Similar literature
20 similar articles found (search time: 755 ms)
1.
Abstract

In the previous article, “Preparing for Health Care Legislation,” we established the need for Health Care security concerns and emphasized an enterprise approach to properly, effectively, establishing security for Electronic Medical Records (EMRs). In this article we present a technical architecture addressing Health Insurance Portability and Accountability Act (HIPAA) of 1996.

2.
Abstract

Several sections of the Sarbanes-Oxley Act of 2002 (SOX) directly affect the governance of the information technology (IT) organization, including potential SOX certification by the chief information officer, Section 404 internal control assessments, “rapid and current” disclosures to the public of material changes, and authentic and immutable record retention. The Securities and Exchange Commission (SEC) requires publicly traded companies to comply with the Treadway Commission's Committee of Sponsoring Organizations (COSO) that defines enterprise risk and places security as a critical variable in enterprise risk assessment. Effective IT and security governance are examined in terms of SOX compliance. Motorola IT security governance demonstrates effective structures, processes, and communications; centralized security leaders participate with Motorola's Management Board to create an enabling security organization to sustain long-term change.

3.
ABSTRACT

Information sharing and collaboration on critical infrastructure protection efforts are major drivers of interest for national security, law enforcement, first responders, and environmental regulators. Critical infrastructure protection information, as stated in the U.S. Patriot Act, are “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health, or any combination of those matters.” Due to the unique, blended nature among customers, suppliers, and contractors within the aerospace and defense industry, a secure method for collaboration is a critical issue that requires remediation.

4.
ABSTRACT

The purpose of this article is to inform and educate the Information Security (IS) professional about some of the key/fundamental tenets of Sarbanes-Oxley (SOX), especially in the context of Confidentiality, Integrity and Availability of information, the three cornerstones of every security initiative. The focus is on such Sections of the Act as 404 (Internal Controls), 302 (Management Certifications), 806 (Whistleblower Protections), 409 (Real Time Disclosures), 802 (Alteration of Documents), amongst others. The purpose is to develop an appreciation and understanding of IS requirements and implications of SOX, and likewise to better understand how SOX can provide a basic roadmap for IS that every professional, department and organization may be able to use.

5.
SUMMARY

Library service for distance education necessitates knowledge of important new regulations that were enforced by recent amendments to copyright law. This article begins with an overview of the copyright law of 1976 related to nonprofit educational institutions. Then the Digital Millennium Copyright Act (DMCA) of 1998 and the Technology, Education and Copyright Harmonization Act (TEACH Act) of 2002 are discussed. These acts, which amended the Copyright Act of 1976, require more rigorous measures by nonprofit educational institutions to ensure compliance. The article concludes with how to avoid copyright infringement and the necessity to educate library personnel about copyright law.

6.
Abstract

On October 12, 1998, the U.S. Congress passed the controversial Digital Millennium Copyright Act (DMCA), ending many months of negotiations. President Clinton signed the Act into law on October 28. The DMCA made major changes in U.S. copyright law to address new issues created by the Internet and other new technologies. The Act also amended U.S. copyright law to comply with the World Intellectual Property Organization (WIPO) Copyright Treaty adopted at the WIPO Diplomatic Conference in December 1996.

7.
ABSTRACT

In the wake of undiscovered data breaches and subsequent public exposure, regulatory compliance and security audit standards are becoming more important to protecting critical assets. Despite the increase in the number of data breaches via illicit means, internal controls seem to fail when it comes to the assurance that critical assets remain uncompromised. According to the Identity Theft Resource Center, 336 breaches have been reported in 2008 alone, 69% greater than this time last year (Identity Theft Resource Center, 2008, July 15, IRTC 2008 Breach List). This is a concern for security teams, especially since a lack of dedicated resources exists to combat and revert this trend.

This is significantly important to take into consideration when going through the formal audit process to certify adherence to Sarbanes-Oxley (SOX), Gramm-Leach-Bliley (GLBA), Payment Card Industry (PCI), or the Health Insurance and Portability and Accountability Act (HIPAA). With the significant increase in data exposure corporations cannot afford to take shortcuts when it comes to information assurance. Otherwise it is almost certain that one will become a victim of a serious exposure of sensitive information. This paper will explore the several disconnects between established and accepted security audit framework and the variable of hidden infections.

8.
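Objective: With the rapid development of handheld mobile devices and the arrival of the big-data era, research and applications centered on multimedia data, such as visual search, have attracted wide attention. The compression, storage and transmission of local feature descriptors play a pivotal role in them. To this end, an efficient compact representation of visual local features is proposed within the traditional image/video compression framework, so that traditional content coding can meet a broad range of retrieval and analysis needs. Methods: To obtain a compact, discriminative and efficient local feature representation, a multi-reference prediction mechanism is first introduced; while removing spatio-temporal redundancy, it also removes the redundancy between texture and features by making full use of information from video texture coding. In addition, a new rate-distortion optimization method, rate-accuracy optimization, is proposed so that the performance of matching/retrieval-based applications is optimal. Results: Validation experiments on different datasets, compared with the latest video local descriptor compression framework, show that the proposed method significantly reduces the bits consumed by features while maintaining matching and retrieval performance, reaching a compression ratio of about 150:1. Conclusion: The proposed method suits the traditional image/video coding framework; by embedding a small amount of feature information in the bitstream it achieves efficient retrieval performance, and it is a new multimedia content coding framework for retrieval and other smart-device applications.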

9.
ABSTRACT

The term ‘smart cities’ is contested: its interpretation is becoming ever broader, often to accommodate commercial interests. Since cities are made up of individuals, all of whom are guided by their own world views and attitudes, the residual question is not ‘what should we do?’ but ‘how should we do it and how should we encourage and enable everyone to join in?’ By exploring the ways that gamification can be used to understand the effects of ‘smart initiatives’ on cities and their operation, it was concluded that gaming has considerable potential to affect individual and societal practices by profoundly influencing the gamers themselves, while technology and the game design itself play a central role to how gamification is implemented and used. This paper proposes one way of both creating cities to which citizens aspire and delivering a beneficial change in attitudes and behaviours to make such cities work. We propose that way-finding games should be developed as the most appropriate tools for participation. Designing such serious games with sustainability, resilience and liveability agendas in mind, encouraging widespread citizen participation as gamers, and taking cognisance of the outcomes would lead to both smarter citizens and smarter cities.

10.
Abstract

Spam can be defined as unsolicited e-mail, often of a commercial nature, sent indiscriminately to multiple mailing lists, individuals, or newsgroups. Spoofing (Templeton and Levitt, 2003) is a technique often used by spammers to make them harder to trace. Trojan viruses embedded in e-mail messages also employ spoofing techniques to ensure the source of the message is more difficult to locate (Ishibashi et al., 2003). Spam filters and virus scanners can eliminate only a certain amount of spam and also risk catching legitimate e-mails. As the SoBig virus has demonstrated, virus scanners themselves actually add to the e-mail traffic, through notification and bounceback messages. Simple Mail Transfer Protocol (SMTP) is flawed in that it allows these e-mail headers to be faked and does not allow for the sender to be authenticated as the real sender of the message. If this problem can be solved, it will result in a reduction in spam e-mail messages and more security for existing e-mails, and it will allow e-mail viruses to be tracked down and stopped more effectively (Schwartz and Garfinkel, 1998). This approach is known as “trusted e-mail.”

11.
In order to obtain double encryption via elliptic curve cryptography (ECC) and chaotic synchronisation, this study presents a design methodology for neural-network (NN)-based secure communications in multiple time-delay chaotic systems. ECC is an asymmetric encryption and its strength is based on the difficulty of solving the elliptic curve discrete logarithm problem which is a much harder problem than factoring integers. Because it is much harder, we can get away with fewer bits to provide the same level of security. To enhance the strength of the cryptosystem, we conduct double encryption that combines chaotic synchronisation with ECC. According to the improved genetic algorithm, a fuzzy controller is synthesised to realise the exponential synchronisation and achieves optimal H performance by minimising the disturbances attenuation level. Finally, a numerical example with simulations is given to demonstrate the effectiveness of the proposed approach.

12.
Context: Security in Process-Aware Information Systems (PAIS) has gained increased attention in current research and practice. However, a common understanding and agreement on security is still missing. In addition, the proliferation of literature makes it cumbersome to overlook and determine state of the art and further to identify research challenges and gaps. In summary, a comprehensive and systematic overview of state of the art in research and practice in the area of security in PAIS is missing. Objective: This paper investigates research on security in PAIS and aims at establishing a common understanding of terminology in this context. Further it investigates which security controls are currently applied in PAIS. Method: A systematic literature review is conducted in order to classify and define security and security controls in PAIS. From initially 424 papers, we selected in total 275 publications that related to security and PAIS between 1993 and 2012. Furthermore, we analyzed and categorized the papers using a systematic mapping approach which resulted into 5 categories and 12 security controls. Results: In literature, security in PAIS often centers on specific (security) aspects such as security policies, security requirements, authorization and access control mechanisms, or inter-organizational scenarios. In addition, we identified 12 security controls in the area of security concepts, authorization and access control, applications, verification, and failure handling in PAIS. Based on the results, open research challenges and gaps are identified and discussed with respect to possible solutions. Conclusion: This survey provides a comprehensive review of current security practice in PAIS and shows that security in PAIS is a challenging interdisciplinary research field that assembles research methods and principles from security and PAIS. We show that state of the art provides a rich set of methods such as access control models but still several open research challenges remain.

13.
Of Interest     
《EDPACS》2013,47(7):14-15
Abstract

Over the past few years, cases of miserable failure in corporate governance have shocked the financial world. Enron and WorldCom are just two examples of how a few people in a position of power can cause unprecedented damage to hundreds of thousands of people, including investors, employees, and retirees. Lessons thus learned created a wave of regulations, the most significant being the Sarbanes-Oxley Act of 2002, the first major overhaul in the area of securities since the Securities Exchange Act of 1934.

14.
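Objective: 3D city visualization is the basis of information display for smart cities and plays an important role in conveying city information accurately and in real time. Existing 3D city visualization methods and systems have two limitations: first, their data models are not suited to displaying massive numbers of buildings; second, they render the whole city in a single style, and because buildings are similar in texture, structure, height and other features, the rendered result easily causes visual confusion. An online 3D city visualization technique based on human perception theory is therefore proposed. Methods: In the preprocessing stage, the system uses a building generalization algorithm to build a multi-resolution representation of the 3D city's buildings; at run time, the system adaptively selects the corresponding level of each building for display according to user interaction. Results: The system was tested on several 3D city datasets, and the experiments show that it effectively improves 3D city rendering efficiency. For the 5 530 buildings of the city of Leverkusen, rendering reaches 19.4 frames/s. Conclusion: The perception-based multi-resolution representation of 3D cities effectively improves the display efficiency of the 3D city system and the efficiency with which users obtain information, and also improves users' interaction efficiency.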

15.
ABSTRACT

Repeated outbreaks of E. coli and other food poisonings call attention to the need for fast, accurate tracing capabilities to identify sources of contamination and track contaminated foods to their destinations. Concerns about biological agents contaminating food or beverages led to the U.S. Bioterrorism Act of 2002. This Act requires those in the food supply chain to identify the immediate previous source (“one-back”) of all food received and the immediate subsequent recipient (“one-up”) of all food released, but recordkeeping remains seriously inadequate. In this article, we examine the role of radio frequency identification (RFID) in electronic record management (ERM) to improve supply chain operations and responses to public health crises.

16.
17.
Intelligent advertising (total citations: 1, self-citations: 0, citations by others: 1)
Digital media is getting smarter. Home electrical goods are getting smarter. This article explores how one aspect of content is beginning to reflect this—digital advertising. It is becoming increasingly important for advertisers to target consumers as individuals and in communities of interest rather than by demographic. This article explores the impact of smart systems and artificial intelligence (AI) on advertising and examines different approaches to creating intelligent and smart content and how behaviour is fast becoming the guiding principle for new content forms.
Richard Adams

18.
Context: Cloud computing is a thriving paradigm that supports an efficient way to provide IT services by introducing on-demand services and flexible computing resources. However, significant adoption of cloud services is being hindered by security issues that are inherent to this new paradigm. In previous work, we have proposed ISGcloud, a security governance framework to tackle cloud security matters in a comprehensive manner whilst being aligned with an enterprise’s strategy. Objective: Although a significant body of literature has started to build up related to security aspects of cloud computing, the literature fails to report on evidence and real applications of security governance frameworks designed for cloud computing environments. This paper introduces a detailed application of ISGCloud into a real life case study of a Spanish public organisation, which utilises a cloud storage service in a critical security deployment. Method: The empirical evaluation has followed a formal process, which includes the definition of research questions previously to the framework’s application. We describe ISGcloud process and attempt to answer these questions gathering results through direct observation and from interviews with related personnel. Results: The novelty of the paper is twofold: on the one hand, it presents one of the first applications, in the literature, of a cloud security governance framework to a real-life case study along with an empirical evaluation of the framework that proves its validity; on the other hand, it demonstrates the usefulness of the framework and its impact to the organisation. Conclusion: As discussed in the paper, the application of ISGCloud has resulted in the organisation in question achieving its security governance objectives, minimising the security risks of its storage service and increasing security awareness among its users.

19.
Context: Passive testing is a technique in which traces collected from the execution of a system under test are examined for evidence of flaws in the system. Objective: In this paper we present a method for detecting the presence of security vulnerabilities by detecting evidence of their causes in execution traces. This is a new approach to security vulnerability detection. Method: Our method uses formal models of vulnerability causes, known as security goal models and vulnerability detection conditions (VDCs). The former are used to identify the causes of vulnerabilities and model their dependencies, and the latter to give a formal interpretation that is suitable for vulnerability detection using passive testing techniques. We have implemented modeling tools for security goal models and vulnerability detection conditions, as well as TestInv-Code, a tool that checks execution traces of compiled programs for evidence of VDCs. Results: We present the full definitions of security goal models and vulnerability detection conditions, as well as structured methods for creating both. We describe the design and implementation of TestInv-Code. Finally we show results obtained from running TestInv-Code to detect typical vulnerabilities in several open source projects. By testing versions with known vulnerabilities, we can quantify the effectiveness of the approach. Conclusion: Although the current implementation has some limitations, passive testing for vulnerability detection works well, and using models as the basis for testing ensures that users of the testing tool can easily extend it to handle new vulnerabilities.

20.
ABSTRACT

There is no shortage of articles describing the nature of blogs and RSS feeds and their potential use in libraries. However, articles describing the implementation and evaluation of RSS for library current awareness services and the lessons learned along the way are harder to find. This case study relates the experience of implementing an RSS feed-based current awareness service in a small special library in Canada, and the preliminary uptake and feedback of the staff it serves.
