- Email: [email protected]
Security, integrity and legality—Barriers to EDI progress in Europe?
UPDATE on Computer Audit, Control and Security
SECURITY, INTEGRITY AND L E G A L I T Y - BARRIERS TO EDI PROGRESS IN EUROPE? by John Draper Introduction: new technology, benefits and risks Electronic Data Interchange (EDI) is information technology giving trading organisations a new capability, and it is already in widespread use particularly for national trade in major countries around the world. It gives recognised benefits in cost savings and in faster flows of goods ~nd information, together with improved management control, and great co-operative efforts are being made to extend its use to international trade as quickly as possible. T h e paper aims to enhance our understanding of the significant opportunites that EDI can offer to our own organisations- but as with any technology, there are some issues to be examined, some downside risks of which we need to be aware. We all know about the risks associated with ultra high-technology projects such as the Space Shuttle or Nuclear Power. It is, however, necessary to remember that problems can occur with even the most familiar, low-technology processes unless thought and preventative actions are applied in advance of the problems arising. People will push to adopt EDI and to gain its undoubted benefits, and may leave the sorting out of any resulting problems until later. M y aim is to examine some of the fundamental business issues and risks arising from the use and potential abuse of E D I , focusing on the extent to which careful application of the technology itself and appropriate business procedures can minimise or eliminate those risks. This paper is in three parts, starting with a review of the issues involved in single network systems, then examining how those issues can be addressed with today's technology, finally looking at the wider international scefie where messages will probably need to cross several networks between sender and ultimate recipient. This paper will be highlighting areas where there is scope for further improvements both in the technology and the surrounding legal framework. T h e issues: E D I transfers over a single network Let's take a look at a typical simple EDI transaction over a communications link such as a Value Added Network. T h e computer in organisation A connects to the network and then sends a message for the computer in organisation B. Depending on the type of network service being 10
provided, this will be received immediately or when B's computer connects and 'calls forward' the messages in B's network mailbox. Once the message has been received, the recipient organisation, B, is entitled to ask the following questions about the integrity and reliability of the electronic data which they have just received. Who sent this message? Can we rely on the sender's identity as passed over the network? Using EDI in a manufacturing environment, for example, customers can modify the order book, thus affecting factory loading, stock and re-order levels. I n the terms of our scenario, organisation B, the recipient of the message needs to be assured that it really is A's data they have received before granting intimate access to their own vital operating data. This message isn't like the paper document that it replaces, on which we could see A's signature and perform certain checks. Even paper documents can cause problems: in 1987, some official-looking invoices purporting to be from the Yellow Pages telephone directory were sent out from Holland to businesses in Southern England _and several businessmen paid the invoices, without realising them to be fraudulent. So with EDI, what checking can the network perform on the validity of computers wishing to connect to its services, to avoid unscrupulous computer users gaining access? And does the EDI message received bear any data which could act as a check on the identity of the sender? After all, we've all heard of hacking into networks. If unscrupulous people with computers can masquerade as legitimate users, how do we assure ourselves that the same sort of thing can't happen by accident or design on this EDI network? H a v e we received all the parts of the messages, in the right sequence? Or is it possible that some part of the data didn't get through or has been duplicated, and we're not able to detect either of these events? Perhaps even a whole logical 'chunk' of the message might have gone astray, as happened on some of the initial trials with pioneering EDI networks. What facilities now exist in the communications carrying protocol, the network management and Volume 2 Number 3, 1990
UPDATE on Computer Audit, Control and Security
)
(EDI control software and the message structure itself to give us confidence that we have received 'the whole message, and nothing but the message' that A sent?
Is the transaction adequately secure and confidential to ourselves and the sender? T h e sender, A, and the recipient, B, will wish to work in commercial confidence, and they must be assured that only those people and organisations that ought to see the message should be able to do so. Exposure of the message to competing organisations, for example, could have farreaching consequence and must be prohibited under all circumstances. How can we be re-assured that no other user of the network has been able to browse among the items in our mailbox, or that copies of our EDI messages haven't, by some misdirection, landed in the electronic files of our competitors?
Can, the sender, A, rely on our receivhzg his message? And is he told when we have received it, and what state it appears to be in? How reliable and resilient is the network and its communications protocol, and what reporting facilities automatically inform A that his messages are getting through? Is there provision in the message syntax for requesting acknowledgement of receipt, and is this flexible enough to cover different degrees of error reporting? For example, B might wish to say: 'We've just received 3 messages, 2 of which appear to be O K , but please retransmit the second one'. Will an acknowledgement of receipt of a 'sound' message also constitute an agreed definition of the point in time at which the message is deemed to have been received by B, from when it may be acted upon as a contractual instrument?
And will any records that may be maintained or documents that are produced be acceptable to the courts and to any other parties who are involved, should any dispute arise over this commercial transaction? Well, I've just posed a tremendous number of questions and, so far, given very few answers - so let's now see just how far we can resolve these points. H o w t h e s e i s s u e s are a d d r e s s e d with today's technol-
ogy As we address each issue we will examine solutions called from (inter alia) value added networking procedures, communications technology and the use of the EDI message syntax - and then I will briefly summarise the overall position.
Who sent this message? Can we rely on the sender's identity as passed over the network? 1. Connecting to a network validates the user. It has to be said at the outset that each value added network service currently has its own particular procedures and requirements, including those which have to be satisfied before a user's computer is allowed access. T h e r e are also some procedural differences depending on the type o f communications facilities used to connect to the network service - dial-up voice, or connection via X25 or X21 circuits. Despite the differences, there are certain features which are found at all the better managed networks, and I shall mention some of these in the course of this paper.
T h e first is the requirement for the submission and checking the usernames and passwords: O
The Industry Group (e.g. F E C I F , ANA) allocates a distinctive username to each member organisation which wishes to exchange messages across the network.
O
When the user connects to the network, access to its facilities depends on the submission of this recognised username together with an associated password. The latter is known to the system only in a stored encrypted (i.e. scrambled) form, and no decryption routines are provided - thus stopping the clever programmer from interrogating the network computers in search of.passwords. The password submitted by the computer which is 'loggit ,n' is encrypted by the controlling network computer and then compared with the stored form. Matching resuits in the EDI service being made available, but mismatch terminates the log-on. There is often a limit set to the n u m b e r of log-on retires which may be made beforeall further attempts are barred and network services staff alerted.
O
These network services staff follow a painstaking
And as such things can't yet be entirely covered by the technology, are there other ways to cover these points?
