Security when outsourcing: concepts, constructs, compliance

H. J. Highland / IFIP/SEC’97 Conference Proceedings

Security When Outsourcing: Concepts, Constructs, Compliance. E. Roos Lindgreen, H.R.D. Janus, A. Shahim, G. Hulst, and I.S. Herschberg, KPMG EDP Auditors, Amstelveen, The Netherlands.

As the ownership and management of information technology (IT) is increasingly put out to contract, information security turns out to be an essential issue to address in any outsourcing process. The authors analyze present concepts for the demand side and the supply side of the market for external facilities management. They propose a cyclic approach related to British Standard 7799, allowing the service provider and his client to clearly define their respective responsibilities in the construct of a formal security agreement, part of the general agreement between the service provider and his client. Such a security agreement stems from an assessment of the client’s IT environment; compliance with the security agreement is tested by a formal review to be conducted by an impartial evaluator.

Towards A Holistic View of Security and Safety of Enterprise Information and Communication Technologies: Adapting to a Changing Paradigm. Dr. Klaus Brunnstein, University of Hamburg, Hamburg, Germany.

When enterprises rely heavily upon the proper working of Information and Communication Technologies (ICTs), they often experience shortcomings in programs and systems, failing availability and unreliable access through networks as major drawbacks in their operation, with possible effects on productivity and profitability. Traditionally, ‘security’ addresses some of these aspects but, being based on its military model (Bell-LaPadula), essential requirements are seriously missing. With a view towards distributed enterprise work, the paper analyzes why basic concepts of ‘traditional security’ fail to meet these requirements. On this basis, it is postulated that a holistic ‘sikerhet’ combining traditional security and safety is needed for ICT-based enterprises. This concept requires improved professional education and awareness, but will also need more user and public awareness.


A Taxonomy of Electronic Cash Schemes. Ernest Foo, Colin Boyd, William Caelli, and Ed Dawson, Information Security Research Centre, School of Data Communications, Queensland University of Technology, Brisbane, Australia.

A large number of electronic cash schemes have been proposed in the literature, and several commercial ventures have started which claim to provide an anonymous payment protocol. These schemes have been designed to provide certain security properties. Not all of the schemes have proven to be practical, and the precise security properties of the different schemes are difficult to compare due to their complex protocols. In this paper the key services required by electronic cash are identified, and their provision in the different electronic cash schemes published in the literature is compared. In addition to the security services, the mechanisms used to implement these services are isolated.

Security Requirements and Solutions in Distributed Electronic Health Records. B. Blobel, Otto-von-Guericke University Magdeburg, Faculty of Medicine, Institute of Biometrics and Medical Informatics, Magdeburg, Germany.

The healthcare systems in all developed countries are changing to labour-shared structures such as Shared Care. Such structures require extended communication and cooperation. Medical information systems integrated into the care process must be able to support that communication and cooperation adequately, representing an active and distributed Electronic Health Record (EHR) system. Distributed health record systems must meet high demands for data protection and data security, which concern integrity, availability, confidentiality (including access management), and accountability. Communication and cooperation information systems can be provided by middleware architectures. For the different middleware architectures used in healthcare, such as EDI (HL7, EDIFACT), CORBA or DHE, the architectural principles and security solutions are independent of applications and transparent to the user. For trusted communication and cooperation, application-related and user-related security mechanisms are required. Such mechanisms have to fulfil the security policy of the application domain. They