From: secedu@all.net
Reply-to: secedu@all.net
Organization: Information Security Educators Mailing List
Subject: Information Security Educators Mailing List 1999-03-08
<pre>---------------------------------------------
From: mea culpa <jericho@dimensional.com>
Subject: REVIEW: "Time based Security", Winn Schwartau


0962870048.RVW   990305

"Time Based Security", Winn Schwartau, 1998, 0-672-31341-3,
U$49.99/C$70.95/UK#46.95
%A   Schwartau, Winn
%C   n/a
%D   1999
%E   n/a
%G   0-9628700-4-8
%I   Interpact Press
%O   U$25.00/C$37.00 813.393.6600 http://www.infowar.com/tbs/
%P   174 p.
%T   "Time Based Security, Practical and Provable Methods to
      Protect Enterprise and Infrastructure, Networks and Nation"

What is TBS (Time Based Security)? TBS is defined by the author as "a
non-technical examination of the very foundation of the technical
realities of the networked society. It is designed for a wide audience
with varying skill sets, backgrounds and business needs." Unfortunately,
the title's use of "practical and provable methods to protect enterprise
and infrastructure, networks and nation" implies (to me) that the book
will cover practical and applicable solutions to the problems pointed out.
Rather than presenting solutions, the author gives a high level diagnosis
of the problem, as well as simple-to-use equations for determining how it
affects your organization. 

The first fourteen chapters (each chapter averages 4.5 pages) go into the
description and foundation of TBS. Schwartau calls on well grounded and
practical examples to convey the importance of utilizing a security plan
that utilizes TBS. From the foundation, simple equations are designed to
contrast the importance of Protection, Detection, and Reaction (the key
elements of TBS). 

The next few chapters go into various security concepts and how they apply
to a TBS model. Starting with 'Defense in Depth' (Chapter 17), Schwartau
applies practical examples to his TBS equations and shows how to factor in
elements such as multi layered security. Unfortunately, these chapters
(especially 'Sequential Time-Based Security' [Chapter 18]), are extremely
short and lack the description needed to adequately convey their
importance. 

The remaining chapters cover a wider variety of topics and expand past the
TBS model a bit more. Some of these topics are Reaction Channels, TBS
Reaction Matrices & Empowerment, and Using TBS in Protection.

Overview: While TBS presents a great overview of the concepts and effects
of Time based Security, it does not present a grounded practical method
for implementing these ideas into a working network. Technical people
reading this book will no doubt question the book's claims of it being
"your handbook for protecting intangible things of value that have no
physical substance." Management and non-technical people however, should
definitely read this book. Schwartau cites easy to use examples and
layman's terms to explain the risks your network suffers. 


review by: Brian Martin <jericho@dimensional.com>
---------------------------------------------
From: "Chris Hare" <chare@nortelnetworks.com>
Date: Mon, 8 Mar 1999 10:41:46 -0500

Converting it to text meant that a lot of the neat formatting on the lists was lost.  Oh well.

Chris


Review:
Information Policies and Procedures: A Practitioner's Guide
Thomas Peltier, CISSP
Reviewed by Chris Hare
February 1999
Book Information
Information Security Policies and Procedures: A Practitioner's Guide
Published by Auerbach Publications
Published in
ISBN
258 p.

Overview
This is more of a reference manual than a book.  It discusses the whys, wherefores, and hows of information security policy, including samples and critiques of those samples.  The book is divided into two parts.  The first part contains the information that the practitioner will use while creating the policies and procedures.  The second part of the book can be used to provide information to the support and core teams, as well as any interested individual in the organization.  The information in the second part of the book is also provided in electronic format on an enclosed Compact Disc.  This allows for easy reproduction and distribution within the organization.

There are some annoying "features" to this book however.  The font often changes size in the middle of paragraphs, providing a somewhat disconcerting feeling for the reader.  Anyone who has been on one or more of Tom's seminars has heard some of the content of this book at least once.  Aside from those issues, it is an informative book for those people in the information security field who are interested in policy and procedure development.  It is, however, not a book that I would recommend as reading for the general systems security practitioner.

Chapter 1 -  Why Policies, Standards and Procedures Are Needed
There are a number of legal requirements that require the development of policies and procedures.  These requirements include the duty of loyalty and the duty of care.  The duty of loyalty is evident in certain legal concepts including the duty of fairness, conflict of interest, corporate opportunity and confidentiality.  In order to avoid a conflict of interest situation, individuals must declare any outside relationships that might interfere with the enterprise's interests.  In the duty of fairness, when presented with a conflict of interest situation, the individual has an obligation to act in the best interest of all affected parties.

When presented with material inside information such as advance notices on mergers, acquisitions and patents, etc., the individual will not use them for personal gain.  Failing to do so results in a breach of corporate opportunity.

