CONTENTS - Emerald
3 Security Management and Policy

041301 'IT security in the financial sector'
C Amey, Computer Fraud and Security Bulletin (Jan 95) pp 16-19
As banking systems get more complex, they become less secure, and the only real response is managerial: through risk assessment, documentation, education and design-stage application review. The role of technical measures such as authentication servers is that they can help to recentralise some of the control.

041302 'A Process-Oriented Methodology for Assessing and Improving Software Trustworthiness'
E Amoroso, C Taylor, J Watson, J Weiss, Fairfax 94 pp 39-50
Various US military agencies and contractors have been working since 1989 on a methodology for assessing the amount of trust which can be placed in a piece of software. The result is a set of trust classes ranging from T0 (no trust) to T5 (the highest level). As with the Orange Book, there is a matrix of increasing trust requirements, which is given; the authors also describe the rationale behind the design. This combines elements of ISO 9000, CMU SEI's capability maturity model and existing defence methodologies, and is heavily oriented to the software process rather than to the final product.

041303 'Security Modelling for Organisations'
A Anderson, D Longley, FK Lam, Fairfax 94 pp 241-250
The authors discuss how security officers can use models of the systems under their protection to communicate with managers, to estimate the effectiveness of threat models, and to assign value to intangible assets such as confidence.

041304 'Liability and Computer Security: Nine Principles'
RJ Anderson, ESORICS 94 pp 231-245
The author discusses recent experience in the UK and elsewhere of legal disputes involving cryptographic evidence. One of the most powerful tactics in such cases is to challenge security claims by pushing for disclosure of the other side's security mechanisms; this has been granted by a number of courts, leading to the collapse of prosecution cases. Computer security mechanisms whose purpose is to provide evidence must therefore be designed to withstand scrutiny from hostile experts. Further problems are caused by the fact that many security systems are really intended to shift blame rather than to stop attacks, and this fact itself is concealed; and from system designers' lack of understanding of how the legal system actually works.

041305 'Daten- und Informationssicherung (IS) als strategische Gesamtlösung'
R Apitzsch, Datenschutzberater v 19 no 2 (15/2/95) pp 6-10 (in German)
The author discusses the security consulting approach of IBM Deutschland. This focusses on building complete solutions to all an organisation's security and disaster recovery requirements.

041306 'Secure the Virtual Office'
DS Bernstein, Datamation (15/1/95) pp 49-52
The author discusses basic computer security and gives a list of vendor contacts.

041307 'The Clipper Chip and the Price of Security in America'
JR Butler, KA Forcht, Information Management and Computer Security v 2 no 5 (1994) pp 9-12
The authors talk about the Clipper chip; they describe in general terms how it works and discuss some of the political issues raised.