The Binomial Bookstore
Rothstein Associates Inc.
Info & Network Security, Info Protection
INTERNET AND INTRANET SECURITY MANAGEMENT: RISKS AND SOLUTIONS
by Lech Janczewski, University of Auckland, New Zealand

“In the last 12 years we have observed amazing growth of electronic communication. From typical local networks through country-wide systems and business-based distributed processing, we have witnessed widespread implementation of computer-controlled transmissions encompassing almost every aspect of our business and private lives.

“INTERNET AND INTRANET SECURITY MANAGEMENT: RISKS AND SOLUTIONS addresses issues of information security from the managerial, global point of view. The global approach allows us to concentrate on issues that could be influenced by activities happening on opposite sides of the Earth.”

================================

FROM THE PREFACE:

“In information security, as in all areas of information technology, knowledge and practice is advancing rapidly. There is a need for up-to-date material, but the rate of change is so great that a textbook only a few years old will already be obsolete. Covering the most important changes in the field of information security to produce an updated text before it becomes obsolete is a lot to ask of one author, so we have asked several, each expert in their own speciality, to complete one chapter.

“Overlaps are minimal, but chapters are substantially independent. Readers can, therefore, either follow the text from the beginning to end, or pursue only their special interests without having to read the whole text.

“The book is divided into four separate parts:

Part I: State of the Art

“Here major issues concerning development of Internet and intranet are discussed. To present a balanced, world perspective, two points of view have been included: from the United States (J. Palmer et al) and from a much smaller country, New Zealand (J. Gutierrez). Despite their different situations both countries face surprisingly similar information security problems.
Interestingly, system malfunctions rather than hackers and similar unwelcome characters are still considered to be the greatest security threats.

Part II: Managing Intranet and Internet Security

“Three authors discuss issues related to efficient management of the security of distributed systems.

“Electronic commerce requires not only technology but also people trusting this method of doing business. In his chapter Dieter Fink discusses the components of trust for electronic commerce and the methods of building and sustaining it.

“The foundation of every security system is the information security policy (ISP). Lech Janczewski presents a method to allow rapid creation of an effective ISP. A variety of documents that standardise development and assessment of information security functions are discussed. Fredj Dridi and Gustaf Neumann present an overview of Internet security issues with special emphasis on Web security. An architecture is presented in which security services are built to protect against threats and to achieve information security for networked systems. Basic security protocols like IPSec, SSL, Secure HTTP, and others are also presented.

Part III: Cryptography Methods and Standards

“Cryptography is the major technique allowing secure transport of data through insecure environments and secure storage of data. In this part three authors discuss a number of important issues related to cryptography:

“Export of cryptography is restricted by a number of national and international agreements. Henry Wolfe in his chapter describes and discusses these restrictions. In his opinion, it is impossible to enforce these restrictions and they should be abolished. To allow a smooth introduction to more technically challenging issues discussed later in the book, Dr. Wolfe presents a short description of the most popular types of ciphers.
“Adequate security requires not only implementation of powerful cryptography (for instance the development of a DES replacement), but also an adequate solution for successful cryptography deployment. These issues are discussed by Dieter Gollmann.

“In the final chapter of Part III, Chris Mitchell outlines the major standards regulating cryptographic methods. The OSI security architecture, DES, Message Authentication Codes, Digital Signatures, Hash Functions, and Key Management are presented.

Part IV: Security and The Law

“It is not enough to understand information security merely in terms of technology (like PKI) and psychology (trust). Understanding the law is also necessary. Technology is advancing so rapidly that law makers can't keep up and changes, which are often inconsistent, are made in haste. Issues such as the rights of an employee to keep data on his/her computer at work private, are not well understood. These issues are discussed by Charles and Nicole Prysby.

“As professionals living in the USA, Charles and Nicole Prysby have an American viewpoint. To give the reader a wider perspective the last chapter of this book, written by G. Gunasekara from Auckland, presents similar issues in a New Zealand context.”

================================

TABLE OF CONTENTS

Preface

Part I: STATE OF THE ART

Chapter 1: Security Risk Assessment and Electronic Commerce: A Cross-Industry Analysis
Jonathan W. Palmer, University of Maryland, USA
Jamie Kliewer and Mark Sweat, University of Oklahoma, USA

Chapter 2: Securing the Internet in New Zealand: Threats and Solutions
Jairo A Gutierrez, University of Auckland, NZ

Part II: MANAGING INTRANET AND INTERNET SECURITY

Chapter 3: Developing Trust for Electronic Commerce
Dieter Fink, Edith Cowan University, Australia

Chapter 4: Managing Security Functions Using Security Standards
Lech Janczewski, University of Auckland, NZ

Chapter 5: Managing Security in the World Wide Web: Architecture, Services and Techniques
Fredj Dridi and Gustaf Neumann, University of Essen, Germany

Part III: CRYPTOGRAPHY AND TECHNICAL SECURITY STANDARDS

Chapter 6: Cryptography: Protecting Confidentiality, Integrity and Availability of Data
Henry B. Wolfe, University of Otago, NZ