All matters affecting the corporation shall be kept confidential until such time as the corporation chooses to make them public.

The duty of care is where the officers owe a duty to act carefully in fulfilling the important tasks assigned to them.  For example, a director shall discharge his or her duties with the care and prudence an ordinary person would exercise in similar circumstances, and in a manner that they believe is in the best interests of the enterprise.

These two elements have an impact should there be an incident that calls the operation into question.  In fact, in the United States, there are federal sentencing guidelines for criminal convictions at the senior executive level, where the sentence may be reduced where there are policies and procedures that demonstrate due diligence.  That means that having an effective compliance program in place to ensure that the corporation's policies, procedures and standards are in place can have a positive effect in the event of a criminal investigation into the company.

For example, the basic functions that are inherent in most compliance programs are:
· Establish policies, procedures and standards to guide the workforce;
· Appoint a high level manager to oversee compliance with the policies, procedures and standards;
· Exercise due care when granting discretionary authority to employees;
· Assure compliance policies are being carried out;
· Communicate the standards and procedures to all employees and others;
· Enforce the policies, standards and procedures consistently through appropriate disciplinary measures;
· Implement procedures for corrections and modification in case of violations.

The third element from a legal perspective is the Economic Espionage Act of 1996 in the United States.  The EEA, for the first time, makes the theft of trade secret information a federal crime, and subjects the criminals to penalties including fines, imprisonment and forfeiture.  However, the EEA also expects that the organization with the information is taking reasonable efforts to protect that information.

In addition to the legal requirements, there are also good business reasons for establishing policies and procedures.  It is a well-accepted fact that it is important to protect the information that is essential to an organization, just like it is essential to protect the financial assets.  This means that there is a need for controls placed on the employees, vendors, customers, and other authorized network users.  With growing requirements to be able to access information from any location on the globe, it is necessary to have an organization-wide set of information security policies, procedures and standards in place.

With the changes in the computing environment from host based to client-server based systems, the intricacies of protecting the environment have increased dramatically.  The bottom line then is that good controls make good business sense.  Failing to implement good policies and procedures can lead to a loss in shareholder and market confidence in the company should there be an incident that becomes public.

In writing the policies and procedures, it is necessary to have a solid understanding of the corporation's mission, values, and business operations.  Remember that the policies and procedures exist to define and establish the controls required to protect the organization.  Remember that security for security's sake is of little value to the corporation, its employees or the shareholders.

Chapter 2 -  Why Manage This Process as a Project?
The author recommends that the development of policies, standards and procedures be undertaken as a project.  In doing so, the implementation team remains focused on the results to be achieved.  Furthermore, the application of project management principles also helps in the assessment of the development and ensures that the effort satisfies the needs of the organization.

Consideration in the development of the policies and procedures should be given to the following questions:
· What should be included in the area of concern, or what is the scope?
· What should be done first?
· How much time will it take?
· Is there a deadline that will act as a constraint on how much can be accomplished?
· How should changing requirements be managed?
· How much will it cost?
· How relevant are the policies and procedures to the environment?
· Who should create them?
· How should they be reviewed?
· How should they be communicated?
· How can opportunities for improvement be maximized?
These are all questions that can be managed through a project oriented view to the development activity.

Through this chapter the author spends considerable time on how to break down the development of the policy or procedure into a project.  For example,
· Identify the sponsor
· Define the scope of the work
· Who is the project manager?
· Who are the individuals who possess the knowledge?
· Who will be the review committee?
Based upon the scope and the high-level objectives that have been established for the project, it is then necessary to identify the lower level tasks associated with its completion.  This is accomplished through the use of a Work Breakdown Structure (WBS).  The WBS should be reviewed and revised on an ongoing basis through the project to make sure that all of the tasks are completed, and that any unnecessary work is removed.

The major tenet of project management is to make sure that the project is controlled so that it includes the work and only the work that needs to be completed.  It is also necessary through the development of this policy to carefully examine the costs associated with the development and implementation and subsequent communication of the policy.

Another benefit of using project management techniques is the aspect of quality.  By ensuring that the policy is developed with quality in mind, it becomes easier over time to maintain it.  Involving peers, and other people who were not involved in the development, can ensure quality.

The author recommends that management not be involved in the early stages of the work to ensure that the focus is on the development effort and not on the status or performance of the project.

Through the use of good project management techniques, it is possible to develop good policies that have sound elements of quality, are cost effective, and can be easily communicated to the user community while meeting both the shareholder needs and the needs of the business.

Chapter 3 -  Planning and Preparation
Planning and preparation are an integral part of policy, standards and procedure development, but one which is often neglected.  Included in the preparation process is all of the work that must be done.  Policy lays out the general requirements to take, the standards define the tools that are to be used, and the procedures give the employees the step by step instructions to do it.