What credibility can we attach to this message as a form of binding contract with A for the supply of goods and services? Do we still need some paper document to be furnished by the sender, A, as an adjunct to this message to give it legal standing? Or to conform to current commercial or administrative practice in a particular country? Or is there another way of assuring that messages received are credible as a form of binding contract?
And if we do rely on this message and carry out our perceived contractual obligations, what is our legal standing if anything is brought into question and we need to funffsh evidence? What records are maintained which can show that the message transfer has taken place - by the sender, on the network and by the recipient? What reports are available and at what frequency can they be provided? How long are logs of messages retained? Volume 2 Number 3, 1990
11
UPDATE on Computer Audit, Control and Security
CEDI
O
procedure for identifying users who phone in saying that they've lost their p a s s w o r d - b e f o r e giving them access to the facilities for setting up a new one. At all times, the passwords are under user control; they are not maintained by the network staff.
sures that constituent parts of messages are stored and transmitted in their correct sequence. Networks are also built to be resilient to occasional problems with transmission or the transient failure of one of the network databases.
Variations are possible on this theme - for instance, small encrypting devices at the sending computer, possibly hand-held or in the form of a token (e.g. Smart card) can allow the computers controlling the network to vet the user without necessarily storing encrypted passwords centrally. T h e result is the s a m e - a validated user identity which is very difficult to forge.
3. T h e E D I F A C T syntax contains a full range of control fields.
2. Sending the message - syntax confirms. I shall concentrate on the ISO standard syntax for international trade data i n t e r c h a n g e - E D I F A C T . The point~ I shall make hold in general for E D I F A C T ' s counterparts in national E D I , such as Tradacoms and ANSI X12. T h e E D I F A C T Interchange header segment UNB, which as its name implies comes at the front of the message, contains a Sender Identified (up to 35 characters) and if requirements, an address for rever~e routing. These can be 'in clear' or encoded by arrangement between the interchanging parties A, and B, and the network operator. There is also a Password field of up to 14 characters which can again be 'in clear', coded or encrypted. Depending on the encryption method adopted, this latter technique could in itself assure the recipient that the message really did come from the sender.
Summary By carefully exploiting the facilities illustrated above, organisation B can be sure in almost all circumstances that organisation A really has sent the message.
A transmission of an E D I F A C T message contains reference pairs and message and segment counts which enable the recipiei~, organisation B, to be sure that all parts of the message have been transmitted and received correctly and in the right sequence. Each Header segment contains control information which is linked to similar and additional information in its type of Trailer segment. Thus the Interchange Header UNB contains a control reference which is repeated in the Interchange Trailer U N Z together with a count of the number of messages transmitted, and similar control fields occur in the Functional Group and Message segments.
Smnmary Organisation B can easily assure itself that all the message has been received, and that all parts are in the right order. Modern communications facilities often incorporate selfcorrecting algorithms. Even with older, less sophisticated facilities, there is adequate control information available in the EDI message syntax to detect and initiate correction of occasional communications vagaries.
Is the transaction adequately secure and confidential to ourselves and the sender? T h e guiding principle for EDI services is that the sender and recipient should be assured that the electronic message is at least as secure as its predecessor, the paper document, was when sent through the post.
Have we received all the parts of the message, in the right -- 1. The network must be demonstrably secure sequence? 1. Communications p r o t o c o l s - an inherent facility in modern protocols. T h e more comprehensive protocols such as X.25 automatically check the sequence of the packets of data that are being delivered and also ensure that all the packets arrive at their proper destination. One major Customs Authority, an X.25 user, observed that 'data loss and corruption just don't seem to happen'. T h e r e is obviously less checking in the older and simpler protocols such as telex - users of this protocol will need to rely on network and syntax safeguards. 2. Resilience is built into the network. T h e control and management software in the network en12
T h e user of an EDI network should check at the outset to ensure that the VAN supplier has designed and is operating the system to the highest levels of security - both at the physical level (access to equipment, software and staff) and at the 'logical' level inside the network and its computers. For example, messages in a user's mailbox should be made available to the authorised user only. Any audits of the entire facility should be carried out at regular intervals by a reputable independent auditing firm. 2. T h e message should be encrypted for additional assurance. Here we come across the first example of where technology and operational/national requirements and practice may be at variance. While complete encryption o f a mesVolume 2 Number 3, 1990
UPDATE on Computer Audit, Control and Security
CEDI sage can guarantee its confidentiality, the'Value Added Networks Operators, Telecommunications Administrations and National Government Departments prefer messages to be 'in clear' - the networks and TAs for ease of handling and charging, departments such as Customs for the handling/vetting of messages transmitted to them. Thus partial encryption is the nearest we can achieve to total security. Where required, it can perform valuable checks, both on the identity of the sender and on the integrity/accuracy of the message that is received. Firstly, one can encrypt message passwords as described earlier: it is also feasible to construct an encrypted hash total of all the message data fields, including the sender's identity. This hash total, termed the message's 'digital signature' or 'message authentication code', is then transmitted along with the message, and can be unscrambled and checked by the recipient. The rhost secure digital signature systems will use public and private key encryption techniques such as RSA. Private and public keys are created and sent out by the network control computer when the sender, A, accesses the network for the data transmission session. The message's digital signature is encrypted using A's private key, and decrypted by recipient B using A's public key, which has been sent to him. Successful decryption proves not only the integrity of the entire EDI message but also that the private key, held by A, is the only key that could have been used to encrypt the signature - a double check on A's identity. These very secure encryption techniques do however require that the network can handle the creation, storing and transfer of k e y s - and not many commercial networks provide this facility today. There are also some overheads in terms of extra service messages (to send the key information over the network), longer and more complex messages (to accommodate the digital signature and message-related cryptographic data) and a slight increase in message transmission times (to allow for the encryption and decryption processes, and the longer messages). Any one network will probably offer only one kind of encryption as its own standard across its network, and extra computing hardware may be needed by the sender, A, the recipient, B, and on the network control computers to perform the cryptographic work. So today the user's choice may be limited. However, financial EDI systems and some government networks have been pioneering in this field, and the additional standard messages needed are now being designed - so these facilities are likely to be available to a wider user audience in the next few years. Summary For most trade transactions the security and confidentiality offered by Value Added Network suppliers is adequate. However, if the recipient needs absolute assurance about the identity of the sender and that messages have not Volume 2 Number 3, 1990
been tampered with, then the digital signature (partial encryption) is the only practical solution. This requirement will probably dictate the choice of network and also increase the costs of setting up and running the user's EDI service. Can the sender, A , rely on our receivhzg his message? And h he told when we have received it, and what state it appears to be in? 1. Some communications protocols can guarantee receipt. Some of the more comprehensive proprietary protocols offer a guarantee of message delivery, for example ICL CO3 and IBM's SNA. Applications using the full OSI stack naturally enjoy this facility, as it is provided by the transport layer, layer 4. An example here is the X.400 Message Handling Service, which would be very appropriate for EDI. However, some European telecomms carriers offer other protocols, such as X.21 circuit switched service, which do not provide a message delivery 'guarantee'. 2. The network should report on success/failure of transmission. Some networks can check at the outset that message transfers between A and the intended recipient B are correctly addressed and valid, and that the message type(s) are on a pre-defined list held in the network's control computers. This list is called a trading director, and it keeps a record of the current message transfer pattern that all the network's partners are willing to accept, and from whom. Thus a typical entry might read that A can send to B Invoice and Despatch Note messages. Valid Invoices and Despatch Notes will be accepted for onward transmission but wrongly addressed messages, or ones of the wrong type, will be detected and flagged to a sender at the time of transmission. The sender, A, is also available to track progress of his message to its destination. The progress report, which is automatically provided for every transfer, will also show any errors encountered while the message is in transmission. 3. EDIFACT users can request acknowledgement. The UNB Interchange Header segment contains an Acknowledgement Request indicator, allowing the sender A, to check that B, the recipient, has received and identified the start and end of the EDI message. This check can, of course, be done after B has performed some more detailed content vetting. The interchange agreement can spell out the degree of checking which A can rely on B having done when B sends back the Acknowledgement. This agreement Can also cover the required procedures for retransmission of messages failing the c h e c k s whether the whole set of messages is to be retransmitted 13
