Deputizing US information security personnel

On 24 November 1998, the large intelligence and military contractor, SAIC, announced a certificate programme for information security personnel. The company also unveiled its Center for Information Security Education. The certificate programme is being offered in conjunction with George Washington University with a follow-on master's degree programme. SAIC and George Washington envisage college and graduate students working on ‘real world’ information security projects, presumably including projects contracted to SAIC by Federal agencies like NSA, CIA, and the Defense Department. Participants in the SAIC/GWU programme will also be invited to take part in blue ribbon panels formed under the aegis of the White House's Critical Infrastructure/ National Information Infrastructure Assurance programmes.     

The Advanced Encryption Standard

In October 2000, the National Institute of Standards and Technology (NIST) announced that the Rijndael algorithm had been selected to be the new Advanced Encryption Standard (AES). NIST’s announcement concluded a three and a half year search process in which fifteen candidate algorithms from twelve countries were evaluated on the basis of security, computational efficiency, algorithm simplicity, and flexibility. The AES will become a Federal Information Processing Standard (FIPS), thereby replacing the aging and obsolete Data Encryption Standard (DES) as the cryptographic algorithm employed by US Government agencies and the private sector to encrypt sensitive information.     

Managed Vulnerability Assessment (MVA) — Improve Security By Understanding Your Own Vulnerabilities!

According to Ernst & Young’s information security survey last year, security remains the biggest inhibitor to companies expanding their E-commerce plans. Such fears are not irrational — some 85% of the US corporate respondents to a Federal Bureau of Investigation/CSI survey last year detected computer security breaches within the last 12 months — and the analyst community believes that Europe is not lagging very far behind in this unenviable league table.     

Applying the common criteria in systems engineering

The National Institute of Standards and Technology has proposed using the common criteria and system-level protection profiles (SLPPs) to specify security requirements in large systems, such as those used in air traffic management. This article summarizes experience with SLPP and security targets for the US Federal Aviation Administration's National Airspace System. The authors review the FAA efforts, highlight the problems encountered, and offer suggestions for future work, calling for more research on linking systems, software, and security requirements engineering with SLPP; clearer ties between security specifications and system certification; and better guidance on the appropriate use of SLPP as a prerequisite to widespread use.     

Bush Administration's Push For Cybercrime Cooperation

US President George W. Bush's top national security advisor recently called for an ‘unprecedented’ partnership with the private sector to defend the nation’s critical computer networks from attack.     

Guest Editors' Introduction: Research in the Digital Government Realm

As they focus on the challenges that those who implement digital government face, computer science researchers practice nearly the entire spectrum of their discipline, working in collaboration with scientists from other disciplines in pursuit of answers to questions about information management, policy, and technology in government. Sidebar, p. 27. An IT View of Emergency ManagementJosé H. Canós, Technical University of Valencia, SpainMarcos R.S. Borges, Federal University of Rio de Janeiro, Brazil Gustavo Alonso, Swiss Federal Institute of Technology Zurich (ETHZ), Switzerland An emergency plan provides guidelines that government agencies can use for making management decisions promptly and efficiently when a critical emergency occurs. Sidebar, p. 28.Public Safety and Cross-Boundary Data Sharing: Lessons from the CapWin ProjectChristine B. Williams, Janis L. Gogan, and Jane Fedorowicz, Bentley CollegeThe CapWIN project represents one of the first integrated multistate transportation and public safety wireless networks in the US, enabling data interoperability for first responders wherever they are. Sidebar, p. 29.In the Real World of Digital Government: Successes and Challenges of E-RulemakingNeil Eisner, US Department of TransportationThe government currently uses electronic technology in all aspects of the e-rulemaking process, and it is working to develop additional methods that will help the public provide good data to use in making governmental decisions. Sidebar, p. 30.Research Issues in Healthcare InformaticsSylvia J. Spengler, US National Science FoundationAddressing both citizen needs and professional interests, which will be critical to gaining acceptance of a multifaceted approach to healthcare informatics, requires the kind of multifaceted approach that has been a hallmark of the NSF digital government program.     

