«Securing Information in the Digital Age Information Security Policies This document presents a suite of integrated solutions which, together, offer ...»
Scope Creep Scope Creep is the expression used by project managers and/or vendors who are under pressure to constantly deliver in excess of what was originally agreed.
Scope creep normally results from a failure to establish the clear requirements of the business users. As these begin to solidify, the scope of the original plan can start to move – and continue to move. If the project manager is not alert to this (all too common) phenomenon, the requirements will constantly change thus ensuring
Screamer A VERY fast PC. Currently, to qualify as a ‘Screamer’ a PC must have at least a 1.5 GHz processor and probably well in excess of a 30GB hard disk with a minimum of 256MB RAM; and as for the graphics card (oh, boy!).
Screen Grab Taking a ‘snapshot’ of a computer screen to be used in a document. Most screen grabbing is legitimate and is a useful device for documents such as guides and instruction manuals where the reader can see exactly what is meant by the text, rather than trying to imagine it. Some screen grabs are less innocent and have been used to obtain information from files which can be displayed but not copied or printed.
Screen Savers Screen savers, once created to save the screen from premature CRT burn out, are now used as a means of both protecting the screen and also for preventing casual shoulder surfing! Screen savers do have a useful and valid Information Security role. Used correctly, they will cut-in, blank the screen from view and require a user or network Administrator password to regain access. Provided the screen saver is set to trigger after (say) 2 minutes of inactivity, and upon user request, it can provide a useful and effective means of diverting casual / opportunistic incidents.
Screen Scraping Screen scraping is a technique used to interface (or link together) one system with another, by means of emulating User (screen) interaction. Screen scraping ‘maps’ the location of the various screens and the input boxes (fields) for the information.
Screen scraping will then emulate the input of an (electronic) User using the system at a terminal. This technique is not the preferred means of interfacing systems as it is slow and rather crude. However, it remains a viable means where other interface options are not easy or viable.
Scripts In a programming context, Scripts are a type of programming language which are run, or executed, by another program. For example, JavaScript is run by the Web browser which is running on the user’s PC.
In the context of System Testing and User Acceptance Testing, scripts are used as the pre-determined input data to test the system. Scripts should not only state the precise data to be input, but also the expected response from the system. As User Acceptance Testing proceeds, the results from running the scripts will be recorded, as will the overall system conditions at the time, to allow developers to more easily debug errors.
Scripts can take the form of input data sheets for manual input, or can be a series of files, the processing of which simulates the generation of transactions across the network to the system. This latter approach can allow for significant volumes to be processed. However, it is essential to proceed carefully as errors can so easily compound making analysis a nightmare!
Second Site A contingency arrangement whereby the organisation maintains a second computer centre, geographically remote from the primary system, but capable of taking over all processing and system functionality should the primary system fail.
Secure Area (on a system) Where an unknown file – e.g. one downloaded from the Internet – is to be opened (and this is especially true for any executable file, i.e. a .exe file, a program), it must not be opened or executed in the normal filing space for your live systems.
A Secure Area – sometimes referred to as a ‘Sand Pit’ – is an area on a system which is totally shielded and / or isolated, from the potential impact of any code which is executed there. Whilst the isolation of the system is a clear requirement, scanning software which is able to detect malicious code activity must also be used, as Trojan code activity may go undetected.
Security Administrator Individual(s) who are responsible for all security aspects of a system on a day-to-day basis. The security administrator should be independent of both development and operations staff and often holds the highest power password on the system, in order that the most sensitive activities can only be undertaken with a combination of both System Administrator and Security Administrator top-level passwords.
Security Breach A breach of security is where a stated organisational policy or legal requirement regarding Information Security has been contravened. However, every incident which suggests that the Confidentiality, Integrity and Availability of the information has been inappropriately changed can be considered a Security Incident. Every Security Breach will always be initiated via a Security Incident; only if confirmed does the incident become a Security Breach.
Security for Electronic Transactions – SET SET was originally supported by companies such as MasterCard, VISA, Microsoft and Netscape and provides a means for enabling secure transactions between purchaser, merchant (vendor) and bank. The system is based upon the use of an electronic wallet which carries details of the credit card, the owner and, critically, a Digital Certificate. To provide end to end encryption and authentication, the SSL standard is used between the parties, thus ensuring digital trust between each leg of the transaction.
Security Officer The Security Officer in an organisation is the person who takes primary responsibility for the security related affairs of the organisation. It matters not whether the organisation is comprised of two persons or two thousand; someone should be the named individual who becomes accountable for the Information Security of the organisation.
SED Smoke Emitting Diode (from Light Emitting Diode). A component which has allowed the magic smoke to get out.
Segregation of Duties A method of working whereby tasks are apportioned between different members of staff in order to reduce the scope for error and fraud. For example, users who create data are not permitted to authorise processing; Systems Development staff are not allowed to be involved with live operations.
This approach will not eliminate collusion between members of staff in different areas, but is a deterrent. In addition, the segregation of duties provides a safeguard to your staff and contractors against the possibility of unintentional damage through accident or incompetence – ‘what they are not able to do (on the system) they cannot be blamed for’.
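The rules in the entry above (the person who creates data may not authorise its processing; development staff are kept out of live operations) are the kind of thing a system can enforce rather than merely document. The following is an added example, not code from the book or from any product it describes: a small in-memory maker-checker workflow whose role names, `Transaction` record and `SegregationError` are all constructed for illustration.

```python
"""Maker-checker enforcement of segregation of duties (added example).

Two rules from the glossary entry are enforced in code: the user who
enters a record may not authorise it, and anyone holding a Development
role is barred from live operations. Role names are assumed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Role(Enum):
    DATA_ENTRY = "data-entry"
    AUTHORISER = "authoriser"
    DEVELOPMENT = "development"
    OPERATIONS = "operations"


class SegregationError(PermissionError):
    """Raised when an action would collapse two duties onto one person."""


@dataclass
class User:
    name: str
    roles: set  # set of Role


@dataclass
class Transaction:
    ref: str
    amount: int
    created_by: str
    authorised_by: Optional[str] = None


def create_transaction(user: User, ref: str, amount: int) -> Transaction:
    """Only data-entry staff may create records; the creator is recorded."""
    if Role.DATA_ENTRY not in user.roles:
        raise SegregationError(f"{user.name} may not create transactions")
    return Transaction(ref=ref, amount=amount, created_by=user.name)


def authorise(tx: Transaction, user: User) -> Transaction:
    """Second pair of eyes: an authoriser who did not create the record."""
    if Role.AUTHORISER not in user.roles:
        raise SegregationError(f"{user.name} is not an authoriser")
    if user.name == tx.created_by:
        raise SegregationError("creator may not authorise their own entry")
    if tx.authorised_by is not None:
        raise SegregationError(f"{tx.ref} already authorised by {tx.authorised_by}")
    tx.authorised_by = user.name
    return tx


def run_live_job(user: User, job: str) -> str:
    """Systems Development staff are kept out of live operations."""
    if Role.DEVELOPMENT in user.roles:
        raise SegregationError(f"{user.name} holds a development role")
    if Role.OPERATIONS not in user.roles:
        raise SegregationError(f"{user.name} is not operations staff")
    return f"ran {job} as {user.name}"


def check_role_assignment(user: User) -> list:
    """Report conflicting role combinations at provisioning time."""
    conflicts = []
    if {Role.DATA_ENTRY, Role.AUTHORISER} <= user.roles:
        conflicts.append("data-entry + authoriser")
    if {Role.DEVELOPMENT, Role.OPERATIONS} <= user.roles:
        conflicts.append("development + operations")
    return conflicts


def permitted(action, *args) -> bool:
    """True if the action passes the segregation rules, else False."""
    try:
        action(*args)
        return True
    except SegregationError:
        return False


if __name__ == "__main__":
    alice = User("alice", {Role.DATA_ENTRY})
    bob = User("bob", {Role.AUTHORISER})
    tx = create_transaction(alice, "T1", 100)
    print("alice self-authorise:", permitted(authorise, tx, alice))  # False
    print("bob authorises:", permitted(authorise, tx, bob))          # True
    print(check_role_assignment(User("carol", {Role.DATA_ENTRY, Role.AUTHORISER})))
```

The provisioning check (`check_role_assignment`) and the run-time check (`authorise`) are deliberately separate: even if a conflicting role set slips through provisioning, the transaction-level rule still refuses to let one person both enter and approve the same record.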
Serial Processing Literally doing one thing after another. Generally Serial Processing is meant to indicate that one computer job must be completed before the next can begin and a queuing system is used, coupled with priority flags to indicate when a particular job request will be processed.
The most common example of serial processing is printing - especially when shared by several users.
Server Typically a dual (or better) processor computer which supplies (serves) a network of less powerful machines, such as desktop PCs, with applications, data, messaging, communications, information, etc. The term is replacing ‘host’ in many situations since the processing power of a desktop server is such that one machine is sufficient to run the computing requirements of a complete organisation.
Service Level Agreement – SLA A Service Level Agreement (SLA) is a contract between your organisation and the vendor of your system(s) to provide a range of support services, up to an agreed minimum standard. SLAs will usually specify precisely what the support procedures are to be and the way in which a support call will be escalated through the vendor’s support organisation to achieve resolution.
SLAs should always have a maximum response time. In other words, from the moment the call is logged with the vendor, the SLA should specify the response time until either, an engineer arrives on site or perhaps a member of technical support calls back.
It is very important to discuss the details of the SLA with the vendor because, often, the only time when you will use it, is when you have suffered a breakdown or problem with your systems and it is then that you will need to depend upon the ‘fine print’ of the SLA.
Shareware Software supplied on a ‘try before you buy’ basis. Shareware is produced by software companies and independent programmers and supplied to users through a variety of channels including magazine cover disks, e-mail, mail order, Internet downloads, etc. The basic idea is that users will try out the software (which is sometimes, but not always crippled or limited in some way) and will like it so much that they will pay a relatively small registration fee to become an authorised user of the unrestricted program.
Shareware has been very successful and several software houses have established themselves as niche market leaders this way, but companies should exercise caution in the use of such material. Shareware from independent programmers has a reputation for being ‘buggy’, causing conflicts with other software already installed on the computer, or simply failing to perform as expected.
Companies with policies which permit the installation and use of such material should restrict it to stand alone test or development machines, where the software behaviour and the program’s claimed benefits can be examined fully before being installed as a registered version on live machines.
Sheep Dip Slang term for a computer which connects to a network only under strictly controlled conditions and is used for the purpose of running anti-virus checks on suspect files, incoming messages etc.
It may be inconvenient, and time-consuming, for an organisation to give all incoming E-mail attachments a ‘health check’, but the rapid spread of macro-viruses associated with word processor and spreadsheet documents, such as the ‘Resume’ virus circulating in May 2000, makes this approach worthwhile.
Shoulder Surfing Looking over a user’s shoulder as they enter a password. This is one of the easiest ways of obtaining a password to breach system security. The practice is not restricted to office computers, it is used wherever passwords, PINs, or other ID codes are used.
Could the person behind you at the bank ATM be a shoulder surfer?
Sign-Off The term ‘sign off’, as used in the world of systems means an agreement, as evidenced by the customer’s signature, that the system or project, meets the specified requirements. Much pressure will be brought to bear for users to sign-off
Sizing Sizing is an activity which is sometimes overlooked as today’s systems are usually so ‘powerful’ that formal sizing appears pointless. A sizing exercise analyses the demands to be placed upon a system, in terms of concurrent users, data types and quantity, storage requirements, expected response times etc and concludes the minimum specification for the system.
Slag As a verb; - to run a destructive program which will render most or all of a computer systems files, records, and data, utterly useless.
As a noun; - a description of what is left of a computer system after the slag code has been run.
Normally associated with IT staff, and Logic Bombs, Slag Code has, allegedly, been used by a Hacker to destroy a computer system. Slag Code has also been used to blackmail organisations such as banks into handing over significant sums in return for information as to the location of the code and deactivation procedures.
More recently, the term has acquired alternative meanings:
1. To bring a network to its knees by overloading it with data traffic.
2. To describe all the irrelevant and uninteresting material which has to be waded through on the Net while trying to reach the one piece of valuable information sought. This is also known as Bitslag.
Smart Card Smart cards look, and feel like, credit cards, but have one important difference: they have a ‘programmable’ micro-chip embedded. Their uses are extremely varied but, for Information Security, they are often used not only to authenticate the holder, but also to present the range of functions associated with that user’s profile.
Smart Cards will often have an associated PIN or password to provide a further safeguard. The main benefits of using Smart Cards are that their allocation can be strictly controlled, they are hard to forge and they are required to be physically inserted into a ‘reader’ to initiate the authentication process.
Smoke Emitting Diode An incorrectly connected diode, probably an LED, in the process of losing its Magic Smoke and becoming a Friode.
Smurf / Smurfing A smurf attack is one that is very technical and exploits features of the IP protocol within the TCP/IP protocol used for Internet communications.
A smurf attack causes a victim’s computer to become so completely ‘waylaid’ with answering fictitious network requests (‘Pings’) that it grinds to a halt and prevents anyone else from logging on.
See Denial Of Service for further information.
Snail Mail Bits of dead tree sent via the postal service as opposed to electronic mail. One's postal address is, correspondingly, a ‘snail (mail) address’. The variant ‘paper-net’ is a hackish way of referring to the postal service, comparing it to a very slow, low-reliability network.
Sniffers A sniffer is a program which captures and analyses packets of data as they pass across a network. They are used by network administrators who wish to analyse loading across network segments, especially where they suspect that spurious packets are ‘bleeding’ from one network to another.
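The two entries above, Smurf / Smurfing and Sniffers, meet in practice: an administrator who suspects a ping flood reaches for a sniffer and reads the ICMP traffic. The following is an added example, not code from the book or from any sniffer product: it decodes raw Ethernet/IPv4/ICMP frames the way a sniffer does at its lowest level, tallies bytes per source/destination pair (the ‘loading’ view), and flags a host that is receiving echo replies from many hosts at once, which is the symptom of a smurf flood. The frames are constructed in memory so the script runs offline; their checksums are left at zero, and the `.255` test for a broadcast address and the reply-source threshold are both simplifying assumptions.

```python
"""Decode ICMP frames and look for a smurf pattern (added example).

Sample frames are constructed below; IP and ICMP checksums are zeroed,
which a real capture would not show. Treating any address ending in .255
as a broadcast address is a simplification (it depends on the subnet mask).
"""
import struct
from collections import defaultdict

ETH_HDR = 14
IPV4_HDR = 20
PROTO_ICMP = 1
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def _ip_bytes(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def build_icmp_frame(src_ip: str, dst_ip: str, icmp_type: int, payload: bytes = b"") -> bytes:
    """Construct a minimal Ethernet + IPv4 + ICMP frame (sample input only)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + payload   # type, code, csum, id, seq
    total_len = IPV4_HDR + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, PROTO_ICMP, 0,
                     _ip_bytes(src_ip), _ip_bytes(dst_ip))
    return eth + ip + icmp


def parse_frame(raw: bytes) -> dict:
    """Decode the fields a sniffer would display for one IPv4 frame."""
    ethertype = struct.unpack("!H", raw[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = raw[ETH_HDR:]
    ihl = (ip[0] & 0x0F) * 4            # header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    info = {"src": src, "dst": dst, "proto": proto, "length": total_len}
    if proto == PROTO_ICMP:
        info["icmp_type"] = ip[ihl]      # first byte after the IP header
    return info


def load_by_pair(frames) -> dict:
    """Bytes carried between each source/destination pair (loading view)."""
    totals = defaultdict(int)
    for raw in frames:
        p = parse_frame(raw)
        totals[(p["src"], p["dst"])] += p["length"]
    return dict(totals)


def smurf_indicators(frames, reply_sources_threshold: int = 5) -> dict:
    """Report hosts receiving echo replies from many distinct sources.

    The victim of a smurf flood is answered by hosts it never pinged, so a
    destination with at least `reply_sources_threshold` distinct reply
    sources (an assumed tuning value) is reported. Echo requests aimed at a
    broadcast-looking address are listed too, as they are the amplifier.
    """
    reply_sources = defaultdict(set)
    broadcast_requests = []
    for raw in frames:
        p = parse_frame(raw)
        if p.get("icmp_type") == ICMP_ECHO_REPLY:
            reply_sources[p["dst"]].add(p["src"])
        elif p.get("icmp_type") == ICMP_ECHO_REQUEST and p["dst"].endswith(".255"):
            broadcast_requests.append((p["src"], p["dst"]))
    flooded = {dst: len(s) for dst, s in reply_sources.items()
               if len(s) >= reply_sources_threshold}
    return {"flooded_hosts": flooded, "broadcast_requests": broadcast_requests}


def sample_capture() -> list:
    """Constructed frames: one normal ping exchange, then a flood of replies."""
    frames = [build_icmp_frame("10.0.0.5", "10.0.0.9", ICMP_ECHO_REQUEST),
              build_icmp_frame("10.0.0.9", "10.0.0.5", ICMP_ECHO_REPLY)]
    # A request carrying the victim's address as source, sent to a broadcast
    # address, followed by replies from twenty hosts to the victim 10.0.0.42.
    frames.append(build_icmp_frame("10.0.0.42", "10.0.1.255", ICMP_ECHO_REQUEST))
    for host in range(10, 30):
        frames.append(build_icmp_frame(f"10.0.1.{host}", "10.0.0.42",
                                       ICMP_ECHO_REPLY, b"x" * 32))
    return frames


if __name__ == "__main__":
    capture = sample_capture()
    print(smurf_indicators(capture))
    for pair, nbytes in sorted(load_by_pair(capture).items())[:3]:
        print(pair, nbytes, "bytes")
```

On a real network the frames would come from a capture file or a raw socket rather than `sample_capture()`, and the threshold would be tuned to the normal ping volume of the segment; the decoding and the per-destination tally are the parts that carry over unchanged.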