UPDATE on Computer Audit, Control and Security
) or only those in error. And in the absence of any national or international, legal/administrative rulings on when B is deemed to have received th e message, the interchange.
Summary T h e sender, A, can rely on the control facilities provided by the more comprehensive communications protocols and built into well-operated networks to ensure that the message will reach B, his intended recipient. Using the E D I F A C T syntax will allow him to ask B to acknowledge receipt of the message and confirm that it is in good condition.
What credibility can we attach to this message as a form of binding contract with A for the supply of goods and services? A, the sender, and B, the recipient, are bound by the interchange agreement that they have drawn up with each other and with the Value Added Network supplier. As we have seen, they can with careful use of available technology be assured of the integrity of the network and the message. T h e agreement then forms a highway code to guide them in navigating the dicey roads of effecting the commercial transaction to which the message relates. T h e UNCID rules must be warmly welcomed as forming a model solution to the drafting of such an agreement One senior lawyer at the EDI 87 Conference in London said that they would greatly simplify and clarify the contractual position in many commercial transactions. An Interchange Agreement, he said, was much more straightforward than the usual, complex commercial cycle of 'invitation to t r e a t - o f f e r - c o u n t e r o f f e r disagreement - clarification - more letters - more phone calls - acceptance' which he spends his time, and his clients' money, unravelling every working day. As such agreements become recognised as the basis of standard commercial practice in EDI, then it will be easier for either partner (A or B) to gain any legal support needed to reinforce the contractual relationship on which the organisation has acted.
And if we do rely on this message and carry out our perceived contractual obligations, what is our legal standing if anything is brought into question and we need to furnish evidence?
sure to gain the benefits of EDI, coupled with changes in national laws, will in due course overcome this barrier. Meanwhile, this paper intends to bring some reassurance about the integrity of EDI messages. 3. Legal admissibility of computer produced evidence. U N C I T R A L concluded in 1985 that the rules of evidence in domestic and international trade law should not prove any bar to the use of computers and EDI. However, the section above indicates that current trade practice may prove a more effective limitation. It must also be remembered that the rules of evidence in some recent legislation (for example the 1984 U K Police and Criminal Evidence Act) display a woeful lack of understanding of the capabilities of modern computer systems. T o be demonstrably secure, a computer system from which solid evidence can be furbished needs a Mandatory control operating regime. In these systems, introduced for commercial users, rigid control is enforced on access to all files and software, and all actions are automatically and securely audited. Mandatory systems are already in use in government networks; increasing trade message traffic on commercial networks would indicate a need for their network control computers to operate in the same way. Only then can the course really rely on the computer records and logs which may be produced as evidence.
Summary Good auditing facilities must be provided. Business and administrative practice can be a limiting factor on the adoption of EDI; legal rules of evidence may be less than ideal while not intentionally forming a barrier to progress. T h e wide use of the U N C I D rules should be of great benefit in allowing parties to foresee and forestall potential problems. As use of EDI grows there will be an increasing need for network computers to be even more secure. International trading, multi-network EDI transfers and the law
1. Audit and message logging As in any communications system handling important messages both the sender's, A's, and the receiver's, B's, computers should maintain secure logs of messages sent and received. Also the VAN usually provides audit logs and trails for authorised users, maintaining these reports in a secure state for the required statutory periods (or as agreed between the EDI partners). 2. Business, legal and administrative practice There are some countries, such as France, where certain EDI transmissions have to be supported by paper documents before the commercial transactions to which they relate can proceed. This may be a 'hangover' from times before electronic transmissions were deemed feasible, or simply reflect administrative inertia. Commercial pres14
So far we've addressed a simple scenario, of an EDI message crossing one network between A, the sender, and organisation B, A's trading partner, with both parties resident in one country. And the position has been shown to be fairly satisfactory. Now consider the implications of this more international model, a picture of how retailing might develop as a European Community's Free Internal Market becomes a reality over the next few years. Frau Flindt, a German housewife, uses her Smart card to authenticate an order for a new hi-fi which she enters through the terminal in her local shopping mall. T h e order is transmitted via a German catalogue agency to its U K headquarters which places a further Just-In-Tim order with a Spanish electronics factory. Delivery is ordered from, and effected by, a French transport and warehousing organisation direct to Frau Flindt's house Volume 2 Number 3, 1990
UPDATE on Computer Audit, Control and Security
CEDI in Karlsruhe, within days of her placing the original order. T h e French firm then notifies the catalogue agency of successful delivery. All these information transfers are carried out by EDI, as are additional messages carrying customs information, instructions for insurance, invoices and, eventually, payment instructions to their bankers from all the parties in the logistics chain. Several value added networks are used, and some of the messages traverse a n u m b e r of networks to get to their respective destinations. T h e observant will have noticed two underlying assumptions in this scenario, the first of which is 'all these information transfers are carried out by EDI'. In the current world of import-export, various paper documents such as licences and health certificates surround the main trading documents, bills of lading and the like. It is up to the EDI fraternity to push their national/international administrative organisations to adopt electronic equivalents to thes~ 'peripheral' documents as soon as possible, so that traders and administrators can each enjoy the speed which fully electronic information flows can bring. T h e second assumption in the scenario is that the EDI traffic needs to cross several networks. Technically, there is no reason why all the traffic could not be carried on one enormous pan-European network: this could be made very secure, be easily audited, and it would eliminate any commercial problems about charging between competing networks. However, given the large number of networks already in operation across Europe, the commercial reality is that the majority of long-distance international EDI traffic will probably cross more than one network. Competition between these networks will naturally lead to problems with, inter alia, cross charging. We can now pose a n u m b e r of questions, and give some answers:
Firstly, do the senders and recipients of hzternational, multinetworked E D I messages enjoy the same technological safeguards as they would if their messages used only one network? Does the German catalogue agency, for example, enjoy the same security for its EDI messages sent to the U K as if all the traffic were on one national network? It has been shown that all the major networks operate in their own secure fashion, checking that messages sent can be received, for instance, and producing audit information to allow the progress of a message to be monitored through their system. What is needed is agreement on the facilities to be provided in standard internetwork interfaces (sometimes called gateways). This agreement should specify, inter alia:
O
how networks will provide guaranteed end-to-end delivery for multi-networked messages;
Volume 2 Number 3, 1990
_
O
which if any range of encryption facilities will be offered across networks;
O
how networks aim to provide audit reports showing adequate detail of the message's multi-network journey when the main aim is that gateways should be transparent to network traffic.