Well-written procedures never take the place of supervision, but they can take some of the more mundane tasks and move them out to the employees.  The policies are used by the employees to provide information and guidance in making decisions when their manager is not available.  The policy should identify who is responsible for which activity.

An effective set of policies can actually help the organization achieve two key security requirements: separation of duties and rotation of assignments.  No single individual should have complete control over a complete process from inception to completion.  This is an element in protecting the organization from fraud.

Individuals who are involved in sensitive duties should be rotated through other assignments on a periodic basis.  This removes them from the sensitive activities, thereby reducing their attractiveness as a target.  Rotation of duties can also provide other efficiencies including job efficiency and improvement.  The improvement aspect is achieved as the result of moving people through jobs so they don't develop short cuts, errors creeping into the work or a decrease in quality.

Once the policies are established it is necessary to define the standards that will be used to support the policy.  These standards can include hardware, software, and communications protocols to who is responsible for approving them.

There is no point in developing this documentation unless there is a communication plan developed to get the information out to the employees and others as appropriate.  This is particularly important, as management doesn't have the luxury of sitting down with every employee and discussing his or her responsibility.

The ability to provide the information to the employees is an essential part of the development of the policies, standards and procedures.  Through these vehicles the employees will understand how they should perform their tasks in accordance with the policies.

The preparation activities involve establishing the core and support teams.  The core team consists of the writer and the editor, the primary stakeholders, information security staff, information systems, internal audit and Policy Development groups.  It is also advisable to include the Legal Department as many policies can be affected by, or affect compliance with, legislation.

The Support Team includes representatives from each of the various business units.  Their responsibilities are to review and critique the documentation.  The involvement of the business units is important to ensure that the needs of the business unit are addressed in the policy.  The support team is also charged with the responsibility of keeping their individual business units apprised of the progress.

Chapter 4 -  Developing Policies
Policy is the cornerstone to the development of effective information security architecture.  The policy statement, which defines what the policy is, is often considered the most effective part of the policy.  The goal of an information security policy is to maintain the integrity, confidentiality and availability of information resources.

The basic threats that can prevent an organization from reaching this goal include theft, modification, destruction or disclosure, whether deliberate or accidental.

The term policy means different things to different people.  The author proposes that the term policy is a statement of enterprise beliefs, goals and objectives, and the general means for their attainment in a specified subject area.

A policy should be brief, and set at a high level.  Because policies are written at a high level, supporting documentation must be developed to establish how employees will implement that policy.  Standards are mandatory activities, actions, rules or regulations that must be done in order for the policy to be effective.

Guidelines are more general statements that provide a framework in which procedures are based.  While standards are mandatory, guidelines are recommendations.  For example we could create a policy that states multi-factor authentication must be used, and in what situations.  The standard defines that the acceptable multi-factor authentication tools include Entrust and SecurID.

Procedures spell out the specifics of how the approved standards are to be implemented.

The author finishes the chapter with a review of some policies and a critique of them highlighting the strengths and development areas of each policy.

Remember that policies should
· Be easy to understand;
· Be applicable;
· Be doable;
· Be enforceable;
· Be phased in;
· Be proactive;
· Avoid absolutes;
· And meet business objectives.
The author also discusses three major policy types:
· Program policy, which is used to create an organization's overall security vision;
· Topic specific policies that are used to address specific topics of concern.  There will normally be a topic specific policy for each section of the program policy;
· Application specific policies that are used to protect specific applications or systems.
The policy itself should contain the following elements:
· What - the intent of the policy;
· Who - what are the employees' responsibilities and obligations and any specific requirements that must be carried out by a job function;
· Where - what is the scope of the policy;
· How - what are the compliance factors, and how compliance will be measured;
· When - when does the policy take effect;
· Why - why is it necessary to implement this policy.

Chapter 5 -  Information Classification
In this chapter the author presents the requirements around establishing an information classification system for the organization.  Information is an asset and a property of the organization.  All employees are expected and required to protect information from unauthorized access, modification, disclosure, or destruction.  However, before employees can be expected to protect their information, they must understand the importance, or value, of the information that they have.

The information classification and methodology will provide them with the information, guidelines and support they need.  There are four essential aspects to information classification:
· Classification from a legal standpoint;
· Responsibility for care and control;
· Integrity of the information;
· Criticality of the information and the systems processing it.
We classify information in order to determine the protection measures that should be applied to those resources.  Because those resources are limited, it necessarily follows that once the information is classified, it will be easier to determine what resources should be applied to protect it.  For example, the company's strategic plan is probably the most vital piece of information on the network.  This means that the company should apply more resources to protect this information than to protect the employee list.

