«Securing Information in the Digital Age Information Security Policies This document presents a suite of integrated solutions which, together, offer ...»
1 Physical Access. The process of obtaining use of a computer system (for example, by sitting down at a keyboard), or of being able to enter the specific area(s) of the organisation where the main computer systems are located.
2 Logical Access. The process of being able to enter, modify, delete or inspect records and data held on a computer system, normally by providing an ID and password (where required). The view that restricting physical access removes the need for logical access restrictions is misleading: any organisation with communications links to the outside world is exposed to the risk of unauthorised logical access. Hackers do not, generally, visit the sites they are attacking in person; they do it from a distance.
Access Control List The Access Control List (ACL) is the list of entries, held by the operating system against a folder / directory or file, which it consults to determine each user's (or group's) access rights and privileges to that object. Common privileges allow a user to read a file (or all the files in a folder / directory), to write / update the file or files, and to run (execute) the file if it is an executable file or program. A user who matches no entry in the list should be refused access, not granted it by default.
Access Rights The powers granted to users to create, change, delete, or simply view data and files within a system, according to a set of rules defined by IT and business management. It is not necessarily true that the more senior a person, the more power is granted. For example, most data capture (essentially creating new files or transactions) is performed at a relatively junior level, and it is not uncommon for senior management to have access rights only to view data, with no power to change it. There are very good Internal Control and Audit reasons for adopting this approach.
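The following is an added illustration, not code from the original document: a small ACL evaluator in Python that applies the read / write / execute privileges described under Access Control List, with a sample ACL constructed so that clerks can capture data while management and auditors can only view it, as the Access Rights entry describes. The users, the groups, and the precedence rule (an explicit deny entry overrides any allow, which is how Windows NTFS ACLs behave; POSIX ACLs have no deny entries) are assumptions made for this example.

```python
from dataclasses import dataclass, field

READ, WRITE, EXECUTE = "read", "write", "execute"


@dataclass(frozen=True)
class Entry:
    """One ACL entry: who it names, which privileges, and allow or deny."""
    principal: str                 # a user name, or "group:<group name>"
    permissions: frozenset         # subset of {READ, WRITE, EXECUTE}
    allow: bool = True             # False makes this an explicit deny


@dataclass
class Acl:
    entries: list = field(default_factory=list)


# Group membership, constructed for this example.
GROUPS = {
    "clerks": {"alice", "bob"},
    "management": {"carol"},
    "auditors": {"dave"},
}


def principals_for(user):
    """Return the names an ACL entry could use to match this user."""
    names = {user}
    for group, members in GROUPS.items():
        if user in members:
            names.add(f"group:{group}")
    return names


def is_permitted(acl, user, permission):
    """Decide whether `user` holds `permission` under `acl`.

    Rule assumed here: an explicit deny that matches the user, or any group
    the user belongs to, overrides every allow; with no matching allow at
    all the answer is deny (no entry means no access).
    """
    names = principals_for(user)
    matching = [e for e in acl.entries
                if e.principal in names and permission in e.permissions]
    if any(not e.allow for e in matching):
        return False
    return any(e.allow for e in matching)


def effective_rights(acl, user):
    """The set of privileges `user` actually ends up with on the object."""
    return {p for p in (READ, WRITE, EXECUTE) if is_permitted(acl, user, p)}


# Constructed ACL for a transactions file: clerks capture data (read+write),
# management and auditors may only view it, and one clerk has been given an
# explicit deny on write (for instance while on leave).
TRANSACTIONS_ACL = Acl([
    Entry("group:clerks", frozenset({READ, WRITE})),
    Entry("group:management", frozenset({READ})),
    Entry("group:auditors", frozenset({READ})),
    Entry("bob", frozenset({WRITE}), allow=False),
])

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave", "eve"):
        print(f"{user:6s} {sorted(effective_rights(TRANSACTIONS_ACL, user))}")
```

Running the block lists each user's effective rights: alice gets read and write, bob (denied write) only read, carol and dave only read, and eve, who matches no entry, nothing at all. The point worth checking in any real system is the last case: the default for an unlisted user must be refusal.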
Accidental Damage In relation to Information Security, accidental damage refers to damage or loss caused by a genuine error or misfortune. However, despite the genuine nature of the accident, such incidents can, and should, be prevented by awareness, alertness and action.
For example, whilst we can all sympathise with the person who has lost their 50-page document through a system crash, there is little excuse for not having made a suitable backup copy from which to recover the situation.
Account An ‘account’ is the term most commonly used to describe a user’s profile which permits access to computer systems. Sometimes the account refers simply to the means of gaining network access to printers and the filing system; in other instances accounts are specific to an application system and incorporate a range of optional privileges controlling a user’s level of access. (See Access Control List.)
Achilles Heel The term Achilles Heel refers to an area of weakness which, applied to Information Security, means the weak link in the security safeguards. An example of an Achilles Heel would be where substantial effort has been made to secure data on the server, and yet virtually anyone is able to walk into the systems room and remove the disk sub-systems.
The appropriate action for the Security Officer in your organisation is to identify the Achilles Heel and to take action against it: an attacker will take the weakest route in, however strong the others are.
Admissible Evidence Admissible Evidence is ‘evidence’ that is accepted as legitimate in a court of law.
From an Information Security perspective, the types of ‘evidence’ will often involve the production of a system’s log files. The log file will usually identify the fact that a
ADSL ADSL (Asymmetric Digital Subscriber Line) is a technology for transmitting digital information at high speeds over existing telephone lines (POTS) to homes and business users alike. Unlike a standard dial-up service, ADSL provides a permanent (‘always-on’) connection with no per-call charge.
ADSL was specifically designed to exploit the one-way nature of most multimedia communication in which large amounts of information flow toward the user and only a small amount of interactive control information is returned. Several experiments with ADSL to real users began in 1996. In 1998, wide-scale installations began in several parts of the U.S. In 2000 and beyond, ADSL and other forms of DSL are expected to become generally available in urban areas.
With ADSL (and other forms of DSL), telephone companies are competing with cable companies and their cable modem services.
N.B. The Information Security implications of connecting full time to the Internet should not be underestimated: an always-on connection is exposed to probing and attack around the clock, not merely for the duration of a dial-up call. Anyone connecting their system to the Internet full time needs a firewall, which need not cost hundreds of dollars.
Alpha Geek The most knowledgeable, technically proficient person in an office, work group, or other, usually non-IT, environment. Born ‘fiddlers’ and ‘tinkerers’, they tend to ignore the basic rule of ‘If it ain’t broke, don’t fix it’, preferring to operate on the basis of ‘Fix it until it is broke’. Such people can be a considerable security risk, like ordinary Geeks, Anoraks and Tech-heads, only more so.
Alpha Software Software described as an ‘alpha version’ has received basic testing by the developer(s) but is not yet ready for full testing. Alpha versions may have modules or components missing, or with only partial functionality. Alpha software should never be used for anything other than demonstrations and (elementary) testing, and never on production systems or with live data.
Analog, Analogue A description of a continuously variable signal or a circuit or device designed to handle such signals. The opposite is ‘discrete’ or ‘digital’. Typical examples are the joysticks or steering wheels associated with flight and driving simulations or air/space combat games.
Analogue Computer A machine or electronic circuit designed to work on numerical data represented by some physical quantity (e.g. rotation or displacement) or electrical quantity (e.g. voltage or charge) which varies continuously, in contrast to digital signals which are either 0 or 1 (Off or On).
For example, the turning of a wheel or the movement of a mouse or joystick can be used as input. Analogue computers are said to operate in real time and are used for research in design where many different shapes and speeds can be tried out quickly. A computer model of a car suspension allows the designer to see the effects of changing size, stiffness and damping.
Analyst In two basic IT variants - Business Analysts, and Systems Analysts - these individuals are involved in the front end design stages of systems from the view points of users and IT respectively. The analysts will determine the business requirements to be addressed, the processes which are involved in meeting those needs, and the systems designs which will deliver those requirements to the users.
Anoraks Whimsical term for computer enthusiasts - usually, but not exclusively, young and lacking in social skills. The term derives from the preferred item of apparel for attending computer exhibitions, it being equipped with numerous sizeable pockets ready to be stuffed with all manner of obscure electronic gizmos.
Some anoraks tend more to the software side of IT and may graduate to being Hackers. Anoraks certainly have their uses but, in many ways, are a security risk.
Such persons are inclined to do things with, and to, organisation IT systems simply for the technical and intellectual challenge, rather than for any business benefit to the organisation. Also known as Nerds, Geeks, and Tech-heads, the term is acquiring wider usage to describe any enthusiastic follower of obscure sports, hobbies, pastimes, etc.
ANSI The American National Standards Institute, the main organisation responsible for furthering technology standards within the USA. ANSI is also the US member body of the International Organization for Standardization (ISO).
Anti-Virus Program Software designed to detect, and potentially eliminate, viruses before they have had a chance to wreak havoc within the system, and to repair or quarantine files which have already been infected by virus activity. Such software is only as good as its last update: new viruses appear continually, so the detection (signature) files must be kept current.
Application software Computer programs that are used by the Organisation to meet its business needs (as opposed to system software). Typically such software includes programs for accounting, transaction processing, word processing, spreadsheets, databases, graphics, and presentations, and any special software developed specifically for that particular business.
Architecture - Technical and Applications The term ‘technical architecture’, refers to the core technologies deployed across a computing resource / network. For example an organisation’s technical architecture may comprise UNIX servers running on RISC hardware, Windows® NT servers running on Intel CISC processors; over a 100BASE-T network using CAT 5 cabling.
The application’s architecture can refer to a range of components but, in the corporate environment, identifies the foundational database upon which the majority of business applications are built. For example an organisation’s applications architecture could be Oracle relational database (running on the UNIX servers identified above in the technical architecture) for business applications, and Microsoft Office® for all office and inter-organisation communications.
Archive An area of data storage set aside for non-current (old, or historical) records in which the information can be retained under a restricted access regime until no longer required by law or organisation record retention policies. This is a field in which computers have a distinct advantage over older paper files, in that computer files can be ‘compressed’ when archived to take up far less space on the storage media. Paper records can only be compressed by using microfilm, microfiche, or, more recently, by scanning into a computer system. Whichever system is chosen, care must be exercised to ensure that the records retained meet legal requirements should it ever be necessary to produce these records in a court of law.
Archiving The process of moving non-current records to the Archives. Once records are no longer required for day-to-day operations they should be passed to the control of an independent Archivist.
Archivist Individual (or possibly, department) responsible for the retention, care and control, and subsequent destruction, of non-current records. The Archivist should be independent, not involved in processing, and have no power to create or amend records other than registers/indices of stored material.
ARP – Address Resolution Protocol The protocol by which a host on a local network (the gateway included) discovers which physical address, known as the MAC address, belongs to a given IP address: when data arrives at the gateway bound for a specific local computer, the gateway broadcasts an ARP request for that IP address and the owning machine replies with its MAC address. Hosts cache the answers they receive. ARP replies carry no authentication, so a cache holds whatever the last responder on the segment claimed.
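As an added example, not part of the original glossary, the following Python reads an ARP cache and answers the question the entry above describes: which MAC address does a host currently hold for a given IP address? The sample lines are constructed for this example, laid out as `ip -4 neigh show` prints them on Linux (`<ip> dev <interface> lladdr <mac> <state>`, with no `lladdr` when resolution failed). The final check lists MAC addresses attributed to more than one IP address; that is legitimate for a router holding several addresses, but on a simple LAN it is also what the cache looks like when one station has answered for another's IP address, so it is worth a second look.

```python
import re
from collections import defaultdict

# Constructed sample in the layout printed by `ip -4 neigh show` on Linux.
# The FAILED entry has no lladdr because the kernel received no reply.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev eth0 lladdr 08:00:27:ab:cd:ef STALE
192.168.1.21 dev eth0 lladdr 08:00:27:12:34:56 REACHABLE
192.168.1.22 dev eth0  FAILED
192.168.1.30 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>[0-9A-Fa-f:]{17}))?"
    r"\s+(?P<state>\S+)\s*$"
)


def parse_arp_cache(text):
    """Map IP address -> (MAC, state) for every entry that carries a MAC."""
    cache = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("mac"):
            cache[m.group("ip")] = (m.group("mac").lower(), m.group("state"))
    return cache


def resolve(cache, ip):
    """The physical (MAC) address the cache currently holds for `ip`, if any."""
    entry = cache.get(ip)
    return entry[0] if entry else None


def shared_macs(cache):
    """MAC addresses that the cache attributes to more than one IP address."""
    by_mac = defaultdict(list)
    for ip, (mac, _state) in cache.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    cache = parse_arp_cache(SAMPLE_NEIGH)
    print("gateway 192.168.1.1 ->", resolve(cache, "192.168.1.1"))
    print("unresolved 192.168.1.22 ->", resolve(cache, "192.168.1.22"))
    for mac, ips in shared_macs(cache).items():
        print(f"{mac} answers for {', '.join(ips)}")
```

In the constructed sample the gateway's MAC address also appears against 192.168.1.30, so the last loop reports it. Whether that is a second address on the router or something to investigate can only be settled by checking against the network's own records; the cache itself cannot tell you.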
Audit Log Computer files containing details of amendments to records, which may also be used in the event of system recovery being required. The majority of commercial systems can create an audit log. Enabling this feature incurs some system overhead, but it permits subsequent review of all system activity and provides details of which User ID performed which action, to which files, and when. The log must itself be protected from alteration by the users whose actions it records; an audit log that its subjects can edit is not evidence of anything.
Failing to produce an audit log means that the activities on the system are ‘lost’: they cannot be reconstructed after the event.
Audit Trail A record, or series of records, which allows the processing carried out by a computer or clerical system to be accurately identified, as well as verifying the authenticity of such amendments, including details of the users who created and authorised the amendment(s).
Auditor Person employed to verify, independently, the quality and integrity of the work that has been undertaken within a particular area, with reference to accepted procedures.
Authentication Authentication is the verification that a person, or an item of data, is what it claims to be; for example, a message may be authenticated as having originated from its claimed source. Authentication techniques usually form the basis for all forms of access control to systems and / or data.
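The entry's example, authenticating a message as coming from its claimed source, can be shown concretely with a message authentication code. The Python below is an added example, not code from the original document: sender and receiver share a secret key (a constructed constant here; in practice it is provisioned out of band and never transmitted), the sender attaches an HMAC-SHA256 tag computed over both the claimed source and the message body, and the receiver recomputes the tag and compares it in constant time. The source name and message contents are assumptions made for the example.

```python
import hmac
import hashlib

# Constructed demonstration key shared by sender and receiver.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def make_tag(key, source, message):
    """HMAC-SHA256 over the claimed source *and* the message body.

    Binding the source identity into the tag means that relabelling a
    genuine message with a different 'from' value invalidates the tag,
    not just altering the body.
    """
    data = source.encode() + b"\x00" + message
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def send(key, source, message):
    """What the sender transmits: the claimed source, the body and the tag."""
    return {"from": source, "msg": message, "tag": make_tag(key, source, message)}


def verify(key, envelope):
    """Receiver's check; compare_digest avoids leaking the tag via timing."""
    expected = make_tag(key, envelope["from"], envelope["msg"])
    return hmac.compare_digest(expected, envelope["tag"])


if __name__ == "__main__":
    genuine = send(SHARED_KEY, "branch-07", b"PAY 1000.00 TO ACCT 4471")
    tampered = dict(genuine, msg=b"PAY 9000.00 TO ACCT 4471")
    relabelled = dict(genuine, **{"from": "head-office"})
    print(verify(SHARED_KEY, genuine),
          verify(SHARED_KEY, tampered),
          verify(SHARED_KEY, relabelled))   # True False False
```

Two caveats a practitioner would want stated: an HMAC proves only that the message was produced by someone holding the key, so with a shared key the receiver could forge messages as easily as the sender (a digital signature is needed where that matters); and it does nothing against replay of a genuine message, which calls for a sequence number or timestamp inside the authenticated data.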
Authorisation The process whereby a person approves a specific event or action. In companies with access rights hierarchies it is important that audit trails identify both the creator and the authoriser of new or amended data. It is an unacceptably high risk situation for an individual to have the power to create new entries and then to authorise those same entries themselves.
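The control described under Authorisation, and the review that the Audit Log and Audit Trail entries make possible, come together in the following added example (not code from the original document). It reads a constructed audit trail in which each line carries a timestamp, user ID, action and record ID, and reports two failures: a record whose creator or amender also authorised that same change, and a change that was never authorised at all. The log layout and the user and record names are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample audit trail (not from any real product). Each line is:
# <timestamp> <user id> <action> <record id>, with actions CREATE, AMEND
# and AUTHORISE.
SAMPLE_LOG = """\
2000-03-01T09:02:11 jsmith CREATE INV-1001
2000-03-01T09:05:42 mjones AUTHORISE INV-1001
2000-03-01T09:30:07 jsmith CREATE INV-1002
2000-03-01T09:31:15 jsmith AUTHORISE INV-1002
2000-03-01T10:12:55 kbrown AMEND INV-1001
2000-03-01T10:13:02 kbrown AUTHORISE INV-1001
2000-03-01T11:00:00 mjones CREATE INV-1003
"""


def parse_log(text):
    """Yield (timestamp, user, action, record) for each non-blank line."""
    for line in text.splitlines():
        if line.strip():
            ts, user, action, record = line.split()
            yield ts, user, action, record


def review(text):
    """Check the trail for two control failures and return the findings.

    Each finding is (record, kind, detail) where kind is:
      'self-authorised'  the user who created or amended the record also
                         authorised that same change;
      'unauthorised'     a creation or amendment has no authorisation.
    """
    pending = defaultdict(list)   # record -> [(user, action)] awaiting sign-off
    findings = []
    for ts, user, action, record in parse_log(text):
        if action in ("CREATE", "AMEND"):
            pending[record].append((user, action))
        elif action == "AUTHORISE":
            for changer, change in pending.pop(record, []):
                if changer == user:
                    findings.append((record, "self-authorised",
                                     f"{user} performed {change} and AUTHORISE ({ts})"))
    for record, changes in pending.items():
        for changer, change in changes:
            findings.append((record, "unauthorised",
                             f"{change} by {changer} never authorised"))
    return findings


if __name__ == "__main__":
    for record, kind, detail in review(SAMPLE_LOG):
        print(f"{record}: {kind}: {detail}")
```

On the sample trail the review reports INV-1002 (created and authorised by jsmith), INV-1001 (amended and then authorised by kbrown, even though its original creation was properly authorised by mjones) and INV-1003 (created but never authorised). Note that the second case only surfaces because the trail records every amendment with its own authorisation, not merely the record's creation: that is the audit trail property the entries above ask for.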
Auto Dial-back A security facility designed to ensure that ‘dial up’ links to the organisation’s communications network may only be accessed from approved/registered external phone numbers. The computer holds a list/register of user IDs and passwords together with telephone numbers. When a remote call is received from one of these users the computer checks that ID and password match and then cuts off the connection and dials back to the ‘registered’ telephone number held in the computer files. This system works well with fixed locations such as remote branches but may be inconvenient for staff who move around a lot. The drawbacks may be overcome by using a mobile telephone (connected to a laptop computer) as the registered dial-back - subject to the security requirements of protecting such items against theft or eavesdropping.
Availability Ensuring that information systems and the necessary data are available for use when they are needed. Traditionally, computer systems were made available for staff use by the IT department in the early morning, and then closed down again by the IT staff before running their ‘End of Day’ routines. Availability was thus the poor relation of Confidentiality and Integrity in security terms. However, the extension of the working day (for example because of trading with different time zones) and the growth of 24x7 systems associated with, for example, web sites, Internet (on-line) trading and cash point machines, coupled with the threats of viruses and intrusions, mean that availability has become a much more important element of Information Security work.