Networks also need to agree minimum standards and methods for the validation of user accesses. So in our scenario, the properly authenticated messages from the U K organisation to the factory in Spain will be acceptable as they cross network boundaries with little or no addit~ional validation. These validation standards will thus affect the specification of gateways. And the Spaniards know that a similar message from, say, a Dutch organisation on a different VAN will have passed similar levels of security checking. This will make their job of assessing the 'Trustedness' of a message from a trading partner and the level of database access to allow it so very much easier than today. Work-programmes to address these topics of EDI network gateway facilities and validating user accesses could be fruitful projects under the Community's new T E D I S initiatives.
Secondly, what is the legal position if one of the messages fails to get through, and which network bears the cost of any rectification? What if the notification of delivery message in our scenario never gets from the French transport firm to the German catalogue agency - does Frau Flindt get the hi-fi but never have to pay for it? Or would the French firm receive no payment for its delivery services? This is one aspect of EDI trading that must be covered in the Interchange Agreement between A and B, as liability for rectification is not easily proven, and the telecomms carriers and in turn the VANS suppliers do their best to minimise their commercial exposure. Inter-connected networks could give the communications and service suppliers even more room for manoeuvre so the Interchange agreement and the gateway specification are vitally important to the EDI user. There must also be practical, rather than theoretical, agreement in the courts as to the evidential value of any audit records that may be produced in support of a legal action.
Which country's legal system is asked to adjudicate in a muhicountry transfer? This could be the country where the sender organisation resides, or where the receiving organisation resides, where the evidence (audit reports and message logs) can most easily be collected, or even another country's jurisdiction. Until there is agreement, probably sponsored by the ICC or U N C I T R A L , on which country should have 15
UPDATE on Computer Audit, Control and Security
) adjudicative rights, then parties who wish to exchange international EDI messages should agree this point beforehand in their bi-lateral interchange agreements. This could get very complex as the usage of EDI grows and with it the number of trading partners for each organisation. In UNCITRAL'S next project, the definition of rules for electronic funds transfer, no doubt they will be addressing this sort of issue. Conclusions I hope that I've shown that, even with the current state of the art, EDI messages can be very secure and legally acceptfible in the context of sample, single-network transfer within one country. For international EDI, much good work has already been done on the formulation of message syntax and the design of standard messages; this will gain added momentum with the establishment of the EDIFACT Board. There are, however, a number of unresolved technical and legal issues which still form barriers to widespread
use of EDI when messages have to cross national or network boundaries. To overcome these barriers, the development of adequate, modern administrative and legal rules, together with agreed standards for user authentication and secure internetwork gateways, is if anything more important for the future growth of international EDI than the message standards. We should not be deterred by these problems from starting to use EDI and to reap its undoubted benefits, nor by the additional problems we discover in the course of implementing our own EDI systems. Many people and organisations are already involved in finding ways round these barriers, particularly EDI users and trade bodies, the professions and governments and are attempting to discuss and resolve outstanding problems in the shortest possible time - both the current problems and the new ones as they arise. In the meantime, while these remaining issues are being resolved, let us not forget that the only valid approach for the prospective user of international EDI is - caveat emptor!
John Draper is Principal Consultant in ICL's Network Applications Business Centre, specialising in EDI and Information Security. In the last 3 years he has undertaken assignments with The Institute of lnternal Auditors, SITPRO and the European Commission. During 1988 he spoke at COMPAT '88 in the Hague, COMPSEC in Londoh's Heathrow, for the CEC TEDIS programme in Brussels and at the National Institute of Standards in Washington.
NEWS M o r e resources n e e d e d for c o m p u t e r law enforcement Certainly it does not inspire confidence that the Computer Crime Unit has no budget to retain consultants to assist with technical aspects of investigations and has to rely on borrowing British Telecom computer crime unit hardware. Only 50 officers have attended the four week police staff college course on computer crime. (Computing, 30th November). The police's own progress towards national IT integration is still tentative. The Home Office would like to see an integrated national network linking police, prisons, the Crown Prosecution Service etc. However, individual police authorities are taking steps towards office automation which may pre-empt national standardisation to some extent. 16
(
BOOKS)
An Introduction to the Security of Computer Systems by R.J. Potts. PLC Consultancy Services, ISBN 1 871259 00 2, 148 pages. Soft back, s
This book is aimed at giving the non-specialist an overview of the fundamentals of computer security. This it succeeds in doing with a clear readable style.
