Managing Information Systems Security and Privacy (eBook)
XIII, 234 pages
Springer Berlin (publisher)
978-3-540-28104-7 (ISBN)
The book deals with the management of information systems security and privacy, based on a model that covers the technological, organizational and legal views. This model is the basis for a focused, methodologically structured approach that presents 'the big picture' of information systems security and privacy while targeting both managers and technical staff. The book addresses the underlying principles independently of any particular technology or organization, so that a reader can adapt these principles to an organization's needs and implement them using the explicit procedures given in the book. The content is aligned with the relevant standards and the latest trends. Researchers from the social and technical sciences should find in it a framework for further research in this broad area, which is characterized by a complex interplay between human factors and technical issues.
Contents 10
1 Introduction - The Scope of the Work and its Methodology 13
1.1 Defining Security and Privacy 14
1.2 The Importance of Standards 16
1.3 Technological Issues 19
1.4 Organization and the Human Factor 20
1.5 Legal Frameworks 21
1.6 Before Proceeding Further 22
2 Organization, Security and Privacy 25
2.1 Recent History of the Field 25
2.2 Frameworks Level 27
2.2.1 Assets 29
2.2.2 Threats 29
2.2.3 Vulnerabilities 30
2.2.4 Risks and Impacts 30
2.2.5 Safeguards and Residual Risk 30
2.2.6 The Concept of Security Management Processes 31
2.3 Techniques for ISs Security Management 31
2.3.1 Security Objectives and Strategies 32
2.3.2 Security Related Organizational Issues 33
2.3.3 Risk Analysis 33
2.3.4 Safeguards Selection, Security Policy Definition and its Realization 38
2.3.5 Supervision and Incident Handling 39
2.4 Particular Implementations Level 39
2.4.1 General Hints for Selection of Safeguards 40
2.4.2 Organizational Safeguards 41
2.4.3 Personnel Security 41
2.4.4 Physical and Environmental Security 42
2.4.5 Access Control, Communications and Operations Security 43
2.4.6 ISs Development, Maintenance, and Monitoring 45
2.4.7 Incident Handling 48
2.4.8 Business Continuity Planning 48
2.4.9 Compliance and Auditing 49
2.4.10 Security Awareness 50
2.5 Standardized Safeguard Templates 51
2.5.1 Organizational Safeguard Templates 51
2.5.2 Technology Compliance Safeguards 51
3 Security Technology: Concepts and Models 54
3.1 Security Mechanisms 55
3.1.1 Pseudorandom Number Generators 55
3.1.2 One-way Hash Functions 56
3.1.3 Symmetric Algorithms 58
3.1.4 Asymmetric Algorithms 62
3.1.5 Steganography and Watermarking 65
3.2 Cryptographic Protocols 67
3.2.1 A Brief Overview of Computer Communications 68
3.2.2 Security Services 70
3.2.3 Models of Security Services 70
3.2.4 The Relationships Between Security Services 75
3.3 Key Management 77
3.3.1 Key Generation 77
3.3.2 Key Distribution 77
3.3.3 Complementary Key Management Activities 79
3.4 Security Infrastructure 80
3.4.1 Public Key Infrastructure 80
3.4.2 Authentication and Authorization Infrastructure 86
3.4.3 Network Layer Security - IPSec 89
3.4.4 Secure Sockets Layer and Transport Layer Security 102
3.4.5 Secure/Multipurpose Internet Mail Extensions 106
3.4.6 One-time Password Systems 111
3.4.7 Firewalls 112
3.4.8 Intrusion Detection Systems 116
3.4.9 Extensible Markup Language Security 118
3.4.10 Smart cards 126
3.4.11 Biometrics Based Technology 128
3.5 Security Services as the Basis for e-Business Processes 131
3.5.1 Electronic Payment Systems 131
3.5.2 Web Services 133
3.6 Privacy Enabling Technologies 142
3.7 A Different Paradigm - Wireless Networking 144
4 Legal Aspects of ISs Security and Privacy 147
4.1 Cryptography in General 147
4.2 Digital Signatures 150
4.3 Privacy Issues 151
4.3.1 Privacy and Electronic Communications 153
4.3.2 Workplace Privacy 154
4.3.3 Spamming 155
4.3.4 Electronic Tracking Technologies 156
4.3.5 Identity Theft 156
4.4 ISs and Software Liability 156
4.5 Intellectual Property Rights 158
4.6 Computer Forensics 159
5 Where Are We Headed? 161
6 Appendix 164
6.1 Brief Mathematical Preliminaries 165
6.1.1 Information Theory 165
6.1.2 Complexity Theory 170
6.1.3 Abstract Algebra 171
6.1.4 Number Theory 172
6.1.5 Computing Inverses and Exponentiation in Zn 176
6.1.6 Computational Complexities in Zn 177
6.2 Cryptographic Primitives 178
6.2.1 One-way Hash Functions 178
6.2.2 Pseudorandom Number Generators 183
6.2.3 Triple DES 184
6.2.4 RSA Algorithm 192
6.2.5 Diffie-Hellman Key Agreement 193
6.3 Formal Methods 194
6.3.1 Overview of Formal Methods 194
6.3.2 Introduction to Logic BAN 195
6.3.3 Language Z Overview 202
6.3.4 Emerging Formal Methods 207
6.4 Socio-Technical Systems Modeling and Simulation 207
6.4.1 Business Dynamics 208
6.4.2 Agent Technologies 214
7 Further Reading 218
8 Listing of the Simulation Model 220
References 222
| Field | Value |
|---|---|
| Publication date (per publisher) | 26 Jan 2006 |
| Additional information | XIII, 234 p. |
| Place of publication | Berlin |
| Language | English |
| Subject areas | Computer Science ► Networks ► Security / Firewall |
| | Mathematics / Computer Science ► Mathematics |
| | Engineering |
| | Business ► General / Reference |
| | Business ► Business Administration / Management ► Corporate Management / Management |
| | Business ► Business Administration / Management ► Business Informatics |
| Keywords | E-Business Systems • information system • Information Systems Management • Information Systems Security • IT Security • organization • privacy |
| ISBN-10 | 3-540-28104-5 / 3540281045 |
| ISBN-13 | 978-3-540-28104-7 / 9783540281047 |
Size: 9.2 MB
DRM: digital watermark
This eBook contains a digital watermark and is therefore personalized to you. If the eBook is passed on to third parties in breach of the licence, it can be traced back to its source.
File format: PDF (Portable Document Format)
With its fixed page layout, PDF is particularly suited to technical books with columns, tables and figures. A PDF can be displayed on almost any device, but is only of limited use on small displays (smartphone, eReader).
System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You need a PDF viewer for this, e.g. Adobe Reader or Adobe Digital Editions.
eReader: This eBook can be read on (almost) all eBook readers. It is not, however, compatible with the Amazon Kindle.
Smartphone/Tablet: Whether Apple or Android, you can read this eBook. You need a PDF viewer for this, e.g. the free Adobe Digital Editions app.
Additional feature: read online
In addition to downloading it, you can also read this eBook online in your web browser.
Buying eBooks from abroad
For tax-law reasons we can sell eBooks only within Germany and Switzerland. Regrettably, we cannot fulfil eBook orders from other countries.