INTERNET AND INTRANET SECURITY MANAGEMENT:
RISKS AND SOLUTIONS
by Lech Janczewski, University of Auckland, New Zealand
“In the last 12 years we have observed amazing growth of electronic
communication. From typical local networks through country-wide systems and
business-based distributed processing, we have witnessed widespread
implementation of computer-controlled transmissions encompassing almost every
aspect of our business and private lives.
“INTERNET AND INTRANET SECURITY MANAGEMENT: RISKS AND
SOLUTIONS addresses issues of information security from the managerial, global
point of view. The global approach allows us to concentrate on issues that could be
influenced by activities happening on opposite sides of the Earth.”
================================
FROM THE PREFACE:
“In information security, as in all areas of information technology, knowledge and
practice are advancing rapidly. There is a need for up-to-date material, but the rate of
change is so great that a textbook only a few years old will already be obsolete.
Covering the most important changes in the field of information security to produce
an updated text before it becomes obsolete is a lot to ask of one author, so we
have asked several, each expert in their own speciality, to complete one chapter.
“Overlaps are minimal, but chapters are substantially independent. Readers can,
therefore, either follow the text from the beginning to end, or pursue only their
special interests without having to read the whole text.
“The book is divided into four separate parts:
Part I: State of the Art
“Here major issues concerning development of Internet and intranet are discussed.
To present a balanced, world perspective, two points of view have been included:
from the United States (J. Palmer et al.) and from a much smaller country, New
Zealand (J. Gutierrez). Despite their different situations, both countries face
surprisingly similar information security problems.
“Interestingly, system malfunctions rather than hackers and similar unwelcome
characters are still considered to be the greatest security threats.
Part II: Managing Intranet and Internet Security
“Three authors discuss issues related to efficient management of the security of
distributed systems.
“Electronic commerce requires not only technology but also people trusting this
method of doing business. In his chapter Dieter Fink discusses the components of
trust for electronic commerce and the methods of building and sustaining it.
“The foundation of every security system is the information security policy (ISP).
Lech Janczewski presents a method to allow rapid creation of an effective ISP. A
variety of documents that standardise development and assessment of information
security functions are discussed.
“Fredj Dridi and Gustaf Neumann present an overview of Internet security issues with
special emphasis on Web security. An architecture is presented in which security
services are built to protect against threats and to achieve information security for
networked systems. Basic security protocols like IPSec, SSL, Secure HTTP, and
others are also presented.
Part III: Cryptography Methods and Standards
“Cryptography is the major technique allowing secure transport of data through
insecure environments and secure storage of data. In this part three authors
discuss a number of important issues related to cryptography:
“Export of cryptography is restricted by a number of national and international
agreements. Henry Wolfe in his chapter describes and discusses these
restrictions. In his opinion, it is impossible to enforce these restrictions and they
should be abolished. To allow a smooth introduction to more technically
challenging issues discussed later in the book, Dr. Wolfe presents a short
description of the most popular types of ciphers.
“Adequate security requires not only implementation of powerful cryptography (for
instance the development of a DES replacement), but also an adequate solution for
successful cryptography deployment. These issues are discussed by Dieter
Gollmann.
“In the final chapter of Part III, Chris Mitchell outlines the major standards
regulating cryptographic methods. The OSI security architecture, DES, Message
Authentication Codes, Digital Signatures, Hash Functions, and Key Management
are presented.
Part IV: Security and The Law
“It is not enough to understand information security merely in terms of technology
(like PKI) and psychology (trust). Understanding the law is also necessary.
Technology is advancing so rapidly that lawmakers can't keep up, and changes,
which are often inconsistent, are made in haste. Issues such as the rights of an
employee to keep data on his/her computer at work private are not well
understood. These issues are discussed by Charles and Nicole Prysby.
“As professionals living in the USA, Charles and Nicole Prysby have an American
viewpoint. To give the reader a wider perspective the last chapter of this book,
written by G. Gunasekara from Auckland, presents similar issues in a New
Zealand context.”