It covers the fundamentals of computer security, the threats, personnel security, physical security, software security, data and communications security, documentary security, electronic security, legal aspects, insurance issues, contingency planning and implementation of security policy. Volume 2 Number 3, 1990
SECURITY, INTEGRITY AND L E G A L I T Y - BARRIERS TO EDI PROGRESS IN EUROPE? by John Draper Introduction: new technology, benefits and risks Electronic Data Interchange (EDI) is information technology giving trading organisations a new capability, and it is already in widespread use particularly for national trade in major countries around the world. It gives recognised benefits in cost savings and in faster flows of goods ~nd information, together with improved management control, and great co-operative efforts are being made to extend its use to international trade as quickly as possible. T h e paper aims to enhance our understanding of the significant opportunites that EDI can offer to our own organisations- but as with any technology, there are some issues to be examined, some downside risks of which we need to be aware. We all know about the risks associated with ultra high-technology projects such as the Space Shuttle or Nuclear Power. It is, however, necessary to remember that problems can occur with even the most familiar, low-technology processes unless thought and preventative actions are applied in advance of the problems arising. People will push to adopt EDI and to gain its undoubted benefits, and may leave the sorting out of any resulting problems until later. M y aim is to examine some of the fundamental business issues and risks arising from the use and potential abuse of E D I , focusing on the extent to which careful application of the technology itself and appropriate business procedures can minimise or eliminate those risks. This paper is in three parts, starting with a review of the issues involved in single network systems, then examining how those issues can be addressed with today's technology, finally looking at the wider international scefie where messages will probably need to cross several networks between sender and ultimate recipient. This paper will be highlighting areas where there is scope for further improvements both in the technology and the surrounding legal framework. T h e issues: E D I transfers over a single network Let's take a look at a typical simple EDI transaction over a communications link such as a Value Added Network. T h e computer in organisation A connects to the network and then sends a message for the computer in organisation B. Depending on the type of network service being 10
provided, this will be received immediately or when B's computer connects and 'calls forward' the messages in B's network mailbox. Once the message has been received, the recipient organisation, B, is entitled to ask the following questions about the integrity and reliability of the electronic data which they have just received. Who sent this message? Can we rely on the sender's identity as passed over the network? Using EDI in a manufacturing environment, for example, customers can modify the order book, thus affecting factory loading, stock and re-order levels. I n the terms of our scenario, organisation B, the recipient of the message needs to be assured that it really is A's data they have received before granting intimate access to their own vital operating data. This message isn't like the paper document that it replaces, on which we could see A's signature and perform certain checks. Even paper documents can cause problems: in 1987, some official-looking invoices purporting to be from the Yellow Pages telephone directory were sent out from Holland to businesses in Southern England _and several businessmen paid the invoices, without realising them to be fraudulent. So with EDI, what checking can the network perform on the validity of computers wishing to connect to its services, to avoid unscrupulous computer users gaining access? And does the EDI message received bear any data which could act as a check on the identity of the sender? After all, we've all heard of hacking into networks. If unscrupulous people with computers can masquerade as legitimate users, how do we assure ourselves that the same sort of thing can't happen by accident or design on this EDI network? H a v e we received all the parts of the messages, in the right sequence? Or is it possible that some part of the data didn't get through or has been duplicated, and we're not able to detect either of these events? Perhaps even a whole logical 'chunk' of the message might have gone astray, as happened on some of the initial trials with pioneering EDI networks. What facilities now exist in the communications carrying protocol, the network management and Volume 2 Number 3, 1990
UPDATE on Computer Audit, Control and Security
)
(EDI control software and the message structure itself to give us confidence that we have received 'the whole message, and nothing but the message' that A sent?
Is the transaction adequately secure and confidential to ourselves and the sender? T h e sender, A, and the recipient, B, will wish to work in commercial confidence, and they must be assured that only those people and organisations that ought to see the message should be able to do so. Exposure of the message to competing organisations, for example, could have farreaching consequence and must be prohibited under all circumstances. How can we be re-assured that no other user of the network has been able to browse among the items in our mailbox, or that copies of our EDI messages haven't, by some misdirection, landed in the electronic files of our competitors?
Can, the sender, A, rely on our receivhzg his message? And is he told when we have received it, and what state it appears to be in? How reliable and resilient is the network and its communications protocol, and what reporting facilities automatically inform A that his messages are getting through? Is there provision in the message syntax for requesting acknowledgement of receipt, and is this flexible enough to cover different degrees of error reporting? For example, B might wish to say: 'We've just received 3 messages, 2 of which appear to be O K , but please retransmit the second one'. Will an acknowledgement of receipt of a 'sound' message also constitute an agreed definition of the point in time at which the message is deemed to have been received by B, from when it may be acted upon as a contractual instrument?
And will any records that may be maintained or documents that are produced be acceptable to the courts and to any other parties who are involved, should any dispute arise over this commercial transaction? Well, I've just posed a tremendous number of questions and, so far, given very few answers - so let's now see just how far we can resolve these points. H o w t h e s e i s s u e s are a d d r e s s e d with today's technol-
ogy As we address each issue we will examine solutions called from (inter alia) value added networking procedures, communications technology and the use of the EDI message syntax - and then I will briefly summarise the overall position.
Who sent this message? Can we rely on the sender's identity as passed over the network? 1. Connecting to a network validates the user. It has to be said at the outset that each value added network service currently has its own particular procedures and requirements, including those which have to be satisfied before a user's computer is allowed access. T h e r e are also some procedural differences depending on the type o f communications facilities used to connect to the network service - dial-up voice, or connection via X25 or X21 circuits. Despite the differences, there are certain features which are found at all the better managed networks, and I shall mention some of these in the course of this paper.
T h e first is the requirement for the submission and checking the usernames and passwords: O
The Industry Group (e.g. F E C I F , ANA) allocates a distinctive username to each member organisation which wishes to exchange messages across the network.
O
When the user connects to the network, access to its facilities depends on the submission of this recognised username together with an associated password. The latter is known to the system only in a stored encrypted (i.e. scrambled) form, and no decryption routines are provided - thus stopping the clever programmer from interrogating the network computers in search of.passwords. The password submitted by the computer which is 'loggit ,n' is encrypted by the controlling network computer and then compared with the stored form. Matching resuits in the EDI service being made available, but mismatch terminates the log-on. There is often a limit set to the n u m b e r of log-on retires which may be made beforeall further attempts are barred and network services staff alerted.
O
These network services staff follow a painstaking
And as such things can't yet be entirely covered by the technology, are there other ways to cover these points?
