Mechanisms for managing information security:
policy, regulation and law
James Backhouse

Reputations at stake

• FT article 7th January 2000
• $40m to UBS Geneva
  - 5 transactions ordered by dead employee of client
  - 1 by unauthorised person
• all approved by Merrill Lynch employees, some in London
Cybercrime costs US business $378m - FBI report

• US businesses and government departments lost $378m last year
  - 85% reported security breaches in the last 12 months, up from the 1999 figure of 42%
  - 6% lost $151m worth of proprietary data in corporate espionage
  - 4% lost $93m to financial fraud through
• majority of security breaches originated over the internet
Hackers tear apart US sites - FBI issues public warning

• Friday 30th March 2001 6:30pm
• The credit card details of over one million web users have been stolen or compromised following a co-ordinated hacking attack on over 40 US websites.
Top Seven Management of Security Errors

• Pretend the problem will go away if they ignore it
• Authorize reactive, short-term fixes so problems re-emerge rapidly
• Fail to realize how much money their information and organizational reputations are worth
• Rely primarily on a firewall
• Fail to deal with the operational aspects of security
• Fail to understand the relationship of information security to the business
• Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job
First priority in systems
…is the establishment of a security policy
          Security Policy

“The set of laws, rules, and practices
  regulating how an organization
  manages, protects and distributes
  sensitive information” (Walker 1985)
“A wide ranging document which is
  about managing the business as a
  whole, managing it securely and
  protecting a company’s key asset –
  its information” (Woodward 2000)
Security standards

BS7799 (Part 1 of which was adopted as ISO/IEC 17799 in 2000) states that
 “management should set a clear direction and demonstrate their support for information security through the issue of a company information security policy”
BS7799 Code of Practice for Information Security Management

• Early 1990s - EDI and first electronic trading partnerships
• Arose out of a “Best Practice” drive with BT, Shell, Barclays, Marks & Spencer
• Initiative of DTI and BSI
• Principles developed for IS Security
What the Standard covers

• Security policy
• Security organisation
• Assets classification and control
• Personnel security
• Physical and environmental security
• Computer and network management
• System access control
• System development and maintenance
• Business contingency planning
• Compliance
Example: Policy

The board attaches particular importance to its people, information, business processes, systems and property.

Example: Scope

Covers all aspects of the company's operations including networks and switching systems, products and services, administration procedures and systems, security of buildings and the workplace, and all internal
Example: Responsibility

People are personally responsible and accountable for the security of their operations. Senior Divisional Management through their Security Co-ordinators will be responsible and accountable for the provision of divisional security management and support services using a team of suitably qualified and trained
Example: 3 Key Documents

• The Commercial Security Manual, covering security policies for all electronic systems;
• Information Security Code, covering the secure handling of all information;
• Physical Security Handbook, covering policy on the physical and environmental protection of buildings and business

Compliance checking

Compliance and Review unit checks key business processes for their conformance to existing policy. Its members come from throughout the
Developing Security

Security evaluation, certification and accreditation

For Verisign a “trustworthy” system means...
“hardware, software, and procedures that are reasonably secure from intrusion and misuse;
provide a reasonable level of availability, reliability and correct operation;
are reasonably suited to performing their intended function;
and enforce the applicable security policy”
Three Key Terms

• Evaluation: assessment of a product or service against defined security evaluation criteria
• Certification: the issue of a formal statement (certificate) confirming the results of the security evaluation
• Accreditation: the procedure for accepting a product, a service, a system for use within a particular
Accrediting the accreditors

• UKAS is root accrediting agency for
• Organisations awarding accreditation must be impartial, competent, effectively managed
• Surveillance annually
• Reassessment every four years
1998 Accreditation Certification Scheme

UKAS Accredited Certification Service - private company

• Security Evaluation criteria first developed in 1983 in USA
  - Trusted Computer System Evaluation Criteria, known as the Orange Book
• Hierarchy of security levels ranges from
  - D (poorly secured) to
  - A1 (all aspects of design, development and implementation covered)
UK ITSEC Scheme

• “The objectives of the scheme are to meet the needs of Industry and Government for cost effective and efficient security evaluation and certification of IT products and systems. The Scheme also aims to provide a framework for the international mutual recognition of

CLEF - Commercial Licensed Evaluation Facility

• CLEFs provide evaluation services which lead to certification for a range of services or products:
  - access control and authentication
  - real-time and fault-tolerant systems
  - secure workstations
  - communications etc
What is a CLEF?

• CLEFs perform evaluation under the UK ITSEC Scheme
• Provisional or Full
• CLEFs subject to requirements and
• Admiral, EDS, IBM, Logica, Syntegra

Certification Scheme

• Certificates can be used by vendors to advertise and sell products
• Confidence in security features
• Security policy

EDS - CLEF character

• Located in a secure area
• Physical, administrative and technical security requirements
• EDS - 20 evaluators working in 8 independent task cells
• Commercial confidentiality of products and systems
• Evaluation for ITSEC, UK, US
Security Evaluation methods

• Evaluation methods depend on level of assurance being sought:
  - straightforward functional testing
  - code examination
  - static analysis and formal proof
  - penetration testing
• Work in line with approved work plan

Example ITSEC certifications

• Certification awarded November 1999
• BorderWare Version 6.1 Firewall Server - Certification awarded January 2000
BS 7799

Context for accreditation for secure information

• Electronic commerce, smart card and internet technology generally mean IS security is more important now
• BS7799 can help identify the risks to information and the effective measures to adopt

Accreditation for BS7799

• c:cure is a set of arrangements which enables accredited certification against BS 7799 - DISCONTINUED
  UKAS
  → Certification Body
  → Accredited Auditor
  → Certification of Organisation’s IS Sec
Auditors and Certification

• Under BSI-DISC's overall scheme the British Computer Society (BCS) and the International Register of Certificated Auditors (IRCA) are tasked with independently and impartially assessing and registering individuals who meet the criteria for c:cure auditors.

BS7799 Accreditation

• During accreditation system security is checked for
  - completeness
  - conformance with the overall security requirements and objectives set by
• The accreditation authority
  - checks the corporate security policy
  - agrees that system security policy was properly derived from the corporate security policy
  - ensures countermeasures are sufficient to enforce the policy
  - ensures enough confidence in the effectiveness of countermeasures
c:cure certification - qualified

• "… of course c:cure cannot provide absolute guarantees. Rather it is a business enabler. It does show that certificated organisations are committed to information security. They have looked at best practice in the light of their business needs. They have given serious thought to the security threats they face and they have put in place appropriate
Electronic Signature

EU Directive 1999/93/EC
“A Community Framework for Electronic Signatures”

Electronic Signature

“data in electronic form which are [is] attached to or logically associated with other electronic data and which serve as a method of authentication;”
Electronic Signature
Legal Recognition

5.1 …. advanced electronic signatures which are based on a qualified certificate and which are created by a secure signature creation device satisfy the legal requirement equivalent to hand-written signatures.
5.2 …. an electronic signature (of any form) is not denied legal effectiveness
Electronic Signature
Qualified Electronic Signature

[Diagram: the signatory (“Jim”) creates an electronic signature over the message “Please supply … @ $1” using a signature creation device (Annex III); the relying party verifies the signature against Jim’s certificate (Annex I), issued by a certification authority (Annex II), and also verifies the CA’s signature on that certificate.]
Electronic Signature Directive
Requirements of 5.1 “Qualified Electronic Signatures”

• Annex I - Requirements for qualified certificates
• Annex II - Requirements for certification service providers (certification authorities) issuing qualified certificates
• Annex III - Requirements for secure electronic signature creation devices
• (Annex IV - Recommendations for electronic signature verification)
Electronic Signature Directive
Annex I - Requirements of Qualified Certificates

a) Indication that certificate is “Qualified”
c) Name or pseudonym of signatory
d) Signature verification key (signature verification
f) Limitation on value of transaction

Can be met using standard certificate format e.g.
Electronic Signature Directive
Annex II - Requirements of CA Issuing Qualified Certificates

a) Demonstrate reliability
b) Immediate revocation
c) Ensure date and time of revocation can be determined
d) Verify identity
e) Employ personnel with appropriate
f) Use trustworthy systems

Can be met by a good quality Certification
Electronic Signature Directive
Annex III - Requirements of Secure Signature Creation Device

1. Must by appropriate technical & procedural means ensure that:
a) Signature generation key is unique and held securely
b) Signature generation key cannot be derived from the verification key or from signatures, and the signature is protected against forgery (the verification key is, by design, derivable from the generation key; it is the reverse that must be infeasible)
c) Signature generation key can only be used by signatory

2. “Secure signature-creation devices must not alter the data to be signed or prevent such data from being presented to the signatory prior to the signature process.”

Can be met by smart card or similar device, debatable whether can be met by software
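The key-pair properties behind Annex III, shown as an added example that is not part of the slides and not any vendor's device code: a Go stand-in for a signature creation device, using ECDSA over P-256 from the standard library. The type and function names are this example's own. It shows that the verification (public) key is derived from the generation (private) key, that the signature is computed over exactly the bytes presented to the signatory, and that a relying party holding only the public key accepts the genuine data and rejects altered data or a signature from another key. What it cannot show is the part Annex III leaves to hardware: keeping the private key inside a tamper-resistant device rather than in process memory, which is the point of the smart card remark above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignerDevice stands in for an Annex III secure signature-creation device.
// The signature-generation (private) key is kept inside the struct and never
// returned; callers get only the verification key and signatures. (Name and
// design are this example's own, not a real device API.)
type SignerDevice struct {
	priv *ecdsa.PrivateKey
}

// NewSignerDevice generates a fresh P-256 key pair inside the "device"
// (Annex III 1(a): the generation key is unique and held securely).
func NewSignerDevice() (*SignerDevice, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SignerDevice{priv: priv}, nil
}

// VerificationKey returns the public key. It is derived from the private key
// (the easy direction); Annex III 1(b) requires the reverse to be infeasible.
func (d *SignerDevice) VerificationKey() *ecdsa.PublicKey {
	return &d.priv.PublicKey
}

// Sign hashes exactly the bytes presented to the signatory and signs that
// digest (Annex III 2: the device must not alter the data to be signed).
// Only a holder of the device can produce a valid signature (Annex III 1(c)).
func (d *SignerDevice) Sign(presented []byte) ([]byte, error) {
	digest := sha256.Sum256(presented)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// Verify is the relying party's check: recompute the digest over the data it
// received and validate the signature with the public key alone.
func Verify(pub *ecdsa.PublicKey, received, sig []byte) bool {
	digest := sha256.Sum256(received)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	dev, err := NewSignerDevice()
	if err != nil {
		panic(err)
	}
	// Constructed sample message, as it would be shown to the signatory.
	presented := []byte("Please supply 10 units @ $1")
	sig, err := dev.Sign(presented)
	if err != nil {
		panic(err)
	}
	pub := dev.VerificationKey()
	fmt.Println("genuine data verifies:", Verify(pub, presented, sig))

	// Altering even one byte after signing must fail verification.
	altered := []byte("Please supply 10 units @ $7")
	fmt.Println("altered data verifies:", Verify(pub, altered, sig))

	// A signature from a different device does not verify under this key.
	other, _ := NewSignerDevice()
	otherSig, _ := other.Sign(presented)
	fmt.Println("other device's signature verifies:", Verify(pub, presented, otherSig))
}
```

The split between `Sign` (inside the device) and `Verify` (relying party, public key only) is the whole of Annex III 1(b) and 1(c) at the cryptographic level; whether the private key really stays inside the device is a property of the hardware and its access control, not of this code.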
Electronic Signature Directive
Article 6

Liability of Certificate Authorities (CA) Issuing Qualified Certificates to the public
  - certified data (identity, key) is correct at time of issuance
  - failure to register revocation
  - CA must prove not acted negligently
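The relying party's acceptance decision that Article 5.1, Article 6 and Annexes I and II imply, as an added example that is not part of the slides: a Go function (type, field and function names are this example's own) that takes the attributes a qualified certificate must carry (qualified indicator, validity period, limit on transaction value) together with the CA's revocation record, and returns every reason to refuse. It treats two cases that are easy to get wrong as refusals: a revocation whose time cannot be determined (Annex II c), and a signing time that comes from the signer rather than a trusted time-stamp, since then the signature cannot be shown to predate revocation. Cryptographic verification of the signature itself is assumed to have been done separately.

```go
package main

import (
	"fmt"
	"time"
)

// QualifiedCert carries the attributes a relying party checks. The field
// names are this example's own; the Annex references say which requirement
// each field exists to satisfy.
type QualifiedCert struct {
	Qualified    bool       // Annex I a): indication that the certificate is qualified
	Subject      string     // Annex I c): name or pseudonym of the signatory
	NotBefore    time.Time  // validity period start
	NotAfter     time.Time  // validity period end
	TxValueLimit *int64     // Annex I f): limit on transaction value; nil = no limit
	Revoked      bool       // Annex II b): revocation service
	RevokedAt    *time.Time // Annex II c): revocation time must be determinable; nil = unknown
}

// CheckQualifiedSignature returns the reasons to refuse to treat a signature
// as "qualified" (Article 5.1). An empty result means accept. signedAt is the
// claimed signing time; trustedTime is true only if that time comes from a
// source the relying party trusts (e.g. a time-stamp), not from the signer.
func CheckQualifiedSignature(c QualifiedCert, signedAt time.Time, trustedTime bool, txValue int64) []string {
	var reasons []string
	if !c.Qualified {
		reasons = append(reasons, "certificate not marked as qualified (Annex I a)")
	}
	if signedAt.Before(c.NotBefore) || signedAt.After(c.NotAfter) {
		reasons = append(reasons, "signing time outside certificate validity period")
	}
	if c.TxValueLimit != nil && txValue > *c.TxValueLimit {
		reasons = append(reasons, fmt.Sprintf(
			"transaction value %d exceeds certificate limit %d (Annex I f)", txValue, *c.TxValueLimit))
	}
	if c.Revoked {
		switch {
		case c.RevokedAt == nil:
			// The CA must be able to say when revocation took effect; if it
			// cannot, nothing signed under this certificate can be relied on.
			reasons = append(reasons, "certificate revoked but revocation time not determinable (Annex II c)")
		case !trustedTime:
			// A signer-supplied time could be back-dated to before revocation.
			reasons = append(reasons, "certificate revoked and signing time is not from a trusted source")
		case !signedAt.Before(*c.RevokedAt):
			reasons = append(reasons, "signature made at or after revocation")
		}
	}
	return reasons
}

func main() {
	// Constructed sample certificate and transactions.
	issued := time.Date(2000, 6, 1, 0, 0, 0, 0, time.UTC)
	limit := int64(10000)
	cert := QualifiedCert{
		Qualified:    true,
		Subject:      "Jim",
		NotBefore:    issued,
		NotAfter:     issued.AddDate(1, 0, 0),
		TxValueLimit: &limit,
	}
	signedAt := issued.AddDate(0, 3, 0)
	fmt.Println("within limit:", CheckQualifiedSignature(cert, signedAt, true, 500))
	fmt.Println("over limit:  ", CheckQualifiedSignature(cert, signedAt, true, 50000))

	// Revoked two months after signing: acceptable only with a trusted time.
	revokedAt := issued.AddDate(0, 5, 0)
	cert.Revoked, cert.RevokedAt = true, &revokedAt
	fmt.Println("revoked later, trusted time:  ", CheckQualifiedSignature(cert, signedAt, true, 500))
	fmt.Println("revoked later, signer's time: ", CheckQualifiedSignature(cert, signedAt, false, 500))
}
```

Returning the full list of reasons rather than the first failure matters in practice: under Article 6 the relying party's own reasonableness is at issue, and a record of every check that failed is what it will need to show.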
Electronic Signature Directive

• EU may reference standards for:
  - Annex II f) CA trustworthy systems and cryptographic device
  - Annex III Secure Signature Creation Devices
Conclusions on EU directive

• Legal recognition of Electronic Signature in place across Europe - may be of any form
• Common “qualified” level of service recognised across Europe
• Moving towards Common framework for Approval for “Trust” Service
UK Electronic Communications

• March ‘97 Consultation
• April ‘98 Statement
• March ‘99 Consultation
• PIU Report - May ‘99
• Draft legislation - July ‘99
• Voluntary ‘approvals’ scheme for trust service providers (Part I)
• Legal recognition of electronic signatures and “Order making” powers on “writing” and “signatures” (Part II)
• Modifications to telecom licensing (Part III)
tScheme

• Membership organisation
• ‘Approval’ against service profiles
• ‘Approvals’ by UKAS/CBs
• Industry/market driven
• Interim Board from April 2000
Part I - Govt. success criteria

• …cover a range of services inc. signature and confidentiality services..
• …be demonstrably rigorous, impartial and trusted...
• ...not act as a barrier to new entrants to the market....
• …be able to set standards (procedural and technical)...
• …provide a clear mechanism for Government to monitor progress
• …adopt mechanisms for ensuring compliance
The mission

tScheme: approval based on independent assessment of the provision of trust services against defined

• Definition / selection of Approval Profiles, inc. operational & technical standards
• Responsibility for application of
• Review / Renewal / Revocation / Mediation
• Promotion of approved Trust Services

BUT no actual provision of services

Approval profiles

One per service type and level/class
Operational handbook / web-book
1 Base profile - common elements
2 Service specific profiles
3 Sector specific guidelines
4 Minimum criteria
5 Acceptable & equivalent evidence
Approval creation

[Diagram: the base profile plus service-specific requirements yields one approval profile per service (Service A, Service B, Service C).]
Modelling trusted services

[Diagram: the Subscriber holds a subscriber agreement with the CA; the Relying Party's position is governed by Directive Article 6. The CA is the entity which signs the certificate, is accredited and has overall responsibility. CA subfunctions: Registration, Certificate Generation, Certificate Dissemination, Revocation Management, Revocation Status. Subfunctions may be provided by the CA or subcontracted to another CSP.]
[Diagram: the tScheme approval process]
• tScheme: publishes Approval Profile criteria; appoints UKAS; publishes the approval once granted
• Trust Service Provider: develops and ensures a complying environment; develops evidence of compliance; applies for approval to a specific profile with evidence of compliance; contracts to comply with Scheme Conditions
• Independent Assessors: UKAS appoints qualified auditors; the audit process decides whether the evidence is accepted (“NO” returns the provider to the compliance steps) and the approval published
• enables e-business innovation & growth
• encourages the development of new ways of conducting electronic business
• reacts quickly to technological change
• is cost effective
• fulfills EC requirements
• accommodates the needs of business users, consumers, technology providers, government & service
• APACS
• BBA
• British Chambers of Commerce
• BT
• Chubb
• CSSA
• CBI
• Consumers Association
• De La Rue Interclear
• DMA
• Equifax
• e-centre UK
• FEI
• HMG e-envoy / CCTA / DTI
• ICL
• IBM
• Notaries for e-commerce
• Post Office Viacode
• Trustis ... more on the way
• Differing approach throughout Europe
• tScheme will meet most of the objectives
• Will need some supervisory arrangements for those working outside tScheme
• OFTEL? CESG? A modified tScheme?