Centers of academic excellence: a case study

The US National Security Agency's Centers of Academic Excellence (CAEs) in Information Assurance Education program is in its seventh year, and 59 educational institutions have received the coveted "CAE" designation. The program was originally designed to jump-start education of an information security workforce by providing incentives to academic institutions to form information assurance programs and to students by providing scholarships. It has since been augmented by scholarship programs from the US National Science Foundation and the US Department of Defense. Several hundred graduates from these scholarship programs are already in the federal workforce. Indeed, information security and assurance has quickly become an important topic in computer science departments worldwide, with increasing numbers of information security specialists earning associate, undergraduate, masters, and doctoral degrees in the subject     

The first fraud settlement

In its first Y2K-related case, the US Federal Trade Commision (FTC) and a Canadian-based company, National Credit Card Protection (NCCP Ltd.) have reached a $100 000 settlement.     

Hidden assumptions and their influence on clinicians’ acceptance of new IT systems in the NHS

The UK National Health Service (NHS) is embarking on the largest investment programme in Information Technology (IT). The National Programme for IT (NPfIT) in the NHS is the biggest civil IT project in the world and seeks to revolutionise the way care is delivered, drive up quality and make more effective use of resources of the NHS. Despite these high expectations, the NHS has historically experienced some high profile IT failures and the sponsors of the programme admitted that there remain a number of critical barriers to the implementation of the programme. Clinicians’ reluctance to accept new IT systems at a local level is seen to be a major factor in this respect. Focusing on such barriers, this paper reports research that explored and explained why such reluctance occurs in the NHS. The main contribution of this research derives from the distinctive approach based on Kelly’s Personal Construct Theory (PCT) to understand the ‘reluctance’. The argument presented in the paper indicates that such reluctance should be viewed not as deliberate resistance imposed by clinicians, but as their inability of changing their established group personal constructs related to ISDD activities. Therefore, this paper argues that the means that could occur to reduce the ‘reluctance’ are creative rather than corrective or normative. The research took place in a NHS Trust and the paper pays considerable attention to technological, behavioural and clinical perspectives that emerged from the study. The research was conducted as a case study in a NHS trust and data was collected from two local NHS IT project. The main research participants in this study were: (a) IT professionals including IT project managers and senior IT managers; and (b) senior clinicians.     

Security, wiretapping, and the Internet

In a move that is dangerous to network security, the US Federal Bureau of Investigation is seeking to extend the Communications for Law Enforcement Act to voice over IP. Such an extension poses national security risks.     

US national lab fights viruses

Sandia National Laboratories already lists the fastest computer in the world (ASCI Red) and the fastest home-assembled computer in the world (C-Plant) among its credentials. Now, the people at Sandia’s US Department of Energy National Security Laboratory are turning their attention toward another arena: developing an intelligent software agent capable of defending against network hackers and computer viruses.     

The Golden Circle: a way of arguing and acting about technology in the London Ambulance Service

This paper analyses the way in which the London Ambulance Service recovered from the events of October 1992, when it implemented a computer-aided despatch system (LASCAD) that remained in service for less than 2 weeks. It examines the enactment of a programme of long-term organizational change, focusing on the implementation of an alternative computer system in 1996. The analysis in this paper is informed by actor-network theory, both by an early statement of this approach developed by Callon in the sociology of translation, and also by concepts and ideas from Latour's more recent restatement of his own position. The paper examines how alternative interests emerged and were stabilized over time, in a way of arguing and acting among key players in the change programme, christened the Golden Circle. The story traces 4 years in the history of the London Ambulance Service, from the aftermath of October 1992 through the birth of the Golden Circle to the achievement of National Health Service (NHS) trust status. LASCAD was the beginning of the story, this is the middle, an end lies in the future, when the remaining elements of the change programme are enacted beyond the Golden Circle.     

Japanese government acts on hacker attacks

Computer systems at Japan’s Science and Technology Agency (JSTA) have recently suffered two hacker attacks — only days after Japanese officials had determined to bring the country’s computer systems up to US security standards by 2003.     