What credibility can we attach to this message as a form of binding contract with A for the supply of goods and services? Do we still need some paper document to be furnished by the sender, A, as an adjunct to this message to give it legal standing? Or to conform to current commercial or administrative practice in a particular country? Or is there another way of assuring that messages received are credible as a form of binding contract?
And if we do rely on this message and carry out our perceived contractual obligations, what is our legal standing if anything is brought into question and we need to funffsh evidence? What records are maintained which can show that the message transfer has taken place - by the sender, on the network and by the recipient? What reports are available and at what frequency can they be provided? How long are logs of messages retained? Volume 2 Number 3, 1990
11
UPDATE on Computer Audit, Control and Security
CEDI
O
procedure for identifying users who phone in saying that they've lost their p a s s w o r d - b e f o r e giving them access to the facilities for setting up a new one. At all times, the passwords are under user control; they are not maintained by the network staff.
sures that constituent parts of messages are stored and transmitted in their correct sequence. Networks are also built to be resilient to occasional problems with transmission or the transient failure of one of the network databases.
Variations are possible on this theme - for instance, small encrypting devices at the sending computer, possibly hand-held or in the form of a token (e.g. Smart card) can allow the computers controlling the network to vet the user without necessarily storing encrypted passwords centrally. T h e result is the s a m e - a validated user identity which is very difficult to forge.
3. T h e E D I F A C T syntax contains a full range of control fields.
2. Sending the message - syntax confirms. I shall concentrate on the ISO standard syntax for international trade data i n t e r c h a n g e - E D I F A C T . The point~ I shall make hold in general for E D I F A C T ' s counterparts in national E D I , such as Tradacoms and ANSI X12. T h e E D I F A C T Interchange header segment UNB, which as its name implies comes at the front of the message, contains a Sender Identified (up to 35 characters) and if requirements, an address for rever~e routing. These can be 'in clear' or encoded by arrangement between the interchanging parties A, and B, and the network operator. There is also a Password field of up to 14 characters which can again be 'in clear', coded or encrypted. Depending on the encryption method adopted, this latter technique could in itself assure the recipient that the message really did come from the sender.
Summary By carefully exploiting the facilities illustrated above, organisation B can be sure in almost all circumstances that organisation A really has sent the message.
A transmission of an E D I F A C T message contains reference pairs and message and segment counts which enable the recipiei~, organisation B, to be sure that all parts of the message have been transmitted and received correctly and in the right sequence. Each Header segment contains control information which is linked to similar and additional information in its type of Trailer segment. Thus the Interchange Header UNB contains a control reference which is repeated in the Interchange Trailer U N Z together with a count of the number of messages transmitted, and similar control fields occur in the Functional Group and Message segments.
Smnmary Organisation B can easily assure itself that all the message has been received, and that all parts are in the right order. Modern communications facilities often incorporate selfcorrecting algorithms. Even with older, less sophisticated facilities, there is adequate control information available in the EDI message syntax to detect and initiate correction of occasional communications vagaries.
Is the transaction adequately secure and confidential to ourselves and the sender? T h e guiding principle for EDI services is that the sender and recipient should be assured that the electronic message is at least as secure as its predecessor, the paper document, was when sent through the post.
Have we received all the parts of the message, in the right -- 1. The network must be demonstrably secure sequence? 1. Communications p r o t o c o l s - an inherent facility in modern protocols. T h e more comprehensive protocols such as X.25 automatically check the sequence of the packets of data that are being delivered and also ensure that all the packets arrive at their proper destination. One major Customs Authority, an X.25 user, observed that 'data loss and corruption just don't seem to happen'. T h e r e is obviously less checking in the older and simpler protocols such as telex - users of this protocol will need to rely on network and syntax safeguards. 2. Resilience is built into the network. T h e control and management software in the network en12
T h e user of an EDI network should check at the outset to ensure that the VAN supplier has designed and is operating the system to the highest levels of security - both at the physical level (access to equipment, software and staff) and at the 'logical' level inside the network and its computers. For example, messages in a user's mailbox should be made available to the authorised user only. Any audits of the entire facility should be carried out at regular intervals by a reputable independent auditing firm. 2. T h e message should be encrypted for additional assurance. Here we come across the first example of where technology and operational/national requirements and practice may be at variance. While complete encryption o f a mesVolume 2 Number 3, 1990
UPDATE on Computer Audit, Control and Security
CEDI sage can guarantee its confidentiality, the'Value Added Networks Operators, Telecommunications Administrations and National Government Departments prefer messages to be 'in clear' - the networks and TAs for ease of handling and charging, departments such as Customs for the handling/vetting of messages transmitted to them. Thus partial encryption is the nearest we can achieve to total security. Where required, it can perform valuable checks, both on the identity of the sender and on the integrity/accuracy of the message that is received. Firstly, one can encrypt message passwords as described earlier: it is also feasible to construct an encrypted hash total of all the message data fields, including the sender's identity. This hash total, termed the message's 'digital signature' or 'message authentication code', is then transmitted along with the message, and can be unscrambled and checked by the recipient. The rhost secure digital signature systems will use public and private key encryption techniques such as RSA. Private and public keys are created and sent out by the network control computer when the sender, A, accesses the network for the data transmission session. The message's digital signature is encrypted using A's private key, and decrypted by recipient B using A's public key, which has been sent to him. Successful decryption proves not only the integrity of the entire EDI message but also that the private key, held by A, is the only key that could have been used to encrypt the signature - a double check on A's identity. These very secure encryption techniques do however require that the network can handle the creation, storing and transfer of k e y s - and not many commercial networks provide this facility today. There are also some overheads in terms of extra service messages (to send the key information over the network), longer and more complex messages (to accommodate the digital signature and message-related cryptographic data) and a slight increase in message transmission times (to allow for the encryption and decryption processes, and the longer messages). Any one network will probably offer only one kind of encryption as its own standard across its network, and extra computing hardware may be needed by the sender, A, the recipient, B, and on the network control computers to perform the cryptographic work. So today the user's choice may be limited. However, financial EDI systems and some government networks have been pioneering in this field, and the additional standard messages needed are now being designed - so these facilities are likely to be available to a wider user audience in the next few years. Summary For most trade transactions the security and confidentiality offered by Value Added Network suppliers is adequate. However, if the recipient needs absolute assurance about the identity of the sender and that messages have not Volume 2 Number 3, 1990
been tampered with, then the digital signature (partial encryption) is the only practical solution. This requirement will probably dictate the choice of network and also increase the costs of setting up and running the user's EDI service. Can the sender, A , rely on our receivhzg his message? And h he told when we have received it, and what state it appears to be in? 1. Some communications protocols can guarantee receipt. Some of the more comprehensive proprietary protocols offer a guarantee of message delivery, for example ICL CO3 and IBM's SNA. Applications using the full OSI stack naturally enjoy this facility, as it is provided by the transport layer, layer 4. An example here is the X.400 Message Handling Service, which would be very appropriate for EDI. However, some European telecomms carriers offer other protocols, such as X.21 circuit switched service, which do not provide a message delivery 'guarantee'. 2. The network should report on success/failure of transmission. Some networks can check at the outset that message transfers between A and the intended recipient B are correctly addressed and valid, and that the message type(s) are on a pre-defined list held in the network's control computers. This list is called a trading director, and it keeps a record of the current message transfer pattern that all the network's partners are willing to accept, and from whom. Thus a typical entry might read that A can send to B Invoice and Despatch Note messages. Valid Invoices and Despatch Notes will be accepted for onward transmission but wrongly addressed messages, or ones of the wrong type, will be detected and flagged to a sender at the time of transmission. The sender, A, is also available to track progress of his message to its destination. The progress report, which is automatically provided for every transfer, will also show any errors encountered while the message is in transmission. 3. EDIFACT users can request acknowledgement. The UNB Interchange Header segment contains an Acknowledgement Request indicator, allowing the sender A, to check that B, the recipient, has received and identified the start and end of the EDI message. This check can, of course, be done after B has performed some more detailed content vetting. The interchange agreement can spell out the degree of checking which A can rely on B having done when B sends back the Acknowledgement. This agreement Can also cover the required procedures for retransmission of messages failing the c h e c k s whether the whole set of messages is to be retransmitted 13