================================
TABLE OF CONTENTS
Preface
Part I: STATE OF THE ART
Chapter 1 Security Risk Assessment and Electronic Commerce
A Cross-Industry Analysis
Jonathan W. Palmer, University of Maryland, USA
Jamie Kliewer and Mark Sweat, University of Oklahoma, USA
Chapter 2 Securing the Internet in New Zealand:
Threats and Solutions
Jairo A. Gutierrez, University of Auckland, NZ
Part II: MANAGING INTRANET AND INTERNET SECURITY
Chapter 3 Developing Trust for Electronic Commerce
Dieter Fink, Edith Cowan University, Australia
Chapter 4 Managing Security Functions Using Security Standards
Lech Janczewski, University of Auckland, NZ
Chapter 5 Managing Security in the World Wide Web:
Architecture, Services and Techniques
Fredj Dridi and Gustaf Neumann
University of Essen, Germany
Part III: CRYPTOGRAPHY AND TECHNICAL SECURITY STANDARDS
Chapter 6 Cryptography: Protecting Confidentiality,
Integrity and Availability of Data
Henry B. Wolfe, University of Otago, NZ
Chapter 7 Foundations for Cryptography
Dieter Gollmann, Microsoft Research, UK
Chapter 8 Developments in Security Mechanism Standards
Chris Mitchell, University of London, UK
Part IV: SECURITY AND THE LAW
Chapter 9 Electronic Mail, Employee Privacy and the Workplace
Charles Prysby, University of North Carolina, USA
Nicole Prysby, Attorney at Law, Virginia, USA
Chapter 10 Protecting Personal Privacy in Cyberspace:
The Limitations of Third Generation Data Protection
Laws Such as the New Zealand Privacy Act 1993
Gehan Gunasekara, University of Auckland, NZ
About the Authors
Index
================================
ABOUT THE AUTHORS
Chapter 1
“Jonathan Palmer is an Assistant Professor at the University of Maryland, College
Park. His research interests include the strategic use of IT, electronic commerce,
and virtual organizations. His work has appeared or been accepted for publication
in Information Systems Research, Communications of the ACM, Journal of World
Business, Journal of Computer-Mediated Communication, European Management
Journal, The Information Society, International Journal of Electronic Commerce,
International Journal of Human-Computer Studies, JASIS. Palmer serves on the
editorial board of International Journal of Electronic Markets and Electronic journal
of Organizational Virtualness. He served on the faculty at the University of
Oklahoma and taught at the University of Southern California. Palmer was director
of corporate relations at The Peter F. Drucker School at the Claremont Graduate
University in California. His previous academic experience includes administrative
positions at The Fletcher School of Law and Diplomacy and The Harvard Business
School. Ph.D. Claremont Graduate University.
“Jamie Kliewer is currently teaching computer science in Phnom Penh, Cambodia.
He is a graduate of the University of Oklahoma in Management Information
Systems where he was a J.C. Penney Leadership Fellow.
“Mark Sweat is a consultant and analyst in MIS and electronic commerce at Koch
Industries in Wichita, Kansas. He is a graduate of the University of Oklahoma in
Management Information Systems where he was a J.C. Penney Leadership Fellow
and worked for the Center for MIS Studies.”
Chapter 2
“Jairo Gutierrez is a Senior Lecturer in Information Systems at The University of
Auckland. Previously he worked as an R&D Manager, Systems Integration
Consultant, and Information Systems Manager. He also conducted seminars on
LAN/WAN technologies. He teaches data communications and computer
networking. His current research topics are in network management systems,
programmable networks, and high-speed computer networking. He received a
Systems and Computer Engineering degree from The University of The Andes
(Colombia, 1983), a Masters degree in Computer Science from Texas A&M
University (1985), and a Ph.D. (1997) in Information Systems from the University of
Auckland (New Zealand).”
Chapter 3
“Dieter Fink is Associate Professor in the School of Management Information
Systems at Edith Cowan University in Perth, Western Australia. Prior to joining
academe he worked as a Systems Engineer for IBM and as Manager Consultant
for Arthur Young & Co (now Ernst & Young). His teaching and research interests
are in IS management where he specialises in IT security, investment justification
and benefits management. Dr Fink is the author of "Information Technology
Security - Managing Challenges and Creating Opportunities", published by CCH
Australia. Other publications have appeared in journals such as Long Range
Planning, Australian Journal of Information Systems and International Journal of
Information Management. A current research project is the delivery of knowledge
services by professional service firms using Internet technologies.”
Chapter 4
“Lech Janczewski, (MEng - Warsaw, MASc - Toronto, DEng - Warsaw) has over
thirty years' experience in information technology. He was the managing director of
the largest IBM installation in Poland and project manager of the first computing
center in the Niger State of Nigeria. He is currently with the Department of
Management Science and Information Systems of the University of Auckland, New
Zealand. His area of research includes management of IS resources with the
special emphasis on data security and information systems investments in
underdeveloped countries. Dr Janczewski wrote over 60 publications presented in
scientific journals, conference proceedings and chapters in books. He is the
chairperson of the New Zealand Information Security Forum.”
Chapter 5
“Fredj Dridi is a Ph.D. student at the Dept. of Information Systems and Software
Techniques at the University of Essen, Germany. He received his diploma degree
in Computer Science in 1995 from the University of Kaiserslautern. Between 1992
and 1996 he was working at DFKI on intelligent engineering systems. Currently,
his working areas are Information Systems, Security Management, Internet/
Intranet Technologies and Software Engineering.
“Gustaf Neumann was appointed Chair for Information Systems / New Media at the
Vienna University of Economics and Business Administration in November 1999. A
native of Vienna, Austria, he graduated from the Vienna University of Economics
and Business Administration (WU), Austria, in 1983 and holds a Ph.D. from the
same university. He joined the faculty of WU in 1983 as Assistant Professor at the
MIS department and served as head of the research group for Logic Programming
and Intelligent Information Systems. Before joining the Vienna University, Gustaf
Neumann was Prof. of Information Systems and Software Techniques at the
University of Essen, Germany. Earlier he was working as a visiting scientist at
IBM's T.J. Watson Research Center in Yorktown Heights, NY, from 1985-1986 and
1993-1995. In 1987, he was awarded the Heinz-Zemanek award of the Austrian
Association of Computer Science (OCG) for best dissertation (Metainterpreter
Directed Compilation of Logic Programs into Prolog). Professor Neumann has
published books and papers in the areas of program transformation, data modeling,
information systems technology and security management. He is the author of
several widely used programs that are freely available, such as the TeX-dvi
converter dvi2xx and the graphical front-end package Wafe.”