The old concept in computer security is that everything is closed until it is opened.  However, the author identifies that in his experience, almost 90% of the information in a typical company must be accessible to the employees or to the public.  In fact, the author suggests that 10% of the information in the company is public, 80% internal use only, and 10% considered to be highly confidential.

The essential point with information classification is that not all information has the same value.  Therefore it is necessary to develop at least a high level attempt at information classification.

Information classification is not generally a security problem.  It is, however, a business decision process.  As a result, security professionals and computer technicians should be as removed as possible from the information classification process.  This is necessary in order to develop an information classification system that satisfies the business side of the enterprise.

In a recent pair of surveys, Deloitte & Touche and Ernst & Young interviewed Fortune 500 managers to rank the importance to them of information availability, confidentiality, availability and integrity.  The managers interviewed felt that the information had to be available when they needed to have access to it.  Implementing access control packages that rendered access difficult or overly restrictive is a detriment to the business process.

The author suggests that a team of individuals should undertake the establishment of an information classification process.  This is the same team format that was discussed in earlier chapters.  The support team should consist of members from each of the major user groups or departments.  The core group is actually responsible for the development of the policy.  The policy is written after interviewing the user departments and determining their needs.

The first cut of the development process is to examine information from two perspectives:
· Sensitivity - that is the need for confidentiality, integrity and controlled usage;
· Availability - ensuring that the information is available when needed.
In order to have a good picture of the classification types that may be required, it is necessary to interview as many of the individual users as possible within the organization.  Furthermore, information examples should be solicited from the various groups including Human Resources, Financial, Engineering, budget, Legal, Information Systems and Administrative records.  In this way, we can be assured that the information classifications that are being developed are appropriate to the business.  What is important to note is that the team should resist the desire to add categories.  We should also resist the temptation to classify everything the same.  To simplify the classification the author suggests that some organizations have flirted with classifying everything as confidential.  The problem with this concept is that confidential information generally requires special handling.  This would violate the concept of applying controls only where they are needed, and would require the organization to waste limited resources to protect assets that do not require that level of control.

The question is: what constitutes confidential information?  Confidential information is generally defined as information which if disclosed could violate the privacy of individuals, reduce the company's competitive advantage or cause damage to the organization.

Trade secret information is defined in the EEA of 1996 to include all forms and types of financial, scientific, business, technical, economic or engineering information regardless of how it is stored or memorialized.  However, the EEA is a two edged sword.  While it is illegal for someone to steal the information, the owner of the information must take the appropriate measures to protect it while it is under their care.

There are other information classification types that have been available over the years including copyright, patents and trademarks.  The author discusses each of these classification types in detail in the chapter.  From here, the author examines several information classification policies and critiques them based upon the information that has been presented in the text thus far.

The important thing to remember with classification of information is that information normally declines in sensitivity with the passage of time.  As a result information should be reviewed periodically and downgraded as appropriate.  If the information knows the date that the classification is to be downgraded, then the date is to be indicated on the information.

It is also suggested that a clear line of authority be established to control access to the information.  For example, the author suggests that there be an owner, custodian and user identified.

The owner is responsible for judging the information resource and assigning the proper classification level.  The custodian is responsible for providing the security safeguards for processing equipment, information storage and backup and recovery.  The user must use the information only for the purpose for which it was intended, and maintain the integrity, confidentiality and availability of the information that has been accessed.

Information classification drives the control requirements and allows the information to be protected to a level that is commensurate with its value to the organization.  The cost of over-protection is eliminated and exceptions are minimized.  Remember that all information regardless of how it is created, stored or handled is not created equal.  Consequently segmentation or classification of information into categories is necessary to help identify the framework for evaluating the information's relative value.  After establishing the relative value, it becomes possible to develop cost-effective controls that will preserve the information asset for the organization.

Chapter 6 -  Developing an Electronic Communications Policy
Use of electronic communications, which is primarily email, in business is spreading rapidly.  In many organizations the email system is now the place for office gossip and other conversations not related to business.  Electronic mail is a paperless form of communication regardless of the technology used to implement it.

Email allows messages to be sent from one location to another much like postal mail.  The current controversy surrounding email is regarding the privacy of communications.  Most employees regard the right to privacy as a fundamental right.  Legislation over workplace privacy issues is expected to increase as more and more employers, both public and private, engage in testing, monitoring and surveillance of employees.

The courts have ruled that the expectation of privacy requires two key elements:
· The individual exhibited an actual expectation of privacy, and
· That this expectation is one that society considers reasonable.
The author also recommends that balancing the issues around the privacy of electronic communications and email is very important.  For example, balancing the privacy rights of the employee, the need of the employer to protect systems security and manage company resources and the need for third parties to access company files.

