. The access to information and other resources is
usually based on the individuals
function (role) in the organization or the tasks the individual must
perform. The discretionary
approach gives the creator or owner of the information resource the
ability to control access to
those resources. In the Mandatory access control approach, access is
granted or denied bases
upon the security classification assigned to the information
resource.
22
Examples of common access control mechanisms in use today include
Role-based access control
available in many advanced Database Management Systems, simple
file permissions provided in
the UNIX and Windows operating systems, Group Policy Objects
provided in Windows network
systems, Kerberos, RADIUS, TACACS, and the simple access lists used
in many firewalls and
routers.
To be effective, policies and other security controls must be
enforceable and upheld. Effective
policies ensure that people are held accountable for their actions.
All failed and successful
authentication attempts must be logged, and all access to
information must leave some type of
audit trail.
Cryptography
Information security uses
cryptography to transform usable information into a form that
renders
it unusable by anyone other than an authorized user; this process is
called encryption.
Information that has been encrypted (rendered unusable) can be
transformed back into its
original usable form by an authorized user, who possesses
the
cryptographic key, through the
process of decryption. Cryptography is used in information security
to protect information from
unauthorized or accidental discloser while the information is in
transit (either electronically or
physically) and while information is in storage.
Cryptography provides information security with other useful
applications as well including
improved authentication methods, message digests, digital
signatures,
non-repudiation, and
encrypted network communications. Older less secure application such
as telnet and ftp are
slowly being replaced with more secure applications such as
SSH that use encrypted network
communications. Wireless communications can be encrypted using
the
WPA protocol. Software
applications such as
GNUPG or
PGP can be used to encrypt data files and Email.
Cryptography can introduce security problems when it is not
implemented correctly.
Cryptographic solutions need to be implemented using industry
accepted solutions that have
undergone rigorous peer review by independent experts in
cryptography. The
length and strength
of the encryption key is also an important consideration. A key that
is weak or too
short will
produce weak encryption. The keys used for encryption and decryption
must be protected with
the same degree of rigor as any other confidential information. They
must be protected from
unauthorized disclosure and destruction and they must be available
when needed.
PKI solutions
address many of the problems that surround
key management.
Defense in depth
23
Information security must protect information through out the life
span of the information, from
the initial creation of the information on through to the final
disposal of the information. The
information must be protected while in motion and while at rest.
During its life time, information
may pass through many different information processing systems and
through many different
parts of information processing systems. There are many different
ways the information and
information systems can be threatened. To fully protect the
information during its lifetime, each
component of the information processing system must have its own
protection mechanisms. The
building up, layering on and overlapping of security measures is
called defense in depth. The
strength of any system is no greater than its weakest link. Using a
defense in depth strategy,
should one defensive measure fail there are other defensive measures
in place that continue to
provide protection.
Recall the earlier discussion about administrative controls, logical
controls, and physical
controls. The three types of controls can be used to form the bases
upon which to build a defense
in depth strategy. With this approach, defense in depth can be
conceptualized as three distinct
layers or planes laid one on top of the other. Additional insight
into defense in depth can be
gained by thinking of it as forming the layers of an onion, with
data at the core of the onion,
people as the outer layer of the onion, and network security, host
based security and applications
security forming the inner layers of the onion. Both perspectives
are equally valid and each
provides valuable insight into the implementation of a good defense
in depth strategy.
24
Chapter 5 - Analysis
Information security as a process
The terms reasonable and prudent person, due care and due diligence
have been used in the fields
of Finance, Securities, and Law for many years. In recent years
these terms have found their way
into the fields of computing and information security. U.S.A.
Federal Sentencing Guidelines now
make it possible to hold corporate officers liable for failing to
exercise due care and due
diligence in the management of their information systems.
In the business world, stockholders, customers, business partners
and governments have the
expectation that corporate officers will run the business in
accordance with accepted business
practices and in compliance with laws and other regulatory
requirements. This is often described
as the "reasonable and prudent person" rule. A prudent person takes
due care to ensure that
everything necessary is done to operate the business by sound
business principles and in a legal
ethical manner. A prudent person is also diligent (mindful,
attentive, and ongoing) in their due
care of the business.