Chapter 7: Foundations for Cryptography
Dieter Gollmann, Microsoft Research, UK

Chapter 8: Developments in Security Mechanism Standards
Chris Mitchell, University of London, UK

Part IV: SECURITY AND THE LAW

Chapter 9: Electronic Mail, Employee Privacy and the Workplace
Charles Prysby, University of North Carolina, USA
Nicole Prysby, Attorney at Law, Virginia, USA

Chapter 10: Protecting Personal Privacy in Cyberspace: The Limitations of Third Generation Data Protection Laws Such as the New Zealand Privacy Act 1993
Gehan Gunasekara, University of Auckland, NZ

About the Authors

Index

================================

ABOUT THE AUTHORS

Chapter 1

“Jonathan Palmer is an Assistant Professor at the University of Maryland, College Park. His research interests include the strategic use of IT, electronic commerce, and virtual organizations. His work has appeared or been accepted for publication in Information Systems Research, Communications of the ACM, Journal of World Business, Journal of Computer-Mediated Communication, European Management Journal, The Information Society, International Journal of Electronic Commerce, International Journal of Human-Computer Studies, JASIS. Palmer serves on the editorial board of International Journal of Electronic Markets and Electronic Journal of Organizational Virtualness. He served on the faculty at the University of Oklahoma and taught at the University of Southern California. Palmer was director of corporate relations at The Peter F. Drucker School the Claremont Graduate University in California.
His previous academic experience includes administrative positions at The Fletcher School of Law and Diplomacy and The Harvard Business School. Ph.D. Claremont Graduate University.

“Jamie Kliewer is currently teaching computer science in Phnom Penh, Cambodia. He is a graduate of the University of Oklahoma in Management Information Systems where he was a J.C. Penney Leadership Fellow.

“Mark Sweat is a consultant and analyst in MIS and electronic commerce at Koch Industries in Wichita, Kansas. He is a graduate of the University of Oklahoma in Management Information Systems where he was a J.C. Penney Leadership Fellow and worked for the Center for MIS Studies.”

Chapter 2

“Jairo Gutierrez is a Senior Lecturer in Information Systems at The University of Auckland. Previously he worked as an R&D Manager, Systems Integration Consultant, and Information Systems Manager. He also conducted seminars on LAN/WAN technologies. He teaches data communications and computer networking. His current research topics are in network management systems, programmable networks, and high-speed computer networking. He received a Systems and Computer Engineering degree from The University of The Andes (Colombia, 1983), a Masters degree in Computer Science from Texas A&M University (1985), and a Ph.D. (1997) in Information Systems from the University of Auckland (New Zealand).”

Chapter 3

“Dieter Fink is Associate Professor in the School of Management Information Systems at Edith Cowan University in Perth, Western Australia. Prior to joining academe he worked as a Systems Engineer for IBM and as Manager Consultant for Arthur Young & Co (now Ernst & Young). His teaching and research interests are in IS management where he specialises in IT security, investment justification and benefits management. Dr Fink is the author of "Information Technology Security - Managing Challenges and Creating Opportunities", published by CCH Australia.
Other publications have appeared in journals such as Long Range Planning, Australian Journal of Information Systems and Internal Journal of Information Management. A current research project is the delivery of knowledge services by professional service firms using Internet technologies.”

Chapter 4

“Lech Janczewski, (MEng - Warsaw, MASc - Toronto, DEng - Warsaw) has over thirty years' experience in information technology. He was the managing director of the largest IBM installation in Poland and project manager of the first computing center in the Niger State of Nigeria. He is currently with the Department of Management Science and Information Systems of the University of Auckland, New Zealand. His area of research includes management of IS resources with the special emphasis on data security and information systems investments in underdeveloped countries. Dr Janczewski wrote over 60 publications presented in scientific journals, conference proceedings and chapters in books. He is the chairperson of the New Zealand Information Security Forum.”

Chapter 5

“Fredj Dridi is a Ph.D. student at the Dept. of Information Systems and Software Techniques at the University of Essen, Germany. He received his diploma degree in Computer Science 1995 from the University of Kaiserslautern. Between 1992 and 1996 he was working at DFKI on intelligent engineering systems. Currently, his working areas are Information Systems, Security Management, Internet/Intranet Technologies and Software Engineering.

“Gustaf Neumann was appointed Chair for Information Systems / New Media at the Vienna University of Economics and Business Administration in November 1999. A native of Vienna, Austria, he graduated from the Vienna University of Economics and Business Administration (WU), Austria, in 1983 and holds a Ph.D. from the same university.
He joined the faculty of WU in 1983 as Assistant Professor at the MIS department and served as head of the research group for Logic Programming and Intelligent Information Systems. Before joining the Vienna University, Gustaf Neumann was Prof. of Information Systems and Software Techniques at the University of Essen, Germany. Earlier he was working as a visiting scientist at IBM's T.J. Watson Research Center in Yorktown Heights, NY, from 1985-1986 and 1993-1995. In 1987, he was awarded the Heinz-Zemanek award of the Austrian Association of Computer Science (OCG) for best dissertation (Metainterpreter Directed Compilation of Logic Programs into Prolog). Professor Neumann has published books and papers in the areas of program transformation, data modeling, information systems technology and security management. He is the author of several widely used programs that are freely available, such as the TeX-dvi converter dvi2xx and the graphical front-end package Wafe.”

