Role based access control



COMPSEC ‘95 Paper Abstracts

cause for concern. However, the Internet did not come to an end, and the net effect of the project appears to be positive.

Title: Securing Access and Privacy on the Internet

Author: Wayne Madsen, CSC

This session will examine the current debate over whether the Internet should be a free and open information exchange conduit or should be subject to various access fees and government restrictions on use (including the use of encryption). The battle to control ‘the Net’ encompasses almost every part of the world, from Singapore and Hong Kong, to India and Macedonia, to the states of Chiapas in Mexico and Idaho in the United States.

STREAM 2: Management Issues

Title: Controls in the Next Millennium: Anticipating the IT-Enabled Future

Author: Alan Krull, Business & Professional Education

Information technology enables an explosive growth of computing and the uninhibited, worldwide movement of information. Now there are opportunities on a grand scale for errors, or for unethical, disruptive and costly behaviour by users, organizations and governments.

Here is a candid look at today’s flawed practices and what security and control must be in the next millennium. Today’s information protection strategies often are based on illusions, philosophical blunders, and logical inconsistencies. Reliance is primarily on gadgets - hardware and software - when the key is reliance on people. Security and audit counterimplement what management wants to do and may even interfere with the conduct of business.

Tomorrow’s strategies, already in place in some organizations, rely less on intensive surveillance, policing, and the micro-management of people’s behaviour. Creating a better future starts with the ability to envision it. What should be done in your organization? Who will take a leadership role?

Title: Software Piracy - An Update

Author: Geoffrey Webster, FAST

Title: Writing Infosec Policies

Author: Charles Cresson Wood, Information Integrity Investments

Clear and relevant policies form the backbone for every successful information security effort. Based on his consulting work with over 100 organizations, Charles Cresson Wood identifies the essence of successful policies, and the roles they play. He additionally defines the critical factors that lead to management approval of policies. The process of writing and updating in-house policies is covered, together with responsibility for policy making, compliance testing, and enforcement.

Title: Outsourcing - Ensuring Security Compliance

Author: Ray Tanner, SISL

Outsourcing, or the provision of IT services by someone external to your organization, is an issue that is being addressed in various guises throughout industry and government departments. There are many things to consider, and security is a key element that must not be forgotten. The aim of this paper is to highlight the security issues associated with outsourcing. It does not, however, just present you with an extra set of problems, as it also offers views on the potential route to finding solutions.

STREAM 3 (a.m.): Access Controls

Title: Role Based Access Control

Author: Tom Parker, ICL

An individual’s role in an organization has always been a significant factor in assessing that individual’s privileges in the organization, and the use of the role concept in computer systems is becoming increasingly popular because of its ability to mirror these realities in this more abstract world. This paper describes how roles should be used in support of defining and policing an access control policy, as well as their use for other more general purposes. Particular emphasis is given to distributed systems, where the value of roles really starts to be demonstrated.

Title: Smart Cards and Biometrics: An Overview of Current Technologies, Threats and Opportunities.