In the field of Information Security, Harris offers the following
definitions of due care and due
diligence:
"Due care are steps that are taken to show that a company has taken
responsibility for the
activities that take place within the corporation and has taken the
necessary steps to help protect
the company, its resources, and employees." And, [Due diligence are
the] "continual activities
that make sure the protection mechanisms are continually maintained
and operational."
Attention should be made to two important points in these
definitions. First, in due care, steps are
taken to show - this means that the steps can be verified, measured,
or even produce tangible
artifacts. Second, in due diligence, there are continual activities
- this means that people are
actually doing things to monitor and maintain the protection
mechanisms, and these activities are
ongoing.
Change management
Change management is a formal process for directing and controlling
alterations to the
information processing environment. This includes alterations to
desktop computers, the
network, servers and software. The objectives of change management
are to reduce the risks
posed by changes to the information processing environment and
improve the stability and
reliability of the processing environment as changes are made. It is
not the objective of change
management to prevent or hinder necessary changes from being
implemented.
Any change to the information processing environment introduces an
element of risk. Even
apparently simple changes can have unexpected effects. One of
Managements many
responsibilities is the management of risk. Change management is a
tool for managing the risks
introduced by changes to the information processing environment.
Part of the change
management process ensures that changes are not implemented at
inopportune times when they
may disrupt critical business processes or interfere with other
changes being implemented.
25
Not every change needs to be managed. Some kinds of changes are a part
of the everyday routine
of information processing and adhere to a predefined procedure,
which reduces the overall level
of risk to the processing environment. Creating a new user account
or deploying new desktop
computers are examples of changes that do not generally require
change management. However,
relocating user file shares, or upgrading the Email server pose a
much higher level of risk to the
processing environment and are not a normal everyday activity.
Change management is usually overseen by a Change Review Board
comprised of
representatives from key business areas, security, networking,
systems administrators, Database
administration, applications development, desktop support and the
help desk. The tasks of the
Change Review Board can be facilitated with the use of automated
work flow application. The
responsibility of the Change Review Board is to ensure the
organizations documented change
management procedures are followed. The change management process is
as follows:
Requested: Anyone can request a change. The person making the change
request may or may not
be the same person that performs the analysis or implements the
change. When a request for
change is received, it may undergo a preliminary review to determine
if the requested change is
compatible with the organization`s business model and practices, and
to determine the amount of
resources needed to implement the change.
Approved: Management runs the business and controls the allocation
of resources therefore;
Management must approve requests for changes and assign a priority
for every change.
Management might choose to reject a change request if the change is
not compatible with the
business model, industry standards or best practices. Management
might also choose to reject a
change request if the change requires more resources than can be
allocated for the change.
Planned planning a change involves discovering the scope and impact
of the proposed change;
analyzing the complexity of the change; allocation of resources and,
developing, testing and
documenting an implementation plan.
Tested: Every change must be tested in a safe test environment,
which closely reflects the actual
production environment, before the change is applied to the
production environment.
Scheduled: Part of the change review board's responsibility is to
assist in the scheduling of
changes by reviewing the proposed implementation date for potential
conflicts with other
scheduled changes or critical business activities.
Communicated: Once a change has been scheduled it must be
communicated. The
communication is to give others the opportunity to remind the change
review board about other
changes or critical business activities that might have been
overlooked when scheduling the
change. The communication also serves to make the Help Desk and
users aware that a change is
about to occur. Another responsibility of the change review board is
to ensure that scheduled
changes have been properly communicated to those who will be
affected by the change or
otherwise have an interest in the change.
26
Implemented: At the appointed date and time, the changes must be
implemented. Part of the
planning process was to develop an implementation plan, testing plan
and, a back out plan. If the
implementation of the change should fail or, the post implementation
testing fails or, other "drop
dead" criteria have been met, the back out plan should be
implemented.
Documented: All changes must be documented. The documentation
includes the initial request
for change, its approval, the priority assigned to it, the
implementation, testing and back out
plans, the results of the change review board critique, the
date/time the change was implemented,
who implemented it, and whether the change was implemented
successfully, failed or postponed.
