Similar literature (20 records)
1.
A business information security course's goals and objectives are quite different from most traditional security courses, which focus on designing and developing new security technologies. Business information security primarily concerns the strategic, tactical, and operational management issues surrounding the planning, analysis, design, implementation, and maintenance of an organization's information security program. Core issues include asset valuation, auditing, business continuity planning, disaster recovery planning, ethics, organizational communication, policy development, project planning, risk management, security awareness education and training, and various legal issues such as liability and regulatory compliance. Because businesses can't afford to mitigate all security risks, students must learn methods to identify and justify the optimal amount of expenditures to ensure that their information assets are sufficiently protected. Students should also understand the technical components of security so they can appreciate the problems experienced by the people they manage. This paper describes my experiences in developing a business information security course that provides students the knowledge and experience to succeed in today's competitive information-intensive corporate environment.

2.
Information technology organizations within most corporations are spending significant time and resources securing IT infrastructure. This increased need for security is driven by a number of factors. These factors include increased dependency on the Internet, financial and legal liability, protection of personal identity information and sensitive corporate data, increased numbers and age of legacy systems with limited vendor support, deploying complex systems, and new regulations governing corporate transactions. There are a number of technologies on the market today that can mitigate most of these security factors. However, managers in IT organizations need to identify potential future threats and security technologies to assess and potentially mitigate risk through the deployment of those technologies. This article investigates three areas critical to the successful deployment and securing of information technology.

3.
Zheng Yi. Information Security and Technology (信息安全与技术), 2012, 3(10): 56-58, 62
Once a user has obtained, by legitimate or illegitimate means, access rights to digital documents in an enterprise information system, they can pass them on to others without restriction by downloading, copying, or transmitting them over the network, leading to the leakage of enterprise secrets; this creates a sharp tension between sharing and confidentiality. Integrating a document security management system built on DRM technology is a fast and effective solution for the confidentiality and integrity of information stored by networked enterprises. This paper analyzes the current state of, and the problems in, the information security of unstructured enterprise digital documents, studies the technical principles of using DRM to protect digital documents against leakage in both online and offline use, and proposes an embedded architecture design that integrates, through secondary development, a professional DRM-based confidential document protection product into an enterprise's existing information system.

4.
Reisman, S. IT Professional, 2005, 7(2): 5-6
By necessity, corporate computing environments heavily restrict users in an attempt to limit corporate legal liability and to control cost and maintenance efforts. Academia, on the other hand, has long tolerated wide-ranging capabilities for users, all in the name of academic freedom. If corporations want employees to use technology creatively, it seems as if they should take a lesson or two from academia.

5.
IT Professional, 2002, 4(1): 41-48
The security of computer systems is a very hard and complex problem. IT staffers who apply security patches or use layered approaches have lulled themselves into a false sense of security. This perceived security is illusionary at best and destructive in the extreme. True security will increasingly require the use of hardened servers and guards. Defense in depth with distributed guards serving as penetration detectors and reporting attacks on corporate systems provides strong protection against both external and internal attackers. This strategy lets system managers minimize damage and greatly improve the recovery of damaged systems and data. Corporations that choose not to appropriately secure their systems will likely regret it. In the future, companies will probably face liability for third-party losses that arise from system compromises.

6.
Hungary's Electronic Signature Act (ESA) became effective in 2001 and provides for legal recognition of electronic signatures (e-signatures) and electronic documents. Electronic documents and e-signatures are presumed to be admissible evidence in court and may not be challenged successfully based on the mere fact of their electronic form. An electronic document signed with an e-signature is deemed to be in compliance with a statutory requirement for a handwritten signature on a paper document. However, the ESA excludes family-related documents (e.g., marriage certificates and divorce decrees), and those documents must continue to be in paper form to have legal validity. Also, consumers are not obligated to accept the electronic form; if a consumer objects, a business firm must use paper documents. Hungarian government departments may elect to issue or accept electronic documents. Although all types of e-signatures are recognized, the digital signature enjoys most-favored status because it utilizes cryptographic methods resulting in a heightened degree of reliability and security. The ESA provides for the licensure of certification authorities (CAs). In order to get a CA license, an applicant applies to the Hungarian Communications Inspector (Authority) and must meet financial and knowledge requirements and not have a prior criminal record. The principal duties of CAs are to issue certificates to successful applicants and confirm the authenticity and integrity of e-signatures (and the electronic documents to which they are attached) to relying third parties. Before issuance of the certificate, the CA must confirm the identity of the applicant and ensure that all information received on the application is accurate. The CA is responsible for maintaining the security of all information that it receives from the applicant. 
For a CA to issue a 'qualified' certificate it must comply with higher security standards; the only type of e-signature that can meet these standards is the digital signature. When a qualified certificate is issued, the subscriber will be given the private key that will enable them to 'sign' electronic documents. CAs must maintain a publicly accessible repository of certificates and public keys that can be used to decrypt a subscriber's message. A CA may incur legal liability for publishing a certificate with inaccurate information or for issuing a private key that does not have an interactive relationship with its public key. The ESA provides for legal recognition of certificates issued by CAs in foreign countries if the foreign CA meets one of the five criteria.

