Chapter 6: Security & Compliance Management
This chapter outlines the key aspects of security and compliance management, including risk management, compliance procedures, and information security strategies related to e-commerce. It also includes a discussion of relevant legal aspects in Germany and the European Union.
Learning objectives

In this chapter you will learn:
- what the basic elements of risk management are,
- what we understand by compliance management,
- what the basic elements of information security management are,
- what technology can do to make e-commerce secure,
- what the most important legal aspects of e-commerce are.

6.1 Foundations of risk management

6.1.1 Threats to ICT systems

ICT systems and the information stored in them can be attacked by malware (software viruses), hackers or espionage. People (own employees as well as external people) can damage our ICT systems and destroy or alter the information stored in them. The BSI (the German Federal Office for Information Security) has published a comprehensive catalogue of threats to ICT.

6.1.3 Definition of risk

A risk is the extent of loss that may occur if a threat materializes.

6.1.4 Measurement of risks

Single risk: the standard approach (Ackermann 2013, p. 14) is to express the risk value as the product of the probability of occurrence and the expected amount of loss. The amount of loss is, however, itself a random variable, so it is more correct to define the risk value as the expectation value of the random variable "amount of loss" under its probability distribution. The simple product only coincides with this expectation when the loss, given that the threat occurs, is a single fixed amount; with a spread of possible losses (a frequent small loss and a rare very large one) the product based on the "typical" loss understates the risk.

Risk portfolio: a very naive approach to valuing the total risk volume of a management object (e.g. a whole organization, a portfolio of specific objects, or a specific e-commerce system) is to count the identified risks. Many people consider such an approach too simple, but it is much better to work with such a simple list and discuss the risk situation than to ignore the risks.
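The following is an added worked example (not part of the chapter) of the two risk measures discussed in 6.1.4: the naive "probability times typical loss" product versus the expectation of the loss distribution, plus the portfolio aggregation. The risk register is constructed sample data, not figures from the source; the class and function names are this example's own.

```python
"""Risk measurement as in 6.1.4: naive product versus expected loss.

Added illustration.  The register below is constructed sample data.
Each risk carries a probability of occurrence and a discrete
distribution of the loss *given* that the threat occurs.
"""
from __future__ import annotations

import math
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Risk:
    name: str
    p_occurrence: float                  # probability that the threat materializes
    loss_given_occurrence: Dict[float, float]  # {loss amount: conditional probability}

    def __post_init__(self) -> None:
        # A conditional distribution must sum to 1; catch typos in the register early.
        total = sum(self.loss_given_occurrence.values())
        if not math.isclose(total, 1.0):
            raise ValueError(f"{self.name}: conditional probabilities sum to {total}")

    def typical_loss(self) -> float:
        """The single 'amount of loss' figure a naive analyst would use:
        the most likely loss scenario."""
        return max(self.loss_given_occurrence, key=self.loss_given_occurrence.get)

    def naive_value(self) -> float:
        """Probability of occurrence x one typical loss amount."""
        return self.p_occurrence * self.typical_loss()

    def expected_loss(self) -> float:
        """Expectation of the random variable 'amount of loss'
        (the loss is 0 whenever the threat does not occur)."""
        conditional = sum(loss * p for loss, p in self.loss_given_occurrence.items())
        return self.p_occurrence * conditional


def portfolio_count(risks: List[Risk]) -> int:
    """The naive portfolio measure from the text: number of identified risks."""
    return len(risks)


def portfolio_expected_loss(risks: List[Risk]) -> float:
    """Expected total loss: expectation is additive over the risks."""
    return sum(r.expected_loss() for r in risks)


def rank_by_naive_value(risks: List[Risk]) -> List[str]:
    return [r.name for r in sorted(risks, key=Risk.naive_value, reverse=True)]


def rank_by_expected_loss(risks: List[Risk]) -> List[str]:
    return [r.name for r in sorted(risks, key=Risk.expected_loss, reverse=True)]


# Constructed sample register for a small web shop (amounts in EUR).
SHOP_RISKS = [
    Risk("DDoS on web shop", 0.30, {5_000: 0.8, 50_000: 0.2}),
    Risk("Payment data breach", 0.02, {20_000: 0.6, 2_000_000: 0.4}),
    Risk("Ransomware on ERP", 0.05, {100_000: 0.9, 1_000_000: 0.1}),
]

if __name__ == "__main__":
    for r in SHOP_RISKS:
        print(f"{r.name:22s} naive={r.naive_value():>10,.0f} expected={r.expected_loss():>10,.0f}")
    print("count:", portfolio_count(SHOP_RISKS))
    print("expected total loss:", f"{portfolio_expected_loss(SHOP_RISKS):,.0f}")
    print("ranking (naive):   ", rank_by_naive_value(SHOP_RISKS))
    print("ranking (expected):", rank_by_expected_loss(SHOP_RISKS))
```

The data breach is the smallest risk under the naive product (its most likely loss is modest) but the largest under the expectation, because the rare 2,000,000 scenario dominates. The risk count alone (three) says nothing about this ordering, which is why it is only a starting point for the discussion.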
6.1.6 Basic risk management strategies

- Avoidance of threats: you are able to eliminate the threat to your management object completely. Normally you will not be able to avoid a threat completely.
- Reduction of threats: you lower the risk resulting from the threat. In most cases you will be able to reduce the potential amount of loss; whether you can also change the probability of occurrence can only be answered when the specific situation is known.

6.1.7 Basic risk management tasks

Obviously it is not sufficient to know the risks; management has to work on them actively. This does not only include applying the strategies listed above: management also has to be prepared for the situation when a risk materializes. This leads to the following elementary tasks:
- avoid, reduce or accept threats,
- transfer risks, if this is the best strategy,
- know what must be done when a risk materializes.

6.1.8 Business continuity management

The main processes are:
- prepare for the emergency situation (provide documentation, train people, run emergency exercises),
- initiate and build up the emergency organization (alert management, disaster management team),
- run the emergency organization and processes (if a disaster occurs),
- re-install the regular organization and processes,
- return to the regular organization and processes,
- stop and dismantle the emergency organization and processes.

6.2 Compliance management

We start with the definition of compliance: in general, compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that organizations aspire to achieve in their efforts to ensure that they are aware of, and take steps to comply with, the relevant laws and regulations.
6.2.2 Integration into GRC management

Governance is the combination of processes established and executed by the board of directors that are reflected in the organization's structure and in how it is managed and led towards achieving given objectives. Risk management is predicting and managing risks that could hinder the organization from achieving its objectives. Compliance is adherence to the company's policies and procedures and to laws and regulations. Strong and efficient governance is considered a key factor in an organization's success.

6.3 Information security management (ISM)

Let us start with the definition of security: security is a state in which a person, a resource or a process is protected against a threat or its negative consequences. Information security means the security of our information assets.

6.3.1 Protection goals

With respect to information there are several common protection goals:
- Authenticity: genuineness/credibility of an object or subject, which is verifiable.
- Integrity: data cannot be manipulated unnoticed and without proper authorization.
- Confidentiality: information cannot be retrieved without proper authorization.
- Availability: authenticated and authorized subjects are not restricted in their rights without proper authorization.
- Obligation (non-repudiation): a transaction is binding if the executing subject cannot disclaim the transaction afterwards.
- Authorization: the power and right to conduct an activity.

6.3.2 Objectives of ISM

- Fulfil organizational duties: give precise, binding and complete instructions to your people; select people carefully with respect to duties and responsibilities; check what your people do in daily operation; inform your people about the laws, rules and instructions they have to follow.
- Build an efficient and transparent organization.
- Build professional security, continuity and risk management.
- Increase efficiency with general and unified rules and methods.
- Reduce time consumption and costs by integrating security and security audits into business processes.
- Run a continual improvement process to minimize risks and maximize economic efficiency.

6.3.3 The ISM process

The information security management process has four major steps:
1. Initialize:
   - understand the information security requirements,
   - build an information security policy to define the overall security objectives,
   - establish an information security representative and organization.
2. Analyse and develop the information security strategy:
   - determine protection needs,
   - analyse threats,
   - analyse risks,
   - deduce information security requirements.
3. Plan and implement:
   - define what has to be regulated,
   - define how it should be regulated (comprehensively or in detail),
   - prepare information security concepts,
   - define policies and guidelines,
   - prepare the implementation projects,
   - run initial trainings.
4. Operation and monitoring:
   - administer activities and manage documentation,
   - run trainings and increase security awareness,
   - identify key performance indicators,
   - conduct audits/assessments.

6.3.4 ISM actions

Organization: establish access profiles; provide and file task descriptions for IT administrators and information security representatives; administer keys; run evacuation and emergency exercises.

Technique:
- IT security: implement and operate firewalls, virus scanners, spam filters and encryption software.
- Facility management: install access control systems, door locks, fire detection systems, burglar alarm systems, emergency power generators and uninterruptible power supplies (UPS).
- Safety of buildings: install fences and surveillance cameras.

People: conduct professional recruiting that includes security aspects; place employees properly (duties of employees); ensure careful adjustment to the job; establish continuous supervision (raising awareness, training); conduct a professional separation of employees.
6.4.1 Data encryption

Steganography

The objective is to hide the existence of a message. Specific applications of this technology are the covert transfer of messages and digital watermarking. Examples of steganographic methods are special terms and phrases in text documents, invisible ink, or hiding information in image files by setting individual pixels (typically their least significant bits).

Symmetric encryption

The communication protocol runs as follows: A and B agree on a common secret key. A encrypts the message with the key and sends it to B. B receives the message and decrypts it by applying the same key. The shared key has to be exchanged over a channel an attacker cannot read; this key distribution problem is what asymmetric encryption addresses.

Asymmetric encryption

The communication protocol runs as follows: A and B each generate a pair of keys consisting of a public key and a private key. Both public keys are published and accessible to any third party. If A now wants to send a message to B, A encrypts the message with B's public key and sends it to B. B receives the message from A and decrypts it with his private key; nobody without that private key can read it.

Hash function

Hash functions are considered one step towards an electronic signature. Using specific algorithms, a hash function generates a document-specific hash value, i.e. a large number assigned to the actual document. If the document is modified later on, it gets a different hash value. For this to be useful the function must be one-way and collision-resistant: it must be infeasible to find a second document with the same hash value.

Electronic signature

There are some requirements for an electronic signature, which of course have their origin in traditional signatures. First, it has to prove the identity of the signer beyond doubt. The signature shall be applied once only and be valid only in connection with the original document. The signed document must not be changed afterwards; any change must be visible. The signature must not be rejected, and the signer must not be able to deny having signed the document. Technically, the signer hashes the document and transforms the hash with his private key; anyone holding the signer's public key can recompute the hash and check that it matches, which is how a later change becomes visible.
The German Signature Act differentiated between three levels of electronic signatures (the Act has since been replaced by the EU eIDAS Regulation and the German Trust Services Act, which keep the same three levels):
- Basic electronic signature: the signature is attached to the document and used to authenticate it. The provider of the signature is not liable for the correctness and completeness of the certificate data; an injured party has to prove the damage.
- Advanced electronic signature: this signature is uniquely assigned to the owner of the signature key and facilitates identifying the key owner. It is generated by means that are under the sole control of the key owner, and it must be tied to the document in such a way that a later change of the document is recognized.
- Qualified electronic signature: this signature is based on a qualified certificate that is valid at the time the signature is generated, and it is created with a so-called secure signature creation device. The certificate assigns a signature verification key to a specific person and confirms his/her identity.

Public key infrastructure (PKI)

A PKI is built and operated for the secure generation, distribution, certification, storage/archiving and deletion of (encryption) keys. Elements of a PKI are:
- CA (Certification Authority): issues and revokes certificates,
- RA (Registration Authority): links key and person, i.e. verifies the identity of the applicant before a certificate is issued,
- CPS (Certification Practice Statement): rules for issuing and managing certificates,
- CRL (Certificate Revocation List): list of revoked certificates, which a verifier has to consult before trusting a certificate that is otherwise still within its validity period,
- directory of issued certificates.

Smart cards

A smart card, chip card or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits, usually made of plastic. The application focus is proof of identity. Smart cards can provide identification, authentication, data storage and application processing, and they may provide strong authentication for single sign-on (SSO) within large organizations. For signature cards the private key is generated on the chip and never leaves it; the card performs the signing operation itself, which is what qualifies it as a secure signature creation device.
6.5 Legal aspects of e-commerce

The following considerations are made against the background of the situation in Germany and the European Union. Many questions will be the same or similar in other legal environments; however, some issues may be treated differently elsewhere.

6.5.1 Relevant laws in Germany

Several laws are relevant for e-commerce:
- Telecommunications Act (Telekommunikationsgesetz, TKG),
- Telemedia Act (Telemediengesetz, TMG),
- data privacy laws (on federal and state level),
- signature law (with a Signature Act, a signature policy and a signature ordinance),
- administrative procedure laws (e.g. Notification Reform Act, Formal Requirements Adjustment Act, Justice Communications Act),
- antitrust and public procurement laws (with contracting rules and the Act against Restraints of Competition).
Some of these have since been superseded: the Signature Act by the EU eIDAS Regulation and the German Trust Services Act, and the data privacy laws are now framed by the GDPR.

6.5.6 Rights of employees in Germany

The employer is the owner of its web and mail systems. An employee is not allowed to use them for private purposes unless the organization has explicitly permitted it. If private use is permitted, the employer is treated as a telecommunications service provider and is no longer allowed to inspect mails, because the secrecy of correspondence, posts and telecommunications prevails over the employer's right to check the activities of its employees. Therefore an explicit prohibition of private use of any system of the organization is strongly recommended.