Post change review: The change review board should hold a post
implementation review of
changes. It is particularly important to review failed and backed
out changes. The review board
should try to understand the problems that were encountered, and
look for areas for
improvement.
Change management procedures that are simple to follow and easy to
use can greatly reduce the
overall risks created when changes are made to the information
processing environment. Good
change management procedures improve the over all quality and
success of changes as they are
implemented. This is accomplished through planning, peer review,
documentation and
communication.
ISO/IEC 20000,
Visible Ops and
Information Technology Infrastructure Library all provide
valuable guidance on implementing an efficient and effective change
management program.
Laws and regulations governing Information Security
Below is a partial listing of European, United Kingdom, Canadian and
USA governmental laws
and regulations that have, or will have, a significant effect on
data processing and information
security. Important industry sector regulations have also been
included when they have a
significant impact on information security.
UK Data
Protection Act 1998 makes new provisions for the regulation of
the processing of
information relating to individuals, including the obtaining,
holding, use or disclosure of such
information. The
European Union Data Protection Directive (EUDPD) requires that
all EU
members must adopt national regulations to standardize the
protection of data privacy for
citizens throughout the EU.
The
Computer Misuse Act 1990 is an Act of the
UK Parliament making computer crime (e.g.
hacking) a criminal offence. The Act has become a model upon which
several other countries
including Canada
and the
Republic of Ireland, have drawn inspiration when subsequently
drafting their own information security laws.
EU Data Retention laws requires Internet service providers and
phone companies to keep data on
every electronic message sent and phone call made for between six
months and two years.
27
The
Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. §
1232 g; 34 CFR Part 99)
is a USA Federal law that protects the privacy of student education
records. The law applies to
all schools that receive funds under an applicable program of the
U.S. Department of Education.
Generally, schools must have written permission from the parent or
eligible student in order to
release any information from a student's education record.
Health Insurance
Portability and Accountability Act (HIPAA) requires the adoption
of national
standards for electronic health care transactions and national
identifiers for providers, health
insurance plans, and employers. And, it requires health care
providers, insurance providers and
employers to safeguard the security and privacy of health data.
Gramm-Leach-Bliley Act of 1999(GLBA), also know as the Financial
Services Modernization
Act of 1999, protects the privacy and security of private financial
information that financial
institutions collect, hold, and process.
Sarbanes-Oxley Act of 2002 (SOX). Section 404 of the act
requires publicly traded companies to
assess the effectiveness of their internal controls for financial
reporting in annual reports they
submit at the end of each fiscal year. Chief information officers
are responsible for the security,
accuracy and the reliability of the systems that manage and report
the financial data. The act also
requires publicly traded companies to engage independent auditors
who must attest to, and report
on, the validity of their assessments.
Payment Card
Industry Data Security Standard (PCI DSS) establishes
comprehensive
requirements for enhancing payment account data security. It was
developed by the founding
payment brands of the PCI Security Standards Council, including
American Express, Discover
Financial Services, JCB, MasterCard Worldwide and Visa
International, to help facilitate the
broad adoption of consistent data security measures on a global
basis. The PCI DSS is a
multifaceted security standard that includes requirements for
security management, policies,
procedures, network architecture, software design and other critical
protective measures.
State
Security Breach Notification Laws (California and many others)
require businesses,
nonprofits, and state institutions to notify consumers when
unencrypted "personal information"
may have been compromised, lost, or stolen.
Personal Information Protection and Electronics Document Act
(PIPEDA) An Act to support and
promote electronic commerce by protecting personal information that
is collected, used or
disclosed in certain circumstances, by providing for the use of
electronic means to communicate
or record information or transactions and by amending the Canada
Evidence Act, the Statutory
Instruments Act and the Statute Revision Act.
Sources of standards for Information Security
International Organization for
Standardization (ISO) is a consortium of national standards
institutes from 157 countries with a Central Secretariat in Geneva
Switzerland that coordinates
the system. The ISO is the world's largest developer of standards.
The ISO-15443: "Information
technology - Security techniques - A framework for IT security
assurance",
ISO-17799:
"Information technology - Security techniques - Code of practice for
information security
28
management",
ISO-20000: "Information technology - Service management", and
ISO-27001:
"Information technology - Security techniques -
Information security management systems" are
of particular interest to information security professionals.