UPDATE on Computer Audit, Control and Security
) or only those in error. And in the absence of any national or international, legal/administrative rulings on when B is deemed to have received th e message, the interchange.
Summary T h e sender, A, can rely on the control facilities provided by the more comprehensive communications protocols and built into well-operated networks to ensure that the message will reach B, his intended recipient. Using the E D I F A C T syntax will allow him to ask B to acknowledge receipt of the message and confirm that it is in good condition.
What credibility can we attach to this message as a form of binding contract with A for the supply of goods and services? A, the sender, and B, the recipient, are bound by the interchange agreement that they have drawn up with each other and with the Value Added Network supplier. As we have seen, they can with careful use of available technology be assured of the integrity of the network and the message. T h e agreement then forms a highway code to guide them in navigating the dicey roads of effecting the commercial transaction to which the message relates. T h e UNCID rules must be warmly welcomed as forming a model solution to the drafting of such an agreement One senior lawyer at the EDI 87 Conference in London said that they would greatly simplify and clarify the contractual position in many commercial transactions. An Interchange Agreement, he said, was much more straightforward than the usual, complex commercial cycle of 'invitation to t r e a t - o f f e r - c o u n t e r o f f e r disagreement - clarification - more letters - more phone calls - acceptance' which he spends his time, and his clients' money, unravelling every working day. As such agreements become recognised as the basis of standard commercial practice in EDI, then it will be easier for either partner (A or B) to gain any legal support needed to reinforce the contractual relationship on which the organisation has acted.
And if we do rely on this message and carry out our perceived contractual obligations, what is our legal standing if anything is brought into question and we need to furnish evidence?
sure to gain the benefits of EDI, coupled with changes in national laws, will in due course overcome this barrier. Meanwhile, this paper intends to bring some reassurance about the integrity of EDI messages. 3. Legal admissibility of computer produced evidence. U N C I T R A L concluded in 1985 that the rules of evidence in domestic and international trade law should not prove any bar to the use of computers and EDI. However, the section above indicates that current trade practice may prove a more effective limitation. It must also be remembered that the rules of evidence in some recent legislation (for example the 1984 U K Police and Criminal Evidence Act) display a woeful lack of understanding of the capabilities of modern computer systems. T o be demonstrably secure, a computer system from which solid evidence can be furbished needs a Mandatory control operating regime. In these systems, introduced for commercial users, rigid control is enforced on access to all files and software, and all actions are automatically and securely audited. Mandatory systems are already in use in government networks; increasing trade message traffic on commercial networks would indicate a need for their network control computers to operate in the same way. Only then can the course really rely on the computer records and logs which may be produced as evidence.
Summary Good auditing facilities must be provided. Business and administrative practice can be a limiting factor on the adoption of EDI; legal rules of evidence may be less than ideal while not intentionally forming a barrier to progress. T h e wide use of the U N C I D rules should be of great benefit in allowing parties to foresee and forestall potential problems. As use of EDI grows there will be an increasing need for network computers to be even more secure. International trading, multi-network EDI transfers and the law
1. Audit and message logging As in any communications system handling important messages both the sender's, A's, and the receiver's, B's, computers should maintain secure logs of messages sent and received. Also the VAN usually provides audit logs and trails for authorised users, maintaining these reports in a secure state for the required statutory periods (or as agreed between the EDI partners). 2. Business, legal and administrative practice There are some countries, such as France, where certain EDI transmissions have to be supported by paper documents before the commercial transactions to which they relate can proceed. This may be a 'hangover' from times before electronic transmissions were deemed feasible, or simply reflect administrative inertia. Commercial pres14
So far we've addressed a simple scenario, of an EDI message crossing one network between A, the sender, and organisation B, A's trading partner, with both parties resident in one country. And the position has been shown to be fairly satisfactory. Now consider the implications of this more international model, a picture of how retailing might develop as a European Community's Free Internal Market becomes a reality over the next few years. Frau Flindt, a German housewife, uses her Smart card to authenticate an order for a new hi-fi which she enters through the terminal in her local shopping mall. T h e order is transmitted via a German catalogue agency to its U K headquarters which places a further Just-In-Tim order with a Spanish electronics factory. Delivery is ordered from, and effected by, a French transport and warehousing organisation direct to Frau Flindt's house Volume 2 Number 3, 1990
UPDATE on Computer Audit, Control and Security
CEDI in Karlsruhe, within days of her placing the original order. T h e French firm then notifies the catalogue agency of successful delivery. All these information transfers are carried out by EDI, as are additional messages carrying customs information, instructions for insurance, invoices and, eventually, payment instructions to their bankers from all the parties in the logistics chain. Several value added networks are used, and some of the messages traverse a n u m b e r of networks to get to their respective destinations. T h e observant will have noticed two underlying assumptions in this scenario, the first of which is 'all these information transfers are carried out by EDI'. In the current world of import-export, various paper documents such as licences and health certificates surround the main trading documents, bills of lading and the like. It is up to the EDI fraternity to push their national/international administrative organisations to adopt electronic equivalents to thes~ 'peripheral' documents as soon as possible, so that traders and administrators can each enjoy the speed which fully electronic information flows can bring. T h e second assumption in the scenario is that the EDI traffic needs to cross several networks. Technically, there is no reason why all the traffic could not be carried on one enormous pan-European network: this could be made very secure, be easily audited, and it would eliminate any commercial problems about charging between competing networks. However, given the large number of networks already in operation across Europe, the commercial reality is that the majority of long-distance international EDI traffic will probably cross more than one network. Competition between these networks will naturally lead to problems with, inter alia, cross charging. We can now pose a n u m b e r of questions, and give some answers:
Firstly, do the senders and recipients of hzternational, multinetworked E D I messages enjoy the same technological safeguards as they would if their messages used only one network? Does the German catalogue agency, for example, enjoy the same security for its EDI messages sent to the U K as if all the traffic were on one national network? It has been shown that all the major networks operate in their own secure fashion, checking that messages sent can be received, for instance, and producing audit information to allow the progress of a message to be monitored through their system. What is needed is agreement on the facilities to be provided in standard internetwork interfaces (sometimes called gateways). This agreement should specify, inter alia:
O
how networks will provide guaranteed end-to-end delivery for multi-networked messages;
Volume 2 Number 3, 1990
_
O
which if any range of encryption facilities will be offered across networks;
O
how networks aim to provide audit reports showing adequate detail of the message's multi-network journey when the main aim is that gateways should be transparent to network traffic.
