Information Security Management
Latest Publications


Total documents: 12 (five years: 0)

H-index: 3 (five years: 0)

Published By IGI Global

9781878289780, 9781930708860

Author(s): Gurpreet Dhillon

This chapter sketches out three classes of principles. Following a brief description of the class, each principle is elaborated and suggestions made thereof as to its applicability. The three classes of principles are: Principles for managing the pragmatic aspects of an organization; Principles for managing the formal rule-based aspects of an organization; Principles for managing the technical systems


Author(s): Keng Siau, Kent Whitacre

The Internet is one of the miracles happening in this century. Starting from a project known to a few hundred people, the Internet is now a global network and the hottest hype in the world. Its growth, however, has been slowed by the concern over Internet security. Internet security has been blamed as the stumbling block preventing the widespread acceptance of electronic business. Is Internet security really a problem? If so, what are the technologies available to alleviate this problem? How should management evaluate the existing technologies? This chapter looks at the issues surrounding e-business security. The chapter first discusses Internet security and then proposes a framework to help management evaluate existing security technologies.


Author(s): Matthew Warren, William Hutchinson

During the last ten years there has been a growth of Information Systems and related Internet technology. In recent years the Internet has grown from a solely military/academic network to one that can be used by business or individuals. In the years since the first World Wide Web (WWW) applications were developed, there has been an explosion in the global use of the Internet. With this growth has come an increasing usage of the medium by criminal and terrorist groups. This chapter will explain why and how cyber-terrorists attack these services. The aims of the chapter are to: describe the background of cyber-terrorism; describe what cyber-terrorism is; describe the vulnerabilities of electronic commerce to cyber-terrorism; discuss the future of electronic commerce and cyber-terrorism.


Author(s): Andrew Storey, J. Barrie Thompson, Albert Bokma

The following sections of this chapter report current and future aspects of EC related to the concept of trust. In the next section we review the current climate surrounding electronic business. In particular we consider: customer relationship management, risks related to business on the Internet, the factors that are driving electronic business and issues related to infrastructure and security. We also consider issues related to cyber crime such as the threat from hackers, Web fraud, and the perils of neglecting threats of internal attack. Then in the third section we concentrate on the technological developments in EC related to security and consider in detail two particular aspects: the authentication of transactions and mechanisms which support electronic payments. Following this in the fourth section we look to the future and provide our recommendations with regard to Trusted EC. Here we look at three areas: the role of computer ethics, management issues and a future model for EC. In the last section we present our overall conclusions.


Author(s): Michael E. Whitman, Anthony M. Townsend, Robert J. Aalberts

As the pervasiveness of networks creates a more open set of information systems for the mobile and diverse needs of the organization, increased attention must be paid to the corresponding increase in exposure of those systems to attacks from internal and external sources. The first step to preparing the organization against these threats is the development of a systems security policy which provides instruction for the development and implementation of a security posture, as well as provides guidelines for the acceptable and expected uses of the systems. This chapter provides background support for the need for information security policy, and outlines a sample structure that may be used to develop such a policy.


Author(s): Peter Goldschmidt

This chapter discusses generic concepts of compliance monitoring for anomaly detection systems [CMAD] in terms of the functionality of CMAD systems, the agents involved, the classes of CMAD environments, the problem solving and decision-making requirements. CMAD applied to the capital market (cm) is discussed as an example of compliance monitoring in highly complex environments. This includes a review of current literature, the problems reported and proposed solutions. Finally we introduce an additional dimension to the CMAD problem-solution construct and list potential applications.


Author(s): Mikko T. Siponen

Recently, several Information Systems Security (ISS) development approaches that support modeling have been presented. This chapter analyzes and compares the recent approaches for the development of secure ISs. The comparison and analysis will be carried out from the viewpoints of a conceptual meta-model for IS; research methods used; the organizational roles of IS security; the objectives of the research; selected philosophical foundations (underlying epistemology, philosophy of science) and applicability. The contribution of the chapter can be divided into descriptive (assumptions that researchers should be aware of) and prescriptive implications (the direction of future research).


Author(s): Athanasia Pouloudi

Prescription fraud constitutes an important drain of health service resources, but one that is difficult to detect and therefore to prevent or rectify. It is expected that the use of information technology in the prescribing process could enhance fraud prevention and detection. For example, electronic prescribing or networking between prescribing stakeholders could facilitate audit. However, the implementation of several computerized solutions in the British National Health Service (NHS) has been problematic. Computerized support for prescribing and fraud prevention is likely to face similar challenges unless the implementation of a technical solution is considered with due attention to the organizational and social context. This chapter presents the problem of prescription fraud in Britain and some of the technological alternatives available for dealing with the problem. The main focus of the chapter, however, is to consider such technological ‘solutions’ in their broader context and examine how technology may limit or may be limited by organizational and social factors, such as the interests and political considerations of the various stakeholders of the prescribing process. In this respect, the chapter provides a useful analysis within which other information systems security issues can be considered.


Author(s): Gurpreet Dhillon

In the past decade two developments have brought information security management issues to the fore. First has been the increased dependence of organizations on information and communication technologies, not only for key operational purposes but also for gaining strategic advantage. Second, abetted by information and communication technologies, the whole business model for many organizations has been transformed. Whereas in the past companies could rely on confining themselves to a particular geographical area to conduct their business, today companies are increasingly becoming location independent and are finding themselves to be strategically disadvantaged if they are confined to a particular place. The consequence of advances in information technologies and the changing boundaries of the firm have brought the importance of data and information to the fore. This is because it is information that helps companies realize their objectives and helps managers to take adequate decisions. In the business model of the past, data and information to a large extent was confined to a particular location and it was relatively easy to protect it from falling into the hands of those who should not have it (i.e. maintain confidentiality). Because information was usually processed in a central location, it was also possible to ensure, with a relative degree of certainty, that its content and form did not change (i.e. maintain integrity) and ensure that it was readily accessible to authorized personnel (i.e. maintain availability). In fact maintaining confidentiality, integrity and availability were the main tenets for managing security. Today because the nature of the organization and scope of information processing has evolved, managing information security is not just restricted to maintaining confidentiality, integrity and availability.


Author(s): Frederic Adam, Joseph A. Haslam

In order to determine the extent to which IS managers and other managers are treating disaster recovery planning as a serious issue, an empirical study was carried out which aimed at determining whether Irish managers were aware of the threats facing their organizations and at measuring the extent of planning that they undertake as a result. The study found that, although well aware of the potential disasters, Irish managers are often complacent with IT matters.