Despite the needs of the employer, employees need to feel comfortable that they can communicate in an electronic manner without "big brother" watching them.  Many of the states in the USA and many companies are in the process of determining the volume of email that is of a non-business nature, and establishing controls to limit or restrict that activity.  However, the concern is that such a policy will restrict the use of the email system in general and then inhibit the employees from using the system to develop and express actual business documents.

However, the employer must also be concerned with protecting systems security and managing company resources.  There are a number of legitimate reasons to monitor email messages.  These include disgruntled employees who may be sending information outside of the company to future jobs or safekeeping elsewhere and communication over the Internet where messages are rarely encrypted, and may be at risk to eavesdropping.

However, using a facilitated approach to the policy development, an organization can review the impact that email usage has on confidentiality, information integrity and system availability.

The key to being successful with an electronic communications policy is to do a risk analysis.  The author recommends that the following elements be considered in the risk analysis.  These elements are:
· Sexual harassment;
· Race, age or other forms of discrimination;
· Libel and slander;
· Insider trading;
· Trade secret and competitive advantage information; and,
· The rights of third parties to get access to files.
It is worth noting that the text identifies the seven principles of email security which were developed at the Information and Privacy Commission in Ontario.  These elements are discussed briefly in the text.

Protecting email privacy through the implementation of an organization wide policy will enhance the work environment and promote effective communication throughout the organization.  While the principles that the author has identified lay out a framework for email privacy protection, the difficult decisions involving the balance between employee privacy and employer proprietary interests will need to be made based upon the needs of the organization.

Chapter 7 -  Typical Organization Policies
The author identifies that every organization must develop a basic set of policies.  These can normally be found as a document prepared by the organization and can be used by an information security professional to reinforce the message as needed.  In this chapter the author presents sample organizational policies that include the topics:
· Shared beliefs;
· Standards of conduct;
· Conflict of interest;
· Communication;
· Electronic communication systems;
· Internet security;
· Electronic communication policy;
· General security policy;
· Information protection policy; and,
· Information classification.

Chapter 8 -  Writing Procedures
Procedures are as unique as the organization.  There is generally no accepted standard for the proper way to write a procedure.  What will determine how the procedures look in the organization is either the standard that has been developed previously or an examination of what will work best for the target audience.

The author highlights the following definitions:
· Policy - A high level statement of enterprise beliefs, goals and objectives and the general means for their attainment for a specified subject area;
· Procedure - These spell out the specific steps of how the policy and the supporting standards and guidelines will actually be implemented.  They are a description of tasks that must be completed in a specific order.
· Standard - Mandatory actions, activities, rules and regulations designed to provide policies with the support structure and specific direction they require to be meaningful and effective.  They are often expensive to administer and, therefore, should be used judiciously.
· Guidelines - More general statements designed to achieve the policy's objectives by providing a framework within which to implement procedures.  Where standards are mandatory, guidelines are recommendations.
The author goes on to identify the writing commandments that relate to procedures, including organizing the material, reading and editing, finding subject experts, the language to use for the audience, and establishing a procedure checklist.

The author also identifies a few of the many styles available for writing procedures.  These include the narrative, the flow chart, and the play script.  The narrative style presents information in a paragraph format.  It is conversational and flows nicely, but it does not present the user with easy to follow steps.  The flow chart format provides the information in a pictorial format.  The play script style presents step by step instructions for the user to follow.

It is important to remember that the language of the procedure should be written at a level that the target audience will be able to understand.  The key procedure elements as discussed in the chapter are identifying the procedure needs, determining the target audience, establishing the scope of the procedure and describing the intent.

Chapter 9 -  Creating a Table of Contents
This chapter is focused more on creating a table of contents for a procedure book that would be found at an individual's desk.