Networks also need to agree minimum standards and methods for the validation of user accesses. So in our scenario, the properly authenticated messages from the U K organisation to the factory in Spain will be acceptable as they cross network boundaries with little or no addit~ional validation. These validation standards will thus affect the specification of gateways. And the Spaniards know that a similar message from, say, a Dutch organisation on a different VAN will have passed similar levels of security checking. This will make their job of assessing the 'Trustedness' of a message from a trading partner and the level of database access to allow it so very much easier than today. Work-programmes to address these topics of EDI network gateway facilities and validating user accesses could be fruitful projects under the Community's new T E D I S initiatives.
Secondly, what is the legal position if one of the messages fails to get through, and which network bears the cost of any rectification? What if the notification of delivery message in our scenario never gets from the French transport firm to the German catalogue agency - does Frau Flindt get the hi-fi but never have to pay for it? Or would the French firm receive no payment for its delivery services? This is one aspect of EDI trading that must be covered in the Interchange Agreement between A and B, as liability for rectification is not easily proven, and the telecomms carriers and in turn the VANS suppliers do their best to minimise their commercial exposure. Inter-connected networks could give the communications and service suppliers even more room for manoeuvre so the Interchange agreement and the gateway specification are vitally important to the EDI user. There must also be practical, rather than theoretical, agreement in the courts as to the evidential value of any audit records that may be produced in support of a legal action.
Which country's legal system is asked to adjudicate in a muhicountry transfer? This could be the country where the sender organisation resides, or where the receiving organisation resides, where the evidence (audit reports and message logs) can most easily be collected, or even another country's jurisdiction. Until there is agreement, probably sponsored by the ICC or U N C I T R A L , on which country should have 15
UPDATE on Computer Audit, Control and Security
) adjudicative rights, then parties who wish to exchange international EDI messages should agree this point beforehand in their bi-lateral interchange agreements. This could get very complex as the usage of EDI grows and with it the number of trading partners for each organisation. In UNCITRAL'S next project, the definition of rules for electronic funds transfer, no doubt they will be addressing this sort of issue. Conclusions I hope that I've shown that, even with the current state of the art, EDI messages can be very secure and legally acceptfible in the context of sample, single-network transfer within one country. For international EDI, much good work has already been done on the formulation of message syntax and the design of standard messages; this will gain added momentum with the establishment of the EDIFACT Board. There are, however, a number of unresolved technical and legal issues which still form barriers to widespread
use of EDI when messages have to cross national or network boundaries. To overcome these barriers, the development of adequate, modern administrative and legal rules, together with agreed standards for user authentication and secure internetwork gateways, is if anything more important for the future growth of international EDI than the message standards. We should not be deterred by these problems from starting to use EDI and to reap its undoubted benefits, nor by the additional problems we discover in the course of implementing our own EDI systems. Many people and organisations are already involved in finding ways round these barriers, particularly EDI users and trade bodies, the professions and governments and are attempting to discuss and resolve outstanding problems in the shortest possible time - both the current problems and the new ones as they arise. In the meantime, while these remaining issues are being resolved, let us not forget that the only valid approach for the prospective user of international EDI is - caveat emptor!
John Draper is Principal Consultant in ICL's Network Applications Business Centre, specialising in EDI and Information Security. In the last 3 years he has undertaken assignments with The Institute of lnternal Auditors, SITPRO and the European Commission. During 1988 he spoke at COMPAT '88 in the Hague, COMPSEC in Londoh's Heathrow, for the CEC TEDIS programme in Brussels and at the National Institute of Standards in Washington.
NEWS M o r e resources n e e d e d for c o m p u t e r law enforcement Certainly it does not inspire confidence that the Computer Crime Unit has no budget to retain consultants to assist with technical aspects of investigations and has to rely on borrowing British Telecom computer crime unit hardware. Only 50 officers have attended the four week police staff college course on computer crime. (Computing, 30th November). The police's own progress towards national IT integration is still tentative. The Home Office would like to see an integrated national network linking police, prisons, the Crown Prosecution Service etc. However, individual police authorities are taking steps towards office automation which may pre-empt national standardisation to some extent. 16
(
BOOKS)
An Introduction to the Security of Computer Systems by R.J. Potts. PLC Consultancy Services, ISBN 1 871259 00 2, 148 pages. Soft back, s
This book is aimed at giving the non-specialist an overview of the fundamentals of computer security. This it succeeds in doing with a clear readable style.
It covers the fundamentals of computer security, the threats, personnel security, physical security, software security, data and communications security, documentary security, electronic security, legal aspects, insurance issues, contingency planning and implementation of security policy. Volume 2 Number 3, 1990