Securing Information in the Digital Age – Information Security Policies. This document presents a suite of integrated solutions which, together, offer ...
In general, a user of an organisation’s systems should be offered no more than is necessary to perform the function required. See also Privileged User.
Privileged User A User who, by virtue of function, and/or seniority, has been allocated powers within the computer system, which are significantly greater than those available to the majority of users. Such persons will include, for example, the system administrator(s) and Network administrator(s) who are responsible for keeping the system available and may need powers to create new user profiles as well as add to or amend the powers and access rights of existing users.
Production System A (computer) system is said to be in production when it is in live, day-to-day operation. Systems which have been developed and tested are said to be ‘migrated into production’.
Project Plan A project plan is a plan which specifies, to an adequate level of detail, the precise nature of the project about to be undertaken, the resources required, the responsibilities of each party, the tasks to be performed and the dependencies and constraints upon the project. Project plans are much more than a list of tasks presented in the form of a ‘GANTT’ chart.
Glossary 461

Protocol A set of formal rules describing how to transmit data, especially across a network.
Low level protocols define the electrical and physical standards to be observed, bit- and byte-ordering and the transmission and error detection and correction of the bit stream. High level protocols deal with the data formatting, including the syntax of messages, the terminal to computer dialogue, character sets, sequencing of messages etc.
Some examples of protocols are: TCP/IP, the protocol used on the internet to send and receive information; HTTP – used for Web page communications, is a subset of TCP/IP.
Proto-hacker Individual who has risen above the tinkering Anorak level with aspirations to be a Hacker - but does not yet have the necessary skills to crack a major system. Can cause much damage by clumsy entry Hacking and blundering around the system corrupting files - albeit unintentionally. Proto-hackers may have marginally more technical skills than Anoraks but still display immaturity by leaving calling cards, messages, graphics, etc. As a result most of them are identified and caught before they graduate to being full Hackers.
Proxy Server A proxy server is a computer server which acts in the place of individual users when connecting to Web sites. The proxy server receives requests from individual workstations and PCs and then sends this request to the Internet. It then delivers the resultant information to the requesting PC on the network.
When used in conjunction with a firewall, a proxy server’s identity (and that of its connected PCs) is completely masked or hidden from other users. This is the manner in which secure sites operate.
Quarantine Defensive tactic employed against viruses. Anti-virus software can often detect viruses which it cannot repair automatically. In such cases the simplest option is to delete the file, but better quality anti-virus programs offer the option to Quarantine the file. This involves removing the file from its current location, encrypting it, and locking it in the quarantine area, i.e. a part of the disk which is not accessible by any application except the anti-virus program and certain disk utility tools.
Once in quarantine the anti-virus utility programs may be able to open the file and examine the contents to allow a user to extract any useful information, or, if sufficiently skilled, to remove the virus and effect a manual repair of the file.
Real-time ‘Live’, ‘As it happens’. Real-time systems pass entries, update records, accounts, balances, etc., as soon as new data is received, and make that data available to users within the limitations of the system. Typically, the response from the system will be measured in milliseconds. If a real-time system is failing to present its response to users adequately fast, it may well be indicative of other bottlenecks, such as a saturated network or other processes competing for processor priority. A real-time system is assumed to need immediate access to processor power and will have its priority set accordingly.
Reconciliation In the IT context Reconciliation is a vital part of Acceptance Testing and Parallel Running whereby the output from both the ‘old’ and ‘new’ systems is compared to ensure that the new system is operating correctly. Clearly, if the old system claims that 2+2=4, while the new system differs - there is a problem.
Reconciliation goes beyond mere arithmetic and it is essential that all outputs be reconciled, to allow for known changes in the new system, and identify any unexpected results.
It is critical that this be completed before the new system is accepted.
Regression Testing Regression Testing is a process which tests a system once again to ensure that it still functions as expected / as per specification. The reason for this renewed testing activity is usually that a material change has occurred to the system; for example, a new hardware platform, or a major release of the operating system (e.g. Windows NT® to Windows 2000®). In addition, where, say, the software vendor releases a new version of its database, a comprehensive regression test plan needs to be developed and completed to ensure that the reports, screens, scripts, Remote Procedure Calls and User options are all functioning as expected.
Warning! The chances are that they will not work completely as expected, and that you will need to modify or change certain aspects of your configuration.
N.B. Regression Testing must also test the revised software by simulating its operational environment to ensure that all systems and interfaces still operate as expected.
Regression Testing should be conducted like any other system testing and proceed according to a Test Plan. If you do not perform Regression Testing, then your system could fail upon upgrade.
Repair A technically demanding technique used to undo the damage done to a file by virus infection and/or corruption. Most virus infections can be repaired automatically by an anti-virus program, but there are some, together with other types of (non-viral) data corruption which must be handled manually.
This approach requires a relatively high level of technical skills and the use of special software tools which should not be available to ordinary users.
The damaged files should be removed from the main system to a separately partitioned area while being repaired.
If the damage is severe or extensive, affecting a number of files, consideration may be given to recovering an earlier copy of the file from backup.
Request for Proposal – RFP The Request for Proposal – or RFP, is the document produced by the project team of the organisation when determining the supplier and/or solution to a commercial need or requirement.
The project team should already have ascertained the types of solution which are appropriate and the vendors which compete in that space. The RFP is sent by the organisation to each of the primary vendors, with the intention that each vendor responds with a written proposal detailing how they will provide the solution, and the terms and conditions of such supply.
Typically, an RFP will comprise the following items:
N.B. It is extremely important that all vendors are treated equally and fairly and, as such, it is worth spending adequate time in order to plan for and prepare the RFP. Information provided to one vendor, as a result of (say) a one-on-one meeting, and not provided to other vendors, would be viewed as biased or uncompetitive and could result in difficulties, especially where you expect to use that vendor in the future. Therefore, if it is necessary to provide additional information as a result of an enquiry from one vendor, supply this to all.
Response / Response Time Response time usually refers to a user’s subjective assessment of a computer’s ‘response’ to their request. Such requests could be to logon to the network, or could be to receive the confirmation code following entry of a transaction. The response time of a system results from the interaction of multiple components and not simply the ‘power’ of the computer itself (although this helps!). There could be massive contention across the network, or there could be heavy processing taking place, resulting in little available ‘CPU’ time to deal with your request. One way of improving response time is to increase the priority of the process which you are running. However, such techniques are not advisable unless you are the System Administrator and have a good understanding of the impact such re-prioritisation may have.
Retention and deletion of E-mail Correspondence Simple e-mails carry no legal status at this time. Their use should therefore be limited to basic correspondence upon which no legal reliance is placed. At present, the law is still evolving with regard to e-mail, but current practice appears to be either to retain everything as a part of your organisation’s activities, or retain nothing. In practice, organisations will wish to retain e-mails, as they nevertheless represent a record of genuine business correspondence, notwithstanding the fact that their validity in a court of law may be challenged.
However, the use of a Digital Signature is now legally enforceable in some countries, and any messages received using such signatures could be considered legally valid and hence enforceable. See Digital Signature for further information.
Road Warrior An ‘outdoor’ member of staff whose ‘office’ is a laptop and cellular telephone.
Such persons, because of the nature of their working environment and, to some extent, the personality types associated with such work, may well require a more than proportional share of the organisation’s computer housekeeping time.
Root Directory In a computer’s filing system on the hard disk, the root directory is the directory (or ‘folder’) from which all other directories will be created. In Microsoft Windows® the root is denoted by the symbol ‘\’ and in the world of Unix is shown by ‘/’ (just to be different!) In Unix the all powerful user of the system is also known as root which permits access and all privileges to the root directory and hence the entire filing system.
Rotation of Duties Accompanied by Segregation of Duties, Rotation is a useful security measure which has, in the past, uncovered a number of users’ nefarious activities. In days gone by rotation was particularly important for staff such as cashiers in the habit of fiddling their till balances. Now it is aimed more at staff who use organisation computer systems. The logic behind the approach is that a new set of eyes on a situation may uncover irregularities - for example, the use of unauthorised, unlicensed software.
Alternatively it may serve merely to prove that all is in order. Either way it is useful to know.
Routine In IT, generally, a set of computer Commands/instructions forming part of a program. For ease and clarity of programming, software often consists of numerous modules, routines, sub-routines, etc., each of which can, if necessary, be programmed by a different person, only being brought together at the final stages.
RSA RSA stands for Rivest, Shamir and Adleman, who are the developers of the public-key encryption and authentication algorithm. They also founded RSA Data Security, which is now RSA Security (www.rsasecurity.com).
The capability to use RSA security is incorporated within the browsers of both Microsoft and Netscape and other major corporate communication tools such as Lotus Domino® / Notes®.
The creation, use and management of the Public and Private keys which are required for RSA security rely on a Public Key Infrastructure, or PKI.
A computer server placed outside an organisation’s Internet Firewall to provide a service that might otherwise compromise the local net’s security.
Salami Slicing A technique employed successfully by criminally inclined IT staff to acquire large sums of money by means of very small amounts. Essentially it needs something like a Foreign Exchange business environment where there are large numbers of transactions involving more than 2 decimal places. As currencies generally only use two decimal places, decimals beyond this point are rounded off. Salami Slicing programs will always round down the amount, and transfer the additional places to a separate, hidden account which has a balance accumulating, over time, to a significant figure; multi-million dollar sums have been involved. This approach can only really work with systems handling huge numbers of transactions and where the amounts will not be noticed.
Very difficult to spot, and usually only comes to light (if at all) when the individuals involved leave the organisation, or are observed to be living well beyond their salary levels with no visible other means of support.
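Added illustration (not from the book) of the reconciliation point behind this entry and the Reconciliation entry above: recomputing each foreign-exchange conversion exactly and checking which way the posted amount was rounded exposes a routine that only ever rounds down. The trades, rates and function names are constructed sample data, not a real system.

```python
from decimal import Decimal, ROUND_HALF_EVEN, ROUND_DOWN

# Constructed sample: (amount in source currency, exchange rate).
# Converted values carry more than two decimal places before posting.
SAMPLE_TRADES = [
    (Decimal("1234.56"), Decimal("1.08734")),
    (Decimal("87.10"),   Decimal("0.91266")),
    (Decimal("5000.00"), Decimal("1.31947")),   # converts to an exact cent amount
    (Decimal("19.99"),   Decimal("150.4231")),
    (Decimal("742.25"),  Decimal("0.78513")),
]

CENT = Decimal("0.01")


def post_honest(amount, rate):
    """Legitimate posting: round the exact result to the nearest cent."""
    return (amount * rate).quantize(CENT, rounding=ROUND_HALF_EVEN)


def post_salami(amount, rate):
    """Posting as the glossary describes the fraud: always round DOWN,
    leaving a positive fraction of a cent on every inexact trade."""
    return (amount * rate).quantize(CENT, rounding=ROUND_DOWN)


def reconcile(trades, post):
    """Compare posted amounts with the exact conversions.

    Returns (total residual, number of trades posted below the exact value).
    Nearest-cent rounding gives a residual that hovers around zero with a mix
    of under- and over-rounded entries; systematic round-down gives a residual
    that only grows, with every inexact trade under-posted."""
    residual = Decimal("0")
    under = 0
    for amount, rate in trades:
        diff = amount * rate - post(amount, rate)
        residual += diff
        if diff > 0:
            under += 1
    return residual, under


def looks_skimmed(trades, post):
    """Flag a posting routine that never rounds up: every trade whose exact
    value is not already a whole number of cents was posted short."""
    residual, under = reconcile(trades, post)
    inexact = sum(1 for a, r in trades if (a * r).quantize(CENT) != a * r)
    return under == inexact and residual > 0
```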
Sales Droid Pejorative term for a computer sales representative.
Samurai A hacker who hires out for legal cracking jobs, snooping for factions in corporate political fights, lawyers pursuing privacy-rights and First Amendment cases, and other parties with ‘legitimate’ reasons to need an electronic locksmith. Some have modelled themselves on the ‘net cowboys’ of William Gibson's cyberpunk SF novels. Some Samurai claim to adhere to a rigid ethic of loyalty to their employers and to disdain the vandalism and theft practiced by criminal crackers as beneath them and contrary to the hacker ethic. Some quote Miyamoto Musashi's ‘Book of Five Rings’, a classic of historical Samurai doctrine, in support of these principles.
Sanity Check Checking a piece of work – IT related or anything else - for completely stupid mistakes. The term implies that the check is to make sure the author was sane when the work was produced. Often difficult to prove!