Similar Documents
1.
Abstract

This article devotes four sections to addressing specific information classification topics and what policies for those topics might look like. Included in the text will be a formal discussion on each of the topics and examples of existing policy statements. The author will analyze these policies and establish the framework for the development of such policies for any organization. The first topic to be discussed will be information classification. From there the author will examine the need for an e-mail policy and then an Internet policy along with the supporting awareness program needed for Internet compliance. Finally, the author will establish a basic list of corporate-level policies that every organization should have, along with the slight modification required to support an information security program.

2.
One of the problems facing penetration testers is that a test can generate vast quantities of information that need to be stored, analysed and cross-referenced for later use. Consequently, this paper will present an architecture based on the encoding of information within an XML document. We will also demonstrate how, through application of the architecture, large quantities of security-related information can be captured within a single database schema. This database can then be used to ensure that systems are conforming to an organisation's network security policy.

3.
Gary F. Clark 《EDPACS》2013,47(5):8-11
Abstract

Everything an information security practitioner deals with requires some form of testing to ensure that the information technology or resource is within configuration specifications. This applies to ensuring that business continuity (BC) and disaster recovery (DR) plans are documented and executable as per the business continuity strategy and that the capabilities are deployed as part of an overall business continuity program for the enterprise. Testing BC/DR plans is done with regard to justifying the economic benefit of having BC/DR capabilities in place. A company that decides not to test its BC/DR plans will not know if those capabilities and documented procedures will work during a disaster and thus risks the survivability of the enterprise. The information security professional may be asked to assume the role of testing coordinator or facilitator. This role, in most organizations, is responsible for coordinating and facilitating testing of all BC/DR plans, which requires a thorough understanding of the plans to ensure that the business continuity policy will be met, attaining appropriate funding for the overall testing of these plans, identifying the types of testing that should be conducted, scheduling testing to minimize its impact on business operations, and developing scenario-based test plans that clearly state the scope, purpose, and objective for testing.

4.
Application of Minifilter Drivers in Endpoint Document Security Protection   (cited by 1; self-citations: 0; citations by others: 1)
Based on a study of the driver framework of the Windows NT kernel operating system, an endpoint document security protection system with file protection capability was designed and implemented using Minifilter filter-driver technology and document-tagging technology. The system provides transparent tagging and transparent encryption of endpoint documents, together with policy-based control of document access, and can effectively prevent leakage of important endpoint information. The document-tagging technique is improved by embedding the document key in the document tag, so that the tag not only identifies the document but also simplifies key management.

5.
Sarah Schiltz 《EDPACS》2013,47(5):16-23
Abstract

As companies begin to increase their electronic presence, digitizing increasingly more of their private and sensitive information, the need for information security becomes mandatory. While the relationship between technology and business functionality expands, information security has safeguarded the information the business needs to survive. Organizations are increasingly aware of information security issues and are constantly seeking control measures. Information security studies have predominantly focused on the presence of information security controls rather than the quality of those controls. Security, as an element of quality, must be addressed in the development, implementation, and monitoring of strategy and policy. In order to ensure that adequate controls are established for information systems, quality assurance and information systems auditors should maintain a close working relationship. Total Quality Management is mandatory in the successful application and proliferation of information security controls.

6.
Abstract

A number of authors and multi-national organizations have suggested that providing information services, and in particular software engineering and programming services, for export affords an important economic opportunity for poor countries. Throughout the world, developing countries have acted on this advice. This paper will argue that the opportunities for software engineering services in particular are limited, at least for small developing economies. The main argument is that software engineering and programming are labor-intensive activities and that small developing countries simply do not have the required resources to acquire or train a sufficient number of software engineers and programmers. Any development policy that blindly follows the tenet that small developing countries can improve their economic position through the provision of information services for export is therefore bound to fail. Hence, more sophisticated policies are called for. This paper will also examine a number of such policy options, including an innovative human resource development policy being developed in Jamaica.