Chapter 10 -  Establishing A Critique Process
As the policies and procedures are written, it is necessary to establish a critique process to review them.  The review team must include members from all parts of the organization who have a basic knowledge of the topic.  It is not desirable to use subject matter experts in the review as they will make assumptions that another person would not make.
The writing process often drives the writer into a closed environment.  As he or she becomes focused on gathering materials, reviewing documents and learning to be a subject expert, objectivity is often lost.
As discussed in previous chapters, the author recommends that there be a core group and a support group responsible for performing the document critiques.  The core group is responsible for largely writing the documents.  They will perform both the research and the writing to complete the project.  The support group is responsible for reviewing the documents.  The support team is made up of representatives from the major user groups within the organization.
This is in addition to an editor who is responsible for reviewing the documents for grammar.  The support team is not responsible for reviewing the documents for grammar, but is responsible for reviewing the policy or procedure to ensure that it meets the business requirements.
The author recommends that there be three rounds of reviews.  The initial round will be the support team's first pass at the document.  The second or updated round should include as many of the support team's recommendations as possible.  It is the core team's responsibility to review every suggestion and to implement the suggestion or meet with the group and explain why it was not implemented.
Once the suggestions have been reviewed and the document updated, the document should be sent out for another review.  With the update completed, the document is then ready for a third and final review, and the document labeled as final draft.
During the review, some key points should be remembered:
· Not every comment or suggestion must be accepted;
· If there appears to be a conflict, set up a meeting to resolve the issue;
· Whenever possible, implement the suggestion;
· There is a weighting system for comments;
· Understand the politics of the organization;
· Ensure special needs are addressed.
The final element in the review process is to establish a focus group made up of a larger audience.  The intent is to allow them to review the policy or implement the procedures and then debrief them on its effectiveness.
In summary, the critiquing process is made up of five steps:
1. Writing the document;
2. Proofreading the document;
3. Editing the document;
4. Critiquing the document, and;
5. Testing the document through the focus group.

Chapter 11 -  Selling the Policies and Procedures
The missing factor in an effective information security program is employee involvement or awareness.  Many organizations go to great lengths to develop an extensive set of controls, but still security fails.  Often this is a result of not understanding the cultural direction of the organization and its employees.
The author presents a number of "war stories" to illustrate where controls have failed in other organizations.  Three target groups are identified where the information security policies must be "sold".  These are
· Senior management - who expect a sound rational approach, and are interested in the overall costs of implementation and how the program stacks up against others in the industry;
· Line supervisors - who are focused on getting their job done.  They are not interested in anything that appears to slow down their already tight schedule.  The key with line supervisors is to stress how the new process will give the employees the tools they need to access information and systems in a timely and efficient manner, while showing them what the problem resolution is, and who to call if there are any problems.
· Employees - who are going to be skeptical about the new policy and procedures.  Employees typically operate with the view that if they do nothing, the initiative will end.  It is necessary to thoroughly identify what is expected of them and how the new policy and procedure will assist them in gaining access to the information and systems they need to complete their tasks.
The type of approach chosen is based upon whether or not the organization currently has an existing information security program in place, and how active it is.  Those organizations with no awareness program will find it necessary to convince management and the employees of the policy's importance.
In organizations with outdated existing policies and procedures the key will be convincing management and employees that it is time to implement new policies.  In summary, the author identifies a number of areas where security controls have failed as a result of outdated or non-implemented policies.  These include
· Uncontrolled or inadequately controlled access;
· Vague or inadequate responsibilities;
· Inadequate training of personnel;
· Employee exposure to unnecessary temptation;
· Protection against disgruntled employees;
· Passwords that fail to meet the challenges of the 21st century;
· Exposure of sensitive information in the trash.
(As a note, email correspondence is as private as a post card, and as such we should be encrypting every message we can.)
The typical computer criminal is a non-technical user of the system or application who has been around long enough to know what would cause an audit.
Since at least 1974, more and more discussion has focused around the use of passwords.  Most security experts agree that the day of the reusable password is over, even though it is still deemed the most cost-effective first line of defense.  Employees must be continually reminded about the necessity of choosing good passwords, as password abuse has been the number one problem in computer security.
Resolving this problem can be addressed through five steps:
1. Obtain senior management approval and support;
2. Establish enterprise wide policies;
3. Implement an enterprise wide awareness program;
4. Monitor compliance;
5. Make compliance an appraisal item.
However, the author suggests that implementing controls simply to be in compliance and resolve an audit point is no reason on its own to implement anything.

Chapter 12 -  References
This chapter contains a list of references where the reader can go for more information.

Part 2 - Reference Guide
The second part of the book is intended to provide the information security practitioner with the tools to support the development and implementation of a security program tailored to the organization's unique needs.  The information contained in these chapters is intended for, and suitable for, the general user community.  The information contained in chapters 13 to 21 has been included on a CD-ROM for easy inclusion into existing policies.

