Similar documents
Found 20 similar documents; search took 609 ms.
1.
In recent years, company budgets for eliminating security problems or mitigating security risks have been raised dramatically, but the number of incidents on computer systems in intranets or on the Internet is still increasing. Many researchers have proposed isolating the computers that store sensitive information, to prevent information on these computers from being revealed or vulnerabilities on these computers from being exploited. However, there are few materials available for implementing network isolation. In this paper, we define ways of network isolation, “physical isolation” and “logical isolation”. In ISO-17799, there is no implementation guidance for practicing network logical isolation but auditing network physical isolation. This paper also provides implementation guidance for network isolation in two aspects. One is the technical viewpoint. The other is the management viewpoint. These proposed implementation outlines and security measures will be considered in revising the security plan, “The Implementation Plan for Information Security Level in Government Departments” [“The implementation plan for information security level in government departments,” National Information and Communication Security Taskforce, Taiwan R.O.C., Programs, Jul. 20 2005].

2.
On 13 May 1999, Georgia Republican Congressman Bob Barr successfully introduced an amendment to the Intelligence Authorization Act that would require the Department of Justice, the National Security Agency (NSA), and the CIA to provide to the Congress oversight information on America's international eavesdropping of telecommunications. Within 60 days of the amended Bill's enactment a report must be made to Congress setting forth the legal basis and procedures whereby the intelligence community gathers communications intelligence. The amendment is specifically directed at the international communications surveillance system known as Project ECHELON.

3.
The National Security Agency (NSA) will release approximately 5,000 pages of Army Security Agency (ASA) histories from the period 1945–1963.

4.
Journal of Automated Reasoning - The Tokeneer project was an initiative set forth by the National Security Agency (NSA, USA) to be used as a demonstration that developing highly secure systems can...

5.
6.
“Are those in opposition to the administration's [encryption] policy prepared to sacrifice public safety in the interests of commercial gain?” Those words, uttered by Deputy Assistant Attorney General Robert Litt, would etch themselves in the minds of those who attended the 7 May 1977 House International Economic Policy and Trade hearing on “Encryption: Individual Rights vs National Security”. The hearing was held to consider Representative Bob Goodlatte's liberalized encryption export bill.

7.
According to knowledgeable sources, hearings by the US House of Representatives Government Reform Committee on potential communications surveillance illegalities by the National Security Agency (NSA) will not be held until April 2000, at the earliest.

8.
Abstract

A nearly classic symptom of ineffective Security Programs is the annual security review conducted by outside consultants that only resurrects last year's problems with new report covers and a new invoice. All too often, consultants hear clients saying, “…oh yeah, the other consultant we had said the same thing.”

9.
According to several documents provided to the Electronic Privacy Information Center (EPIC) in Washington, DC, USA, the National Security Agency (NSA) is encouraging civilian agencies of the US Government to utilize its computer security services, including risk and threat assessments. According to knowledgeable officials in Washington, this is in blatant contravention of the Computer Security Act, which assigns such responsibilities to the National Institute of Standards and Technology (NIST).

10.
“What would you do if you were stuck in one place, and every day was exactly the same, and nothing you did mattered?” Phil Connor, Ground Hog Day
“That about sums it up for me,” answered Ralph, and I’m sure most system administrators, information system security officers (ISSOs), physical security, operations security, and other security professionals would agree. Everybody takes them for granted, until the network goes down or applications can’t be used. And that’s the problem: a totally wrong perception of what’s required for the serious business of properly doing full spectrum security. Security is not something extra. Security is a normal part of doing business.

11.
The Internet community all over the world is showing growing interest in the subject of information security and anonymity on the Internet, especially after the revelations of Edward Snowden, when mass spying by certain organizations (such as the US National Security Agency) on Internet users, companies, political organizations, etc. became known. This led to the active development of various anonymous networks, VPN services, proxies, etc. The aim of this article is to review popular methods of providing Internet anonymity, compare them, and discover their benefits and disadvantages.

12.
Abstract

The information security industry has finally developed and published standards. This article examines each of the ten areas identified in the standards document, ISO 17799, and identifies key points the security professional should address in his or her security program. While there are other standards (BS 7799, ISO/TR 15369), this article concentrates on the recommendations of the International Standard ISO/IEC 17799:2000, “Information Security Management, Code of Practice for Information Security Management.” The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) form a specialized system on worldwide standardization. National bodies that are members of ISO and IEC participate in the development of international standards through technical committees. The United States, through the American National Standards Institute (ANSI), is the secretariat. Twenty-four other nations (Brazil, France, United Kingdom, China, Democratic People's Republic of Korea, Czech Republic, Germany, Denmark, Belgium, Portugal, Japan, Republic of Korea, the Netherlands, Ireland, Norway, South Africa, Australia, Canada, Finland, Sweden, Slovenia, Switzerland, New Zealand, and Italy) have participant status and 40 other nations are observers.

13.
Training for information assurance   Cited by: 1 (self-citations: 0, citations by others: 1)
Welch D., Ragsdale D., Schepens W. Computer, 2002, 35(4): 30-37
In 2001, cadets from three military institutions built networks and defended them against a week of attacks led by the National Security Agency. The trial-by-fire exercise, which repeats in 2002, is a step toward preparing future network designers and administrators to think more strategically.