The USA National Institute of
Standards and Technology (NIST) is a non-regulatory federal
agency within
the U.S. Commerce Department's Technology Administration. The
NIST
Computer Security Division
develops standards, metrics, tests and validation programs as well
as
publishes standards and guidelines to increase secure IT planning,
implementation, management
and operation. NIST is also the custodian of the USA
Federal Information Processing
Standardpublications (FIPS)].
The Internet Society (ISOC) is a
professional membership society with more than 100
organizations and over 20,000 individual members in over 180
countries. It provides leadership
in addressing issues that confront the future of the Internet, and
is the organization home for the
groups responsible for Internet infrastructure standards, including
the
Internet Engineering Task
Force (IETF) and the
Internet Architecture Board (IAB). The ISOC hosts the
Requests for
Comments (RFCs)
which includes
the Official Internet Protocol Standards and
the RFC-2196
Site
Security Handbook.
The
Information Security Forum is a global nonprofit organization of
several hundred leading
organizations in financial services, manufacturing,
telecommunications, consumer goods,
government, and other areas. It provides research into best practice
and practice advice
summarized in its biannual
Standard of Good Practice, incorporating detail specifications
across
many areas.
Sources of standards for Information Security
International Organization for
Standardization (ISO) is a consortium of national standards
institutes
from 157 countries with a Central Secretariat in Geneva Switzerland
that coordinates the system. The
ISO is the world's largest developer of standards. The ISO-15443:
"Information technology - Security
techniques - A framework for IT security assurance",
ISO-17799: "Information technology - Security
techniques - Code of practice for information security management",
ISO-20000:
"Information
technology - Service management", and
ISO-27001: "Information technology - Security techniques -
Information security management systems" are of particular
interest to information security
professionals.
The USA National Institute of
Standards and Technology (NIST) is a non-regulatory federal
agency
within
the
U.S. Commerce Department's Technology Administration. The NIST
Computer Security
Division develops standards,
metrics, tests and validation programs as well as publishes
standards and
guidelines to increase secure IT planning, implementation,
management and operation. NIST is also
the custodian of the USA
Federal Information Processing Standard publications (FIPS)].
The Internet Society (ISOC) is a
professional membership society with more than 100 organizations
and over 20,000 individual members in over 180 countries. It
provides leadership in addressing issues
that confront the future of the Internet, and is the organization
home for the groups responsible for
Internet infrastructure standards, including
the Internet Engineering Task Force (IETF) and
the Internet
29
Architecture Board (IAB). The ISOC hosts the
Requests for Comments (RFCs) which includes the
Official Internet
Protocol Standards and
the RFC-2196 Site Security Handbook.
Protecting privacy in information systems
Increasingly, as heterogeneous information systems with different
privacy rules are interconnected,
technical control and logging mechanisms
(policy
appliances) will be required to reconcile, enforce
and monitor privacy policy rules (and laws) as information is shared
across systems and to ensure
accountability for information use. There are several technologies
to address privacy protection in
enterprise IT systems. These fall into two categories: communication
and enforcement.
Policy Communication
P3P - The Platform
for Privacy Preferences. P3P is a standard for communicating privacy
practices and comparing them to the preferences of individuals.
Policy Enforcement
XACML - The
eXtensible Access Control Markup Language together with its Privacy
Profile is a standard for expressing privacy policies in a
machine-readable language
which a software system can use to enforce the policy in enterprise
IT systems.
EPAL - The Enterprise Privacy Authorization Language is very
similar to XACML, but
is not yet a standard.
WS-Privacy - "Web Service Privacy" will be a specification for
communicating privacy
policy in web
services. For example, it may specify how privacy policy
information can
be embedded in the SOAP
envelope of a web service message.
North America
Data privacy is not highly legislated or regulated in
the U.S..
In the United States, access to
private data is culturally acceptable in many cases, such as credit
reports for employment or
housing purposes. Although partial regulations exist, for instance
the Children's Online Privacy
Protection Act and
HIPAA, there is no all-encompassing law regulating the use of
personal data.