Chapter 21 -  Baseline Organization Information Security Program
In this chapter, the author ties all of the previous material into one place.  The chapter covers the development of the program through to its implementation.  This includes assessing the information environment, risks, and designing the program elements.  This chapter presents the concept of the organization information security coordinator, the group information security coordinator and the area information security coordinator.  The group and area information security coordinators are positions intended to support the organization information security coordinator.
The organization information security officer is responsible for overseeing the development and implementation of the overall information security program.  The group information security coordinator is responsible for the delivery of the program within one or more major divisions of the organization.
The author recommends that the information security coordinator have the following qualifications:
· An employee of the company who has a broad familiarity with the organizational group which allows them to understand the information security needs and concerns;
· Have easy access to all levels of management within the organization or group;
· Familiar with information technology; and,
· Good presentation and speaking skills.
The information security coordinator's responsibilities include conducting training and awareness sessions for the employees in the company to ensure they are aware of their responsibilities as defined in the policy.  They also must continue to evaluate and evolve the directions of the security program to satisfy the organization's ever changing needs.
"The secret to enforcement is prevention; the secret to prevention is education"
		R. Wallace Hale
With the development and implementation phases completed, the program enters the maintenance phase.  It is at this point that continual evaluations of the program are required to ensure that changing business needs are addressed.
---------------------------------------------
From: "Chris Hare" <chare@nortelnetworks.com>
Subject: Cyberlaw Canada
Date: Mon, 8 Mar 1999 10:44:33 -0500

And another

Review: 
Cyber Law Canada
Jeffrey M. Schelling
Reviewed by Chris Hare
February 1999
Book Information
Cyber Law Canada
Published by Self Counsel Press
Published in 1998
ISBN 1-55180-125-6
177 p.

Overview
Despite the number of pages, this is a very easy read.  It is written at a level that most people can understand, and provides some good examples that we can all relate to.  The book provides a "business" view of computer law issues.  This is not a technical book, and that is reflected in the sometimes misleading, or not quite correct, discussions on the technical issues.
Aside from that, the book presents the major legal issues that can affect computer users, consultants and professionals in an interesting way.  Overall, while there is not much law that is specifically targeted at computers and computer crime, there is a significant amount of existing law that is being used to protect society.
The author discusses those aspects of law, and to some degree what issues and legal decisions in other countries are likely to affect the evolution of computer law in Canada.

Chapter 1 - Online Liability
In this chapter, the author addresses the difference between tort and criminal law.  A tort is a wrongful act or omission.  Tort law is one of the largest and most diverse areas of law.  Criminal law involves offences where the suspect must be charged and convicted by the government under the Criminal Code.
In Canada, tort law is based upon common law, which is based upon the judgements of previous cases.
There are issues that can affect computer professionals in the performance of their duties.  For example, the software developer that designs a program which in time is used by a customer who experiences problems and possibly lost data, may be held responsible under tort law in an area known as negligence.  Negligence involves the process of taking reasonable care to avoid harm to those who may be foreseeably affected by your actions.  In the case of the computer programmer, sufficient design and testing should have revealed the problem.  If the user can demonstrate that the programmer did not exercise care in the development of the software, the programmer may be held liable for the customer's loss.
The author discusses the various methods of preventing negligence and what remedies are available should you be a victim of a negligent act.
The chapter also presents the topics of libel and slander.  A defamatory statement is one which causes a member of the community to think less of another person.  Libel is defamation in writing.
Slander is the defamation of a person by saying something verbally.
The issue with defamatory statements is that they negatively impact the person's reputation, and from a technology point of view can occur in "flames" within a newsgroup, chat room, or in email.

Chapter 2 - An Internet Security Primer
In this weak chapter, the author discusses the main elements of internet security.  For most of us, this will be a very light chapter, and it only covers the very highest points.  The author briefly discusses what a firewall is, why encryption is needed and some types of encryption, and why security is important in Cyberspace.  He makes a good attempt at presenting public versus private key encryption, but so little information is provided that the explanation is not very clear.

Chapter 3 - Buying and Selling Goods Online
The focus of this chapter is issues with doing business on the Internet.
The author again takes a look at the importance of encryption and discusses
issues with using your credit card on the Internet and digital cash.  His
discussion of digital cash also provides some brief comments on the common
digital cash providers on the Internet.   
He ends his discussion of digital cash with a presentation about the Mondex
smart card system developed in England.  (This smart card based system was
placed into a trial at the Brampton office when it opened.)
It is recommended in this text that doing business on the Internet should involve the use of liability and access agreements to define what the customer's and vendor's responsibilities are, and how issues are resolved.
The differences between Internet purchasing and Electronic Data Interchange
are discussed, and the author does a good job here.  The major differences
are that EDI requires that a trading agreement be established between the
organizations that are doing EDI business, and are well established.
The chapter finishes up by discussing advertising on the internet, and while
many web sites advertise in different ways and that is tolerated, the
distribution of unsolicited email, or spam, is not.  