Keywords: Information services for export, economic development policy, small developing countries, Jamaica

7.
It is a well-known fact that the information security policy is one of the most important controls needed within an organization to manage the implementation and ensure the effectiveness of information security. The information security policy is essentially the direction-giving document in an organization and defines the broad boundaries of information security. Furthermore, it indicates management's commitment to, and support for, information security in an organization and defines the role it has to play in reaching and supporting the organization's vision and mission.

8.
ABSTRACT

The transmission and storage of information in digital form, coupled with the widespread proliferation of networked computers, has created new issues for policy. An indispensable business tool and knowledge-sharing device, the networked computer is not without vulnerability, including the disruption of service and the theft, manipulation, and destruction of electronic data. This paper seeks to identify a frame for analysis of the security of information resources. A historical review of security issues presented by electronic communication since the inception of the telegraph is conducted so as to produce salient points for study regarding the security of more recently developed computer networks. The authors aim to inform the blossoming area of study falling under the label "information security" with a primer on the key pieces of what may be considered a theory of digital statecraft, drawing back to the nineteenth century.

9.
ABSTRACT

For each layer of information security there are a number of techniques and tools that can be used to ensure information superiority. Indeed, some experts would argue that you cannot have the former without the latter. In today's technological and interconnected world, however, information superiority is very hard to achieve and almost impossible to maintain. This paper will argue that the art of deception is a reliable and cost-effective technique that can assure the security of an infrastructure. The paper will conclude by presenting a technical solution supporting the above statement.

10.
Abstract

In the French Army archives three cryptograms encrypted by the M-209 were found. They date from 1944 and come from the 1st French Army. Since the security rules in the military require them to be destroyed, it is extremely rare to have access to this type of document.

This article aims to show the use of the M-209 in the French Army. It will first briefly describe the operation of the M-209 encryption machine and describe the cryptographic means used by the French Army during the Second World War, including the M-209 provided by the Americans. The three cryptograms found in the archives will then be studied. The various components of these messages are described, starting with the key groups (which provide the message key) and continuing to the main abbreviations as well as some codenames. The plaintexts will then become understandable. This article ends with the reconstruction of the keys (internal and external) of the first two messages. This reconstruction could not be completed for the third message: it is given as a challenge to the readers of Cryptologia. This is also the opportunity to compare the security of the M-209 with that of the Enigma.

11.
ABSTRACT

Much of the research on security policy compliance has tested the relationships posited by the theory of planned behavior. This theory explains far from all of the measurable variance in policy compliance intentions. However, it is associated with something called the sufficiency assumption, which essentially states that no variable is missing from the theory. This paper addresses this assumption in the context of information security policy compliance. A meta-analysis of published tests on information security behavior and a review of the literature in related fields are used to identify variables that have the potential to improve the theory's predictions. These results are tested using a random sample of 645 white-collar workers. The results suggest that the variables anticipated regret and habit improve the predictions. The variables increase the explained variance by 3.4 and 2.6 percentage points, respectively, when they are added individually, and by 5.4 percentage points when both are added.

12.
《EDPACS》2013,47(9):18-19
Abstract

Whether you are responsible for ensuring the availability of your enterprise network or you are a chief technology officer or information security manager, you will likely ask yourself these questions: How much should I spend on security? Am I more secure today than I was yesterday? What metrics can I use to measure whether my security is improving or not? When can I stop patching so I can get back to doing real work?

13.
ABSTRACT

Modern organizations face significant information security threats, to which they respond with various managerial techniques. It is widely believed that "one size does not fit all" for achieving employee information security policy compliance; nevertheless, it is yet to be determined which techniques work best for different organizational employees. We further this research stream by finding that different levels of users might be effectively motivated by different types of coercive and empowering techniques that are suitable to their level and position in the organizational chart. Our results suggest that participation in the ISP decision-making process might prove to be a more effective approach to motivate lower-level employees toward compliance and that enhancing the meaningfulness of policy compliance could be the preferred method among higher levels of management. Members within each level of the organization can be effectively influenced to comply with ISPs when such strategies are customized for their level.