Coordinating for Contingencies: Taking Stock of Post‐9/11 Homeland Security Reforms

Over a decade after September 11, American citizens are still asking themselves: ‘how much safer are we today?’ This question is also pertinent for scholars seeking to understand the post‐September 11 homeland security reforms. This paper, drawing on the public administration literature and using Don Kettl's ‘contingent coordination’ framework, sets out to discuss how well these efforts have addressed the central coordination challenges posed by homeland security. In doing so, it makes two contributions: one methodological (e.g., operationalizing the contingent coordination framework) and one empirical (e.g., assessing the effectiveness of post‐9/11 homeland security reforms). The paper concludes with an overall assessment of how to find ways to further strengthen the capacity of the US homeland security system.     

A novel approach to manage cloud security SLA incidents

Cloud computing is increasingly playing an important role in the service provisioning domain given the economic and technological benefits it offers. The popularity of cloud services is increasing but so are their customers’ concerns about security assurance and transparency of the Cloud Service Providers (CSPs). This is especially relevant in the case of critical services that are progressively moving to the cloud. Examples include the integrated European air traffic control system or public administrations through the governmental clouds. Recent efforts aim to specify security in cloud by using security service level agreements (secSLAs). However, the paucity of approaches to actually control the fulfillment of secSLAs and to react in case of security breaches, often results in distrust in cloud services. In this paper, we present a solution to monitor and enforce the fulfillment of secSLAs. Our framework is able to (a) detect occurrences that lead to unfulfillment of commitments, and (b) also provide mitigation to the harmful events that may or do compromise the validity of secSLAs.     

US Government agencies struggle at patch management

US Federal Government agencies are failing to tackle security patch management adequately, despite being a high profile target and widespread fears of a cyber-terrorist attack, according to the Congressional watchdog.     

基于SAML的单点登录技术研究

对于Web服务的发展,安全是一个重要课题,安全声明标记语言SAML提供了基于属性的身份认证,可令不同类型的安全服务系统之间实现交互。文章阐述了SAML的主要内容,讨论了SAML实现SSO的两种认证授权方式和一个具体实现实例JSAML,最后对SAML的安全性进行了分析。     

Bank EDP Audit Group Formed

Abstract

PC Taming: The Audit And Control Of Microcomputers: A Guide To IBM-PC Compatibles For Auditors, Managers And Those Interested In Discovery, 2nd Edition, by M. J. A. Parkinson and R. G. Paul. Institute of Internal Auditors and EDP Auditors Association, Australia (c/o Frank Bowles, GPO Box 2601, Canberra City Australia 2601. Fax: 011-616-275-3320.) 1989, 204 pp; in looseleaf binder with 2 microcomputer diskettes. Price: A$35.00 in Australia; A$54.50, elsewhere, including postage; payable in Australian funds. (Allow eight days for standard airmail shipment travel between Australia and the continental US.)

The Virus Control Handbook: A Technical Guide to Detection, Identification, Disinfection, and Investigation, by Robert V. Jacobson. International Security Technology (Suite 3200, 515 Madison Avenue, New York NY 10022), 1990, 83 pp, virus cross reference, bibliography. Price: $39.95 in the US; $50.95 elsewhere; payable in US funds.

US Department of Energy Risk Assessment: Volumes 1 and 2. US National Institute of Standards and Technology Interagency Report 4325. 409 pp, 1990; glossary, bibliography. Price: $23.00, US, Canada, and Mexico, payable in US funds; elsewhere, inquire.

US Department of Transportation Automated Information Systems Security Accreditation Guidelines. US National Institute of Standards and Technology Interagency Report 4378. 1990, 48 pp. Price: $15.00, US, Canada, and Mexico, payable in US funds; elsewhere, inquire.

US Department of Justice Simplified Risk Analysis Guidelines. US National Institute of Standards and Technology Interagency Report 4387. 1990, 60 pp. Price: $17.00, US, Canada, and Mexico, payable in US funds; elsewhere, inquire. Source for all three: US National Technical Information Service (5285 Port Royal Road, Springfield VA 22161). Fax: (703) 321-8547.     

Outsourcing of IT services threatens Australia's security

Australian Government plans to contract out information technology services could compromise national security, a defense expert at the Australian National University (ANU) has warned. In April, the Government said that it would put out to tender Federal Government infrastructure, including computer mainframes and desktop equipment in a bid to improve cost efficiency.