Security in office systems : J.R. Ellison and J.A.T. Pritchard NCC Publications, the National...
Vol. 9, No. 12, Page 12
VISA GRANTS SECURITY MODULE LICENCE TO RACAL-GUARDATA
BOOK REVIEWS
Racal-Guardata Ltd, the data security specialist within
the Racal Electronics Group, has agreed a perpetual worldwide
licence with Visa USA and Visa International to manufacture, sell,
and support the Visa Security Module. Under the terms of the
agreement, Racal-Guardata will supply the device - which encrypts
and decrypts confidential financial information - to Visa's
19 000 member banks.
The Visa Security Module is a microprocessor-based device
which provides a range of cryptographic functions within a secure,
tamper-resistant environment. It was developed by Visa as part of
an expansion of its ATM network. The device currently protects
Personal Identity Numbers (PINs) and related credit card data in
Visa members' ATM networks, and in electronic point of sale
networks.
Due to the increasing success of the Visa Security Module,
Visa searched for a security-oriented company to take over
manufacture, sales, and support. Under the agreement,
Racal-Guardata will develop the module to enhance its
cryptographic capabilities and provide a range of options for
connecting it to host computers. The first new option is a
channel-attached version for use on IBM and IBM-compatible
mainframes. "The added throughput of the new version will be of
great value to our members as the volume of PIN-related
authorizations continues to grow", said Visa's senior vice-president,
Win Derman.
The family of host security modules will be marketed to
non-Visa members by Racal-Guardata as the RGL 6000 Series, for
applications involving message authentication, data encryption,
and computer access control. Racal-Guardata is developing a
growing range of data security products including a plug-in
security module for PCs, and Watchword, a personal authentication
system (see the May 1987 issue of CFSB).
The RGL 6000 Series, like all products in the Racal-Guardata
range, will be supported by a steadily-expanding network of sales
and support centres around the world, which includes sites in the
US, Canada, the UK, Benelux, Italy and New Zealand. Offices will
be opened this year in Australia, Hong Kong, and Scandinavia.
Further details can be obtained from: Racal-Guardata Ltd,
Richmond Court, 309 Fleet Road, Fleet, Hampshire GU13 8BU, UK;
tel: 0252-622144.
Title - Security in Office Systems
Authors - J.R. Ellison and J.A.T. Pritchard
Publisher - NCC Publications, The National Computing Centre
Ltd, Oxford Road, Manchester M1 7ED, UK.
Much of this book (well over half) discusses office systems,
rather than security. Maybe this is the only way to give a decent
introduction to the subject. The security that is discussed is
dealt with thoroughly. It ranges from physical security, through
access control and eavesdropping to the security ramifications of
using electronic mail.
© 1987 Elsevier Science Publishers B.V., Amsterdam./87/$0.00 + 2.20
No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any
means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publishers.
(Readers in the U.S.A. - please see special regulations listed on back cover.)
Vol. 9, No. 12, Page 13
At 200 pages in A4 format, the book is fairly long,
containing an adequate if not exactly voluminous four page index,
and an inadequate, very short, 37-entry glossary explaining the
technical terms and abbreviations. The Bibliography reads like an
advert for NCC publications. The number of specific errors is
gratifyingly small, one exception being the statement - "A typing
pool is an obvious necessity in any organization" (page 92). This
is nonsense. It may be a good idea, but it is far from being an
obvious necessity.
Page 17 provides a description of how "The UK Data Protection
Act of 1984 has increased user awareness of the need for
security". Oh that this were true! The whole of Chapter 14 is
also dedicated to the Data Protection Act. Neither of these
sections mention what is probably the biggest problem with the Act
- very few people are making more than a token attempt to comply
with it. The main effect of the Data Protection Act seems to be a
plethora of discussion in books and conference proceedings.
Reality rarely intrudes.
The book discusses the possibility of users developing their
own systems, to fulfil specific requirements (page 50). BASIC is
mentioned as one example. The text then warns against the
possibility of the software being understandable only by the
user. Perhaps a better programming language would make inroads
into this. The lack of a good example surfaces again on page 59.
Anyone who thinks MS-DOS is "user-friendly" does not use it very
much.
There are curious omissions. A long discussion of alleged
security weaknesses in the Telecom Gold UK electronic mail service
ends in a statement that the authors believe it to be reasonably
secure. But the recent successful appeal against conviction for
what was a proven hack into Prestel, the UK public viewdata
service, is not even mentioned (see the September issue of CFSB).
The appeal may well have postdated publication, but the original
court case was some time ago now.
All in all, this book seems to be a supreme example of the fact
that there is a lot of talking about security, a lot of
"Consultancy" time is used up, but the general level of technical
expertise in the field of computer security is very low. The book
mirrors this. It deals at great length with why you need a
corporate plan, a security policy (formulated by a steering
committee of senior management), an office systems policy and
monitoring controls. It rarely descends into technical detail.
If you feel the need to set up a large department, dedicated
to controlling the security of your office systems, then buy the
book. You won't go off the rails by following its suggestions
like a recipe. Don't bother to purchase it if you are looking for
anything that has not been said many times before (often in a far
more readable manner), as there are better books around. There's
nothing seriously wrong with Security in Office Systems. It's
just mind-numbingly boring. The stated fact that it is the final
output of an NCC project rather than simply a written publication
shines through.
Vol. 9, No. 12, Page 14
Keith Jackson
Title - Third Report of The Data Protection Registrar
June 1987
Publisher - Her Majesty's Stationery Office, London; £5.60
This Report reviews developments in an interim year (1 June
1986 to 31 May 1987) between the completion of the registration
period (May 1986) and the full establishment of the UK Data
Protection Act on 11 November 1987. Reading between the lines, it
is clear that Mr Eric Howe, the UK Data Protection Registrar, has
a number of very important battles ahead. The most significant of
these arises over the proposed UK Government Data Network which is
to link up four major Government departments - Health and Social
Security, Customs and Excise, Inland Revenue, and the Home Office.
Over the course of the past year Mr Howe has elicited
statements in private that UK Government Departments impose their
own strict rules on disclosures of personal data between
themselves. He states, in this Report, that he believes it would
be valuable if these rules were published as they would help
ensure an informed public debate on data protection and privacy
issues. He wants the way the rules are managed to be made known
together with exceptions to them, the level at which decisions are
made on the rules, and how they are applied. He wants to know if
there are disciplinary proceedings for breaches of the rules,
whether review and monitoring procedures are in operation, and
whether reports can be made available on the way the rules work in
practice. It is nice to know that he is trying, but I do not give
his chances of success in any of these areas much hope.
Moving to the private sector, Mr Howe is concerned about the
development of a National Credit Reference Register. As the
volume of personal loans increases, the banks, shops, and credit
card companies are wanting to be able to share information
regarding the personal indebtedness of customers. Proposals for
this register have not yet been fully defined but Mr Howe has
fired off a warning shot by stating that the Data Protection
Principles should be applied with particular diligence and care in
this case. He should have more success here than with Government.
If the Data Protection Act is to work effectively, then the
good practices stated in the Data Protection Principles must be
related to the myriad ways in which organizations use this
process. They establish relevant practices for whole sectors of
activity at a time. They provide a benchmark against which a
particular course of action can be tested. It is thus very
pleasing to note that the Association of Chief Police Officers has
devoted considerable effort to the production of a code for the
use of personal data in the Police National Computer and the
systems run by individual UK police forces. Mr Howe hopes to see
this code published in Autumn 1987.
The first public library version of the Data Protection
Register was placed in over 170 libraries throughout the UK in
January 1987. Registration applications are now being received at