7.
Recently, security vulnerabilities and fraudulent transactions have increased simultaneously with the rise in the use of smart mobile handsets for electronic transactions. Also, the governing liability rule on disputes arising from security breaches is becoming a practical issue as users get accustomed to doing transactions using various smart and intelligent computing devices in ubiquitous computing environments. Although there have been debates in the law and computer science literature, there has been little research on legal issues in comparison with the amount of research on technical issues for electronic transactions. This paper analyzes how a burden of proof can play a role in preventing fraudulent transactions and investigates how it is related to firms' investments in security.

8.
Increasingly, new regulations are governing organizations and their information systems. Individuals responsible for ensuring legal compliance and accountability currently lack sufficient guidance and support to manage their legal obligations within relevant information systems. While software controls provide assurances that business processes adhere to specific requirements, such as those derived from government regulations, there is little support to manage these requirements and their relationships to various policies and regulations. We propose a requirements management framework that enables executives, business managers, software developers and auditors to distribute legal obligations across business units and/or personnel with different roles and technical capabilities. This framework improves accountability by integrating traceability throughout the policy and requirements lifecycle. We illustrate the framework within the context of a concrete healthcare scenario in which obligations incurred from the Health Insurance Portability and Accountability Act (HIPAA) are delegated and refined into software requirements. Additionally, we show how auditing mechanisms can be integrated into the framework and how auditors can certify that specific chains of delegation and refinement decisions comply with government regulations.

9.
The technology to create secure digital signatures is proven and workable on PC-level hardware, as well as on mainframes. The issues currently restraining widespread use of digital signatures are primarily legal. This tutorial survey first identifies the functions a digital signature should ideally perform by tracing an example Internet-based electronic business transaction. After an overview of the technology that provides the required functionality, this article presents the current legal status of digital signature use, including a number of unresolved liability issues, and summarizes some precautions for digital signature use.

10.
In this paper a number of requirements for the corporate user of digital signature technology have been identified. These appeared at first sight to be demanding security controls and usability requirements over and above those assumed of normal signature systems. However, once the requirements were fully analyzed, an approach was described which not only met the additional requirements, but did so while at the same time reducing the likely implementation cost, by reducing the burden placed on the smartcard, and increasing the effective performance by delegating signature processing to a shared server. This approach therefore appears to be unique in raising levels of security, usability and performance while at the same time reducing potential implementation costs and adhering to external standards. It should therefore be of extreme interest to all corporate users who wish to enter the world of electronic commerce backed by digital signatures and non-repudiation.

11.
Unquestionably, the proliferation of mobile devices has dominated the mainstream in contemporary ubiquitous wireless networks. Unfortunately, the misappropriation of those state-of-the-art gadgets has resulted in unprecedented information security issues in the next-generation cyberspace security arena. This paper illustrates the essence of generic procedures to provide probative digital evidence for a typical Gmail Chat session in connection with the IE browser under different scenarios. When computer-related information security issues arise with regard to the company, the corporate information incident response team should be able to disclose and preserve the evaporating digital trails by following the right procedures, to counter the volatile nature of such evidence. Furthermore, the design of the experiments in the paper identifies four cases to demonstrate the feasibility, availability, reliability, and traceability among them, which are essential for corporate information security staff to consider seriously as mushrooming cyber crimes burgeon unknowingly and hastily in an unparalleled manner. The organizations might have to scrutinize the negligible digital trails with cognitive expertise instead of relying entirely on public-sector law enforcement agencies, due to time constraints, publicity concerns, or minor computing resource policy violations unwarily committed by employees.

12.
Voas, J. IT Professional, 1999, 1(1): 71-72
Is your company scrambling to assess its legal and financial vulnerability from online transactions or the Y2K problem? If so, you should know that insurance companies are now tentatively dipping into the waters of software liability. Amidst predictions of huge corporate liabilities and despite reports to the contrary, insurers are offering some coverage. Often, however, the coverage either does not completely protect business holdings or comes with hefty premiums. The availability of even limited, expensive coverage is a trend worth watching. To provide insurance, insurers must be able to accurately predict future disasters.

13.
The liberalization of different markets which are liable to legal metrology accelerates the need for transferring measuring data over open networks. This increases the involvement of communication technology in measuring systems and raises new security threats in legal metrology. The goal of the SELMA (Secure ELectronic Measurement dAta exchange) project is to create technical procedures according to legal requirements which ensure the secure transfer of measured energy data from decentralized meters to the authorized users via open networks. This paper gives an overall view of the research project SELMA and the developed concepts and technologies. The security architecture is presented and the standards and interfaces are described which were specified and afterwards used to implement and deploy a large-scale field trial. SELMA has developed a security architecture to establish trust in the electronic transfer of data from the meter to data acquisition systems and further to the customers. The introduced security mechanisms are based on asymmetric cryptography and more specifically on digital signatures that enable the signed measurement data to be verified and authenticated in conjunction with a suitable key management. Particular security units have been created that contain the necessary security mechanisms. The SELMA architecture represents a best practice solution of strong cryptographic mechanisms to secure a wide range of metrology applications and is compatible with appropriate European directives and guidelines.

