Green Book on the Security of Information Systems: A document that sets out the development of a consistent approach to Information Security in Europe, taking into account common interests with other countries.
Draft 4.0
October 18, 1993
Table of Contents
Preface 1
Summary of Requirements for Action 3
Acknowledgement 7
1. Introduction 10
2. Scope 11
3. General issues 13
3.1. Globalisation of the economy 14
3.2. Internal Market 14
3.3. Human Rights and the Protection of Communications 15
3.4. Social Acceptance 16
3.5. Human Rights and the Safety 17
3.6. Confidence in Communication 18
3.7. Management of Openness and Protection 19
3.8. Common Concerns of Commercial and National Security 21
3.9. Security and Law Enforcement 22
3.10. Economics of the Security 23
3.11. Social Recognition of Information Crime 24
3.12. Human Factors 26
3.13. Safety Critical Environments 26
3.14. Embedding Systems 27
4. Demand Related Issues 29
4.1. Requirements for Enterprises and Individuals 30
4.1.1. Agreement on Security Requirements for Enterprises 30
4.1.2. Security Administration 32
4.1.3. Security Objectives for Enterprises 33
4.1.4. Exploiting Innovation 34
4.1.5. Sectoral Specifics 35
4.1.6. Security Domains 36
4.1.7. Security Labelling 37
4.1.8. Administration of Access to Security Related Data 38
4.1.9. Security Requirements for Individual Users 38
4.2. Requirements for Security Functions 40
4.2.1. Access Control 40
4.2.2. Requirements for Electronic Cash 42
4.2.3. Requirements for Security Services 42
4.2.4. Digital Signature 46
4.2.4.1. The Individual Right to Signature 46
4.2.4.2. Consistency of Legal Principles for Digital Signatures 47
4.2.4.3. Universal Acceptance of Digital Signatures 48
4.2.5. Privacy enhancement 49
4.2.5.1. Perception of Requirements for Privacy Enhancement 49
4.2.5.2. The Case for the Provision of Public Confidentiality Services 51
4.2.6. Use of Names 53
4.2.7. Security of Electronically Stored Information 55
4.3. Requirements for the Safety of Communication Systems 56
4.4. Requirements for Evaluations 57
4.4.1. Trustworthiness of Communication 57
4.4.2. Motivation to Acquire Evaluated Solutions 59
4.4.3. Consistency of Procurement Practices 59
4.5. Requirements for Security and Safety Methodologies 60
4.5.1. Risk Analysis and Management 61
4.5.2. Metrics for Loss Assessment 62
4.5.3. Technology Assessment 63
4.5.4. Analysis of Audit Trails 63
4.5.5. Safety Specific Methodologies 64
4.6. Requirements for Audits 65
4.7. Information Valuation 66
5. Supply Related Issues 67
5.1. Supply Related Issues 67
5.1.1. Security Services 67
5.1.2. Signature Schemes 71
5.1.3. Confidentiality Schemes 72
5.2. Supply Related Issues - Security Management 73
5.2.1. Role of Trusted Third Parties (TTPs) 73
5.2.2. Key Usage 76
5.2.3. Key Management Service 77
5.2.4. Distributed-Secret Escrow Systems 78
5.2.5. Management Services for Names 79
5.2.6. The Management of TTPs 80
5.2.6.1. Operating Principles of TTPs 80
5.2.6.2. Interworking of TTPs 81
5.2.6.3. Interworking of Autonomous Confidentiality Services 82
5.2.6.4. Accreditation 83
5.3. Supply Related Issues - Evaluation of Trusted Solutions 84
5.3.1. Evaluation of Products, Systems, Services and Applications 85
5.3.2. International Harmonisation 85
5.3.3. Vendor Declarations 87
5.3.4. Self-evaluation 87
5.3.5. Evaluation of Applications 88
5.3.6. Evaluation of Communication Services 89
5.3.7. Trusted Network Management 90
5.3.8. Evaluation of Methods and Tools 91
5.3.9. Physical and Procedural Issues 92
5.3.10. Modifications to Evaluated Products 92
5.3.11. Performance Reporting for Trusted Products 94
5.3.12. Rationalisation of Evaluations 94
5.4. Maintenance of Safety and Assurance 95
5.5. Technological Change 96
6. Rights, 99
6.1. Legal Framework 99
6.2. Data held in Electronic Form 100
6.3. Environment 104
6.4. Interaction and Relationships between Private Parties 106
6.5. Harm 106
6.6. Eliminating 107
6.7. Legal Restrictions affecting Technical Solutions 108
6.8. Limitations to Liability 109
6.8.1. Recommendations for Liability Limiting Measures 109
6.8.2. Information Security Audit 110
6.9. Procedural 111
6.10. Insurance 112
7. Spectrum of Measures to provide Information Security 113
7.1. Policy Framework 113
7.2. Agreements 114
7.3. Regulation 114
7.4. Accreditation 114
7.4.1. Accreditation of Services 114
7.4.2. Accreditation of TTPs 115
7.5. Products and Services 115
7.6. Common Practices 115
7.7. Awareness 117
7.8. Specifications 117
7.9. Standards 117
7.10. Technology 118
8. Cross Impact Analysis 121
Annex: Recalling the Action Lines 140
Action line I - Development of a strategic framework for the security of information systems 140
Action line II - Identification of user and service provider requirements for the security of information systems 141
Action Line III - Solutions for immediate and interim needs of users, suppliers and service providers 141
Action line IV - Development of specifications, standardisation, evaluation and certification in respect of the security of information systems 143
Action line V - Technological and operational developments in the security of information systems 144
Action line VI - Provision of security of information systems 145
Appendix A: References 147
Appendix B: Abbreviations 148
Appendix C: Index 148
Preface
The Council adopted in May 1992 a Decision in the field of the security
of information systems comprising the development of overall
strategies for the security of information systems (action plan) and
the setting up of a Senior Officials Group (SOG-IS) to advise the
Commission on action to be undertaken. The objective of the Decision is
the development of overall strategies aiming to provide users and
producers of electronically stored, processed or transmitted
information with appropriate protection of information systems against
accidental or deliberate threats.
The scope of the Decision foresees the following Action Lines:
I. Development of a strategic framework for the security of
information systems
II. Identification of user and service provider requirements for
the security of information systems
III. Solutions for immediate and interim needs of users, suppliers
and service providers
IV. Development of specifications, standardisation, evaluation, and
certification in respect of the security of information systems;
V. Technological and operational developments in the security of
information systems; and
VI. Provision of security of information systems.
The Decision is implemented by the Commission, in close association
with related actions in Member States and in conjunction with related
Community research and development actions.
As a step towards the formulation of the "Action Plan" identified in
the Council Decision, and in accordance with the opinion of SOG-IS, a
"Green Book on the Security of Information Systems" is being prepared.
In accordance with the Annex of the Decision, it presents an overall
view of the
• requirements for action in summary form
• issues involved
• spectrum of measures that result from an analysis of the issues.
The present document sets out the background to the development of a
consistent approach to Information Security in Europe taking into
account common interests with other countries.
The intention of the Commission Services in preparing the present
document is to encourage a better understanding with the sector actors
in the Community on Information Security issues and to develop a
consensus on the requirements to be considered. It therefore does not
necessarily represent the views of the Commission Services, or of the
Senior Officials Group for Information Security, on the subject, but
rather provides a basis for reflection and concertation with sector
actors and Member States.
The "Green Book" represents an intermediate step towards the
formulation of the Action Plan foreseen in the Council Decision. Its
purpose is to state the main issues related to the security of
information systems in their context. A deliberate effort has been made
to present the subject matter in as objective a fashion as possible. By
progressively widening the consultation in the preparation of the
document, the aim is to obtain a representative and balanced view of
the issues and of the nature and implications of the options for action
one may wish to consider. In its presentation the document
intentionally refrains from voicing an opinion on the framework or
organisation which might be adopted to address a given issue or
requirement. Such recommendations are to be included in the Action
Plan.
Note on Draft 4.0
The preparation of the document comprises four successive phases, each
including iterative steps:
Phase I: Preparation of an Outline and Collection of material
Phase II: Drafting
Phase III: Informal Consultation
Phase IV: Formal Consultation
In its present form it represents an intermediate step towards Phase IV
of the preparation of the Green Book.
Summary of Requirements for Action
1. Introduction
The trustworthiness and protection of information is essential for the
functioning of a modern society.
Information Security threats are growing with the diversification and
multiplication of communication services and use of electronic
information by business, administrations and the individual.
In the last decade, the Community has been working progressively
towards the creation of the Internal Market and led a policy of
liberalisation and harmonisation in the field of communications
services.
When the INFOSEC Decision was adopted it was recognised that the threat
to information security would need a collective effort at the European
level, and it set as its objective the formulation of an Action Plan to
complement national actions in a well understood spirit of
subsidiarity as far as national and internal security was concerned.
The purpose of this section of the document is to set out the critical
factors for future developments and the action required to ensure
trustworthy information services and applications in Europe and in its
relations with other parts of the world. It formulates options for
future policy and identifies which of them promise to best meet the
needs of the EC in the context of international developments and trends.
2. Proposed Positions and Actions
Based on the results of the enquiry that produced the Green Book,
needs for action on an EC scale have been identified. These require a
concerted approach within Europe and, where possible, internationally.
The following proposed positions and actions are derived from the
results of the work so far.
General Position
Democratic societies engaged in the global economy need to provide for
adequate levels of information security. With the growing diversity of
services and applications of telematics, the security of information
systems will need to evolve with the growing demand and reduce the
risks of the threats to security and safety, without obstructing
innovation or economic and social developments.
A Trust Services
Proposed Positions
• In the emerging information society traditional techniques of
securing information, such as signatures, envelopes, registration,
sealing, depositing and special delivery need to be matched by
electronic equivalents.
• The protection of the user, service provider, operator and the
collectivity should be conserved and the balance between freedom and
responsibility not changed in an uncontrollable manner.
• Service offerings need to cater for the needs for seamless
information security for business, the general public, video and
multimedia communications and teleworking, in the non-classified
domain.
• The working of the Community Institutions and the EC-wide
operation of public administrations of the Member States can be
expected to rely on a combination of these services, as appropriate.
• The definition of information crime and the rules governing the
use of electronic evidence in civil and criminal court proceedings need
to be harmonised within the EC to be able to address cases involving
trans-European services and applications. In the absence of such
harmonisation, "safe havens" for illegal activities can form to the
detriment of the EC.
• As the economy becomes global, and the interrelationship among
the different actors tighter, the accepted practices and rules under
which these actors operate need to be well defined and transparent,
implying a coherent codification of essential practices and relations.
• As Europe formulates and implements policies depending on, or
affecting, information security, overall consistency demands greater
attention. Specifically this relates to the new policies under the
Maastricht Treaty, Internal Market, Competition and Telecom Policies,
and specific actions such as Open Network Provision (ONP Directives)
and Trans-European Networks (TENs).
Proposed Actions
• to provide for the setting up of trust services. Trust
services include digital signature, non-repudiation, claim of origin,
claim of ownership in negotiable documents, fair exchange of values,
untraceability, and time stamping.
• to provide for the establishment of Europe-wide confidentiality
services for non-classified information. These could include the
following classes:
> minimum IS assurance to be maintained by all service providers
(level of present letter mail and telephony under national privacy
legislation)
> enhanced IS assurance for private and professional use (level
of registered mail or courier delivery as needed for normal business
transactions such as ordering and billing)
> professional IS assurance as needed for recognised categories
of commercially (or otherwise) sensitive information
• to establish, accredit and audit a network of Trusted Third
Parties for the administration of the service provisions such as for
name assignment, key management, certification and directories
• to formulate a common EC-wide legal and regulatory Framework
for the alignment of national conditions to meet the needs of the
Internal Market and international developments in information security
• to establish the liability principles for information
providers, intermediates and value added service providers
• to put in place arbitration mechanisms to resolve liability
conflicts
• to establish the common principles for legislation covering
communication crime and for electronic evidence
• to develop generic codes of practice for the handling of
non-classified information, including rules for security labelling
• to develop sector-specific codes of practice and base line
controls.
B International Developments
Proposed Position
• In view of the rapidly evolving international communication and
security scene, the security needs of European organisations and
individuals must be safeguarded and the competitiveness of European
industry maintained.
• The creation of barriers to trade and services based on the
control over security mechanisms and digital signature schemes needs to
be avoided. If acceptable international solutions cannot be found,
a European option should be considered.
Proposed Action
• to work towards international solutions for information
security requiring global assurance
• to strengthen the support for international standardisation
• to formulate common positions swiftly with respect to
international developments, as they arise
• to consider a European option offering confidentiality and digital
signature services internationally.
C Technical Harmonisation
Proposed Positions
• Vendors and service providers need to innovate to survive
commercially. They have a vital interest in ensuring that their
products are adequately secure and safe.
• Electronic products, systems, services and applications must
operate to generally recognised levels of trust.
• A differentiated approach to the evaluation of trusted
solutions is needed which includes vendor declaration, self-evaluation
or formal evaluation. The choice among these mechanisms will
depend on the costs and delays involved in formal certification
processes, the level of assurance required and national constraints.
• The international character of service and product supply
requires the establishment of mutual recognition of testing,
validation, auditing and liability assessment.
• Safety, security and quality have many commonalities: these
must be exploited to reduce cost and delays in evaluations.
Proposed Actions
• to establish an international scheme for evaluation,
certification and mutual recognition, that provides for "once only"
security, safety and quality evaluations for applications, services,
systems and products
• to establish the principles for incident reporting obligations
for evaluated solutions, and their dissemination
• to establish principles for incident containment
• to establish a scheme for service provider and vendor
self-evaluations and declarations
• to specify Community-wide quality criteria for the safety of
systems, incl. methodologies for the assessment of threats,
vulnerabilities, and hazards for safety critical systems
• to establish rules for the assurance of embedded systems.
Acknowledgement
The present document is the result of numerous contributions received
from experts working in the framework of IBAG, SRI, the Security
Investigations and SOG-IS members (over 150 contributions received).
To develop the thinking on specific groups of issues, the SOG-IS
Advisory Group, reinforced by other experts, was consulted and
contributed to the development of the document. In a spirit of
openness, qualified contributions were accepted from all parties ready
to contribute and to discuss their input in the context of an
international workshop that served to consolidate the views into a
coherent presentation.
While the experts acted in a personal capacity, their affiliation is
included in the list below as an indication of the range of experience
which was drawn upon.
The contributions and active involvement in the preparation of this
document of the following personalities are gratefully acknowledged:
C. Amery Zergo Consultants Ltd. UK
K. Ansttz BIFOA D
Mr. Auer Siemens Nixdorf D
G. Axelsson Swedish Agency for Administrative Development S
E. Barreto CEC DGIII/B
M. Baum Independent Monitoring USA
T. Benjamin Defence Research Agency UK
E. Bible Cameron, Markby and Hewitt B
D. Birch Hyperion UK
J. Birenbaum France Telecom F
J. Blackwell CEC DGXIII/C
C. Blatchford Panacea Ltd UK
R.E. Bloomfield ADELARD UK
A. Brignone Protexarms F
S. Brummel Akin, Gump, Strauss, Hauer, Feld & Dassesse B
A.J. Butcher MOD - Royal Air Force UK
L. Cabirol SCSSI F
R. Cadwallader ENACT Ltd. UK
P. Carriot F Telecom F
S. Castell CASTELL UK
E. Cauvin Agence pour la protection des programmes F
D. Cerny Bundesministerium des Innern D
B.J. Chorley NPL UK
J. Christensen CEC DGXIII/C
C. Clark IBAG UK
R. Clark University of Dublin Ireland
B. Collins PCSL Consulting UK
J-F. Cornet ECOLORG F
C.J. Coumou Coseco International BV NL
J.M. Court Institute of Chartered Accountants UK
H. Daniel BSI D
P. Daniel GEC Marconi Secure Systems Ltd. UK
J. De Decker IBM B
D. De Geest ESN B
Mr. de Kervasdoue CAP SESA F
A. de la Torre Prados Ministerio de Industria E
E.R. de Lange Ministry of Transport, Public Works and Water Management NL
P. de Lauzanne GSIT F
B. De Schutter Free University of Brussels B
M. De Soete Philips I.T.S. B
T. de Vries KPMG Management Consultants NL
D. De Winter Siemens Nixdorf AG D
P. Dellios Ministry of Transports and Communications GR
Y. Deswarte LAAS-CNRS & INRIA F
G. Dietzel CEC DGXIII/C
R. Dunkel IBM Europe F
D. Duthil Agence pour la protection des programmes F
G. Eisen IABG D
G. Endersz Telia Research AB S
R.A. English Communications Security Establishment UK
A. Eriksen Ministry of Justice N
P. Fagan Secure Information Systems Ltd. UK
Mr. Fravezzi Ministry of Defence B
A. Fujioka NTT Laboratories Japan
P. Furberg c/o Swedish Agency for Administrative Development S
S. Gaskill Dibb Lupton Broomhead UK
M. Gasparinetti CEC Consumer Policy Service
H. Gebhardt CEC DGXIII/A
S. Geyres VERILOG F
L. Glanert Deutsche Telecom D
A. Hallan L
R. Hanouz CEPME F
N.G.L. Harding Health Systems Co-ordination UK
G. Hardy Touche Ross & Co. UK
N. Harwood BT UK
P. Haufman SPRI S
S. Herda GMD D
V. Heyvaert Akin, Gump, Strauss, Hauer, Feld & Dassesse B
N. Higham UK
G. Hoberg BELGACOM B
P. Hoving TeleTrust S S
E. Humphreys XiSEC UK
D. Hurley OECD
F. Iribarne Navarro E
K. Iversen Norwegian Centre for Medical Informatics N
E. Jahren Ministry of Government Administration N
C. Jansen Philips Crypto B.V. NL
M. Jones DTI UK
M. Kemna CEPIS Task Force NL
M. King CESG UK
H.M. Kluepfel Bellcore USA
P. Knopf Swiss Mission to the E.C. B
T. Knowles DMR Group Ltd. UK
M. Kopecky SNCF F
S. Kowalski Stockholm University S
H. Kurth IABG D
S. Kurzban PACE
P. Landrock Cryptomathic A/S DK
J. Lang Perihelion Software Ltd. UK
C. Laske Free University of Brussels B
Y. Le Roux Digital Equipment F
J. Leach Zergo Consultants Ltd. UK
A. Legait SYSECA F
O. Leiberich D
E. Lemmens Programmation de la Politique Scientifique B
W. London Cameron, Markby and Hewitt UK
W. Madsen Computer Sciences Corporation USA
S. Mathews PCSL Consulting UK
R.A.J. Middleton British Computer Society UK
M. Miloikovitch Thomson-CSF F
S. Mohammed European Parliament
R. Moses Information Systems Ltd. UK
P. Müller Bull Ingénierie F
M. Nasrullah Ministry of Transport, Public Works & Water Management NL
S.-I. Nilsson ECITC B
J. Norman SGS-Thomson Microelectronics F
M. Ohlin Swedish Defence Material Administration S
T. Osvald CEN B
K.W. Ott Ott Technology Software sprl B
A. Parondo ISDEFE E
A. Patel Teltec IRL
L. Pauwels Belgacom B
A. Peralta Univ. Politecnica de Cataluna E
H. Peuckert Siemens AG D
C. Pfleeger Trusted Information Systems (UK) Ltd. UK
F. Piau Pari Mutuel Urbain F
E. Pimentel Saraiva Banco Totta & Acores P
D. Pinkas Bull F
R. Pizer Certification Body, UK ITSEC Scheme UK
D. Poelmans EDS B nv B
R. I. Polis Groupe de Management Genève CH
K. Presttun Alcatel F
G.R. Price Glynwed Group Services Ltd. UK
M. Purser Baltimore Technologies Ltd. IRL
G. Rabe Technischer Überwachungs-Verein Nord e.V. D
K. Rannenberg Universitaet Freiburg D
R. Rehorst Telecommunications and Post Department NL
K. Rihaczek DuD D
E. Roback Computer Systems Laboratory USA
G. Roelofsen PTT NL NL
T. Roraas Norwegian Telecommunication Regulatory Authority N
C. Rossi FTI I
R.A. Rueppel R3 Security Engineering AG CH
G. Ruggiu Bertin F
G. Rumi ETNOTEAM SpA Italy
M. Salmon Thomson CSF F
E.H. Schäfer Deutsche Telecom D
I. Schaumüller-Bichl Genesis GmbH A
T. Schoeller BSI D
G. Shuringa Radobank NL
H. Siebert IBM Deutschland D
F. Simoes European Parliament
R. Slegtenhorst Organisation and Technology Research NV B
S. Smith EDS B B
J. Sneep COSSO NL
H. Strack EISS D
W. Suchun FUNDP B
M. Tuset E
R. Urry Digital Equipment Corp. B
I. Uttridge Logica Defence & Civil Government Ltd. UK
P. van Dijken Shell International Petroleum NL
P.W.J. van Dok Cooperative Centrale Raiffeisen-Boerenleenbank B.A. NL
H. van Dorp Bazis Foundation NL
W. van Gils Intercai NL
M. van Lith KPMG EDP Auditors NL
N. van Zuuren Prodata Systems B
A. Veller Cullen International B
A. Verrijn-Stuart Leiden University NL
L. Voorham CEC Security Office
H. Weerd Coopers & Lybrand NL
W. Whitehurst IBM Corporation USA
K. Wiessing The Dutch Government Centre for Information Security NL
G. Williams ACT/BIS Information Systems Ltd. UK
D. Willis DTI UK
S. Winkelmann Hochschule für Technik u. Wirtschaft D
H. Wirth Auswärtiges Amt D
1. Introduction
Individual, corporate and national wealth expresses itself increasingly
in the form of information. The growth and performance of an estimated
2/3 of the economy relies on manufacturing or services heavily
dependent on information technology, telecommunications and
broadcasting, and therefore depends critically on the accuracy,
security and trustworthiness of information. This is of as great
importance and interest for individuals as for commerce, industry and
public administrations. Correspondingly, the protection of information
in all its aspects, here referred to as Information Security, has
become a central policy issue and a major concern world-wide.
The Council Decision of March 31, 1992 in the field of security of
information systems recognises this situation and calls for the
"development of strategies to enable the free movement of information
within the single market while ensuring the security of the use of
information systems throughout the Community".
A consistent approach at European level could help to promote the
interoperability of systems, lower existing barriers and avoid the
formation of new ones between the individual Member States and with
other countries. Therefore, there is an urgent need to address
requirements and options for action in the field of security of
information systems at national, Community and international level in
close collaboration with sector actors and national governments. Any
action must take into account both national and international
commercial, legal and technical developments.
The key issue is to provide effective and practical security for
information held in an electronic form to the general users, the
business community and administrations without compromising the
interests of the public at large.
Since information security is involved in the protection not just of
property and people, but even of society itself, Member States regard
it as a topic which, like defence, touches on national sovereignty.
2. Scope
Security is a pervasive subject that arises whenever information is
being used in private, business and public life. The scope of the
subject and a clear distinction between its different dimensions
need to be kept in mind throughout. The diagram below provides a
statement of the scope in an aggregate form.
The core of the document is describing issues and the resulting
requirements for action. It was felt necessary to state the problems
clearly and concisely before attempting to define solutions. In this
sense, the document, in its present form, represents a rather
comprehensive analysis of the problems, without being a work
programme. The requirements for actions are stated in a general form,
without implying any particular organisational responsibility. These
issues are grouped under the following headings:
• General issues. Here some of the basic issues relating to the
security of information systems are described. These place security
into a fast evolving world economy and state issues like rights and
obligations, human rights, openness and protection.
• Demand related issues. Issues under this section are
concerned with requirements, security objectives, Codes of Practice,
and the needs for digital signature and privacy enhanced
communications.
• Supply related issues. Under this heading, issues are
identified which arise when meeting the demand for security and include
security services, Trusted Third Parties, evaluation and R&D.
• Rights, responsibilities and liabilities issues. Under this
heading issues relating to the consequences of security breaches are
dealt with. These include civil law and insurance.
The measures one can consider addressing the issues identified are
aggregated in a separate section. This presentation is used to
accentuate the profile of issues which can be addressed by the same
kind of measures.
The diagram below depicts this structure.
3. General issues
3.1. Globalisation of the economy
Issue
The internationalisation, diversification, pluralisation and
popularisation of the use of communications and information systems.
Discussion
The unprecedented increase in mobility and the provision of global
communications has resulted in manufacturing, trade and leisure
activities extending world-wide. Distributed manufacturing, publishing,
and financial operations form the backbone of the modern economic
system. Travelling and communications for business or pleasure are
commonplace. This is being supported, and sometimes driven, by a
spectacular development in the field of communications and by the
proliferation of affordable and easy to use information systems. In the
last decade the cost-performance of long-distance transmission has
improved by 5 orders of magnitude. This change is providing the basis
for a rapid diversification of world-wide services customised to
provide access to a full range of information services and utilities
wherever and whenever required. Terrestrial, satellite and mobile
networks provide the physical infrastructure and an unrestrained number
of service applications provide the customised applications.
The nature and scope of provision of Information Security in this new
world of open, multi-service and multi-media communications with a
multitude of alternatives to routing, management and access has
profoundly changed the requirements and options for Information
Security (IS).
Flexibility of access, openness of the network and the service
environment have to be balanced against the requirement of
accountability of the user and the service provider and the protection
of possible third parties involved. Associated with this is a new
network of responsibilities and liabilities.
Requirements
• Revision of the scope and approach to information security to
reflect the new conditions, challenges and requirements brought about
by globalisation
• adaptation of the respective policies and regulations
• clearly defined conventions on the expectations,
responsibilities, duties and liabilities, related to levels of
security, harm, and good practices.
3.2. Internal Market
Issue
Alignment of the national conditions relating to Information Security
with the requirements of the functioning of the Internal Market.
Discussion
The Internal Market, as adopted in the "Single Act", provides for the
"four freedoms" within the Community, ie free movement of goods,
capital, services and people. The legislation of Member States provides
for the internal needs for information security; however, the
requirements in the case of trans-European communications remain to be
addressed. Inconsistent or incomplete provisions of information
security and safety represent a technical obstacle to the working of
the Internal Market.
The measures taken to establish confidence in systems should not
adversely affect the flow of goods and services. Standardisation,
certification, mutual recognition and administrative procedures should
provide for the unobstructed working of the Internal Market. This
requires standards that are valid but not overly restrictive on
technological solutions, certification regimes that recognise the
international aspects of many of the markets (eg in avionics, motor
vehicles), the costs of certification, and the likely acceptance by the
market of any certification regimes put in place.
Beyond the technical aspects, the administration of information
security needs to reflect the realities of the needs of the Internal
Market. Services are to be increasingly provided on the principle of
"one-stop" and "pay-per-use". Information security, as an integral
part of services, needs to be provided in a seamless manner throughout
the Community and support EC actors in their business world-wide.
Related are the issues of liability and insurance. The impact of
different states' legal systems and the associated liability issues
needs to be understood.
Requirements
• Adaptation of the existing provisions with respect to their
conformance to the Internal Market policy of the EC, implying the
removal of existing internal barriers and the avoidance of new
technical barriers arising from divergent application of security and
safety rules, regulations and legislation
• provision to business and the public of solutions available
throughout the Community and preferably at the international level,
respecting the "one-stop" and "pay-per-use" principles
• consistent deployment of standards and certification where
critical for the working of the Internal Market
• certification and standards that reflect the needs of the
different market segments.
3.3. Human Rights and the Protection of Communications
Issue
To reconcile the human right to privacy and the obligations of law
enforcement to protect public order.
Discussion
Privacy and the protection of private information is considered one of
the fundamental human rights of individuals and is protected to varying
degrees in Member States. The European Convention on Human Rights
states "Everyone has the right to respect for his private and family
life, his home and his correspondence". Individuals have the legitimate
expectation that this right is respected and that solutions are made
available to them that ensure the safeguard of this right. This applies
to conversation in the home and, to a lesser degree, when
telecommunications are being used. However, prevailing national
solutions do not, at present, provide for trans-European services and
communications, and this gap can be exploited, inter alia, by organised
crime. With the rapid growth and diversification of communication
services, the rights and duties of individuals and law enforcement are
being reviewed and redefined, eg FBI-supported legislation and the
proposal of the US government to provide US business and citizens with
cryptographic devices including explicit provision for interception by
law enforcement agencies.
As the safety and security of the individual provided by the process of
law and order is also related to human rights, reconciling these
objectives represents a delicate political issue.
The diagram below gives an overview of international, Community and
national responsibilities for different application categories.
Requirements
• Common approach defining rights, responsibilities and duties of
individuals, business and the authorities.
3.4. Social Acceptance of Identification and Authentication Methods
Issue
To reconcile the human right to privacy and protection with the use of
identification and authentication methods for access control,
authentication and accountability.
Discussion
The use of biometric methods and smart cards is technically feasible
and becoming more economically feasible as a technique for
identification and access control.
Biometric methods rely on a system of machine recognition of a set
of personal characteristics to verify the identity of an authorised
user in order to allow access to some physical environment. Such
personal characteristics include hand-written signatures, fingerprints,
voice prints, machine phrenology, lip prints, response of the skeleton
to a physical stimulus, hand geometry and retinal patterns.
Many other personal characteristics and recognition techniques are
being investigated by researchers. Some of these affect the human
right to privacy more than others, and some are socially unacceptable.
As an example, the retinal blood-vessel pattern of a human eye (retinal
vasculature) is highly characteristic of the individual. A typical
system might work as follows. The individual is required to look into
an optical device and, through a process of optical adjustment, fixate
on a crosswire, whereby the recognition machine locates the fovea of
the individual and, scanning with a low-intensity infra-red beam,
detects the nodes and branches of the retinal pattern falling within
the scanned area. The measured pattern is compared with the stored
pattern of the individual and access is granted or denied depending on
the result of the comparison. This method of machine recognition may or
may not be considered socially acceptable, on grounds of hygiene,
because of the type of information being stored about the individual
(a record may be built up which reveals other information relating to
a person's state of health), or because of the general problem of
protecting medically relevant information.
There are systems under trial for the recognition of human profiles, eg
the human face. Again, these systems may not in general be socially
acceptable, and the issue of privacy and human rights may come into
play. The use of voice-prints has been introduced in Australia and
does not require the consent of the persons concerned; it is used to
scan calls for individuals.
In addition to biometric controls, the role of smart cards
containing megabytes of personal data may potentially represent an
issue. Even a magnetic stripe on a passport or national identity card
may contain around 200 characters of information. Security and privacy
controls should reflect national conventions and practices. Smart
identity cards and national identification numbers may serve as
conduits to greater amounts of personal data contained in databases.
Member States treat such technology differently. As identity cards and
passports move to machine-readable embedded chips and magnetic/optical
stripes respectively, privacy and security controls must be
incorporated to prevent abuse of the personal data they hold.
Progress in bio-technology raises new questions as to the definition of
privacy, the rights of the individual over information relating to his
person, and the assurances required for its use. Information relating
to genetic defects is of obvious sensitivity and implies corresponding
measures for protection. Work may need to be undertaken to draw a
clear line between what is biometric and what is medical. At the
present time there is low confidence among the general public in the
honesty of commerce or government in the field of bio-technology.
Requirements
• Clarification of the ownership and privacy issues related to the
use of biometric data
• agreed classification of biometric data and of the conditions
requiring secure handling of such data
• definition of the rights and responsibilities of individuals,
business users, corporations and administrations using biometric
techniques.
3.5. Human Rights and the Safety of Systems
Issue
To reconcile the human right to expect the supply of goods and
services that are not life-threatening with the vendor's commercial
need to supply goods and services that exploit information systems in
safety-critical functions.
Discussion
Safety-critical systems differ from security-critical ones in that, if
they fail, death or serious injury to people may result. The law treats
the liability of suppliers in this situation differently from that
where information is lost or property damaged: suppliers are held
strictly liable. Codes of practice for the development of
safety-critical systems exist in order to reduce the chance of failure,
and design techniques are invoked to analyse all possible hazards.
Nevertheless, risks remain.
At a Community level, harmonisation of such codes of practice and
design techniques would enable citizens to rely on a consistent level
of safety in any Member State, and it would reduce the costs of
development of codes of practice and design techniques in each country.
Community-wide procurement would be facilitated, as would the
development of safety critical systems by Community-wide consortia.
Requirements
• Community-wide standard for design practices and codes of
conduct
• harmonised legal environment for vendors and users of
safety-critical systems.
3.6. Confidence in Communication Systems and Services
Issue
To establish confidence in communication services and systems for all
the parties involved (users, public, service providers etc.). This
includes confidence in the general ability of the technology as well as
confidence in specific solutions and the way they are managed.
Discussion
Confidence in the security and safety of communication services and
systems is a basic requirement if regulators are to discharge their
duties, if service providers and vendors are to be able to operate in
the communication market, and if consumers and users are to benefit
from the technologies. In considering confidence we need to address it
not only from an idealised, objective viewpoint but also taking into
account the behaviour of users, their perception of risks and the
volatility of that perception. It might take only one incident to
undermine user confidence, with substantial financial and political
repercussions, eg reluctance to use air travel, or rejection of certain
makes of car.
Confidence is therefore a key notion. It is achieved through the
integration of disparate sources of evidence from the process used to
develop the system, properties of the system as revealed by analysis
and testing, and through experience with the particular systems and
other similar ones. The confidence in a service or system should be
rigorously and scientifically based: the confidence should not be
misplaced. There is a need to understand this integration of evidence
and engineering judgement and to develop procedures and techniques for
it.
An important contributor to confidence is experience with the system
under consideration and with similar systems. While many suspect that
software and design errors are important factors undermining confidence
in systems, this is normally supported by anecdote rather than by
statistically significant evidence. There is a need to establish what
dependability is being achieved in practice, the relative importance of
different parts of the computer systems, and how dependable computer
systems compare with other components in the wider system.
Mechanisms should be put in place for feeding this data back into the
development of systems and for providing early warning of problems
before they develop into incidents. Ideally, experience with systems
should be related back to the techniques and procedures used to
develop them.
There is also the issue of how confidence in a service or system can be
expressed and communicated.
While independent, diverse viewpoints are undoubtedly important in the
verification and validation of systems and in motivating vendors and
service providers, the question of whether these practices need to be
codified into formal requirements for third-party evaluation and
certification needs careful consideration and evaluation of the costs,
risks and benefits. The alternatives of self-evaluation, vendor
declarations and of using other mechanisms such as liability and the
insurance market may be more appropriate.
Linked to the concept of confidence is the need to anticipate whether a
system could potentially meet the requirements, and to prevent the
development of unassurable systems. It may be possible to develop
simple rules (eg the notion of claim limits used in parts of the
nuclear industry to disallow claims of reliability better than 10^-5
failures per demand for a single system) that delimit what is
assurable without restricting innovation unduly.
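The claim-limit idea can be made concrete with a short calculation, added here as an illustration that is not part of the original draft. Treat each demand on the system as an independent trial with failure probability p. The chance of observing n failure-free demands is then (1-p)^n, so to support a claim that p is below some threshold p_0 at confidence level 1-α from failure-free testing alone one needs

$$(1-p_0)^n \le \alpha \quad\Longrightarrow\quad n \ge \frac{\ln \alpha}{\ln(1-p_0)} \approx \frac{-\ln \alpha}{p_0}.$$

With α = 0.05 this gives n ≈ 3/p_0: about 3 × 10^5 failure-free demands for a claim of 10^-5 failures per demand, but about 3 × 10^9 for a claim of 10^-9. The first is within reach of a realistic test programme; the second is not, so any such claim would rest on process evidence and engineering judgement rather than on test statistics. A claim limit of the kind quoted above draws the line at the point where test evidence can still underwrite the claim.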
Requirements
• Real-time indication for the user of the trustworthiness of a
service or system
• feedback mechanisms for security and safety related incidents
involving communications
• independent assessment of the levels of trustworthiness being
achieved
• investigation of the reasons why the security and safety of
systems are compromised
• understanding of the relative importance of the different
system components and of the components of the wider system and usage
context
• methods/frameworks for evidence reporting
• role (costs, benefits) of certification in providing confidence
and communicating this in the market place
• establishment of agreed claim limits to establish
assurability.
3.7. Management of Openness and Protection
Issue
Openness and protection are partially contradictory user requirements,
which need to be reconciled depending on the specific circumstances.
The user must be able to define the security controls based on need,
consistent with national, international and regulatory constraints.
These controls need to be managed in a way that provides protection in
an open environment without unduly impeding the functioning of the
service or its usage.
Discussion
In considering management, one must introduce the concept of a user of
an Information System, and the role that they perform in using that
system. At any time the user of an Information System will be
performing a role, which could be one of: system owner, administrator,
auditor, investigator, data provider, or user. It is quite possible for
the requirements of these roles to be logically in conflict with each
other. Openness of access may be in conflict with protection from
general availability. There may also be national, international or
regulatory constraints which impose role requirements beyond those
needed to satisfy the operational use of the Information System. An
open environment must be provided with controls that are capable of
providing protection without technical limitations.
A single, isolated computer may be effectively protected, as far as
confidentiality is concerned, against threats from outside by physical
separation and human administration. This does not apply in the context
of telematics. Telecommunications and telematics applications are
increasingly being designed for maximum openness and inter-operability
since the utility of ITT&B-based services and applications depends
largely on the possibility of users world-wide being able to freely
inter-operate over communication links. Major international efforts are
underway to establish standards permitting this, in particular through
Open System Interconnection (OSI), Open Distributed Processing
(ODP) and Open Network Provision (ONP).
The acceptance and use of telematics services depends on meeting the
justifiable interests of all parties: in particular, being able to
choose trade-offs between "openness" and "protection".
In recognition of this, increasing attention is being given to the
provision of Information Security Services and Techniques.
The comparison with the way this dilemma is traditionally addressed
leads to some observations which also apply when information is handled
electronically. These include, for example
• The user/originator requires the freedom to decide the degree of
openness/protection depending on his appreciation of the requirement
or the applicable rules of conduct for the given activity.
• Profiles exist setting out the needs for both openness and
protection that have to be supported. A single-level profile will not
support the requirements of all the users involved, and there may need
to be mechanisms which allow for negotiation between profiles to
determine temporarily agreed common profiles.
• Infrastructure, services, applications and organisation have to
be adapted to provide the openness/protection.
• To the role holders, both the visibility and the transparency of
the degree of openness/protection is crucial.
• Accountability for the application of appropriate levels of
openness/protection requires objective records, which are themselves
protected.
• The management of the openness and the protection of
Information Systems requires the definition of security domains. These
correspond to the security policies which are in force for the
Information Systems in use, as modified by the constraints of the role
holders. It should be remembered that computers which are not directly
under human supervision may form part of the security domains
involved.
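One way to realise the negotiation between profiles mentioned in the list above, as an added example that is not part of the Green Book: each party states, for each security service, the lowest level of protection it insists on and the highest it can support; an activity-specific rule may impose a floor; the temporarily agreed common profile is the strongest level both sides can support wherever the ranges overlap, and a reported conflict wherever they do not. The level names, the service names, the two parties, the "payment instruction" and "price list" profiles and the regulatory floor are all constructed for the illustration.

```python
"""Negotiating a temporary common openness/protection profile.

Added example, not from the Green Book. Level names, service names,
the sample parties and the regulatory floor are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Protection levels, ordered from fully open to most protected.
LEVELS = ("none", "low", "medium", "high")


def rank(level: str) -> int:
    """Position of a level in the ordering; unknown names raise ValueError."""
    return LEVELS.index(level)


@dataclass(frozen=True)
class Range:
    """What one party accepts for a service: a floor it insists on and a
    ceiling it is able (or, for deliberate openness, willing) to support."""
    minimum: str
    maximum: str

    def __post_init__(self) -> None:
        if rank(self.minimum) > rank(self.maximum):
            raise ValueError(f"minimum {self.minimum} above maximum {self.maximum}")


# A profile maps each security service to the range the party accepts.
Profile = dict[str, Range]


@dataclass
class Outcome:
    agreed: dict[str, str] = field(default_factory=dict)
    # service -> (strongest floor demanded, weakest ceiling offered)
    conflicts: dict[str, tuple[str, str]] = field(default_factory=dict)

    @property
    def ok(self) -> bool:
        return not self.conflicts


def negotiate(a: Profile, b: Profile, rules: dict[str, str] | None = None) -> Outcome:
    """Intersect two profiles, apply any rule-imposed floor, and pick the
    strongest level both sides can support for each service.

    A service one party does not mention is treated as "none..none": that
    party neither needs nor supports it, so the other party's floor must
    be "none" for the service to be agreed at all."""
    rules = rules or {}
    absent = Range("none", "none")
    outcome = Outcome()
    for service in sorted(set(a) | set(b) | set(rules)):
        ra, rb = a.get(service, absent), b.get(service, absent)
        floor = max(rank(ra.minimum), rank(rb.minimum), rank(rules.get(service, "none")))
        ceiling = min(rank(ra.maximum), rank(rb.maximum))
        if floor > ceiling:
            outcome.conflicts[service] = (LEVELS[floor], LEVELS[ceiling])
        else:
            outcome.agreed[service] = LEVELS[ceiling]
    return outcome


# Constructed sample: a bank sending a payment instruction to a merchant.
BANK: Profile = {
    "confidentiality": Range("medium", "high"),
    "integrity": Range("high", "high"),
    "origin_authentication": Range("high", "high"),
    "non_repudiation": Range("medium", "high"),
}
MERCHANT_TERMINAL: Profile = {
    "confidentiality": Range("low", "high"),
    "integrity": Range("medium", "high"),
    "origin_authentication": Range("low", "high"),
    "non_repudiation": Range("none", "medium"),  # cheap terminal, no high-grade signing
}
PAYMENT_RULES = {"non_repudiation": "medium"}  # hypothetical regulatory floor

# Constructed sample: the same bank publishing an open price list.
PRICE_LIST: Profile = {
    "confidentiality": Range("none", "none"),  # deliberately open
    "integrity": Range("medium", "high"),
    "origin_authentication": Range("none", "high"),
}


def payment_outcome() -> Outcome:
    return negotiate(BANK, MERCHANT_TERMINAL, PAYMENT_RULES)


def price_list_outcome() -> Outcome:
    return negotiate(PRICE_LIST, MERCHANT_TERMINAL)


if __name__ == "__main__":
    for name, out in (("payment", payment_outcome()), ("price list", price_list_outcome())):
        print(name, "agreed:", out.agreed, "conflicts:", out.conflicts)
```

Two design choices follow the observations above. Choosing the ceiling rather than the floor makes the default protective; openness is expressed by the originator lowering its own ceiling, as the price-list profile does, which is the user's freedom to decide the degree of openness. Conflicts are reported rather than silently resolved, so that the role holders can see exactly which service and which party blocks agreement (the merchant terminal insisting on at least "low" confidentiality for a document the bank wants fully open) instead of discovering it from a failed or, worse, silently downgraded exchange.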
The development of a generic framework for the management of open and
protected communications in a user/business oriented environment must
include:
1. Reinforcement of the options to define security domains
Terminal users, servers and other computer-based resources link into
business processes to form information domains which require
corresponding security domains. Such facilities must not only promote
the correct degree of openness, but must also provide filters against
unauthorised access. This needs to be possible not only at one site, eg
in LAN-based applications, but also via MANs and other communication
links. The definition and management of such security domains needs to
be possible either from within the user group or provided by a trusted
third party. Virtual Private Networks have some of the features, but
these would also need to be available in the context of public
network-based applications.
2. User interface for the management of openness/protection
Normal usage requires the ability to communicate either with specific
correspondents, a select group, an open group or indiscriminately, the
choice being determined by the nature of the information, its function
and the applicable rules. The user interface needs to cater for this,
as do the underlying services and applications.
3. Objective records and procedures for the accounting of
open/protected transactions
Processes must be available that provide non-refutable evidence of the
origin of, and delivery of, information to all involved partners.
Requirements
• Generic framework for the management of open and protected
communications in a user/business-oriented environment:
- definition of agreed security domains
- user interface for the management of openness/protection
- objective records and procedures for the accounting of
open/protected transactions
3.8. Common Concerns of Commercial and National Security
Issue
Information Security is a common concern of business, administrations,
citizens, law enforcement and defence.
Discussion
Though not to the same degree, commercial and personal information
security shares many aspects with defence and other classified
governmental affairs. This provides an opportunity for commercial and
personal applications to build on experience and expertise from the
defence and classified government area.
The reverse is also true. As commercial security advances and becomes
available on a large scale, governments and defence organisations may
wish to take this body of experience into account. In addition,
governments themselves are, of course, in need of adequate protection
of their non-classified information and will wish to make use of public
services of this kind.
Requirements
• Common requirements of business, citizens and authorities to
adequately protect commercial and personal information and its
communication.
3.9. Security and Law Enforcement on an International Scale
Issue
Crime is exploiting weak information security to further its ends.
Strong information privacy may also be used to escape investigation by
law enforcement.
Discussion
Crime, and here organised crime and terrorism in particular, relies on
weak information security to prepare and execute its operations. As
quite powerful means of information security have been published and
are freely available, their increased use in protecting such
operations is perceived as a growing problem. Public authorities have
in the past used legal and regulatory powers to restrict the use and
dissemination of the related technologies. With the growing
availability of computing power and open networks, this approach is
becoming less effective, as organised crime, unlike the legitimate
user, feels free to use products that are not authorised. The overall
result is that business is seriously constrained in meeting its
security requirements, particularly in international communications
and in its relations with other organisations. If business requires
the legal and regulatory authorities to relinquish total control over
these security-related technologies, business has a "duty of care" to
manage and control their use for its commercial and business purposes,
including the policing and auditing of management environments.
Correspondingly, authorities maintaining control carry the
responsibility for the potential damage to business, individuals and
the economy at large.
Privacy and security are affected by the growth in interconnected law
enforcement/criminal information systems. There is an increasing
availability of criminal and law enforcement information from a variety
of national databases (eg the United Kingdom's Police National Computer
2 - PNC2; Germany's INPOL; France's Fichier des personnes recherchées -
FPR; the United States' National Crime Information Center - NCIC;
Canada's Canadian Police Information Centre - CPIC; and Australia's Law
Enforcement Access Network - LEAN) and international databases (eg the
Schengen Information System, INTERPOL's X.400 distributed database
network and the EUROPOL/Trevi Information System). Incorrect
information can lead to false arrests and a general denial of civil
liberties. Non-vetted information can result in individuals being
arrested and/or investigated for spurious and non-criminal reasons
such as political, trade unionist and religious activities.
Requirements
• Effective, internationally agreed, economic, ethical and usable
solutions to meet business, administration and personal needs
• mechanisms for authorised interception for law enforcement
• reporting of incidents and crimes adjusted to the conditions of
the Internal Market
• equipment, software and an infrastructure of trusted third
parties.
3.10. Economics of the Security of Information Systems
Issue
The use of information security impacts on costs, performance
and availability. It may also be used to achieve a competitive
advantage.
Discussion
The cost of security is an integral part of the cost of ownership of an
information system, since without security the user's system is at
risk. The cost of protection against breaches of security needs to be
commensurate with the costs (both direct and indirect) that may be
incurred from a breach of security. A security breach may have
short-term (and perhaps localised) implications such as loss of sales
and revenue, fraud or theft. It may also have longer-term (and wider)
impacts on business communities through loss of confidence and
consequential loss of business.
The costs of detection, resistance and recovery can be both tangible
and high, and although there are techniques available to quantify risks
there are no generally applicable methods for estimating the potential
costs arising for example from denial of service or loss of integrity.
The provision of security measures may also make systems harder to use
and may constrain overall performance. However, where the security risk
is high enough to cause an unacceptable level of compromise, leading to
considerable commercial and financial loss, security measures must be
given a high priority commensurate with the nature and value of the
business in question.
If information security is too expensive, clumsy, not effective in the
context of actual usage or not available in time its use is avoided and
high risks are taken until something drastic happens. The issue for
information security is therefore, not only to be effective but also to
address other requirements which impact the acceptability and
application of information security.
In particular, countermeasures may have to be put in place that
meet specific regulatory or legislative requirements, with associated
mandatory assurance needs.
To a business, securing information can be thought of as being like an
insurance policy - the cost of protection must be balanced against the
likely consequences of the perceived threat occurring. This cost is
made up of a number of elements, including:
• the life-cycle costs of implementing the countermeasures, in
relation to the likely and worst cases
• impact on business performance
• liability of management for incidents and the relationship with
customer confidence
• legal costs.
An important experience from the past two years shows that, in
commercial applications, the aspects of cost and ease of use are
critical for the introduction of information security. For this reason
a number of enterprises, including many Governments, are looking to
procure Commercial Off The Shelf (COTS) security products to meet
their needs, rather than developing bespoke systems.
The unit cost of security is affected by market volume. Market volume
is unlikely to be achieved without commoditisation of security products
to the point where they are part of the IT infrastructure rather than a
separate cost factor (on cars, ABS was expensive until it became
generally fitted).
High volume and commoditisation can be achieved by:
• the provision of a common architecture and security building
blocks which can be used across the widest possible community so that
low prices can be achieved
• development of world-wide standards for secure systems
• raising awareness of security risks in order to stimulate
demand
• common or mutually recognised security evaluations world-wide
• vendor self-certification, with appropriate liabilities
• agreed protection levels with corresponding sets of protection
measures (to focus products onto common needs). Current work on
baseline controls could provide a basis for an agreed minimum
protection level. Other protection levels may be needed for more
sensitive or critical information
• separate security evaluation criteria and methods may need to
be developed to allow low-price, low-assurance assessments to be
carried out.
Requirements
• "IS-to-cost" techniques for business and private users
• incorporation of good information security design practice in
the development of products and services
• definition of information security as a business and marketing
factor
• identification of acceptance levels for insurers, regulators
and the commercial courts
• specification of the duties and responsibilities of parties to
the use of information systems and their security requirements
• security architecture and "building blocks" specifications and
standards, with a view to minimising the cost of providing commonly
needed levels of security.
3.11. Social Recognition of Information Crime
Issue
Negligence, ignorance and recklessness are some of the causes of
many security breaches and create the opportunity for information
crimes.
Discussion
Information security breaches, like failures to observe safety rules,
can in many instances be attributed to a lack of care or ignorance.
This is compounded by the fact that the loss of immaterial goods, for
example information, is not considered as serious as the loss of
material goods. This is due in part to the fact that electronically
stored information can be reproduced at close to zero costs without the
loss of the original. Stealing information is therefore often
considered as a gain for the thief without a loss to the owner. It is
perceived by many to be a game rather than a real problem because
people are unable to relate the electronic world to the real one. This
has the double effect of inciting negligence by the owner of the
information and little concern for the illegal acquisition of
information. Because of the widely practised back-up of information
resources, this applies even to the intentional or accidental
destruction of information.
There is much work in establishing and reinforcing "ethical
principles" as applied to specific actions of information ownership,
creation, dissemination, etc. These need to be related to sector
actors, their control perspective and the assets over which they
exercise either explicit or implicit authority. This needs to be
related to codes of practice and conduct, legislation and regulation to
establish the extent to which protection is dependent upon a formal or
informal control environment or can rely on the enhancement of ethical
and professional standards. Changes in programming techniques have
made it possible for non-IT professionals to carry out programming and
systems analysis. In many smaller enterprises such work would often be
done by non-IT professionals.
Two examples of computer crime illustrate the diversity of situations
which may arise:
Example 1
In a German company (belonging to the "Association for Security") a
programmer, dissatisfied with his salary, caused damage by means of a
specially written program. This program modified the data in a
database by randomly controlled write operations. The program was
intricately hidden among other program parts. Over two years the
database became more and more defective and damaged. The costs of the
damage and of reconstructing the database were about 500 000 ECU.
Example 2
In an office of the German Government a large computer system,
comprising various storage devices and terminals, was installed.
Suddenly the execution times and response times became much longer
than expected. After a difficult investigation it turned out that a
programmer, who together with his wife had founded a mail-order shop
for photographic equipment, had been doing the complete accounting,
mailing, etc. for his shop on the computer in a hidden area. He had
camouflaged or suppressed the logging of this program. He caused
damage of about 100 000 ECU.
Requirements
• Education and training on the information security requirements
and concepts needed to operate in a secure manner in the Information
Age
• clarification of "Info-Ethics" for the professional and
individual user in its relationship to information security
• clarification of the responsibilities of the sector actors in
general and in their relations with each other, with particular
reference to open and distributed applications.
3.12. Human Factors
Issue
Human interference with information systems constitutes the biggest
risk factor to security and the most difficult to address.
Discussion
The largest potential threat to IT systems arises from the people
involved in them, be they designers, programmers, operators or users;
and more security breaches are caused by human error, often by
well-intentioned people, than by any other cause.
Apart from providing "fool-proof" systems and services, there is thus
a need for organisations to give due consideration to the non-technical
techniques which they should consider to meet this threat. Such
techniques could come under the heading of personnel policies and
procedures applied to users: positive vetting, removal on notice,
monitoring changes in lifestyle, avoidance of collusion, job
organisation, contracts of employment, etc., and the role of good
supervision.
Allied to this is the need to emphasise that controls in a system must
relate not only to the technical mechanisms but to the system overall,
including the clerical and manual workforce. And, of course, they must
relate to the overall objectives of the organisation.
"Security is an attitude of mind, practice and discipline."
Requirements
• Adjustment of personnel management practices and organisational
procedures to reduce vulnerability to the actions of staff and
other people
• greater use of non-technical management controls.
3.13. Safety Critical Environments
Issue
Protection of information in safety-critical environments.
Discussion
Safety and security have a common technological basis, but differ in
their objective. In complex systems there is in many cases a duality
of objectives. Safe systems need also to be secure. The reverse is not
necessarily the case.
Safety is defined in terms of hazards and risk. A hazard is a set of
conditions (a state) that can lead to an accident, given certain
environmental conditions. The analysis of the safety environment
involves identifying the hazards within a safety critical environment
and then either verifying that hazardous states cannot be reached or
that the risk is acceptable. Risk is defined as a function of the
probability of a hazard occurring, the probability that the hazard will
lead to an accident, and the worst potential loss associated with such
an accident. Risk can be diminished by reducing any or all of these
factors, and there are safety engineering techniques that focus on
each.
There is increasing use of information systems in areas of
application that are considered part of a safety critical
environment, for example healthcare (eg medical databases), air
traffic control, transportation of hazardous and dangerous goods,
industrial processes, etc. The increased reliance on electronic
information in these areas, specifically for the control and
management of safety, has resulted in an increased need for the
protection of the information systems supplying such information. The
protection of information systems used in safety critical
environments is therefore a factor to be addressed when considering
hazards and associated risks in such environments.
Consideration needs to be given to the common requirement of security
and safety, common methods for analysing the threats, vulnerabilities
and hazards, and the role of security evaluation for safety-critical
systems.
Requirements
• Common approach to the handling of security and safety critical
requirements
• methodologies for threat, vulnerability and hazard analysis for
the protection of information systems used in safety-critical
environments
• methodologies for the design, development and procurement of
safety critical systems, covering project management, development
environment, auditing of process, configuration management and change
control
• common approach to security evaluation of information systems
in safety-critical environments
• common approach to information systems recovery in safety
critical environments.
3.14. Embedding Systems
Issue
There is a marked trend to embed information systems in other products.
This raises particular security and safety issues.
Discussion
Increasing use of computers and information processing is occurring in
a manner that incorporates information/computers into other products to
make those products more usable, flexible, etc. These embedded systems,
that are usually hidden from the user, depend upon the accuracy of the
programs they contain and the information inputs/outputs to preserve
the usefulness of the products in which they are placed. Failure of the
processor or corruption of the programs or information contained may
cause failure or destruction of the device or hazard to the user.
Embedded systems are already being used in automobiles for controlling
ignition and carburettor systems or braking systems, in television sets
and VCRs, in microwave ovens, and so on. As embedded systems
proliferate they create potentials for physical hazard to users beyond
simple loss of the functionality of the devices in which they are
embedded. The potential will also exist that such embedded systems
could constitute a hazard to the well-being of bystanders or property.
Security hazards can be introduced quite unintentionally. For
flexibility reasons, suppliers of communication systems are moving
towards firmware that can be installed in the field. They may thereby
overlook the fact that such a facility may create an undefined
platform. IEEE standard 1149.1 calls for standard test access ports
and also foresees the possibility of remote diagnosis. It is therefore
possible to extract data flowing between the components on a printed
circuit.
To some extent, liability laws will cover product failures which create
damage to users. However, there may need to be some added means of
ensuring the reliability of embedded systems and the integrity of the
systems as they leave the factory.
Requirements
• Methods of testing that enable standards of reliability to be
ensured, including tests to destruction where appropriate
• approach for the certification of safe products
• definition of requirements for fail-safe system architectures
and implementations
• anti-tampering and protection specifications and standards
• quality label, that indicates the quality level of the embedded
system
• awareness among designers of the potential impact of innovation on
the validity of test technology.
4. Demand Related Issues
4.1. Requirements for Enterprises and Individuals
4.1.1. Agreement on Security Requirements for Enterprises
Issue
Identification of real world security requirements and objectives for
business and administration. The derivation of security requirements
from business requirements is complex and not well understood.
Discussion
The protection of information systems must include all relevant
aspects. Consideration must be given to requirements from the
viewpoint of the enterprise, taking into account corporate and
organisational plans, goals and strategies of the business or
administration. Requirements at this level can then be translated
into "Security Objectives" - why the security functionality is
required as it applies to the operation of the business or
administration environment.
There are two elements to this:
• identifying business requirements which have a security
dimension
• relating that security dimension to security objectives.
These security objectives then need to be supported by a definition
of the security functionality and related services required to
support the user/business.
The security model has not included legal, accounting or regulatory
requirements which may be imposed upon enterprises rather than forming
any integral part of the Enterprise requirements.
Given the complexity and diversity of user/enterprise requirements for
such protection it is necessary to classify the requirements in some
structured way consistent with real world business and operational
environments.
The protection of information systems needs to consider the enterprise
requirements of the “business”. These requirements not only include
functionality that is “owned” by the enterprise but must include
inter-enterprise requirements as well. It must consider the
functionality and assurance of IT building blocks, end user
applications, integration enablers (such as electronic mail), operating
systems, communication services and protocols, and basic hardware and
software platforms.
The balance of functionality (what it does) and assurance (how well it
does it), both generic and application specific, will determine the
extent to which electronic information systems are accepted as an
integral part of both the public and corporate IT infrastructure to
underpin business actions.
The prime requirement for any secure system must be a set of
architectural principles that can be effectively translated into an
overall design framework. Secure systems must be created at different
“grades of assurance” from a set of policies, standards and
procedures.
Specific security requirements relating to open systems will come from
a threat assessment and risk analysis which will form part of the
overall system security policy process.
The cost of security is an integral part of the cost of ownership of
an IT system: without security the user’s system is at risk. The cost
of protection against breaches of security needs to be commensurate
with the costs (both direct and indirect) that may be incurred from a
breach in security. A security breach may have short term (and
perhaps, localised) implications such as loss of sales and revenue or
fraud. It may also have longer term (and wider) impacts on business
communities through loss of confidence and consequential loss of
business.
The cost of detection, resistance and recovery can be tangible and
high, and although there are techniques available to quantify risks
there are no generally applicable methods for estimating the potential
costs arising for example from denial of service or loss of integrity.
The provision of security measures may also make a system harder to
use and may constrain overall performance. However, where the security risk is
high enough to cause an unacceptable level of compromise, leading to
considerable commercial and financial loss, then security measures must
be given high priority commensurate with the nature and value of the
business in question. Sectoral requirements vary widely, as do
requirements by size of enterprise within a sector. Sectoral
requirements may be varied by regulation, bilateral international
agreements, general trading agreements or conventions.
Increased demand for electronic trading from all kinds of
businesses, both public and private sector, will place requirements for
security on the communal service infrastructure that provides the
capability for such business activities. The regulatory and legal
environment within which such service organisations work will become a
factor for economic growth in the community, and security of service
provision an element of such services.
Requirements
• Taxonomy and directory of user requirements and security
objectives derived from experience with practical applications.
4.1.2. Security Administration
Issue
Security administration operates within the overall management. It
should not compromise its mission.
Discussion
Security administration is an indispensable function for the normal
working of any organisation and falls within the "control" aspect of
management's activities.
The function's objectives will be to ensure the existence and
maintenance of security of:
• hardware, firmware, software
• personnel
• communications and networks
• physical environment.
It will also be concerned with disaster recovery and contingency
planning, compliance with legislation such as data protection and
privacy laws, and maintaining auditability. Corporate governance
issues are now starting to require directors of listed companies in
the UK to state publicly whether they consider that their companies'
system of internal control has been working, and this specifically
includes information security considerations.
Security administration represents a non-negligible cost factor in an
enterprise. It may also unduly restrict personnel in doing their job.
Therefore, security administration and management needs must be
reconciled.
Personnel in the security administration function need not only to have
adequate awareness, information and training in order to recognise
threats and vulnerabilities and to be aware of appropriate
counter-measures, but also to understand the enterprise’s mission.
Management is responsible for reviewing audit reports and taking
corrective action where necessary. Audit is responsible for ensuring
that security technology has been implemented in accordance with the
organisation's security policy.
Specific items to be considered under this area also include control
over safety critical and process control information, security logs,
and the need for real-time alarms to detect intruders, where
appropriate. It is important to be realistic about controls and not
to overlook simple matters such as the possibility of passwords being
sold.
Requirements
• Guidelines for establishment of security administration
function
• recommendation on moving towards commonality of laws on data
privacy and protection, particularly relating to individuals
• means to provide increased awareness and relevant education and
training
• guidelines for consideration of balanced security, taking
account of level of risk in different areas (physical, personnel,
hardware, software, data, etc).
4.1.3. Security Objectives for Enterprises
Issue
Definition of Security Objectives for enterprises.
Discussion
A security objective is a description of what security the enterprise
is trying to achieve, ie why this security control/function is wanted.
It is a mission statement of the user/enterprise which describes why an
aspect of security is needed. It is a user/business target or purpose
to which security is being addressed. For example, consider the subject
of data integrity and the business objective "Prevent unauthorised
modification to data". The corresponding security objective is
"Appropriate mechanisms should exist to preserve the integrity of
data". For example this may be related to data held on a medical
database, on a company financial database, in an airline reservation
system or in a geographic information system.
The organisation of security within enterprises in terms of
business control structures or in the case of some user environment (eg
legal, accounting, audit etc.) and functions (eg IT, human resources,
insurance) needs to be integrated with a set of security policies,
standards (both public and in-house), and made compliant with laws and
regulations (eg computer crime manual), guidelines and codes of
practice etc.
The process of producing a security policy may require the use of a
set of security methodologies, tools and evaluation criteria. For
example risk analysis methods, baseline controls, and evaluation
criteria (eg ITSEC, Federal Criteria etc.).
Security objectives thus encompass a set of objectives (and
possibly sub-objectives) and a set of related issues that reflect
specific points of concern, problems, questions relative to business
requirements, controls and applications.
The diagram below shows the relationship between Security objectives,
Security organisation, and Security methodologies. Laws apply to
the user environment directly. Their presence generates some of the
security objectives. Standards may be both mandatory and
discretionary, and may incorporate methodologies. The final box covers
security methods and techniques.
Requirements
• Standard techniques for drawing-up security policies for
typical situations
• methods and techniques for agreeing levels of security and
security objectives.
4.1.4. Exploiting Security and Innovation
Issue
To establish how service providers and vendors could exploit the
benefits of innovation without compromising security and safety.
Discussion
Vendors and service providers need to innovate to survive commercially.
They have a strong vested interest in ensuring that their products are
adequately secure and safe. Businesses by their very nature need to
take risks to survive and this commercial imperative for a risk taking
culture has to be reconciled with the needs for an inherently risk
averse security and safety culture in a way that is effective yet does
not stifle innovation.
There are many aspects to innovation. On the one hand there are
innovations which change the technology that is being used to
implement systems (eg from electrical or electronic to programmable).
Other innovations concern the domains of application (new forms of
command and control, remote diagnosis and maintenance, ultra-critical
applications) and others concern the technology itself. This can
either be in the technologies deployed (eg new forms of fault
tolerance, different types of open systems) or in the technologies
used to develop systems (eg code generation, novel testing regimes,
formal methods, neural nets).
These innovations are likely to continue the trend for greater
integration and internationalisation of systems, a convergence of
dependability, safety and security problems, and a blurring of the
distinction between hardware and software. Systems are likely to be
more open than in the past, to be the result of evolution, and to
make great use of components already deployed in other applications.
The safety and security concerns will change as a system evolves, and
changes in the environment of a system (eg organisational changes,
removal of other systems ensuring safety) can cause a system to evolve
into a higher level of criticality.
There is a need that the measures taken to provide confidence in
systems can cope with these innovations and that businesses have
predictable certification or regulatory costs where these are relevant.
This has a number of implications for the regulatory and certification
regimes and poses challenges to the standards making process.
Innovation can bring with it new hazards. There is a need to identify
these and either remove them via redesign, provide measures to tolerate
them or at worst, measures to mitigate their consequences.
Requirements
• Assessment methods for impacts of changes on systems
• procedural and regulatory framework needs to address
convergence of safety and security, etc (implications for standards)
• methods for identifying early on where innovations are likely
to be unacceptable from a safety perspective or will result in such
economic penalties that they are not viable commercially.
4.1.5. Sectoral Specifics
Issue
Beyond the normal requirements common to different business sectors and
user environments there may also be additional requirements and
priorities specific to the operational nature and commercial mission of
a particular business. These specific requirements can normally be
expressed in terms of codes of practice and baseline controls.
Discussion
Legal and regulatory provisions can be supported by Codes of Practice
in an attempt to achieve due care and diligence. There are those of
general application and those that are industry specific. A general
Code of Practice may be achieved by the establishment of a security
management handbook, perhaps based upon the approach taken for
achieving a Quality code of practice (ISO 9000). The application of
information security is a prerequisite for the successful conduct of
business for particular sectors, especially when these sectors are
highly interactive. The traditionally prominent among them are:
• Finance
• Trade
• Medical
• Telecommunications
• Manufacturing industry
• Process industry
• Administrations.
There may be other market led requirements, that will result in a
different security based segmentation.
Requirements
• Consolidation and development of a set of Codes of Practice and
baseline controls addressing specific business sector requirements.
4.1.6. Security Domains
Issue
Openness and protection.
Discussion
In practice, the level of information security is dynamically adapted
to a given situation. This leads to the concept of Dynamic IS
Management and the need to be able to define domains, in which
information security is applied homogeneously.
Domains are user groupings sharing some of their functions and support.
For some activities they operate as virtually closed user groups, but
have the possibility to interwork with other domains as long as certain
minimum requirements ensure no loss of trust or a transparent
downgrading.
The notion of a security domain is therefore important for two reasons.
Namely,
• it can be used to describe how security is managed and
administered, and
• it can be used as a building block in modelling security
relevant activities that involve elements under distinct security
authorities.
Examples of domain activities are:
• accesses to elements (eg a database for network management)
• a communications link
• operations relating to a specific management function
• non-repudiation operations involving a notary.
The organisation of security within enterprises in terms of business
control structures or in the case of some user environment (eg legal,
accounting, audit etc.) and functions (eg IT, human resources,
insurance) needs to be supported by a set of security policies,
standards (both public and in-house), laws and regulations (eg computer
crime manual), guidelines and codes of practice etc.
The security policy defines what is meant by security within the
domain, the rules by which security may be obtained to the satisfaction
of the security authority, and the activities to which it applies. The
security policy may also define which rules apply in relations with
other security domains in general, and in relations with particular
other security domains.
The management of inter-domain openness and protection may be different
depending on similarities in purpose, and agreements will be needed to
achieve appropriate levels of assurance. Mechanisms by which TTPs
achieve efficient, coherent management of policies, procedures and
controls between domains need development.
Requirements
• Mechanisms for management of policies, procedures and controls
between domains for TTPs
• generation of guidelines for domain creation, management and
control
• development of a common framework for domain interworking
• agreement on management, TTPs, accreditation, auditing and
relations with law enforcement agencies.
4.1.7. Security Labelling
Issue
Transfer of information among domains requires agreements on the
expression of the sensitivity of information, ie the syntax and
semantics of the associated information labels, and of the procedures
and mechanisms for handling labelled information.
Discussion
The basis for the trustworthiness of a domain and the trust between
domains is the assurance that the processes that are used to manipulate
information behave in a way that corresponds to the protection
requirements of the information in terms of confidentiality and
possession, integrity and authenticity, and availability and utility.
Labels are a method for expressing the sensitivity of information.
They can be based on different scales, like the value of information or
the impact of a security breach affecting the information.
The need for comprehensive labels has become acute because of the
increasing degree to which organisations interoperate electronically.
This has led to increased reliance on technical measures to achieve
adequate security. It is quite feasible for trusted systems to switch
on or off technical measures automatically providing that the label
adequately expresses the security requirement associated with a piece
of information. Labels could then be used to make decisions on
information routing, transmission enveloping, requirements for
confirmation and so on.
However, decisions on information routing etc. cannot be made without
user labelling, that is, some indicator of the categories of
information which can be allowed into end systems or to users.
Organisations have to agree on the range of options that do meet any
particular security requirement. Part of the solution to the handling
of labelled information lies in the development of Codes of Practice
specifying procedures and mechanisms. There is also a need for
accreditation and audit of communicating partners. The introduction of
independent third parties avoids the pairwise interactions that would
otherwise be necessary to establish trust.
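The label-driven decisions described above (whether information may be routed to an end system at all, and whether enveloping or confirmation is switched on), applied across the security domains of 4.1.6, as an added example that is not part of the Green Book. The label syntax, level names, domain names, policies and end systems are all constructed for this illustration.

```python
"""Label-driven routing decisions between security domains.

Added example (not from the Green Book): a small label syntax, a dominance
check, and per-domain policies that switch enveloping and confirmation on
or off from the label alone.  Level, domain and system names are constructed.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Ordered sensitivity scale; the names are constructed for this example."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Label:
    level: Level
    categories: frozenset  # compartments such as MEDICAL or FINANCE

    def dominates(self, other: "Label") -> bool:
        """Lattice order: level at least as high and a superset of categories."""
        return self.level >= other.level and other.categories <= self.categories


def parse_label(text: str) -> Label:
    """Parse 'LEVEL' or 'LEVEL//CAT1,CAT2'; reject levels outside the agreed vocabulary."""
    level_part, _, cat_part = text.strip().partition("//")
    try:
        level = Level[level_part.upper()]
    except KeyError:
        raise ValueError(f"unknown sensitivity level: {level_part!r}")
    cats = frozenset(c.strip().upper() for c in cat_part.split(",") if c.strip())
    return Label(level, cats)


@dataclass(frozen=True)
class DomainPolicy:
    name: str
    envelope_from: Level         # encrypt in transit at this level and above
    confirm_from: Level          # require delivery confirmation at this level and above
    accredited_peers: frozenset  # domains with which an interworking agreement exists


@dataclass(frozen=True)
class EndSystem:
    name: str
    domain: str
    clearance: Label  # "user labelling": the most sensitive information it may receive


def decide(label: Label, sender_domain: str, dest: EndSystem, policies: dict) -> dict:
    """Decide whether labelled information may be routed to `dest`, and with what measures."""
    src = policies[sender_domain]
    if dest.domain != sender_domain and dest.domain not in src.accredited_peers:
        return {"allowed": False, "reason": f"no agreement with domain {dest.domain}"}
    if not dest.clearance.dominates(label):
        cats = ",".join(sorted(label.categories)) or "-"
        return {"allowed": False,
                "reason": f"{dest.name} is not labelled to receive {label.level.name}//{cats}"}
    dst = policies[dest.domain]
    # Protective measures follow the stricter (lower threshold) of the two domain policies.
    envelope = label.level >= min(src.envelope_from, dst.envelope_from)
    confirm = label.level >= min(src.confirm_from, dst.confirm_from)
    return {"allowed": True, "envelope": envelope, "confirmation": confirm,
            "reason": "label dominated by destination clearance"}


# Constructed sample domains and end systems.
POLICIES = {
    "hospital": DomainPolicy("hospital", Level.CONFIDENTIAL, Level.RESTRICTED,
                             frozenset({"insurer"})),
    "insurer": DomainPolicy("insurer", Level.INTERNAL, Level.CONFIDENTIAL,
                            frozenset({"hospital"})),
    "newswire": DomainPolicy("newswire", Level.RESTRICTED, Level.RESTRICTED, frozenset()),
}
SYSTEMS = {
    "ward-pc": EndSystem("ward-pc", "hospital", parse_label("CONFIDENTIAL//MEDICAL")),
    "claims-db": EndSystem("claims-db", "insurer", parse_label("CONFIDENTIAL//MEDICAL,FINANCE")),
    "billing": EndSystem("billing", "insurer", parse_label("CONFIDENTIAL//FINANCE")),
    "press": EndSystem("press", "newswire", parse_label("RESTRICTED")),
}


def route(label_text: str, sender_domain: str, dest_name: str) -> dict:
    """Convenience wrapper over the constructed tables."""
    return decide(parse_label(label_text), sender_domain, SYSTEMS[dest_name], POLICIES)


if __name__ == "__main__":
    for name in SYSTEMS:
        print(name, route("CONFIDENTIAL//MEDICAL", "hospital", name))
```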
Requirements
• Guidelines for security labelling
• standard on how to express labels and on the meanings of a
basic set of security labels
• Codes of Practice and accreditation methods for domains
claiming to support standard labels, and their mutual recognition.
4.1.8. Administration of Access to Security Related Data
Issue
Support of functions for the administration of security related data.
Discussion
Management of rights is an administrative function available to both
security administrators and resource owners. While management
functions reserved to security administrators can be rather
sophisticated, functions available to resource owners have to be kept
simple and easy to use. The management of rights can be separated into
security information related to users (eg privileges, keys and/or
passwords) and security information related to resources (eg access
control lists, labels, keys). Management functions need to be
performed from the place where the administrator/resource owner is
sitting and apply to a number of remote resources. It is therefore
important that the management of access rights is done in a secure
fashion (eg using appropriate security protocols).
Requirements
• Easy to use tools for access right management and key
management
• secure solutions for remote administration
• awareness for control issues concerning security related data,
and implications of non-action.
4.1.9. Security Requirements for Individual Users
Issue
Individuals and small companies have "enterprise requirements" but
often have little opportunity to choose appropriate security protection
when dealing with large organisations (eg equipment and software
suppliers, service suppliers, banks).
Discussion
The individual user, in their role as a private citizen or as a member
of a liberal profession (eg a lawyer or medical doctor), has a natural
interest, and sometimes a legal requirement, to protect some of their
information. Unlike in the case of the enterprise, the individual user
will not normally go through a systematic process of establishing
goals, definition of security objectives, etc., unless they are subject
to professional standards of conduct.
The individual normally has at his disposal a PC (or small network of
PCs) and some communication links, eg telephone, fax, e-mail. Often
physical security is likely to be weak.
Most liberal professions work under some codes of practice or conduct.
These codes are of a general nature and do not normally specify
particular security arrangements.
The common and specific requirements of individual users, with regard
to the protection of their computer installation (physical and
electronic), the protection of their data (against accidental and
deliberate loss) and the protection of their communications (eg signed
communications, privacy enhanced communications) must be established.
The individual user has also an interest that the totality of
processing of any matters relating to the user is correct and
confidential to the extent required.
Requirements
• User profiles identifying standard types of users together with
typical requirements.
4.2. Requirements for Security Functions
4.2.1. Access Control
Issue
Access control procedures to many systems need to be standardised and
well managed to meet their objectives.
Discussion
Computer systems and services impose control procedures on persons (or
other systems) attempting to access them directly or over local or
wide-area networks. These access control procedures apply to
"connections"; that is, they determine whether or not a connection,
association or session is allowed to be established. These control
procedures have often been primitive and relatively insecure, as the
occurrence of "hacking" demonstrates.
The requirement for secure access control is not confined to access to
host computers by persons at terminals. Reciprocal (mutual) access
control is often needed between two (or sometimes more) systems. Access
control can apply across general telecommunication networks,
determining (for example) who may call whom by telephone; or who may
receive which programme on a cable TV network. In addition to applying
to end-to-end (trans-network) communications, access control also
applies to users and (even more importantly) operators accessing the
network and to access by human users to terminal devices.
Although the importance of access control is widely recognised, the
practical application of security techniques in solving the problem is
more limited. This is for a variety of reasons including technical
complexity, lack of agreed standards and lack of user acceptability.
Secure access control relies on a mixture of:
• identification mechanisms (authentic naming), identifying the
remote person or system
• authorisation mechanisms, determining the authority of the
remote person or system to carry out different types of actions
• random (unpredictable) components, affording protection
against the re-use of once-valid access control messages under invalid
circumstances (replay)
• cryptographic techniques to protect the above from
modification, copying, etc.
Without some analysis of access control scenarios, followed by some
outline standardisation work, users and systems are going to find
themselves having to implement and use (depending on their current
application) a range of incompatible techniques, which in turn rely on
only partially interoperable infrastructures (such as naming and
identification authorities, certification authorities, key management
systems, directory services, etc.).
Access control very often involves only two parties: one making the
access and one granting/denying the access. In some environments this
is however inadequate, as some intermediaries do not make the access
on their own behalf but on behalf of someone else. This applies in a
number of cases, in particular for distributed applications or
transaction processing. For example, in a distributed service the
requester addresses its request to the nearest server able to fulfil
the service and then the request has to be forwarded so that it can be
honoured by the appropriate server within the service. This problem is
called delegation.
From the server's point of view different policies may apply: it may
be interested only in the privileges of the initial requester, or in
the privileges of all the intermediaries as well. The access control
decision may then be based on the properties of the initial requester
only or on all of the entities involved. In addition, restrictions
about what intermediaries are or are not allowed to do may be
specified by the initial requester.
There is a need for widely accepted solutions to the most common access
control scenarios.
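The delegation scenario above, worked through as an added example that is not part of the Green Book: a forwarded request carries the chain of principals that handled it, the server evaluates it under either an "initiator-only" or an "all-entities" policy, honours the restrictions the initial requester placed on intermediaries, and uses the request's random component to reject a replay. Principal names, privilege names and the request layout are constructed for this illustration.

```python
"""Access control over a delegation chain.

Added example, not from the Green Book.  Principals, privileges and the
request format are constructed; the two server policies correspond to
deciding on the initial requester only, or on every entity in the chain.
"""
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Principal:
    name: str
    privileges: frozenset  # operations this entity may perform in its own right


@dataclass(frozen=True)
class Request:
    operation: str
    chain: Tuple[Principal, ...]  # chain[0] is the initial requester, the rest intermediaries
    delegable: frozenset          # operations the initial requester allows intermediaries to perform
    max_hops: int                 # how many intermediaries the initial requester tolerates
    nonce: str                    # random component chosen by the initial requester


@dataclass(frozen=True)
class Decision:
    granted: bool
    reason: str


def new_request(operation, chain, delegable, max_hops) -> Request:
    """Build a request carrying a fresh, unpredictable nonce."""
    return Request(operation, tuple(chain), frozenset(delegable), max_hops,
                   secrets.token_hex(16))


def requester_restrictions_violated(req: Request) -> Optional[str]:
    """Return a reason if the initial requester's restrictions on intermediaries do not hold."""
    hops = len(req.chain) - 1
    if hops > req.max_hops:
        return f"{hops} intermediaries exceed the {req.max_hops} allowed by {req.chain[0].name}"
    if hops and req.operation not in req.delegable:
        return f"{req.chain[0].name} did not delegate {req.operation!r}"
    return None


class Server:
    """Target server: one access-control policy plus the nonces it has already honoured."""

    def __init__(self, policy: str):
        if policy not in ("initiator-only", "all-entities"):
            raise ValueError(f"unknown policy {policy!r}")
        self.policy = policy
        self.seen_nonces = set()

    def decide(self, req: Request) -> Decision:
        if not req.chain:
            return Decision(False, "empty principal chain")
        # A once-valid request presented again is a replay, whatever its chain says.
        if req.nonce in self.seen_nonces:
            return Decision(False, "replayed request: nonce already used")
        violation = requester_restrictions_violated(req)
        if violation:
            return Decision(False, violation)
        initiator = req.chain[0]
        if req.operation not in initiator.privileges:
            return Decision(False, f"initial requester {initiator.name} lacks {req.operation!r}")
        if self.policy == "all-entities":
            for hop in req.chain[1:]:
                if req.operation not in hop.privileges:
                    return Decision(False, f"intermediary {hop.name} lacks {req.operation!r}")
        self.seen_nonces.add(req.nonce)
        return Decision(True, f"granted under {self.policy} policy")


# Constructed principals: a clinician, a front-end server and a relay with no rights of its own.
CLINICIAN = Principal("dr-adams", frozenset({"read-record", "update-record"}))
FRONT_END = Principal("front-end", frozenset({"read-record"}))
RELAY = Principal("relay", frozenset())


if __name__ == "__main__":
    srv = Server("all-entities")
    req = new_request("read-record", [CLINICIAN, FRONT_END], {"read-record"}, 1)
    print(srv.decide(req))
    print(srv.decide(req))  # the second presentation is a replay
```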
Requirements
• Group access control scenarios and schemes based on levels of
commonality
• techniques, products, specifications and standards addressing
access control matched to the scenarios identified
• parameters common to most or all of the above techniques,
products, specifications and standards and the feasibility of
establishing common formats for them
• identification of the key features for coherence in the
supporting infrastructure
• basic access control mechanisms for pilot implementation
• development of delegation scenarios
• identification of techniques, products, specifications and
standards addressing delegation and their association with the
identified scenarios.
4.2.2. Requirements for Electronic Cash
Issue
A general purpose system is needed for providing electronic cash.
Discussion
The securing of electronic cash shares some problems with negotiable
documents, and may also need additional properties such as privacy
(untraceability) and divisibility.
Large scale solutions already exist for paying small amounts of money
in special situations, such as special cards for telephones and
travel. Other systems exist for large amounts of money - prepayment
and credit cards. Between these two, there is a need for a system
to make general purpose payments for relatively small amounts of
money. This means that the system must have low transaction costs, and
will thus be able to compete with existing special cards.
The system should ideally include the following properties:
• unlimited transferability (from one user to another)
• divisibility into any sub-amount required
• independence from on-line TTP services
• privacy / untraceability
• security and uniqueness - ie cannot be forged or copied.
It should give users complete control over the amount transferred in
each transaction, and allow them to know the amount remaining. It
should be relatively easy to refill the device with electronic money,
possibly via unsecured network services.
Requirements
• Agreement on the concepts underlying electronic cash
• international standards.
4.2.3. Requirements for Security Services
Issue
Various security services have been identified. Agreement on their
requirements must be established.
Discussion
A variety of security services has been identified. Although several of
these are used in practice at a limited scale, their general
requirements have not yet been agreed and their availability to the
general user is not yet established. Some of the more important
services are described below.
Non-Repudiation Services
Non-repudiation of origin (respectively of receipt) means that a
particular user, the originator (respectively the receiver), cannot
repudiate, ie deny, having signed (respectively received) a particular
electronic document. It does not prove who actually created the
document. Exactly the same limitation exists with paper documents: the
fact that someone puts his signature on a hand-written transcript of
music does not mean he is the composer.
Non-repudiation services are precisely the services which, in
electronic communication, can cover all legal functionalities of a
hand-written signature, but in a much more secure way: the main
difference is that the digital signature which supports
non-repudiation is logically bound to the content of the message, not
merely attached to the medium carrying it.
Claim of Origin
Protection of copyright is an important security requirement in the
electronic handling of documents. The major problem with enforcing
copyright of, say, a software program, is that, given two different
versions, it is difficult to decide which one is the original. This
problem is of course not restricted to electronic documents; one runs
into exactly the same kind of problem in the paper world.
The service required here is "claim of origin". This is the counterpart
to non-repudiation in the sense that the point is to allow the creator
to prove who created the document, as opposed to non-repudiation of
origin, which allows everybody to prove that someone has signed a
particular document (which typically commits him to something). The
difference is that with non-repudiation services, the receiver is able
to prove something, whereas claim of origin pertains to the
transmitter.
Claim of ownership
Some conventional physical documents, such as the bill of lading and
the bill of exchange, must be negotiable: possession of the document
must give title to anybody who can present it. The electronic
equivalent is also needed.
The goal to achieve here is that an electronic document at any
particular time can be proved to be the (temporary) property of a
particular user.
With ordinary paper documents, the problem is solved by giving the
original of a document certain physical attributes that are difficult
to reproduce. With this precaution, it makes sense to speak of the
original of a document, and define the owner simply as the person
holding the original.
Negotiable documents require that their physical uniqueness be
protected against duplication; it must be easy to distinguish a copy
from its original. This is the case with hand-signed paper documents:
a hand-written signature cannot be copied such that the copy is
indistinguishable from the original. A digital signature, on the other
hand, does protect the integrity of the signed electronic document,
but it can easily be copied, so that the original cannot be
distinguished from its copies.
This impedes the usage of electronic communication eg in maritime
trade. The sender of a cargo produces a unique document, the bill of
lading, hands a copy to the shipper and sends the protected original to
the receiver. The receiver may trade the original and its title or keep
it. Whoever presents the original to the shipper will be handed over
the cargo.
The shortcoming of the paper bill of lading is that it takes time to
transport it, particularly as it is a piece of value and must be well
protected. Therefore, an electronic substitute should be found that
protects the uniqueness of the original document and that can be
transacted over communication systems. The technique should support
recovery after equipment or communication failure.
Besides issuing negotiable documents there are other ways of securing
correct title to property. Instead of a person proving his claim by the
presence of a token, the claim may be addressed to a distinct person
who then is expected to prove his identity. This is the case with the
freight bill, which is another way to deliver a cargo to the authentic
receiver. However, the freight bill cannot be traded as effectively as
the bill of lading.
The provision of electronic negotiable documents must include:
• document uniqueness, ie a document should exist in only one single
valid copy (and can therefore not be sold more than once by an owner)
• document authenticity, ie it should not be possible to alter a
document, and it should be possible to identify its origin
• transferability, ie it should be possible to transfer the document
through communication networks
• fail-safe storage and communication, ie recovery after failure
should be possible both while a document is stored and while it is
transferred between parties.
One should expect that, unless proper electronic documents become
available, paper will continue to be used for negotiable documents, at
the expense of effectiveness and with yet more paper.
Transactions of negotiable documents are often part of a larger
business transaction, eg the seller of a document receives a payment,
or negotiable documents are exchanged between the parties. When such
transactions take place over a telecommunication network, there may be
a need for a service giving fair exchange of values, ie a service that
can guarantee that either the whole exchange is performed or no
exchange takes place at all. Such a service protects against fraud
during the exchange of values.
Fair Exchange of Values
When negotiable trade documents change hands, they are often handed
over in exchange for something else, for example another negotiable
document, some form of payment, or simply some piece of information
that may be of sufficient value to the receiver.
The party who gives a document away may of course be concerned with the
possibility that he may not receive in exchange the object or the
information he was supposed to.
If the parties meet physically and exchange ordinary documents, this
concern may not be very serious; an attempt of abuse is likely to be
detected early enough to prevent a successful fraud. In the world of
(interactive) EDI, however, the problem can be more serious. Efficient
communication is possible over great distances with parties to which
there may be little or no existing business relations. Such parties may
well be found worthy of less trust than those with which physical
meetings can be arranged.
Untraceability
As electronic registration and transportation of data becomes more
common, there are an increasing number of scenarios where individuals
face new threats against their privacy. Since many types of personal
data can easily be traced to particular individuals, the fact that the
data are electronically stored introduces the possibility that someone
could efficiently collect comprehensive dossiers on individuals, even
without this becoming known to the users themselves.
In its most general form, anonymity or untraceability is a service with
the goal of preventing such personal data from being traced and
collected.
The issue is therefore to allow accesses, calls or transactions to be
performed without revealing the identity of the user.
In some cases anonymity of the user is required, or identification of
the user is unnecessary. Examples where anonymity is required are
electronic cash and electronic shopping, where it protects the privacy
of the user. Practical cases are road toll systems and mobile phone
billing that do not reveal the location history of the user.
An example where identification of the user by the target system is
unnecessary is a service opened to thousands of users, where
subscription to the service is not managed by the service itself but
by another company: the service manager is only interested in the fact
that charges can be paid when the service is used. Who is using the
service is not relevant. In some cases the user would also like to
know that the service manager is not able to trace the user.
Another category where anonymity is required is non-traceable calls.
Reporting fraud or corruption will only happen if the call (either
phone or e-mail) is not traceable to the caller.
There is a need to have mechanisms able to fulfil these needs. However
these kinds of techniques should not be used when there is at the same
time a requirement of auditability. For cases where both requirements
exist there can be solutions where tracing an event can only be
achieved by co-operation between different auditors.
Time-Stamping
In electronic communications, a digital equivalent is required for the
date and time stamp in the paper world. Such a time stamp must be
issued by an organisation that is trusted. If time stamps are simply
attached internally by the sender or receiver of a message, then, in
case of litigation, it will be difficult to establish if these were
erroneous or have been forged.
In direct communications, both parties may agree on a mutual time
reference, but in store-and-forward type communications time stamping
by a third party is particularly important.
Depending on sectoral differences, different granularities of time
stamps may be needed. Some sectors may be content with the date, some
with the nearest second.
Requirements
• Scenarios for the use of electronic security services
• user specifications for electronic security services
• establishment of international application rules that can
operate under the different legal frameworks and that ensure
international communicability
• identification of different scenarios where it is appropriate
for the public interest to mask or hide the identity of the end user,
taking into account the balance between full anonymity and audit.
4.2.4. Digital Signature
4.2.4.1. The Individual Right to Signature
Issue
Individuals have the right to sign any information.
Discussion
As with hand-written signatures, anybody is entitled to use a digital
signature. Therefore, the distribution of keys for the purpose of
signature must be non-discriminatory and non-restrictive. Separate from
the signature is the question of entitlement, ie whether a certain
person is empowered to sign a certain element of information, document
or transaction.
Signature verification is therefore a two step process: formal
verification of the signature and verification of the entitlement of
the sender. This process is depicted below.
It is assumed in this simple model, that the sender adds his
certificate (name plus his public key) to the signed document. The
formal verification then establishes that a person with a certain name
has correctly applied his signature and that the document has not been
modified in transfer. Verification of entitlement checks that the name
has the legal power to sign a particular document.
Note that as a consequence, the powers given to a person should not be
included in the attributes of the certificate, otherwise any change in
these powers would invalidate the certificate.
The situation may be further complicated by the fact that several
signatures may be required for certain documents, eg husband and wife
plus notary, or two company directors.
Requirements
• Clarification of the right to signature and the attached
entitlement.
4.2.4.2. Consistency of Legal Principles for Digital
Signatures
Issue
The legal functions have to be clearly identified for the authority of
digital signatures, before a code-of-practice can be developed and
introduced.
Discussion
In legal practice security and functional requirements for hand-written
signatures differ widely. In some cases a hand-written signature is
only to indicate that the signer has concluded his train of thought or
his expression of will; under the given circumstances its authenticity
may be obvious and needs not be provable. In other cases, for evidence,
the signature must be provably authentic. In yet other cases
authenticity requirements may demand attestation or even ask for more
than one person's signature or for public notification.
The spectrum of legal requirements can be matched by the spectrum of
technical realisations which may differ with respect to security
provisions just as widely as legal requirements. Yet the signing
process must be transparent to the signer. For this reason it must
follow standardised rules; specific man-machine interfaces must be
familiar to the signer; ie they must follow a standardised layout
principle.
For ease of transition (in judicial thinking) from hand-written to
digital signatures, the traditional functional requirements for
hand-written signatures should be met by the technical implementation
of digital signatures as closely as possible.
A particular problem is the validity period of a digital signature. One
must distinguish the validity period of the signature itself and the
validity period of the entitlement.
The validity period of the digital signature itself may have to be
limited for technical reasons. These reasons include:
• Insufficient key length. One may discover that some years from
now, new progress in mathematics and technology makes it plausible
that keys of the originally chosen limited length can be broken. (For
instance, several European banks have introduced remote banking with
RSA keys of length 512 bits. One cannot guarantee that this will be
safe in 10 years, or even less, from now.)
• Poor key generation. One cannot be sure that programs of the
desired quality level will be used by all key management centres.
Hence users of those key management centres may find that their keys
are breakable, and they have to cancel their certificates.
• Weak protection of the workstation. The secret key of a user
may be compromised accidentally or through negligence. It may also be
possible to capture the password of a user through a Trojan horse on
his PC and subsequently get access to the secret key. (Fraudulent
users may even claim this happened, and give away their key on
purpose, in order to dispute that a certain signature originated from
them.)
With the necessary precautions, and with a differentiated approach to
the validity period of signatures, most digital signatures would fall
inside the scope of applicability of hand-written signatures.
The entitlement attached to a signature normally changes much faster.
The authority given to a person should therefore not be included in the
attributes of the certificate, otherwise any change in entitlement
would invalidate the certificate.
However, in all the work that has been carried out so far, no solution
is offered to the following problem: if messages have been signed with
a key and need to be kept for a number of years, and that key is later
denounced by the user as compromised, how can the value of the
signatures already computed be preserved? One possibility might be to
use a TTP for time stamping, but further study of this problem seems
called for. An example may illustrate this point.
If a user A signs a message in 1993, which has legal consequences to
user B until 2003, and A then cancels his certificate in year 1995,
claiming that his key has been compromised, he will probably claim that
the signed document from 1993 was falsified in 1995 by B, who could
have bought a copy of A's secret key. However, if B upon receipt in
1993 had gone to a TTP and had the signature of A time stamped and
signed by the TTP, or even registered, he can prove that A in fact did
produce the said signature back in 1993.
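The scenario just described, together with the time-stamping service of the section on Requirements for Security Services, as an added example in Go. This is the editor's illustration, not code from the Green Book. B has A's 1993 signature registered with a TTP, which signs a digest of the message and the signature together with its own clock reading; when A cancels the key in 1995 claiming compromise, the verifier accepts the 1993 signature only if the TTP's token pre-dates the revocation, and rejects a signature that was stamped only after it. Ed25519 stands in for whatever signature algorithm a scheme adopts; the token layout, the fixed clock and the message text are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Date builds a UTC date for the constructed 1993/1995 scenario.
func Date(y, m, d int) time.Time {
	return time.Date(y, time.Month(m), d, 0, 0, 0, 0, time.UTC)
}

// FixedClock replays a chosen date; a real TTP reads a trusted clock.
func FixedClock(y, m, d int) func() time.Time {
	return func() time.Time { return Date(y, m, d) }
}

// NewSigner generates a user's key pair (A's, in the example).
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// TimeStampToken: digest of message and signature, the attested time, and
// the TTP's signature over both. The layout is an assumption of this example.
type TimeStampToken struct {
	Digest [32]byte
	At     time.Time
	TTPSig []byte
}

// TTP is the time-stamping Trusted Third Party; Pub is assumed public.
type TTP struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	Now  func() time.Time
}

func NewTTP(clock func() time.Time) (*TTP, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &TTP{Pub: pub, priv: priv, Now: clock}, nil
}

// digest binds the token to both message and signature: the TTP attests that
// this particular signature on this message existed at the given time.
func digest(msg, sig []byte) [32]byte {
	h := sha256.New()
	h.Write(msg)
	h.Write(sig)
	var d [32]byte
	copy(d[:], h.Sum(nil))
	return d
}

// tokenBytes is what the TTP signs: digest || unix seconds (big-endian).
func tokenBytes(d [32]byte, at time.Time) []byte {
	out := make([]byte, 40)
	copy(out, d[:])
	binary.BigEndian.PutUint64(out[32:], uint64(at.Unix()))
	return out
}

// Stamp is what B requests from the TTP on receipt of A's signed message.
func (t *TTP) Stamp(msg, sig []byte) TimeStampToken {
	d := digest(msg, sig)
	at := t.Now().UTC().Truncate(time.Second)
	return TimeStampToken{Digest: d, At: at, TTPSig: ed25519.Sign(t.priv, tokenBytes(d, at))}
}

// VerifyLongTerm decides, years later, whether A's signature may still be
// relied upon although A's key was revoked at revokedAt (zero time: never).
// Rule: accept only if a valid TTP token shows the signature existed before
// the revocation; A's later claim of compromise then cannot touch it.
func VerifyLongTerm(signerPub, ttpPub ed25519.PublicKey, msg, sig []byte, tok TimeStampToken, revokedAt time.Time) error {
	if !ed25519.Verify(signerPub, msg, sig) {
		return errors.New("signer's signature does not verify")
	}
	if tok.Digest != digest(msg, sig) {
		return errors.New("time stamp does not cover this message and signature")
	}
	if !ed25519.Verify(ttpPub, tokenBytes(tok.Digest, tok.At), tok.TTPSig) {
		return errors.New("time stamp not signed by the TTP")
	}
	if !revokedAt.IsZero() && !tok.At.Before(revokedAt) {
		return fmt.Errorf("signature attested only on %s, after revocation on %s",
			tok.At.Format("2006-01-02"), revokedAt.Format("2006-01-02"))
	}
	return nil
}

func main() {
	aPub, aPriv, _ := NewSigner()
	msg := []byte("A undertakes to supply B until 2003") // constructed; signed by A in 1993
	sig := ed25519.Sign(aPriv, msg)
	ttp, _ := NewTTP(FixedClock(1993, 6, 1))
	tok := ttp.Stamp(msg, sig)  // B registers the signature with the TTP on receipt
	revoked := Date(1995, 3, 1) // A cancels the certificate in 1995
	fmt.Println("1993 signature still valid:", VerifyLongTerm(aPub, ttp.Pub, msg, sig, tok, revoked) == nil)
	ttp.Now = FixedClock(1995, 6, 1) // same key, stamped only after the revocation
	fmt.Println("1995 stamp accepted:", VerifyLongTerm(aPub, ttp.Pub, msg, sig, ttp.Stamp(msg, sig), revoked) == nil)
}
```

Two limits of this construction are worth noting. The token cannot tell whether the key was already compromised before the revocation was announced, which is why the text above asks for a differentiated validity period rather than a single rule. And the TTP's own key becomes the long-lived one that must be protected and periodically renewed, which is one of the guideline items listed under Use of Names and Certification of Credentials below. The token records time to the second, the finest granularity the text anticipates.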
For some sectors and/or applications the granularity of the time
stamping will be critical. It is conceivable that trusted time down to
one second accuracy will be needed.
Requirements
• EC-wide/international agreement on the legal functions of
signatures
• clarification of the conditions of acceptance of the authority
of a digital signature, eg for legally binding purposes, ie as
substitute for hand-written original signatures
• recommendation for the implementation of a public digital
signature scheme for use by business, administrations and the general
public
• legislative rules and, where appropriate, liabilities, for
keys, certificates and TTPs to cover revocation of any or all the
entities involved in the "chain of proof" needed in the signature
technique.
4.2.4.3. Universal Acceptance of Digital Signatures
Issue
For digital signatures to become a full alternative to hand-written
signature universal acceptance is required.
Discussion
All functions of the hand-written signature should also apply to
digital signatures.
Where legal functions are carried out by digital signature, consensus
with the legal profession is essential.
Requirements
• Development, together with the legal profession, of
recommendations for the practical use of digital signatures as a full
equivalent to hand-written signatures in legal transactions
• demonstration, through pilot projects, that digital signatures
can be used as equivalent to hand-written signatures
• inclusion in the curriculum of relevant educational institutes
(eg engineering, law and business schools) of the use of digital
signatures.
4.2.5. Privacy enhancement
4.2.5.1. Perception of Requirements for Privacy Enhancement
Issue
Confidentiality is, at times, essential for the good functioning of
administrations, business and human relations.
Discussion
Business users of telecommunications and information systems cannot
obtain full business benefit without confidentiality services being
available. There is a clear need for confidentiality services in the
exchange of information in business as well as in private use.
Today the exchange of sensitive information requiring confidentiality
is often done in non-electronic form because for electronic
transmission "confidentiality" is either not available or its use not
permitted. With the increasing demand for fast exchange of all kinds of
data, the demand for confidentiality will become pressing. It is
already present in some applications such as medical information
systems.
Most business and private users of communication systems are aware of
the conflict between their confidentiality requirements and national
security issues which require the possibility to intercept the
communication in a way regulated by national laws. They accept the
national authorities' ability to make such interceptions provided
there are adequate safeguards to prevent unauthorised interception,
even by government employees.
Expectations of confidentiality of electronic message services can
currently not be met in the absence of international standards or
internationally accepted methods. Uptake of these services by
commercial users to support business processes will therefore have a
natural limit, ie to those messages that one would normally write on a
postcard. Examples of commercially sensitive information include
pricing and bidding strategies and mergers and take-overs; from a
privacy point of view, the transmission of personnel and medical data.
User needs for confidentiality
In analogy with the confidentiality offered by existing physical mail
and archiving services, ie envelopes, registration, courier services,
etc., there is a need for confidentiality in the electronic
interchange and storage of data. Even more so because electronic data
in its usual form, where only the channel coding and formatting act as
the "envelope", can be copied or disclosed much more easily than its
physical counterpart.
At present certain unclassified but sensitive information of business
enterprises or medical centres, held on physical media such as paper,
microfilm or photograph, is protected against unauthorised disclosure
by physical and procedural methods.
Today the trend is towards more electronic communication and storage of
data and hence there is a need for appropriate confidentiality services
in an agreed or standardised form to be readily available for all users
of electronic information systems.
Service provision
The extent to which confidentiality services are provided for a
specific business or citizen could depend on a system of licenses or
certificates.
A particular business might qualify for a confidentiality license
depending on its internal procedures and activities. A general
(minimum) level of confidentiality could be provided to all users.
It should be possible for certain user groups or businesses to use
other confidentiality services (eg proprietary) than the standard ones
provided.
There are strong indications of emerging "bottom up" solutions for
these needs (eg the Pretty Good Privacy offering on Internet, beginning
1993).
Other initiatives (eg the announcement of the "Clipper Chip", 16 April
1993) illustrate the growing awareness of governments of the needs of
their citizens for confidentiality services.
Awareness
In general users of electronic data processing systems are not aware of
the threats involved in using those systems. Only after they have
noticed (the consequences of) an unwanted or unauthorised disclosure of
their information will they start to think of the inherent
vulnerability of the system they are using. In view of this one should
try to create more security awareness. Users, service providers,
operators and authorities should achieve a certain minimum level of
awareness of the issues involved in using confidentiality services
before embarking on their use.
Granularity (meeting differentiated needs)
Confidentiality services at different granularity and for different
types of telecommunication services are needed. Based on his risk
analysis the user can then decide which level of confidentiality he
needs and use the services which provide this required level.
Some users may want a range of services of different assurance levels
(analogy of courier services, registered mail, ordinary mail). Some
users may want visibility of assurances to different extents.
Impact of loss or theft of information
By its nature, actual risks and impacts of disclosure are hard to
quantify. But the absence of a baseline of protection of
confidentiality will undoubtedly have a negative impact on commercial
(and other) usage of international electronic communications in a wide
range of business processes.
Actors and roles
Individuals may have a number of roles in more than one organisation -
these need defining or clarifying. Their "role" as a private citizen is
an important case. The organisations that act as custodians of roles
need to be classified also. These are essential ingredients for domain
management.
Mutual confidence and TTPs
Users need mechanisms to ensure that they get assurance of compliance
with agreed "rules of procedure" from their trading partners, or other
private citizens, with whom they are interacting using confidentiality
services. TTPs are one mechanism for achieving this, but other lower
assurance, lower cost solutions may also need to be considered.
Requirements
• Frameworks and architectures which are accepted by the business
users as well as by the national security agencies and the service
providers
• standards for services and service provision
• compatibility of confidentiality services with existing
communication standards and practices where possible
• verification of practicability of proposed solutions through
suitable pilot projects
• model contracts for confidentiality services
• awareness improvement of sector actors of the potential losses
due to the absence of confidentiality services.
4.2.5.2. The Case for the Provision of Public Confidentiality
Services
Issue
The provision of public confidentiality services has to reconcile the
needs of the business sector and the general public with the
obligation of public authorities to provide adequate protection while
at the same time maintaining their capability to fight organised
crime and to maintain public order and national security.
A well developed public confidentiality service would provide for the
obligations in a transparent manner.
Discussion
Business operates increasingly in an international and open
environment. The communications take place via private and public
networks. Modern network management techniques use alternative routing
depending on traffic conditions. This implies that the physical
communication is under the control of a variety of intermediaries
working under different regulatory and legal conditions for data
protection and privacy, and therefore one must consider the network as
inherently vulnerable. This means that end-to-end protection is
required. This applies also to the general public using international
public telephone networks.
It is a fact that business and the general public have been addressing
their needs with public domain solutions (published algorithms and
freely available software). However, the approach is awkward and its
utility therefore limited, since, for example, there is no public
directory and the user has to manage the keys himself. A public
solution open to all users requiring electronic signature and
confidentiality would remove the need for such ad hoc solutions. It
would also provide a transparent solution to the need for legally
authorised intercepts.
If a public confidentiality scheme is offered, organised crime could
also subscribe to such a scheme, but as it would include provisions for
legal intercept, it would hardly be attractive. One would expect that
such users would continue to find their own solutions as will the
classified domain.
An open and public service offering a credible level of confidentiality
would therefore provide for the honest user, while not worsening the
situation with respect to public order or national security.
The combination of international communication and national security
regulations requires a common framework for confidentiality services
which interoperates within all Community Member States as well as with
countries outside the Community which may themselves establish
confidentiality services. This requires either an overlay approach or
gateways which link the different national or regional services. Such
gateways are only required where multinational agreements for
co-operation on national security concerns are not yet established; in
that case they may provide at least an interim solution.
In order to fulfil its function and eliminate the need for "home-made"
solutions, the public confidentiality service must be open to
world-wide use and provide its service in a non-discriminatory way.
Confidentiality services should ensure that
• Users are protected and obtain assurance against non-authorised
interception and disclosure.
• The confidentiality service is of high (technical, procedural)
quality and evaluated as such by all Member States.
• Authorised disclosure of the protected user information (undoing
the confidentiality service) is possible under certain well-defined
circumstances, eg by secret-sharing.
With this approach, confidentiality mechanisms details (description) do
not need to be published or disclosed to the public in general.
While the use must be largely unrestricted, the systems and sub-systems
or equipment for the independent implementation of the aforementioned
confidentiality services can be made subject to export controls, eg
export is possible if:
• the users comply with the rules of the exporting nation
(end-user declaration) with respect to the disclosure mechanism;
• the importers are multinational business users from EC countries
with "central" organisations;
• other countries, under a bilateral agreement, liaise with the EC
if they comply with the rules.
Export restrictions are, inter alia, based on the concern that
cryptography may be used by hostile governments or other organisations
for the concealment of subversive information. The same concern does
not apply to the use of cryptography for integrity and authenticity
enhancing services.
There are technical solutions that provide integrity only, integrity
plus signature, or integrity, signature and confidentiality.
Confidentiality enhancement is de facto only meaningful in
communications where the two other functions are also provided.
The problem remains that organised crime and hostile governments are
not restrained from adopting public domain solutions or from developing
"home-made" mechanisms. Furthermore they are able to exploit legitimate
users of systems and solutions to their own ends by use of
"traditional" criminal mechanisms of bribery, blackmail or threats to
personal safety. Legislation could discourage non-authorised use, but
cannot be expected to prevent it, particularly in the case of organised
crime. Restrictive legislation impacts the "law-abiding user" much
more strongly than others.
Choice versus interoperability
The users and service providers may feel the need to choose solutions
to achieve the assurance levels they require. But interoperability will
dictate a limited set of possible choices being available, and costs of
service provision will also focus debate onto efficient solutions.
Advice and instruction versus prohibition
This may vary from country to country; however, certain minimum rules
will need to be adhered to between parties offering interworking public
schemes, covering not only usage but also the systems, sub-systems or
equipment for the independent implementation of such confidentiality
services.
The confidentiality that users enjoy will depend upon the robustness of
the service that is offered. This in turn will depend upon the
robustness of the available architectures against perceived threats:
key theft, masquerade, deliberate denial of service and inadequate
disaster recovery are examples of threats to which alternative
architectures may be vulnerable to different degrees.
Mechanisms are needed that provide for a defined way to pass from one
domain to another. This will require collective or multilateral
agreements for interoperation.
Requirements
• Architecture that minimises service vulnerability
• framework for the provision of trans-domain confidentiality
services
• guidelines for pan-European confidentiality service providers
(including accountability)
• model contract for relationship between service providers
across national boundaries
• assurance criteria for service providers and operators
• accreditation process for mutual recognition.
4.2.6. Use of Names and Certification of Credentials
Issue
Use of names and of credentials (eg the public key) in international
communications.
Discussion
Name Assignment Authorities and Certification Authorities are Trusted
Third Parties. Their purpose is to allow for individual and authentic
addressing of communication system users by means of their
authenticated Distinguished Names. A user may ask a Naming Assignment
Authority for a Distinguished Name. The Naming Authority gives him a
Relative Distinguished Name and prefixes it with its own Distinguished
Name to form the user's Distinguished Name. Thus, although a person
may ask several Naming Authorities for the same Relative Distinguished
Name, each of his Distinguished Names will be unique, because the
Distinguished Names of the Naming Authorities are, by definition,
unique. The concept of an agent that handles the interfaces between
the end-user and the naming authorities is important in providing a
user friendly interface to this process.
The two functions of name assignment (or identification) and
certification are "binding" operations. Name assignment binds a
particular name to an entity (a person or device), and certification
binds certain credentials to a name. The diagram below shows the double
binding process.
A Distinguished Name and a unique cryptographic Public Key are made
part of the user's Credentials. The Public Key can be used to verify a
signature which has been produced with the user's complementary Secret
Key (not contained in the Credentials). Credentials are
signed/certified by the Certification Authority. Thus the user's
Certificate consists of the Credentials, their signature by the
Certification Authority and, if necessary, the Certification
Authority's own Certificate. The user is given his Certificate,
preferably in a tamper resistant chipcard.
After signing a message with his Secret Key, the user concatenates
his Certificate to the message and its signature. The receiver of the
signed message can use the Certification Authority's widely available
Public Key to verify the signer's Certificate and Public Key. With the
latter the authenticity and integrity of the message can be verified.
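The double binding just described, together with the two-step verification of Sect. 4.2.4.1, as an added example in Go. This is the editor's code, not part of the Green Book. The CA signs the Credentials (Distinguished Name plus Public Key); the receiver first checks the CA's signature on the Certificate, then the sender's signature on the message under the certified key, and only then looks the verified name up in an entitlement register that is deliberately kept outside the Certificate, so that withdrawing a power needs no new Certificate. Ed25519 stands in for whatever signature algorithm a scheme adopts; the credential encoding, the Distinguished Name string, the message and the entitlement register are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Credentials: the Distinguished Name and the user's Public Key (never the
// Secret Key), which the Certification Authority binds together.
type Credentials struct {
	DistinguishedName string
	PublicKey         ed25519.PublicKey
}

// Certificate: the Credentials plus the CA's signature over them.
type Certificate struct {
	Creds Credentials
	CASig []byte
}

// encodeCredentials gives the CA a canonical byte string to sign; the
// length-prefixed layout is an assumption of this example.
func encodeCredentials(c Credentials) []byte {
	name := []byte(c.DistinguishedName)
	out := make([]byte, 2, 2+len(name)+len(c.PublicKey))
	binary.BigEndian.PutUint16(out, uint16(len(name)))
	out = append(out, name...)
	return append(out, c.PublicKey...)
}

// CA is a Certification Authority; Pub is assumed to be widely available.
type CA struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only a broken system RNG gets here
	}
	return pub, priv
}

func NewCA() *CA {
	pub, priv := newKey()
	return &CA{Pub: pub, priv: priv}
}

// Issue certifies the binding of name to userPub.
func (ca *CA) Issue(name string, userPub ed25519.PublicKey) Certificate {
	creds := Credentials{DistinguishedName: name, PublicKey: userPub}
	return Certificate{Creds: creds, CASig: ed25519.Sign(ca.priv, encodeCredentials(creds))}
}

// NewUser generates a key pair and has ca certify the public half.
func NewUser(ca *CA, name string) (ed25519.PrivateKey, Certificate) {
	pub, priv := newKey()
	return priv, ca.Issue(name, pub)
}

// FormalVerify is step one: the CA's signature on the Certificate, then the
// sender's signature on the message under the certified key. It establishes
// only that the named key holder signed an unmodified message.
func FormalVerify(caPub ed25519.PublicKey, msg, sig []byte, cert Certificate) (string, error) {
	if !ed25519.Verify(caPub, encodeCredentials(cert.Creds), cert.CASig) {
		return "", errors.New("certificate was not issued by this CA")
	}
	if !ed25519.Verify(cert.Creds.PublicKey, msg, sig) {
		return "", errors.New("signature invalid or message modified in transfer")
	}
	return cert.Creds.DistinguishedName, nil
}

// Entitlements is step two: the powers a name holds, kept in a register
// outside the Certificate so that a change of powers never invalidates it.
type Entitlements map[string]map[string]bool

// VerifyAndAuthorise runs both steps and returns the verified name.
func VerifyAndAuthorise(caPub ed25519.PublicKey, reg Entitlements, msg, sig []byte, cert Certificate, action string) (string, error) {
	name, err := FormalVerify(caPub, msg, sig, cert)
	if err != nil {
		return "", err
	}
	if !reg[name][action] {
		return name, fmt.Errorf("%s signed validly but is not entitled to %q", name, action)
	}
	return name, nil
}

func main() {
	ca := NewCA()
	const dn = "C=EU, O=Example Ltd, CN=A. Example" // constructed name
	priv, cert := NewUser(ca, dn)
	reg := Entitlements{dn: {"approve-purchase-order": true}}
	msg := []byte("purchase order 17: 40 units") // constructed message
	sig := ed25519.Sign(priv, msg)
	fmt.Println(VerifyAndAuthorise(ca.Pub, reg, msg, sig, cert, "approve-purchase-order"))
	delete(reg[dn], "approve-purchase-order") // powers withdrawn; Certificate untouched
	fmt.Println(VerifyAndAuthorise(ca.Pub, reg, msg, sig, cert, "approve-purchase-order"))
}
```

The separation matters operationally: the Certificate answers "did this named key holder sign this exact text", which changes rarely, while the register answers "may this person commit the enterprise to this action", which changes often; keeping the second out of the first is what lets a power be withdrawn the same day without revoking and reissuing anything.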
The security services related to name assignment and certification need
further standardisation as well as legal recognition, both preferably
on an international level.
The United States has already begun to apply relevant US national
standards. Therefore, corresponding standardisation action should be
started on a European level. Its results should be made the basis for a
European contribution to international standardisation. At the same
time an interface toward a legal usage of naming and certification
services should be defined to ease the adaptation to, and to provide
for the compatibility of, the various EC legal systems.
Other related issues are pseudonyms and anonymity, for which a business
requirement has been identified. Different degrees of anonymity should
be provided for according to the specific needs in digital cash,
tele-shopping, registration in data bases for statistical purpose etc.
As described above, the ability to sign a piece of data is to be
distinguished from the entitlement an entity possesses. This
relationship is depicted below:
It is necessary to identify requirements and to develop guidelines for
the use of names, in relation to:
> requirements to be met by naming authorities
> requirements to be met by the user
> naming principles
> format of Distinguished Name/Relative Distinguished Name
> handling protocol between naming authorities, user and
certification authority
> change of names
> recording of information pertinent to de-referencing of names
(by the Directory).
It is further necessary to develop guidelines covering the creation and
use of certificates, in relation to:
> certificate semantics and format
> certificate handling (production, issuance)
> signature and its certification (method, process)
> authentication of certificate owner (method, process)
> expiry dates
> renewal of certificates (periodical)
> renewal of TTP public key (periodical)
> handling compromises of secret information (secret keys, PIN
etc.)
> revocation of certificates and notification
> black listing and execution of certificates
> security standards to be met by certification authorities.
Requirements
• Guidelines covering the use of names
• guidelines covering the use of certificates.
4.2.7. Security of Electronically Stored Information
Issue
As legally and commercially significant information is transferred and
stored electronically, the implications of this on long-term (tens of
years) secure storage and retrieval must be properly understood.
Discussion
Industry is moving increasingly towards electronic trading in all its
aspects. Governments are encouraging the use of electronic
communication of commercially and legally significant information. As a
result, there is a need both to establish irrefutably the origin of,
and the delivery of, such information and, particularly, that the
information has been signed and stored in an unforgeable way. This
unforgeable electronic signature must be trusted for at least tens of
years for some information, and the associated information must be
retained in a secure manner that is capable of human interpretation at
any time during that period. Any system proposed for electronic
signature storage must be as secure and robust as that currently used
for hand-written signatures.
Any such system must allow for not just technical evolution, but also
social change and other factors (eg the continued existence of trusted
public key directory centres, or the way businesses merge, change or
collapse). It is not currently clear that the way this can be achieved
is yet accepted legally, or that the full implications are even
properly understood.
Requirements
• Common approach to the security of electronically stored
information
• unforgeable secure storage.
4.3. Requirements for the Safety of Communication Systems
Issue
Safety requirements for communication systems must be expressed in ways
that capture users' expectations, reflect the engineering viewpoints of
vendors and service providers and are appropriate for regulators.
Safety requirements have to be integrated with other types of
requirement, eg reliability and security.
Discussion
End user requirements for safety of products or services are often
implicit or stated in very "soft" terms or in terms that assume
regulation and certification is looking after their needs. These user
requirements can be contrasted with the engineering specifications
needed by vendors and service providers to build systems and provide
for their assurance.
In addition, safety is just one attribute and has to be integrated with
all the other types of requirements, and potential conflicts identified
and resolved. For example, the requirement for visibility of evidence
for safety assurance may conflict with security considerations, and
the need to make access impossible for security reasons may conflict
with the need for emergency procedures (eg evacuation). However, users'
main concerns are ones of cost and choice, and these have to be
addressed in the dialogue between service providers, vendors and
regulators.
In the safety field the notion of the tolerability of risk and the use
of both qualitative and quantitative risk assessments provides a lingua
franca between regulators and service providers as well as in a
modified form for users and those with professional interests. This
discussion needs to be broadened and integrated with security
requirements particularly for domains (eg medical informatics) where
open, heterogeneous computer systems have significant IT security and
safety components.
In addition to the risks from products or services that the user is
willingly engaging in or purchasing, there are the risks from indirect
accidents (eg a major chemical or nuclear accident). Normally, in
discussions of policies towards the acceptability of risk, a distinction
is made between these two types of risk, with the requirements for
indirect risk being more onerous than those for risks entered into
voluntarily. Again, there is the need to integrate the discussion of
these risks with those from security breaches.
Requirements
• Platform for a dialogue on risk including users, regulators,
vendors and service providers
• policy on risk management on a societal level based on
objective risk assessment methods
• techniques that permit an integrated approach to the different
types of risk (safety, security, commercial, direct, indirect).
4.4. Requirements for Evaluations
4.4.1. Trustworthiness of Communication Solutions
Issue
Establishment of trust in components, products, systems, services and
applications.
Discussion
The trustworthiness of a given communication solution and its use imply
that the system owners and especially the users need confidence in its
security and safety. They also need to be able to compare different
solutions with regard to the security and safety capabilities, cost,
functionality, performance, availability and reliability.
The diagram below shows schematically the major roles of the actors
involved. The end-user normally runs an application, eg a particular
banking application. The application is provided by the application
provider, who, in turn, may use various services, offered by service
providers, eg communication services.
To run and provide applications and services, systems are required,
supplied by, normally, several system suppliers. System suppliers
purchase components and products from sub-suppliers.
In the end, the trustworthiness of the application must be
established. This overall trustworthiness is a function of the
trustworthiness of the application provider, the service providers, and
the systems, products and components.
Depending on the needs of the user, vendor declarations, self
evaluations or formal evaluations may be required at the various
stages. The choice of either of these mechanisms will depend on the
costs and delays involved in formal certification processes, the level
of assurance required and national constraints.
Another major factor is the recognition of certificates in other
markets and their utility, eg in protecting the user or vendor against
liability claims, where it is possible to do so.
The qualifications, experience and motivation of project managers,
evaluators, certifiers, accreditors and system administration staff
also affect the resultant level of trust achievable in the operational
system.
Users continually need to upgrade their hardware platforms and change
or add to software systems to remain commercially competitive and to
follow trends, etc. Thus the ease with which systems and products can
be re-evaluated, or the portability of evaluation results, are important
issues when deciding on the needs of the user; for example, the
portability of products and systems across different hardware
platforms. For how long will a vendor support the evaluated hardware
and software configuration? Will a vendor re-evaluate all upgrades of
their product in a timely manner?
Requirements
• International agreement on criteria and evaluation methods, and
mutual recognition of test results
• clarification of the commercial value of "certified products",
eg in terms of liability limitation
• clarification of the status and implied liability of vendor
declarations
• international agreement on the methods for evaluating security
and safety critical system development processes, and the
qualifications and experience needed for individuals that are involved
in these processes.
4.4.2. Motivation to Acquire Evaluated Solutions
Issue
The advantage of the use of evaluated/certified solutions is not
generally accepted for commercial applications.
Discussion
Formal security evaluations have been carried out at a national level
by a comprehensive, costly and time consuming process. The investment
in the evaluation process by the vendor has resulted in higher prices
for the resulting secure IT product. The duration of the evaluation
process has resulted in many secure products falling behind the
technical state of the art.
Up to now, this has often detracted from their broader relevance in the
commercial market. Users have often preferred lower cost, more
functionality rich products unless forced to purchase evaluated and
certified products through some public procurement policy.
Vendors, historically, had products evaluated separately by each
national market and their supporting criteria. The resulting limited
revenue opportunity did not justify the high cost of getting products
evaluated.
It is necessary to change this view by convincing users of the
advantages of purchasing evaluated/certified solutions. Rapid adoption
of Common evaluation and certification criteria is essential to reduce
cost and speed-up mutual recognition of the resulting certificates.
Requirements
• Rapid adoption of Common Criteria
• agreement on common evaluation method
• portability of test results and mutual recognition
• work sharing between vendors, test centres and users to speed
up the evaluation process
• establishment of the "value-added" for the use by
administrations and business, eg in terms of liability protection and
in relation to insurance costs.
4.4.3. Consistency of Procurement Practices
Issue
National procurement guidelines for the purchase of
evaluated/non-evaluated products are not consistent throughout the EC,
nor is there a general agreement on when there is an obligation to use
evaluated products, and when it is recommended but discretionary.
Discussion
Some security evaluated IT and communications products are purchased as
a result of a risk analysis where it is determined that the evaluated
communications product better suits the organisation's security needs
than a non-evaluated product.
However, a survey conducted of over 200 organisations indicated that,
to a large extent, evaluated products are purchased today by
organisations in the EC because of the expectation they will be
required by law to use certified products. This type of legislated
market is occurring especially in those Member States that were
involved in the development of ITSEC.
Unless the procurement policies in the EC are harmonised, the public
sector use of IT products will become a patchwork of evaluated and
unevaluated products. This may create new barriers to the efficient
flow of information.
Ways should be found to assist those member states not involved in the
early stages of ITSEC to develop and test procurement policies that are
based on evaluated communications products.
Requirements
• Identification of categories of applications requiring
evaluated solutions
• alignment of national procurement policies concerning evaluated
products
• development of guidelines on applicability of evaluation
levels.
4.5. Requirements for Security and Safety Methodologies
4.5.1. Risk Analysis and Management
Issue
A number of Risk Analysis and Management methods are available within
the market place. However, potential purchasers have no recognised
method to establish which method is the most effective for their
purposes.
Discussion
It is a fundamental requirement that any enterprise should manage the
security of its Information Systems (IS). The strategy to manage
information security must be based on, and compatible with, the overall
Corporate Security Policy, which, in turn, must reflect and support
the key business objectives of the enterprise. In addition, any
security implemented must be commensurate with the levels of risk
to which the enterprise is subject, so as to ensure that adequate, but
not excessive, investment is made to protect corporate assets.
The Information Security Strategy will help to ensure the most
effective use of resources, and will, where appropriate, ensure a
consistent approach to security across a range of different systems.
How the Information Security Strategy is to be implemented should be
described in detail in a Corporate Information Security Policy.
Strategic objectives should be produced. These are general security
objectives which may be defined, for instance, in terms of the levels
of confidentiality, integrity and availability that the enterprise
wishes to attain. The application of baseline security standards has a
place within an Information Security Strategy, but not as a substitute
for Risk Analysis and Management.
The implementation of the Corporate Information Security Policy is thus
based upon the process of Risk Analysis and Management: that is the
assessment of the levels of risks to which corporate assets are subject
and the implementation of appropriate security safeguards. Risk
Analysis and Management is therefore the key process for the effective
protection of information security.
Risk Analysis and Management is relevant to, and should be applied
over, the complete life cycle of each information system. It can be
applied at differing degrees of detail and rigour depending on the size
of the organisation and the complexity of the information system.
To enable successful Risk Analysis and Management requires a set of
security methods, tools, evaluation criteria, and, of course, products,
standards and guidelines.
There are a number of Risk Analysis and Management methods, supported
by appropriate tools, available in the market place and some
organisations will have developed their own in-house methods.
Enterprises need a means by which they can establish which method is
the most effective for their purposes. It is appropriate that such a
means is agreed, implemented and fully supported within the EC.
As a result of previous CEC sponsored projects, Risk Analysis and
Management models have been developed and encompassed in the supporting
"Claims Structure". This "Claims Structure" will allow the evaluation
of Risk Analysis and Management methods to be achieved. Currently it
is being actively considered by the ISO SC27 Working Group 1 for
inclusion in international standards. This is a good example of
European expertise, backed and supported by the CEC, influencing the
establishment of International Standards.
Related to these issues are:
• the proposed standards for security incident reporting
schemes, the output from which can improve Risk Analysis and Management
reviews;
• the availability of methods and tools for contingency
planning/disaster recovery, which need to be aligned to the "Claims
Structure" and Risk Analysis and Management methods;
• evaluation criteria within ITSEC, the Federal Criteria (draft
criteria produced by NIST in the US) and an EC/US Government Editorial
Board to produce a "Common Information Technology Security Criteria".
Requirements
• Consideration of the "Claims Structure" as a standard mechanism
for specification of requirements, evaluation and the selection of
Risk Analysis and Management methods
• evaluation of the "Claims Structure" for applicability in the
safety domain
• support for the "Claims Structure" as an international standard
• further evaluation of methods using the "Claims Structure"
• accreditation of organisations to conduct Risk Analysis and
Management method evaluations.
4.5.2. Metrics for Loss Assessment
Issues
There is a fundamental need for guidance of any kind on how to assess
the loss and damages an organisation might face and how much of this
might be addressed by evaluation and certification. Such metrics would
increase the perception of the value of a formal evaluation scheme.
Discussion
Action is necessary to ensure the effective international exploitation
of the security product evaluation and certification scheme. There must
be a competitive business advantage of developing, implementing and
using certified security products, and there must be a well understood
correlation between a certified security product and the problems that
it can solve.
Progress is hindered by lack of independent measures of the business
relevance of the certified product.
Measures can be obtained by:
• vendor/user studies (from actual risk assessment)
• product comparisons (using loss reduction models)
• insurance contracts (both direct and consequential damage
assessment)
• vendor cost/benefit profiles (market penetration, software
engineering costs, etc.).
Such studies would prove invaluable to the SMEs who cannot justify
extensive Security controls yet are probably the most vulnerable to the
consequences of information abuse.
The ITSEC actions should reflect a balance between the product based
concepts of security objectives (codes of good practice) and
quantitative risk/loss assessment.
This should result in measured, affordable controls as a prerequisite
to developing a European and international security market.
Requirements
• Mapping of certified product features to specific security
incidents
• common, product independent risk analysis processes.
4.5.3. Technology Assessment
Issue
The solution of many IT security issues requires anticipation of
complex future scenarios. Technology Assessment (TA) provides a
framework in which the use of new and future technology can be
investigated to provide security safeguards for a particular
application under consideration.
Discussion
When considering new applications, especially those that are likely to
have a substantial life cycle, new or developing technology may be of
use in providing effective security safeguards.
Technology Assessment is designed to involve relevant factors from
different areas and to consider all pertinent perspectives (technical,
economical, psychological, political, etc.). Technology Assessment
aims at preparing options for political action based on the results of
a multidisciplinary approach. Technology Assessment is well
established in the US. There is a pilot Technology Assessment project
in the field of IT security in Germany funded by BSI.
Requirements
• Identification of the information security issues that may be
solved within the Technology Assessment process
• Technology Assessment pilot in Europe in the field of
information security to assess the consequences for future information
security applications and provide options for political and legal
actions.
4.5.4. Analysis of Audit Trails
Issue
The lack of efficient tools and associated framework prevents the
efficient management and analysis of audit trails.
Discussion
The analysis of audit trails is the solution of last resort for
detecting misuse of information systems. However, several drawbacks
prevent their efficient analysis in large and distributed information
systems:
• Even though the nature of audit information is often
well-defined by existing security standards, there are no standards for
the storage and distribution of such information.
• The hierarchical ordering and merging of information coming
from numerous security services of various nature and location is not
possible, thus preventing an efficient synthetic analysis thereof.
• The enormous volume of audit information requires specialised
analysis tools. Existing tools are often based on statistical or
relational search techniques. They usually leave the Security Officer
with tedious scrutinising tasks, and often significant combinations of
events remain unnoticed. Artificial Intelligence (AI) based techniques
could be of help in this domain. Of course, such tools cannot provide
absolute and exhaustive scrutiny.
The acquisition and exploitation of audit information may infringe on
the right to privacy of individuals, eg in teleworking systems where
such information could be exploited to oversee workers' performance on
the job. Similarly, the analysis of credit card payment records
provides insight into the holder's private habits, even though it is
necessary to detect security-critical behaviour. These concerns may
warrant recourse to TTP services to prevent abusive analysis of audit
trails. These services fall in the same domain as presented in
paragraph 6.1.7.
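The merging of records from heterogeneous security services, the detection of a significant combination of events that each service alone would miss (the list of drawbacks above), and the privacy concern in the paragraph just above, as one added example in Go that is not from the Green Book or any project it names. The two audit record formats, the "failed logins followed by a privilege change" rule, and an HMAC pseudonymisation key assumed to be held by a TTP are constructed assumptions; the sample records in the usage are constructed too.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"sort"
	"strings"
	"time"
)

// Event is the common form every audit source is normalised to before merging.
type Event struct {
	Time    time.Time
	Source  string
	Subject string // pseudonym from Pseudonymise, never the raw user name
	Action  string
	Outcome string
}

// Pseudonymise replaces the user identity by a keyed hash: the analyst can still
// correlate one subject's events, but only the TTP assumed to hold the key can
// map a pseudonym back to a person.
func Pseudonymise(key []byte, subject string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(subject))
	return hex.EncodeToString(m.Sum(nil))[:12]
}

// parse accepts two constructed record formats (not those of any real product):
//   gateway: "18/10/1993 09:12:05 GW login user=smith outcome=fail"
//   host:    "1993-10-18T09:13:40Z host7 smith privilege-change ok"
func parse(key []byte, line string) (Event, error) {
	f := strings.Fields(line)
	switch {
	case len(f) == 6 && strings.HasPrefix(f[4], "user=") && strings.HasPrefix(f[5], "outcome="):
		ts, err := time.Parse("02/01/2006 15:04:05", f[0]+" "+f[1])
		return Event{ts, f[2], Pseudonymise(key, f[4][5:]), f[3], f[5][8:]}, err
	case len(f) == 5:
		ts, err := time.Parse(time.RFC3339, f[0])
		return Event{ts, f[1], Pseudonymise(key, f[2]), f[3], f[4]}, err
	}
	return Event{}, errors.New("unrecognised audit record: " + line)
}

// Merge normalises records from any number of sources and orders the union by time.
func Merge(key []byte, lines ...string) ([]Event, error) {
	out := make([]Event, 0, len(lines))
	for _, l := range lines {
		e, err := parse(key, l)
		if err != nil {
			return nil, err
		}
		out = append(out, e)
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Time.Before(out[j].Time) })
	return out, nil
}

// Alert reports one flagged combination; Subject is the pseudonym, not the person.
type Alert struct{ Subject, Host string; Failures int }

// Correlate flags a combination no single service sees: at least `fails` failed
// logins for one subject within `window`, then a successful privilege-change on
// a host within `window` of the last failure.
func Correlate(events []Event, fails int, window time.Duration) []Alert {
	var alerts []Alert
	failures := map[string][]time.Time{}
	for _, e := range events {
		switch {
		case e.Action == "login" && e.Outcome == "fail":
			failures[e.Subject] = append(failures[e.Subject], e.Time)
		case e.Action == "privilege-change" && e.Outcome == "ok":
			ts := failures[e.Subject]
			if n := len(ts); n >= fails && e.Time.Sub(ts[n-1]) <= window && ts[n-1].Sub(ts[n-fails]) <= window {
				alerts = append(alerts, Alert{e.Subject, e.Source, n})
				delete(failures, e.Subject) // report each burst once
			}
		}
	}
	return alerts
}
```

Merge feeds Correlate; the Security Officer sees pseudonyms in the alerts and must go through the key holder to name a person.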
Requirements
• Rules and regulations for the design, handling and exploitation
of audit trail information, in conformance with privacy laws and
practices
• prevention of audit data base compromise (eg techniques of
separation of information)
• services for the independent acquisition, management, and/or
analysis of audit trails
• development of innovative technologies (AI-based) for the
exploitation of large audit trails.
4.5.5. Safety Specific Methodologies
Issues
To establish the processes, techniques and methodologies for achieving
safety.
Discussion
Despite the large resource devoted to research and development in
software and systems engineering, there is still little data on the
effectiveness and costs of different methods and techniques for
building dependable systems. The best consensus that can be achieved is
reflected in emerging generic international safety standards, which
either decline to provide guidance or do so in very vague terms. There
is a need to define what software engineering processes should be put
in place to build systems, how these should be applied and how the
results from them can be demonstrated to meet the requirements.
There is also a need to establish variation of requirements throughout
the system lifecycle and to understand the role of process maturity and
models and its interaction with technologies for development. The
tendency in safety (and other) applications to require a bureaucratic
documentation based process needs evaluation and the cost/benefits
established. The relative importance of process based approaches, the
competency of those involved and analytical techniques need to be
addressed.
Safety is of course just one aspect of dependability, and many of the
problems in achieving safety are general problems. In order to
facilitate the exploitation of generic work on dependable systems and
to focus this work on the needs of safe and secure systems, there is a
need to understand in what ways the engineering of safety systems is
different. For example, we need to understand how safety analysis
techniques (Hazops, fault tree analysis etc.) fit into requirements
capture, the need for special fail-safe architectures and design, and
the special requirements for hardware fault detection, tolerance and
management.
The approaches to achieving safety should also recognise not just the
software issue but also the problems of designing trusted hardware and
the increasing blurring between hardware engineering and software
arising from the use of programmable ROMs.
Requirements
• Software engineering processes and techniques for safety
applications including their application and evaluation
• understand the special needs for engineering safe systems.
4.6. Requirements for Audits