Chapter 6

“Henry B. Wolfe has been an active computer professional for more than 40 years. He has earned a number of university degrees culminating with a Doctor of Philosophy from the University of Otago. The first ten years of his career was spent designing systems in a manufacturing environment. The next ten years of ever increasing responsibility was devoted to serving in the U.S. Federal Government rising to the position of Director of MIS for the Overseas Private Investment Corporation. After a short (and successful) foray into the oil and natural gas business Dr. Wolfe took up an academic post at the University of Otago and for the past fifteen or so years has specialized in computer security. During that period he has earned an international reputation in the field of computer virus defenses.
Dr Wolfe occasionally writes about a wide range of security and privacy issues for Computers & Security, Network Security and the Computer Fraud & Security Bulletin (where he is also an Editorial Adviser).”

Chapter 7

“Dieter Gollmann was a scientific assistant at the University of Karlsruhe, Germany, where he was awarded the 'venia legendi' for computer science in 1991. At Royal Holloway, University of London, he worked as a Lecturer, Senior Lecturer, Reader, and finally as a Professor in Computer Science. He was a Visiting Professor at the Technical University of Graz in 1991 and an Adjunct Professor at the Information Security Research Centre, QUT, Brisbane, in 1995. He has been acting as a consultant for HP Laboratories (Bristol) and joined Microsoft Research in Cambridge in 1998. He has published a textbook on Computer Security and over 50 research papers on topics in cryptography and information security. He has served on the program committees of the major European conferences on computer security (ESORICS) and cryptography (EUROCRYPT), as well as other international conferences in these areas.”

Chapter 8

“Chris Mitchell received his B.Sc. (1975) and Ph.D. (1979) degrees in Mathematics from Westfield College, London University. Prior to his appointment in 1990 as Professor of Computer Science at Royal Holloway, University of London, he was a Project Manager in the Networks and Communications Laboratory of Hewlett-Packard Laboratories in Bristol, which he joined in June 1985. Between 1979 and 1985 he was at Racal-Comsec Ltd. (Salisbury, UK), latterly as Chief Mathematician.
He has made contributions to a number of international collaborative projects, including two EU ACTS projects on security for third generation mobile telecommunications systems, and is currently convenor of Technical Panel 2 of BSI IST/33, dealing with Security Mechanisms and providing input to ISO/IEC JTC1/SC27 on which he currently serves as a UK Expert and as editor of two international security standards. He is academic editor of Computer and Communications Security Abstracts, and a member of the Editorial Advisory Board for the journals of the London Mathematical Society. He has published over 100 papers, mostly on security-related topics, and he continues to act as a consultant on a variety of topics in information security.”

Chapter 9

“Charles Prysby is a professor and head of the department of political science at the University of North Carolina at Greensboro. He received his Ph.D. from Michigan State University in 1973. His primary areas of research are in voting behavior, political parties, southern electoral politics, and contextual effects on political behavior. His articles have appeared in a number of journals and edited books, and he is the coauthor of Political Behavior and the Local Context (Praeger, 1991). He also is the coauthor of the computer-based instructional packages on voting behavior in presidential elections published by the American Political Science Association as part of the SETUPS series. For a number of years he has taught a graduate course on computer applications in public administration.

“Nicole Prysby is an attorney with interests in the area of employment law. She received her J.D. with honors from the University of North Carolina School of Law in 1995. She is a contributing author for several publications in the employment and human resource law area, including the State by State Guide to Human Resource Law, and the Multistate Payroll Guide, and is a co-author of the Multistate Guide to Benefits Law (all Aspen/Panel).
She currently is working in the field of environmental consulting, for Perrin Quarles, Associates, in Charlottesville, Virginia. From 1995-1997, she was an attorney in the Public Law Department at the National Legal Research Group, Charlottesville, Virginia.”

Chapter 10

“Gehan Gunasekara (BA, LLB Wellington, LLM (Hons) Auckland) is a lecturer in Information Technology Law at the University of Auckland. He teaches law subjects at the University's School of Business and Economics including undergraduate and postgraduate papers on privacy and data protection law. He has published articles in legal journals in both New Zealand and the United Kingdom and has contributed to several text books. His most recent and on-going research is a study of New Zealand's privacy legislation. Gehan is also interested in several other areas of commercial law. He is a Barrister and Solicitor of the High Court of New Zealand.”

================================

2000, 302 pages. Order #DR457.

Rothstein Associates Inc.
4 Arapaho Rd.
Brookfield, CT 06804-3104
1-888-ROTHSTEin
Telephone: 203.740.7444; 888.768.4783
Fax: 203.740.7401
E-Mail: info@rothstein.com
All bookstore enquiries should be sent to Rothstein Associates at the above address.
© Binomial International 2008