Transnational report

It will be very hard to draft harmonious legislation, and the problems are still far from being solved. An extremely useful publication that concerns itself with this and related subjects is the TRANSNATIONAL DATA REPORT, published by Wayne Smith & Co, Suite 810, 500 12th Street, Southwest, Washington DC 20024, USA. The annual subscription is $40. Special features have so far included detailed appraisals of new legislation in France, Germany, Norway, Sweden and Denmark.

PERSONNEL POLICIES

The authors of AN ANALYSIS OF COMPUTER SECURITY SAFEGUARDS FOR DETECTING AND PREVENTING INTENTIONAL COMPUTER ABUSE (US National Bureau of Standards Publication 500-25) assess the strict enforcement of employee termination policies as the most effective personnel measure against the internal destruction of programs. Most people would agree that it is sensible for employees who have resigned or been dismissed to leave as quickly as possible so they are not tempted to seek revenge.

Dismissal can be hazardous

In the UK, however, the process of dismissal itself can be a hazardous business. It can be judged unfair even when the basic grounds for it seem well-founded. The manner of dismissal must not be too crude or out of step with generally expected standards. For example, if a thief is caught with his hands in the till or the data bank, it would not be wise for his manager to dismiss him on the spot using ungentlemanly language. The article in this issue of the Bulletin on the Lloyds' Employers Protection Insurance scheme deals with other aspects of this problem.

General climate very important

However, no other personnel policies or practices have been identified by the authors of the NBS report as powerful defences against security violations. This is very surprising. It should at least be stressed that the general climate within a company can be a very strong deterrent against crime. Companies that allow sloppiness, condone errors, and accept fiddling and 'minor frauds' (although there are no such things) are much more exposed to the possibility of major crime than efficiently run companies that expect high standards of honesty and integrity. In our opinion, the NBS report should have dealt with such personnel questions as:

business ethics
recruitment and pre-employment screening practices
policies on conflicts of interest
incentive schemes
systems for reporting and monitoring losses/errors
suggestion schemes
counselling and career development schemes

Common misconception

There is a common misconception that computer problems are created and solved exclusively within the computer centre. The manipulation of computer systems is, of course, rarely an end in itself and, to succeed, computer security must fit into a company-wide security plan.
DEFINITIONS

In last month's Bulletin we suggested definitions for the terms 'computer controls' and 'computer audit'. We continue this month with 'computer security'.

COMPUTER FRAUD & SECURITY BULLETIN Vol.1 No.5

Computer security

A UK National Computing Centre (NCC) report WHERE NEXT FOR COMPUTER SECURITY? states: "Security is a difficult concept to define in a few words, since in many cases its definition only becomes clear by virtue of its absence". Another NCC publication SECURITY FOR COMPUTER SYSTEMS is only marginally more helpful: "... Security has been considered as those measures necessary to help ensure both that the services provided by the computer are not impaired, and that the information it handles is only available to those for whom it is intended." We suggest the following definition of 'computer security': "All measures which protect the computer system (including hardware, software, documentation, data and people) against threats of physical harm, or the consequences of violation of access or availability rules, contamination or distortion of information etc."
Techniques
Computer controls and audits are some of the techniques used in computer security. There are many others, including:

fire drills
physical access control systems
copyrighting of programs
security clearance checks on personnel
distribution control over hard copy
a recovery procedure in case of prolonged machine failure
etc.
Privacy
In recent years, the question of privacy has been raised as an issue of public concern. Awareness of the vast amount of sensitive and confidential data which is stored in computer banks has raised questions about its accuracy and use. This topic will be covered more fully at a later date, but any definition of 'computer security' should include the control of data access.

Next month we will discuss the terms 'computer crime', 'computer fraud' and 'computer abuse'.

GEOFFREY HORWITZ
CASE STUDY

UNIVERSITY FRAUDS

In December 1978 two former students of Queens College, Jamaica, New York, were charged with falsifying examination grades for themselves and other students. They have pleaded not guilty. James Chin started work in the College's data processing centre in 1969 and enrolled as a College student, finally graduating in 1975. His alleged conspirator, Tom Tang, enrolled at the College in 1970 and graduated in 1974.
Computer listings disagreed

Suspicions were first aroused in 1978 when a physics instructor noticed differences between his original, handwritten, examination results and those subsequently produced on computer listings. Internal auditors analysed over 100 000 records and discovered irregularities in examination results in the cases of 24 students and 179 subjects. Allegations include:

Falsification in 154 examination results involving 19 students, by manipulation of data held on disk files and by altering grade cards before computer processing.

Falsification by the accused of their own examination results.
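The case turned on a reconciliation: the instructor's handwritten results were the one record the data processing centre had never handled, so comparing them with the computer listings exposed both routes of alteration. The following is an added example, not code from the Bulletin or from the Queens College audit, showing how such a three-way reconciliation can be written and why the instructor's own record matters. It compares a constructed mark book, the grade cards as they arrived for keying, and the resulting disk file, and classifies each discrepancy as an alteration made on the card before processing or as an alteration made on disk afterwards. All student identifiers, subjects and grades are invented for illustration.

```python
"""Three-way grade reconciliation: instructor's record vs grade cards vs disk file.

Constructed example.  The instructor's handwritten mark book is treated as the
reference because it never passed through the data processing centre; the grade
cards and the disk file are both checked against it.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Key = Tuple[str, str]  # (student, subject)


@dataclass(frozen=True)
class Grade:
    student: str
    subject: str
    grade: str


@dataclass(frozen=True)
class Finding:
    student: str
    subject: str
    kind: str                  # one of the kinds assigned in reconcile()
    instructor: Optional[str]  # grade in the instructor's mark book, if any
    card: Optional[str]        # grade on the card as keyed, if any
    disk: Optional[str]        # grade on the disk file, if any


# Constructed sample data (hypothetical students and subjects).
INSTRUCTOR_RECORD = [
    Grade("S1", "PHYS101", "C"),
    Grade("S2", "PHYS101", "B"),
    Grade("S3", "PHYS101", "D"),
    Grade("S4", "MATH201", "A"),
    Grade("S5", "PHYS101", "F"),
]
# Grade cards as received for keying: S3's card was altered before processing.
GRADE_CARDS = [
    Grade("S1", "PHYS101", "C"),
    Grade("S2", "PHYS101", "B"),
    Grade("S3", "PHYS101", "B"),
    Grade("S4", "MATH201", "A"),
    Grade("S5", "PHYS101", "F"),
]
# Disk file after processing: S2 changed on disk, S5 deleted, S6 inserted with no card.
DISK_FILE = [
    Grade("S1", "PHYS101", "C"),
    Grade("S2", "PHYS101", "A"),
    Grade("S3", "PHYS101", "B"),
    Grade("S4", "MATH201", "A"),
    Grade("S6", "PHYS101", "A"),
]


def index(records: List[Grade]) -> Dict[Key, str]:
    """Key records by (student, subject); a duplicate key is itself an irregularity."""
    out: Dict[Key, str] = {}
    for r in records:
        key = (r.student, r.subject)
        if key in out:
            raise ValueError(f"duplicate record for {key}")
        out[key] = r.grade
    return out


def reconcile(instructor: List[Grade], cards: List[Grade], disk: List[Grade]) -> List[Finding]:
    """Compare all three sources and classify every disagreement."""
    ref, card_ix, disk_ix = index(instructor), index(cards), index(disk)
    findings: List[Finding] = []
    for key in sorted(set(ref) | set(card_ix) | set(disk_ix)):
        o, c, d = ref.get(key), card_ix.get(key), disk_ix.get(key)
        if o is None:
            kind = "no_instructor_record"        # record exists only downstream
        elif d is None:
            kind = "missing_on_disk"             # result never reached / removed from the file
        elif c is None:
            kind = "no_grade_card"               # result on disk without a card behind it
        elif c != o and d == c:
            kind = "altered_before_processing"   # card changed; disk faithfully reflects the card
        elif d != c:
            kind = "altered_on_disk"             # card correct; disk file changed afterwards
        else:
            continue                              # all three agree
        findings.append(Finding(key[0], key[1], kind, o, c, d))
    return findings


def card_vs_disk_only(cards: List[Grade], disk: List[Grade]) -> Set[Key]:
    """The weaker check a centre can do on its own: disk file against the cards it keyed."""
    card_ix, disk_ix = index(cards), index(disk)
    return {k for k in set(card_ix) | set(disk_ix) if card_ix.get(k) != disk_ix.get(k)}


def summarise(findings: List[Finding]) -> Tuple[int, int]:
    """Report the way the auditors did: number of students affected and number of results."""
    return len({f.student for f in findings}), len(findings)


if __name__ == "__main__":
    for f in reconcile(INSTRUCTOR_RECORD, GRADE_CARDS, DISK_FILE):
        print(f)
    print("students, results affected:", summarise(reconcile(INSTRUCTOR_RECORD, GRADE_CARDS, DISK_FILE)))
```

The point of `card_vs_disk_only` is the caveat: a centre that checks only its disk file against the cards it keyed will never see a card that was altered before it arrived, which is exactly one of the two methods alleged here. Only a record held outside the centre, the instructor's own, catches both.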