Chapter 6
“Henry B. Wolfe has been an active computer professional for more than 40 years.
He has earned a number of university degrees culminating with a Doctor of
Philosophy from the University of Otago. The first ten years of his career were spent
designing systems in a manufacturing environment. The next ten years of ever
increasing responsibility were devoted to serving in the U.S. Federal Government,
rising to the position of Director of MIS for the Overseas Private Investment
Corporation. After a short (and successful) foray into the oil and natural gas
business, Dr. Wolfe took up an academic post at the University of Otago and for
the past fifteen or so years has specialized in computer security. During that
period he has earned an international reputation in the field of computer virus
defenses. Dr Wolfe occasionally writes about a wide range of security and privacy
issues for Computers & Security, Network Security and the Computer Fraud &
Security Bulletin (where he is also an Editorial Adviser).”
Chapter 7
“Dieter Gollmann was a scientific assistant at the University of Karlsruhe,
Germany, where he was awarded the 'venia legendi' for computer science in 1991.
At Royal Holloway (University of London) he worked as a Lecturer, Senior Lecturer,
Reader, and finally as a Professor in Computer Science. He was a Visiting
Professor at the Technical University of Graz in 1991 and an Adjunct Professor at
the Information Security Research Centre, QUT, Brisbane, in 1995. He has been
acting as a consultant for HP Laboratories (Bristol) and joined Microsoft Research
in Cambridge in 1998. He has published a textbook on Computer Security and over
50 research papers on topics in cryptography and information security. He has
served on the program committees of the major European conferences on
computer security (ESORICS) and cryptography (EUROCRYPT), as well as other
international conferences in these areas.”
Chapter 8
“Chris Mitchell received his B.Sc. (1975) and Ph.D. (1979) degrees in Mathematics
from Westfield College, London University. Prior to his appointment in 1990 as
Professor of Computer Science at Royal Holloway, University of London, he was a
Project Manager in the Networks and Communications Laboratory of
Hewlett-Packard Laboratories in Bristol, which he joined in June 1985. Between
1979 and 1985 he was at Racal-Comsec Ltd. (Salisbury, UK), latterly as Chief
Mathematician. He has made contributions to a number of international
collaborative projects, including two EU ACTS projects on security for third
generation mobile telecommunications systems, and is currently convenor of
Technical Panel 2 of BSI IST/33, dealing with Security Mechanisms and providing
input to ISO/IEC JTC1/SC27 on which he currently serves as a UK Expert and as
editor of two international security standards. He is academic editor of Computer
and Communications Security Abstracts, and a member of the Editorial Advisory
Board for the journals of the London Mathematical Society. He has published over
100 papers, mostly on security-related topics, and he continues to act as a
consultant on a variety of topics in information security.”
Chapter 9
“Charles Prysby is a professor and head of the department of political science at
the University of North Carolina at Greensboro. He received his Ph.D. from
Michigan State University in 1973. His primary areas of research are in voting
behavior, political parties, southern electoral politics, and contextual effects on
political behavior. His articles have appeared in a number of journals and edited
books, and he is the coauthor of Political Behavior and the Local Context (Praeger,
1991). He also is the coauthor of the computer-based instructional packages on
voting behavior in presidential elections published by the American Political
Science Association as part of the SETUPS series. For a number of years he has
taught a graduate course on computer applications in public administration.
“Nicole Prysby is an attorney with interests in the area of employment law. She
received her J.D. with honors from the University of North Carolina School of Law in
1995. She is a contributing author for several publications in the employment and
human resource law area, including the State by State Guide to Human Resource
Law, and the Multistate Payroll Guide, and is a co-author of the Multistate Guide
to Benefits Law (all Aspen/Panel). She currently is working in the field of
environmental consulting, for Perrin Quarles Associates, in Charlottesville,
Virginia. From 1995-1997, she was an attorney in the Public Law Department at
the National Legal Research Group, Charlottesville, Virginia.”
Chapter 10
“Gehan Gunasekara (BA, LLB Wellington, LLM (Hons) Auckland) is a lecturer in
Information Technology Law at the University of Auckland. He teaches law
subjects at the University's School of Business and Economics including
undergraduate and postgraduate papers on privacy and data protection law. He has
published articles in legal journals in both New Zealand and the United Kingdom
and has contributed to several textbooks. His most recent and ongoing research
is a study of New Zealand's privacy legislation. Gehan is also interested in several
other areas of commercial law. He is a Barrister and Solicitor of the High Court of
New Zealand.”
================================
2000, 302 pages. Order #DR457.
Rothstein Associates Inc.
4 Arapaho Rd.
Brookfield, CT 06804-3104 USA
1-888-ROTHSTEIN (888.768.4783)
Telephone: 203.740.7444; 888.768.4783
Fax: 203.740.7401