Securing Information in the Digital Age: Information Security Policies. This document presents a suite of integrated solutions which, together, offer ...
Therefore, when e-mail is sent, even using a Digital Certificate, certified delivery to the recipient(s) is lacking. Best Practice is to request safe receipt from the recipient(s).
• It does not carry any legal validity. Unless sent using a Digital Signature, an e-mail does not carry the legal validity enjoyed by hard copy or signed fax transmission. However, even an e-mail sent using a Digital Signature cannot necessarily be relied upon legally, as it was only in 2000 that the US and UK accepted that such e-mails could be used as legally binding documents.
E-mail Signature file The e-mail ‘signature’ or .sig (‘dot sig’) refers to the optional footer text appended to the end of each outward e-mail. Normally, a signature file includes the sender’s name and other contact details, e.g. telephone number and Web site address.
It should also contain a disclaimer. Consider the following:

*****************************************************
Email Confidentiality
Privileged/Confidential Information may be contained in this message. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or send this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply e-mail.
*****************************************************

It could also include a disclaimer about the possibility of spreading a computer virus:

*****************************************************
Although this email has been scanned for the possible presence of computer viruses prior to despatch, we cannot be held responsible for any viruses or other material transmitted with, or as part of, this email without our knowledge.
*****************************************************

Where the contents of the e-mail are those which, despite being sent from a corporate e-mail system, are the personal views of the sender, and should therefore be detached from any possible corporate view on the subject, the sender may incorporate the following in their e-mail footer.

*****************************************************
The opinions expressed above are my own and are not those of any company or organisation.
*****************************************************