The culture of free speech in the U.S. may be a reason for the
reluctance to trust the government
to protect personal information. In the U.S. the first amendment
protects free speech and in many
instances privacy conflicts with this amendment. In many countries
privacy has been used as a
tool to suppress free speech.
The
safe harbor arrangement was developed by
the
US Department of Commerce in order to
provide a means for US companies to demonstrate compliance with
European Commission
directives and thus to simplify relations between them and European
businesses.
The Supreme Court interpreted the Constitution to grant a right of
privacy to individuals in
Griswold v. Connecticut. Very few states, however, recognize an
individual's right to privacy, a
notable exception being
California. An inalienable right to privacy is enshrined in
the
California
Constitution's article 1, section 1, and the California
legislature has enacted several pieces of
legislation aimed at protecting this right. The California
Online Privacy Protection Act (OPPA)
of 2003 requires operators of commercial web sites or online
services that collect personal
information on California residents through a web site to
conspicuously post a privacy policy on
the site and to comply with its policy.
In Canada,
the Personal Information Protection and Electronic Documents Act
(PIPEDA) went
into effect in relation to federally regulated organizations
on 1 January
2001, and in
relation to
30
all other organizations on
1 January
2004. It brings
Canada into compliance with the
requirements of the European Commission's directive. For more
information, visit the website of
the Privacy
Commissioner of Canada. The text of the Act may be found at
[1].
Europe
The right to data privacy is heavily regulated and rigidly enforced
in Europe. Article 8 of the
European Convention on Human Rights (ECHR) provides a right to
respect for one's "private
and family life, his home and his correspondence", subject to
certain restrictions. The
European
Court of Human Rights has given this article a very broad
interpretation in its
jurisprudence.
According to the Court's case law the collection of information by
officials of the state about an
individual without his consent always falls within the scope of
article 8. Thus, gathering
information for the official
census, recording
fingerprints and
photographs in a police register,
collecting
medical data or details of personal expenditures and
implementing a system of
personal identification have been judged to raise data privacy
issues. Any state interference with
a person's privacy is only acceptable for the Court if three
conditions are fulfilled:
(1) The interference is in accordance with the law
(2) Pursues a legitimate goal and
(3) Is necessary in a democratic society.
.
The government isn't the only one who might pose a threat to data
privacy, far from it. Other
citizens and private companies most importantly, engage in far more
threatening activities,
especially since the automated processing of data became widespread.
The
Convention for the
Protection of Individuals with regard to Automatic Processing of
Personal Data was concluded
within the
Council of Europe in 1981. This convention obliges the
signatories to enact legislation
concerning the automatic processing of personal data, which many
duly did.
As all the member states of
the European
Union are also signatories of
the European Convention
on Human Rights and the
Convention for the Protection of Individuals with regard to
Automatic
Processing of Personal Data, the
European
Commission was concerned that diverging data
protection legislation would emerge and impede the free flow of data
within the EU zone.
Therefore the European Commission decided to harmonize data
protection regulation and
proposed
the Directive on the protection of personal data, which member
states had to transpose
into law by the end of 1998.
The
directive contains a number of key principles which must be
complied with. Anyone
processing personal data must comply with the eight enforceable
principles of good practice.
They say that data must be:
Fairly and lawfully processed.
Processed for limited purposes.
Adequate, relevant and not excessive.
Accurate.
Not kept longer than necessary.
Processed in accordance with the data subject's rights.
Secure.
Not transferred to countries without adequate protection.
31
Personal data covers both facts and opinions about the individual. It
also includes information
regarding the intentions of the data controller towards the
individual, although in some limited
circumstances exemptions will apply. With processing, the definition
is far wider than before.
For example, it incorporates the concepts of 'obtaining', 'holding'
and 'disclosing'. For more
details on these data principles, read the article about
the directive on the protection of personal
data or visit the
EU data protection page.
All EU member-states adopted legislation pursuant this directive or
adapted their existing laws.
Each country also has its own supervisory authority to monitor the
level of protection.
In the United
Kingdom the
Data Protection Act 1984 was repealed by
the
Data Protection
Act
1998. For details, visit
U.K. data protection
page or read the article about the
Information Commissioner
France adapted its
existing law (law no. 78-17 of
6 January 1978
| | | | | | |