14.
At a 27 October news conference, the National Research Council (NRC) unveiled a study called ‘Trust in Cyberspace’ commissioned by the NSA and the Defense Advanced Research Projects Agency (DARPA). The study, by the Committee on Information Systems Trustworthiness, a panel composed of several leading industry specialists and academics, concluded that all the work done heretofore by NSA, the Communications Security Establishment (CSE) of Canada, and a group of four European countries on information security standards has been largely fruitless.

15.
ABSTRACT

Care managers play a key role in coordinating care, especially for patients with chronic conditions. They use multiple health information technology (IT) applications in order to access, process, and communicate patient-related information. Using the work system model and its extension, the Systems Engineering Initiative for Patient Safety (SEIPS) model, we describe obstacles experienced by care managers in managing patient-related information. A web-based questionnaire was used to collect data from 80 care managers (61% response rate) located in clinics, hospitals, and a call center. Care managers were more likely to consider “inefficiencies in access to patient-related information” and “having to use multiple information systems” as major obstacles than “lack of computer training and support” and “inefficient use of case management software.” Care managers who reported “inefficient use of case management software” as an obstacle were more likely to report high workload. Future research should explore strategies used by care managers to address obstacles, and efforts should be targeted at improving the health information technologies used by care managers.

16.
The new director of the National Institute of Standards and Technology, Dr Raymond Kammer, has told the US Senate Subcommittee for Technology and Space that his agency and the National Security Agency (NSA) have worked very closely together in many computer security efforts.

17.
The author overviews the international standards developed by SC 27 “IT Security techniques” of the ISO/IEC Joint Technical Committee “Information technologies.” The standards include cryptographic mechanisms, evaluation and testing of products and information systems, countermeasures, and security services. Both published standards and those under development are considered.

18.
The assumption of this paper is that Governments pursue the following strategic objectives with respect to geospatial information, as produced by National Surveys (including Cadastres):
  1. for its own purposes, i.e. to govern, it must be assured of unlimited and efficient access to National Survey material;
  2. society should have the broadest possible “free”, but not “cost free”, access to the products and services of National Surveys because this increases “positive externalities” for society as a whole; and
  3. the products and services of National Surveys, including Cadastres, should, in a planned fashion, become independent of government subsidies.
The article argues that under the constraints of those objectives, the regulatory environment of the Public Service (in parliamentary democracies), is counterproductive to the requirements for economic efficiency in pricing and distribution of national survey products and services. Because National Surveys and Cadastres are natural monopolies, the arguments are based on economic theory of the regulation of natural monopolies. Due to the introduction of Information and Communications Technology (ICT), the client community has ubiquitous access to survey and geospatial data processing technology, as well as a growing supply of commercially available substitutes for the products and services of the conventional natural monopolies. Hence, the paper first defines the product and services content of the natural monopoly in the modern ICT and Geospatial Data Infrastructure dominated environment for the case of a National Mapping Agency (NMA) which includes, in this case, the Cadastral Surveying and Mapping. Having defined the products and services in the natural monopoly, all other (value-added) products and services are by definition placed in the free competitive market. The paper goes on to demonstrate that it is in the interest of society that the NMA or Cadastre competes in this market in order to realize economies of scope. The “parity-principle formula for bottleneck service pricing” (Baumol, Ordover & Willig, 1997. Parity pricing and its critics: a necessary condition for efficiency in the provision of the bottleneck services to competitors. Yale Journal of Regulation) provides the necessary and sufficient condition under which a level playing field can be created for all competitors that require the monopolist's (NMAs) assets for the value-added production in the free market. However, an independent regulator must supervise the application of this principle. 
Next, the issue of pricing is dealt with in light of meeting the policies on maximum output and diminishing subsidy. As the government has set the broadest possible distribution as a strategic goal, the NMA will have to act as an output maximiser as opposed to a profit maximiser. Output will therefore have to be set at a point where economic profit is not negative, and this will determine the unit price. These criteria lead to a set of management objectives and an accountability framework for NMAs. It is only at that point that the discussion on the desirability of more independence from the Public Service regulations, of which privatisation is the extreme form, becomes meaningful. The article concludes that outright privatisation, that is, placing the assets of the NMA and all decision-making power over them in the hands of private individuals, is in conflict with the first strategic objective. Furthermore that a regulated monopoly and output maximisation are unattractive conditions for potential franchisers, concessionaires or management contractors. Hence an appropriate solution would be to put the organization at arms-length from government within the accountability framework developed but established in commercial law and without tax benefits. A Cabinet level Minister must be the politically accountable regulator of the “level playing field” and the pricing policy.

19.
Drake T. Computer, 1996, 29(11): 78-87
The National Security Agency's (NSA) mission is to provide support for the security of the United States. Over the years, the Agency has become extremely dependent on the software that makes up its information technology infrastructure. NSA has come to view software as a critical resource upon which much of the world's security, prosperity, and economic competitiveness increasingly rests. To ensure cost effective delivery of high quality software, NSA has analyzed effective quality measures applied to a sample code base of 25 million lines. This case study dramatically illustrates the benefits of code level measurement activities.

20.
After years of threats from FBI Director Louis Freeh, White House operatives, and various National Security Agency (NSA) and Justice Department officials that failure by industry to voluntarily embrace government encryption key recovery schemes would result in mandatory programmes and legislation, such a forecast may have been realized.
