Security in office systems : J.R. Ellison and J.A.T. Pritchard NCC Publications, the National...


Page 1: Security in office systems : J.R. Ellison and J.A.T. Pritchard NCC Publications, the National Computing Centre Ltd, Oxford Road, Manchester M1 7ED, UK.

Vol. 9, No. 12, Page 12

VISA GRANTS SECURITY MODULE LICENCE TO RACAL-GUARDATA

BOOK REVIEWS

Racal-Guardata Ltd, the data security specialist within

the Racal Electronics Group, has agreed a perpetual worldwide

licence with Visa USA and Visa International to manufacture, sell,

and support the Visa Security Module. Under the terms of the

agreement, Racal-Guardata will supply the device - which encrypts

and decrypts confidential financial information - to Visa's

19 000 member banks.

The Visa Security Module is a microprocessor-based device

which provides a range of cryptographic functions within a secure,

tamper-resistant environment. It was developed by Visa as part of

an expansion of its ATM network. The device currently protects

Personal Identity Numbers (PINs) and related credit card data in

Visa members' ATM networks, and in electronic point of sale

networks.

Due to the increasing success of the Visa Security Module,

Visa searched for a security-oriented company to take over

manufacture, sales, and support. Under the agreement,

Racal-Guardata will develop the module to enhance its

cryptographic capabilities and provide a range of options for

connecting it to host computers. The first new option is a

channel-attached version for use on IBM and IBM-compatible

mainframes. "The added throughput of the new version will be of

great value to our members as the volume of PIN-related

authorizations continues to grow", said Visa's senior vice-president, Win Derman.

The family of host security modules will be marketed to

non-Visa members by Racal-Guardata as the RGL 6000 Series, for

applications involving message authentication, data encryption,

and computer access control. Racal-Guardata is developing a

growing range of data security products including a plug-in

security module for PCs, and Watchword, a personal authentication

system (see the May 1987 issue of CFSB).

The RGL 6000 Series, like all products in the Racal-Guardata

range, will be supported by a steadily-expanding network of sales

and support centres around the world, which includes sites in the

US, Canada, the UK, Benelux, Italy and New Zealand. Offices will

be opened this year in Australia, Hong Kong, and Scandinavia.

Further details can be obtained from: Racal-Guardata Ltd,

Richmond Court, 309 Fleet Road, Fleet, Hampshire GU13 8BU, UK;

tel: 0252-622144.

Title - Security in Office Systems

Authors - J.R. Ellison and J.A.T. Pritchard

Publisher - NCC Publications, The National Computing Centre

Ltd, Oxford Road, Manchester M1 7ED, UK.

Much of this book (well over half) discusses office systems,

rather than security. Maybe this is the only way to give a decent

introduction to the subject. The security that is discussed is

dealt with thoroughly. It ranges from physical security, through

access control and eavesdropping to the security ramifications of

using electronic mail.

© 1987 Elsevier Science Publishers B.V., Amsterdam. /87/$0.00 + 2.20

No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any

means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publishers.

(Readers in the U.S.A. - please see special regulations listed on back cover.)

Vol. 9, No. 12, Page 13

At 200 pages in A4 format, the book is fairly long,

containing an adequate if not exactly voluminous four page index,

and an inadequate, very short, 37-entry glossary explaining the

technical terms and abbreviations. The Bibliography reads like an

advert for NCC publications. The number of specific errors is

gratifyingly small, one exception being the statement - "A typing

pool is an obvious necessity in any organization" (page 92). This

is nonsense. It may be a good idea, but it is far from being an

obvious necessity.

Page 17 provides a description of how "The UK Data Protection

Act of 1984 has increased user awareness of the need for

security". Oh that this were true! The whole of Chapter 14 is

also dedicated to the Data Protection Act. Neither of these

sections mentions what is probably the biggest problem with the Act

- very few people are making more than a token attempt to comply

with it. The main effect of the Data Protection Act seems to be a

plethora of discussion in books and conference proceedings.

