This would obviate the need for the Code to address explicitly the vast and moving target of computer and network technology. To summarize, the Code is quite comprehensive and gives sound advice. It is probably most useful to information security managers in large organizations as a checklist for areas to consider, and also for 'beginners' in the field to understand the scope of information security. However, to claim 'compliance' with the Code will not necessarily imply that measures are in place to ensure that appropriate (i.e. commensurate with the level of risk) security measures are in place. Thus a business may spend large sums with their auditors to check a partner's compliance, without deriving a greatly increased level of confidence that its information will be adequately protected. A revised code with more concentration on risk analysis and less on particular technologies would go a long way to addressing these concerns.

Copies are available from BSI, Linford Wood, Milton Keynes, MK14 6LE, tel: +44 (0)908 221166, fax: +44 (0)908 322484. Price £10.00

Neil A. McEvoy, Report Correspondent, IT Security Consultant, Hyperion

BOOK REVIEW

IT SECURITY BREACHES SURVEY REPORT 1991, published by the NCC

In a collaborative effort with the DTI, ICL and the assistance of Elsevier Publications, the NCC mailed a nine page questionnaire to 8270 UK companies (drawn from a wide range of known computer users). The questionnaire, designed to guarantee anonymity, comprised sections relating to general applicability (such as the existence, or otherwise, of security policies) and those which requested information on any individual IT security breaches that had occurred. A total of 950 responses were received, of which 889 were deemed valid enough to feature in the survey report.

The data thus validated and analysed is produced in a 299 page missive, packed with tables, charts and statistics. It comprises six sections: Overview, a description of major findings (no surprise to any IT security professional, albeit the estimated national cost of security breaches was illuminating); IT Security Policy and Procedures, covering the approach of organizations to security planning, legislation and disciplinary procedures; and Security Breaches, an overview of the types of physical and logical breaches encountered. This is followed by detailed examination of the nature, cause, cost and overall impact of Physical and Logical breaches. Finally, Security Breaches consists of a complete review of major breaches reported in the survey.

It was interesting to note that the accompanying Management Summary stated that 25 security breaches were completely reviewed; there are in fact 100 such cases in the book! That said, the highlighted cases do reveal the time, effort and costs of rectifying breaches - timely reminders, perhaps, for management who only pay lip service to computer security. As already pointed out, the publication is full of tables, charts and statistics. The use of colour would have enhanced the capability of the reader to understand a number of unnecessarily complex items. It is appreciated, though, that colour would have substantially raised production costs and boosted the retail price beyond the current level. Another problem is that the conclusions arising from the survey are not firmly drawn, though they do feature in the first few pages. However, I did note that general advice for users is dotted about the book and, undoubtedly, further assistance may be obtained from the DTI, ICL, the NCC et al. Pause for thought: why such a relatively small response to the questionnaire, and how much credibility can be given to statistics extrapolated from such a small response?

The book, priced at £145, may be obtained from the National Computing Centre (Tel: +44 (0)61 228 6333), quoting ISBN 0-85012-846-3.