Encryption The process by which data is temporarily re-arranged into an unreadable or unintelligible form for confidentiality, transmission, or other security purposes.
End of Day - eod A set of routines, programs etc., performed/run by IT department staff after normal close of business. With the advent of 24x7 processing, such routines may well now be run during the early hours of the morning and would include, for example, taking backups, running interest accruals on closing balances, checking file integrity etc.
End User License Agreement – EULA The End User License Agreement – or EULA – is a legally binding contract between the developer or publisher of a software program (or application) and the purchaser of that software. However, unlike the purchase of goods or services, the EULA is, as its name implies, a license agreement. In other words, the purchaser does not own the software; they merely have a right to use it in accordance with the licence agreement.
During the installation of packaged software, the purchaser is shown the contents of the EULA and is often required to scroll down through the EULA, at the bottom of which one may Accept or Refuse its terms. By enforcing the need to scroll through the EULA, the vendor makes it unlikely that a user would succeed in any action to deny acceptance of its terms.
In some cases, the EULA is written on the outside of the packaging with the breaking of the seal to the CD, indicating acceptance of the EULA.
In all cases, the EULA is the contract which users ignore at their peril; and whilst most EULAs contain broadly similar clauses and restrictions, it is important to confirm these before committing your organisation.
Microsoft has helpfully provided detailed information about its own EULAs at www.microsoft.com/education/license/eula.asp.
Enforced Path Normally, a user with the appropriate access control is able to use any PC or workstation on the local area network to run an application or access certain data.
However, where such data or system is classified as sensitive or requires restricted physical access, an enforced path may be applied. This is a straightforward configuration setting, performed by the Systems Administrator, whereby access is restricted to a specific workstation or range of workstations.
Enforcing the path will provide added security because it reduces the risk of unauthorised access; especially where such a workstation is itself within a secure zone, requiring physical access codes / keys etc.
Enhancement In theory, an improvement in hardware or software over the current version. In practice, enhancements are often merely vehicles to introduce some ‘new’ features into a package before withdrawing support for the current product, thereby pushing users towards upgrading their systems - at a price.
Error Log An error log records any abnormal activity on application software, usually in simple / plain text (ASCII). Each (main) application generates its own logs, and it is the responsibility of Systems Operations to retrieve and scrutinise them for any processing errors.
Escrow A legal provision whereby, in the event of a developer/supplier failing or otherwise ceasing to trade, the source code for their packaged software is made available to licensed / registered users, thereby enabling its ongoing maintenance.
e-Trading e-Trading is that part of e-Commerce which specialises in financial services. It deals in corporate paper (e.g. stocks and shares), the purchase of commodities, and currencies etc. It can be Business-to-Consumer or Business-to-Business.
Expectations Mismatch Expectations mismatch refers to the all too common condition whereby the customer’s expectations are different from those of the supplier; it is one of the most common reasons for systems projects to falter. No matter which project or initiative is concerned, always ensure that expectations remain synchronised throughout the project.
The seeds for such mismatch are normally sown early on in the project, where the vendor presents a solution to the need as they perceive it, and the organisation believes that the vendor’s system can meet their needs; such belief often being based upon the verbal assurances given by the vendor.
It is strongly recommended that, as negotiations are progressing, the organisation documents precisely what it expects each party to provide and, more importantly, what each is not expecting to do / provide.
Example : a major systems vendor contracted with a bank to deliver a new system where the vendor contracted to implement the system. The bank’s management, and its project team, understood this to mean ‘set up and configure the system, to enable us to use it’ (in a live environment). The vendor refuted this, and suggested that implement meant to load up the software and test that it was working. Any required support for a ‘migration to live operations’ would be at additional cost…….
The project faltered and nearly failed.
Expectations mismatch occurs most often where plans are inadequate with the consequence that, when the detail tasks are to be performed, one or both parties presume that it is the responsibility of the other party and each then ‘points the finger’ at the other party. Avoid this with a formal approach to project management.
Expiry The point/date by which an event (such as changing a password) must take place.
Extranet An Extranet is a private network which uses the Internet protocols and extends beyond an organisation’s premises, typically to allow access by clients, suppliers, or selected third parties.
Extranets require strong security if they are to prevent unauthorised access. This can range from a relatively simple User ID and password to the use of Digital Certificates, User IDs and passwords, with, naturally, end to end encryption of data.
Fallback Procedures Fallback procedures are particular business procedures and measures, undertaken when events have triggered the execution of either a Business Continuity Plan or a Contingency Plan.
Fax / Facsimile Machines Whilst the use of faxes is being eclipsed by that of e-mail, they are still preferred where a legal record of transmission and delivery is required.
Fax machines operate by incorporating three technologies into a single unit: a scanner to convert a page into a graphical image; a printer to print the resultant image; and a modem to transmit the data across the public telephone network.
Despite the fact that fax images can be tampered with as easily as any other form of electronic data format, they have nevertheless become accepted as bona fide documents for legal purposes.
Great care should be exercised when accepting a fax as genuine because its Integrity may be questionable, as there is no data validation or authentication between sending and receiving parties. Any fax machine can set the Calling Station IDentifier (CSID) to whatever it wishes and, whilst some software can check the name of the CSID before transmission, this is of limited value where robust security is required.
Faxes should not be used for Confidential information where the Integrity of the information is paramount. In an effort to reduce the risk, callers and senders will often (physically) watch over the fax machine in order to capture the expected fax.
However, it is ‘wide open’ from a security perspective and, because fax machine numbers are so publicly available, a ‘tap’ on the line could indeed intercept faxes.
Features / Glitches (Bugs) Within the IT community, the term ‘bug’ is frowned upon, and is often replaced with the quaint term ‘feature’ or a ‘glitch’. Irrespective of how it is described, it remains a bug!
Finagle's Law The ‘folk’ version of Murphy's Law, fully named ‘Finagle's Law of Dynamic Negatives’ and usually rendered ‘Anything that can go wrong, will.’ One variant favoured among hackers is ‘The perversity of the Universe tends towards a maximum.’ The label ‘Finagle's Law’ was popularised by SF author Larry Niven in several stories depicting a frontier culture of asteroid belt miners. This ‘Belter’ culture professed a religion and/or running joke involving the worship of the dreaded god Finagle and his mad prophet Murphy.
Fire-Resistant Storage Cabinet The legal records and documents of most organisations are likely to be in traditional paper / printer form. A fire resistant cabinet or safe is required to secure these documents from fire for a guaranteed period of time.
Firewalls Firewalls are security devices used to restrict access in communication networks.
They prevent computer access between networks (say from the Internet to your corporate network), and only allow access to services which are expressly registered. They also keep logs of all activity, which may be used in investigations.
With the rapid growth in electronic communications - particularly via the Internet - firewalls, and firewall software, are being installed which will allow remote users to access limited parts of the system but restrict further access unless specific identification and authorisation requirements are satisfied. For example, an organisation’s Web site will contain pages which are available to any Internet ‘surfer’, but other areas will not be accessible until the system has recognised the user as authorised. See Extranet.
Firewall Machine. A dedicated gateway computer with special security precautions on it, used to service outside network, especially Internet, connections and dial-in lines. The idea is to protect a cluster of more loosely administered machines hidden behind it from intrusion. The typical firewall is an inexpensive microprocessor-based Unix machine with no critical data, with modems and public network ports on it, but just one carefully watched connection back to the rest of the cluster. The special precautions may include threat monitoring, call-back, and even a complete iron box which can be keyed to particular incoming IDs or activity patterns.
Firewall Code. The code put in a system (say, a telephone switch) to make sure that the users can't do any damage. Since users always want to be able to do everything but never want to suffer for any mistakes, the construction of a firewall is a question not only of defensive coding but also of interface presentation, so that users don't even get curious about those corners of a system where they can burn themselves.
Firmware A sort of ‘halfway house’ between Hardware and Software. Firmware often takes the form of a device which is attached to, or built into, a computer - such as a ROM chip - which performs some software function but is not a program in the sense of being installed and run from the computer’s storage media.
Fit for Purpose Fit for Purpose is a general expression which can be useful to ensure that Information Security solutions are appropriate for your organisation. Vendors will sometimes attempt to ‘fit’ their solution to your problem. Fit for Purpose is an expression which, when used within the solution negotiation context, places an onus of responsibility upon the vendor to ensure that its solution is (indeed) fit for the purpose which their client expects.
Example: a well known systems company contracted for the sale of their system.
Included in the price was one week of training in the system. During implementation it became apparent that one week of training was totally inadequate. The customer successfully claimed (prior to legal action) that the supplier’s solution was inadequate and hence not fit for purpose.
When considering Information Security solutions, it is good practice to remind any potential suppliers, in your statement of requirements, that the solution must be fit for purpose.
See also Request For Proposal.