14.
Information security has become increasingly important to organizations. Despite the prevalence of technical security measures, individual employees remain the key link, and frequently the weakest link, in corporate defenses. When individuals choose to disregard security policies and procedures, the organization is at risk. How, then, can organizations motivate their employees to follow security guidelines? Using an organizational control lens, we build a model to explain individual information security precaution-taking behavior. Specific hypotheses are developed and tested using a field survey. We examine elements of control and introduce the concept of 'mandatoriness,' which we define as the degree to which individuals perceive that compliance with existing security policies and procedures is compulsory or expected by organizational management. We find that the acts of specifying policies and evaluating behaviors are effective in convincing individuals that security policies are mandatory. The perception of mandatoriness is effective in motivating individuals to take security precautions; thus, if individuals believe that management watches, they will comply.

15.
We define technical responsibility management as the organized fulfillment of all the legal and other responsibilities connected with the use of technical means of production and installations in an enterprise. To act in a legally responsible manner even under the condition of permanently changing regulations, and to produce cost efficiency at the same time, a responsibility management system (RMS) is presented, a system that, as it were, automates and rationalizes the fulfillment of all liabilities valid at the time. All existing installations in the enterprise, as well as all relevant legal provisions, are represented in adequate form by experts and, resulting from this, software determines optimized schedules that also take into account additional secondary operational conditions. Internet/intranet technology even permits complete outsourcing. RMSs heighten the safety level in the enterprise, provide legal security, and open up hitherto inaccessible savings potentials. The author pleads for the OECD principles for good "Corporate Governance Systems (Management and Controlling)" to demand the future introduction of RMSs. © 2003 Wiley Periodicals, Inc. Hum Factors Man 13: 253–259, 2003.

16.
With the deepening development of information technology and the continual improvement of cybersecurity laws and regulations, the importance of information security and network security keeps rising. Universities, as institutions with an extremely high density of personnel, hold very large and complex volumes of data, and the information security problems arising during data transmission and use have become increasingly prominent. On the basis of an analysis of the importance of personnel information security and the forms that information security risks take, and drawing on the practices of different universities in personnel information security work, this paper explores the problems in university personnel information security and their causes at both the management and the technical level, with the aim of establishing a long-term mechanism for personnel information security management, creating a healthy network ecosystem for personnel information, supporting the effective advancement of personnel management work, and providing a reference for the information security of university faculty and staff.

17.
Industry analysts estimate that billions of dollars in lost revenue are attributable to employee Internet abuse. Trends also suggest that lost job productivity and corporate liability have emerged as new workplace concerns due to the growth of new online technologies and mobile computing. Such employee Internet misuse creates new management dilemmas about how to respond to incidents of misuse, and it also poses network security risks and drains network bandwidth. Within an organization, it is imperative to ensure that employees are using computing resources effectively and appropriately. Building on the previous literature in the field, this paper proposes a revised framework to manage employee Internet abuse. The former model did not account for new digital media and recommended screening applicants for Internet addiction, using more of a clinical test than a job performance test. This new model describes both prevention and intervention methods to address incidents of online misuse in the workplace and refocuses hiring decisions into post-employment training. It also examines the new hiring concerns with the new iGeneration of college graduates and how organizations should best utilize acceptable Internet use policies, with clear methods of Internet monitoring, to enforce workers' compliance with company policies. This paper also discusses the potential benefits of rehabilitation approaches to manage employees who abuse Internet access instead of terminating them, to decrease job turnover and improve job retention. Implications for current management practices are also discussed.

18.
Enterprise information security management is one of the main components of modern enterprise management. The author analyzes and discusses the problems that exist in current enterprise information security from the perspectives of information systems, the enterprise's departments, and the personnel involved, and proposes countermeasures for safeguarding enterprise information security and optimizing the information management system.

19.
Mead, N.R. Computer, 2004, 37(7): 27-34
A survey of security-related liability issues shows that as data crime increases and the costs of hacking and other malicious behavior soar, vendors must make their software more secure or suffer market and legal consequences. The notion of liability for insecure computer systems has shifted. We have seen both the enactment of legislation affecting liability and the appearance of actual liability cases in the courts. For many years, computing professionals have debated the topic of liability for insecure systems.

20.
Carver, D.L. IEEE Software, 1988, 5(3): 87-93
The author discusses the legal issues that are involved in software protection. She discusses the legal actions open to users who get a system that does not perform as expected and have exhausted all remedies that do not involve litigation. She examines how the law treats software, covering liability limitations and court actions regarding fraud or misrepresentation as well as injury and damage caused by software. The author discusses the inadequacy of current laws and offers recommendations for remedying the situation.