14.
Context: Many people and organisations rely upon software safety and security standards to provide confidence in software-intensive systems. For example, people rely upon the Common Criteria for Information Technology Security Evaluation to establish justified and sufficient confidence that an evaluated information technology product's contributions to security threats and threat management are acceptable. Is this standard suitable for this purpose?

Objective: We propose a method for assessing whether conformance with a software safety or security standard is sufficient to support a conclusion such as adequate safety or security. We hypothesise that our method is feasible and capable of revealing interesting issues with the proposed use of the assessed standard.

Method: The software safety and security standards with which we are concerned require evidence and discuss the objectives of that evidence. Our method is to capture a standard's evidence and objectives as an argument supporting the desired conclusion and to subject this argument to logical criticism. We have evaluated our method by case study application to the Common Criteria standard.

Results: We were able to capture and criticise an argument from the Common Criteria standard. Review revealed 121 issues with the analysed use of the standard. These range from vagueness in its text to failure to require evidence that would substantially increase confidence in the security of evaluated software.

Conclusion: Our method was feasible and revealed interesting issues with using a Common Criteria evaluation to support a conclusion of adequate software security. Considering the structure of similar assurance standards, we see no reason to believe that our method will not prove similarly valuable in other applications.

15.
Insider threat is a very serious security problem facing enterprise organizations, and documents, an enterprise's most valuable information asset, are the main target of insider misuse. Earlier coarse-grained security policies, such as the principle of least privilege and separation of duties, are insufficient to handle the insider-threat problem of document security. This paper proposes a new multi-level security policy model, introduces the concepts of document information flow and the information flow graph, and presents the related algorithms. Based on changes in the system context, the model dynamically generates constraints on information flows, blocking covert information-flow channels that might otherwise arise.

16.
Abstract

The aim of this paper is to discuss the main elements that define an information technology (IT) diffusion policy for small and medium-sized enterprises (SMEs) and to discuss the relevance of this policy for developing countries. The paper will review how innovation and regional development studies confer on SMEs an important role in economic development. Furthermore, it presents a discussion of the present supply- and demand-oriented IT diffusion policies in developed countries, which reveals the challenges for policy definition. In conclusion, the main elements that define an IT policy for SMEs will be highlighted, and lessons for developing countries will be discussed.

17.
ABSTRACT

The objective of a financial audit is to detect any "material" misstatement in financial records and reports. On the surface, that objective seems to be unrelated to information security. The relationship between the two sets of activities may also seem to be insignificant. In fact, there is a significant relationship and one that is mutually beneficial. Entities that are subject to financial audits and employ best practices of information security should improve the efficiency and effectiveness of the financial audit. It is also possible that the financial audit of such an entity would uncover any existing relevant gaps in the entity's application of information security best practices which, when remediated, should improve the effectiveness of the information security function.

18.
ABSTRACT

This essay discusses the nature of transnational organized crime (TOC) and its activities affecting today's electronic landscape. It is assumed that the reader is familiar with IT-related information security in general, and therefore the technicalities around networks and information systems will be avoided, as many papers and books cover these subjects extensively. Most security practitioners are familiar with the technical aspects of IT-related attacks (referred to here as cyber attacks or crimes) but not so with the organization and structure of the groups behind these attacks. We will further explore the origins and evolution of TOC, and how it influences and is influenced by today's omnipresent 'speed of thought' digital society.

19.
20.
ABSTRACT

Cloud computing is a new IT delivery paradigm that offers computing resources as on-demand services over the Internet. Like all forms of outsourcing, cloud computing raises serious concerns about the security of the data assets that are outsourced to providers of cloud services. To address these security concerns, we show how today's generation of information security management systems (ISMSs), as specified in the ISO/IEC 27001:2005, must be extended to address the transfer of security controls into cloud environments. The resulting virtual ISMS is a standards-compliant management approach for developing a sound control environment while supporting the various modalities of cloud computing.

This article addresses chief security and/or information officers of cloud client and cloud provider organizations. Cloud clients will benefit from our exposition of how to manage risk when corporate assets are outsourced to cloud providers. Providers of cloud services will learn what processes and controls they can offer in order to provide superior security that differentiates their offerings in the market.