Reality rarely intrudes.

The book discusses the possibility of users developing their

own systems, to fulfil specific requirements (page 50). BASIC is

mentioned as one example. The text then warns against the

possibility of the software being understandable only by the

user. Perhaps a better programming language would make inroads

into this. The lack of a good example surfaces again on page 59.

Anyone who thinks MS-DOS is "user-friendly" does not use it very

much.

There are curious omissions. A long discussion of alleged

security weaknesses in the Telecom Gold UK electronic mail service

ends in a statement that the authors believe it to be reasonably

secure. But the recent successful appeal against conviction for

what was a proven hack into Prestel, the UK public viewdata

service, is not even mentioned (see the September issue of CFSB).

The appeal may well have postdated publication, but the original

court case was some time ago now.

All in all, this book seems to be a supreme example of the fact that there is a lot of talking about security, a lot of

"Consultancy" time is used up, but the general level of technical

expertise in the field of computer security is very low. The book

mirrors this. It deals at great length with why you need a

corporate plan, a security policy (formulated by a steering

committee of senior management), an office systems policy and

monitoring controls. It rarely descends into technical detail.

If you feel the need to set up a large department, dedicated

to controlling the security of your office systems, then buy the

book. You won't go off the rails by following its suggestions

like a recipe. Don't bother to purchase it if you are looking for

anything that has not been said many times before (often in a far

more readable manner), as there are better books around. There's

nothing seriously wrong with Security in Office Systems. It's

just mind-numbingly boring. The stated fact that it is the final

output of an NCC project rather than simply a written publication

shines through.

Vol. 9, No. 12, Page 14

Keith Jackson

Title - Third Report of The Data Protection Registrar

June 1987

Publisher - Her Majesty's Stationery Office, London; £5.60

This Report reviews developments in an interim year (1 June

1986 to 31 May 1987) between the completion of the registration

period (May 1986) and the full establishment of the UK Data

Protection Act on 11 November 1987. Reading between the lines, it

is clear that Mr Eric Howe, the UK Data Protection Registrar, has

a number of very important battles ahead. The most significant of

these arises over the proposed UK Government Data Network which is

to link up four major Government departments - Health and Social

Security, Customs and Excise, Inland Revenue, and the Home Office.

Over the course of the past year Mr Howe has elicited

statements in private that UK Government Departments impose their

own strict rules on disclosures of personal data between

themselves. He states, in this Report, that he believes it would be valuable if these rules were published as they would help

ensure an informed public debate on data protection and privacy

issues. He wants the way the rules are managed to be made known

together with exceptions to them, the level at which decisions are

made on the rules, and how they are applied. He wants to know if

there are disciplinary proceedings for breaches of the rules,

whether review and monitoring procedures are in operation, and

whether reports can be made available on the way the rules work in

practice. It is nice to know that he is trying, but I do not give

his chances of success in any of these areas much hope.

Moving to the private sector, Mr Howe is concerned about the

development of a National Credit Reference Register. As the

volume of personal loans increases, the banks, shops, and credit

card companies are wanting to be able to share information

regarding the personal indebtedness of customers. Proposals for

this register have not yet been fully defined but Mr Howe has

fired off a warning shot by stating that the Data Protection

Principles should be applied with particular diligence and care in

this case. He should have more success here than with Government.

If the Data Protection Act is to work effectively, then the

good practices stated in the Data Protection Principles must be

related to the myriad ways in which organizations use this

process. They establish relevant practices for whole sectors of

activity at a time. They provide a benchmark against which a

particular course of action can be tested. It is thus very

pleasing to note that the Association of Chief Police Officers has

devoted considerable effort to the production of a code for the

use of personal data in the Police National Computer and the

systems run by individual UK police forces. Mr Howe hopes to see

this code published in Autumn 1987.

The first public library version of the Data Protection

Register was placed in over 170 libraries throughout the UK in

January 1987. Registration applications are now being received at
