INFORMATION SECURITY MANAGEMENT & SMALL SYSTEMS SECURITY

Transcription

1 INFORMATION SECURITY MANAGEMENT & SMALL SYSTEMS SECURITY

2 IFIP - The International Federation for Information Processing IFIP was founded in 1960 under the auspices of UNESCO, following the First World Computer Congress held in Paris the previous year. An umbrella organization for societies working in information processing, IFIP's aim is two-fold: to support information processing within its member countries and to encourage technology transfer to developing nations. As its mission statement clearly states, IFIP's mission is to be the leading, truly international, apolitica! organization which encourages and assists in the development, exploitation and application of information technology for the benefit of ali people. IFIP is a non-profitrnaking organization, run almost solely by 2500 volunteers. It operates through a number oftechnical committees, which organize events and publications. IFIP's events range from an international congress to local seminars, but the most important are: The IFIP W o rid Computer Congress, held every second year; open conferences; working conferences. The flagship event is the IFIP World Computer Congress, at which both invited and contributed papers are presented. Contributed papers are rigorously refereed and the rejection rate is high. As with the Congress, participation in the open conferences is open to ali and papers may be invited or submitted. Again, submitted papers are stringently refereed. The working conferences are structured differently. They are usually run by a working group and attendance is small and by invitation only. Their purpose is to create an atrnosphere conducive to innovation and development. Refereeing is less rigorous and papers are subjected to extensive group discussion. Publications arising from IFIP events vary. The papers presented at the IFIP World Computer Congress and at open conferences are published as conference proceedings, while the results of the working conferences are often published as collections of selected and edited papers. Any national society whose primary activity is in information may apply to become a full member ofifip, although full membership is restricted to one society per country. Full members are entitled to vote at the annual General Assembly, National societies preferring a less committed involvement may apply for associate or corresponding membership. Associate members enjoy the same benefits as full members, but without voting rights. Corresponding members are not represented in IFIP bodies. Affiliated membership is open to non-national societies, and individual and honorary membership schemes are also offered.

3 INFORMATION SECURITY MANAGEMENT & SMALL SYSTEMS SECURITY IF/PTC11 WG11.1/WG11.2 Seventh Annual Working Conference on lnformation Security Management & Sma/1 Systems Security September 30-0ctober 1, 1999, Amsterdam, The Nether/ands Edited by Jan H.P. Eloff Rand Afrikaans University South Africa Les Labuschagne Rand Afrikaans University South Africa Rossouw von Solms Port Elizabeth T echnikon South Africa jan Verschuren Evaluation Centre for lnstrumentation and Security Techniques The Netherlands '' SPRINGER SCIENCE+BUSINESS MEDIA, LLC

4 Library of Congress Cataloging-in-Publication Data IFIP TC11 WG11.1/WG11.2 Working Conference on Infonnation Security Management & Small Systems Security (7th: 1999: Amsterdam, Netherlands) Infonnation security management & small systems security : IFIP TC11 WG11.1/WG11.2 Seventh Annual Working Conference on Infonnation Security Management & Small Systems Security, September 30-0ctober 1, edited by Jan H.P. Eloff... [et al.]. Includes bibliographical references (p. ). ISBN ISBN (ebook) DOI / Computer security-management Congresses. I. Eloff, Jan H.P. II. Title. III. Title: Infonnation security management and small systems security. QA76.9.A '.0558-dc CIP Copyright 1999 Springer Science+Business Media New York Originally published by Kluwer Academic Publishers in 1999 All rights reserved. No part ofthis publication may be reproduced, stored in a retrieval system or transmitted in any fonn or by any means, mechanical, photo-copying, recording, or otherwise, without the prior written permission of the publisher, Springer Science+ Business Media, LLC. Printed on acid-free paper.

5 The original version of the book frontmatter was revised: The copyright line was incorrect. The Erratum to the book frontmatter is available at DOI: / _19

6

7

8 PREFACE The 7th Annual Working Conference of ISMSSS (lnformation Security Management and Small Systems Security), jointly presented by WG 11.1 and WG 11.2 of the International Federation for Information Processing {IFIP), focuses on various state-of-art concepts in the two relevant fields. The conference focuses on technical, functional as well as managerial issues. This working conference brings together researchers and practitioners of different disciplines, organisations, and countries, to discuss the latest developments in (amongst others) secure techniques for smart card technology, information security management issues, risk analysis, intranets, electronic commerce protocols, certification and accreditation and biometrics authentication. W e are fortunate to have attracted at least six highly acclaimed international speakers to present invited lectures, which will set the platform for the reviewed papers. Invited speakers will talk on a broad spectrum of issues, all related to information security management and small system security issues. These talks cover new perspectives on secure smart card systems, the role of BS7799 in certification, electronic commerce and smart cards, iris biometrics and many more. AH papers presented at this conference were reviewed by a minimum of two international reviewers. W e wish to express our gratitude to all authors of papers and the international referee board. W e would also like to express our appreciation to the organising committee, chaired by Leon Strous, for au their inputs and arrangements. Finally, we would like to thank Les Labuschagne and Hein Venter for their contributions to this conference of WG 11.1 and WG 11.2, which was essential for its becoming a success. WGll.l (lnformation Security Management) Chairman: Rossouw von Solms rossouw@ml.petech.ac.za WG11.2 (Small Systems Security) Chairman: Jan Eloff eloff@rkw.rau.ac.za

9 ACKNOWLEDGEMENTS Organised by: IFIP TC -11 Working Group 11.1 (lnformation Security Management) and Working Group 11.2 (Smalt Systems Security) Supported and sponsored by: 1NO (The Netherlands Organisation for Applied Sciences) CMG Finance, Division Advanced Technology Concord Eracom ISACA NL chapter (lnformation Systems Audit & Control Association) NGI (Dutch Computer Society) NGI SIGIS (Special Interest Group on Information Security) NOREA (Dutch Association ofregistered EDP-Auditors) Philips Crypto Sensar ISACA BeLux chapter NGI SIG EDP-Aidit Conference General Chair Jan Eloff, Rand Afrikaans University, South-Africa Rossouw von Solms, Port Elizabeth Technikon, South-Africa Programme Committee Jan Eloff, Rand Afrikaans University, South-Africa Rossouw von Solms, Port Elizabeth Technikon, South-Africa Rene Struik, Philips Crypto, The Netherlands Jan Verschuren, 1NO-TPD-Effi, The Netherlands Les Labuschagne, Rand Afrikaans University, South-Africa

10