Chapter 4 - Electronic Contracts
With the movement towards doing business online, the question that comes up is what about contracts?  Oral and written contracts involving a description of service, and agreement between the parties involved, are entered into every day.  Written contracts involve the use of a signature.
A contract may also be implied based upon the conduct of the parties involved, even if agreement on the tasks to be completed is not specifically identified.  In cyberspace then, how are contracts handled?
Before describing this, let's first discuss the essential elements of a contract, which are offer, acceptance and consideration.  An offer is made by one party and agreed to by the other.  Consideration is how the accepting party will compensate the offering party once the work has been completed.
The author goes on to explain that an electronic contract can be offered and accepted in a variety of ways - through email, a web site or other ways, including an offer by email and acceptance through fax or paper mail.
This then begs the question of whether an online contract is considered equal with a written or verbal contract.  Under the Statute of Frauds, some contracts must be in writing.  Those are generally the contracts that are deemed to be so important, or to have such a high value, that even though an agreement may be reached electronically, they must be documented and proper signatures and seals affixed.  Examples of such contracts include land or property sales, or contracts which are for a period greater than one year.
Other possibilities discussed include the use of a digital signature, or a digital watermark.  A digital watermark is a "watermark" that is embedded into the document, such as a picture, a piece of music or a document.
The author moves on to complete the chapter with a discussion of the elements of a contract in general, and an electronic contract specifically, while providing an example.

Chapter 5 - Who Owns What in Cyberspace
This chapter discusses the issues of copyright, trademarks and patents.
Trademarks are used to protect something that is used by an organization and
is associated with them such as a product brand name.  A Patent is
applicable to an invention.
The issue of copyright is discussed at length including how to get one, what
is and is not protected by copyright, and the problems associated with
including copyright works on your web site.  
There are some wide ranging rights in this area, and care should be taken
when you want to use something from another web site, or even link to it.
American case law has reached judgements that restrict the use of links to
other web sites without permission, due to the appearance that it can
indicate of a relationship between two organizations.
The author also discusses the issues around software piracy and impact of
copyright legislation on piracy, and the sanctions that can be imposed upon
an individual or organization.  

Chapter 6 - Trademarks and Domain Names
A trademark is a set of words or symbols that are used to distinguish the
goods and services of one person from those of another.  For example,
Nintendo, Compaq and IBM are all trademarks. This chapter briefly discusses
the issues around trademarks and their registration.  It also addresses the
issues of domain names and their relationship to trademarks.  Finally, the
author discusses how to apply for a domain name, and what to do should
someone else be using your trademark as their domain name.

Chapter 7 - Protecting Trade Secrets Online
A trade secret is defined as that information which is confidential and has economic value.  Each of us in our day to day interactions frequently discusses trade secret information with others.  This confidential information exchange is best protected by a non-disclosure agreement, much like the one we signed when we started our employment.
The author takes a brief look at the issue of trade secret security, and
infers, maybe even almost states, that a trade secret is no longer a trade
secret should the owner of the information not employ due care in protecting
that information.
He closes the chapter with a discussion of confidentiality and
non-disclosure agreements with a sample agreement.

Chapter 8 - Privacy Rights
The issue of privacy has taken on a new meaning with the emphasis on getting
information into electronic storage.  There are many laws that regulate
privacy and they are being put to the test in today's society.  Essentially,
there are three privacy rights that are recognized under the law:
· Privacy of identity - people have the right to be who they are.  (Sounds funny, but is true.)  As a result, misappropriation of someone's identity is a violation of their privacy of identity.
· Privacy of data - people expect the information about them is protected.  That is to say that all of us expect that the institutions we deal with will protect the information they have available about us.
· Privacy of communications - that the communications in which we are involved, including online communications, are private and should not be disclosed without the sender's or receiver's permission.
The author makes specific mention of the Ontario Privacy Commission's work in this area.
The author discusses the issue of the privacy of email.  He notes that while many people believe that email is private, it is not unless it is encrypted.
Employees believe that their e-mail at work is private.  However, this may
or may not be the case depending upon the organization's view.  Many
organizations state in an electronic communications policy that email is a
service provided to employees as a tool in their job responsibilities, and
as such may monitor these communications at any time.
The chapter finishes up with a discussion of what things should be included
in a corporate e-mail policy.

Chapter 9 - Computer Crime
The author discusses the law as it relates to computer crime in this
chapter.  While there have been a number of amendments to the Criminal Code
in the last few years, it is important to remember the rest of the Criminal
Code also applies.  That means that if a computer is used to commit the
crime, while it may be defined as computer crime, other laws may be used to
seek a conviction.  
The Criminal Code makes the following actions criminal acts:
· Unauthorized alteration, destruction, or interference with the use of
data;
· Unauthorized access to or use of a computer system;
· Unauthorized interception of computer communications; and,
· Telecommunications fraud.
The major areas that the author discusses in the text relate to obscenity,
pornography and hate propaganda.  

Chapter 10 - Legal Research on the Internet
The author finishes up with a chapter describing the legal resources that
are available on the internet, and they are extensive.  He includes a
description of them along with the owner if they are a prominent lawyer, and
the web address.
---------------------------------------------
