Information Security Management Small Systems Security

This book presents the most interesting talks given at ISSE/SECURE 2007 - the forum for the interdisciplinary discussion of how to adequately secure electronic business processes. The topics include: Identity Management, Information Security Management - PKI-Solutions, Economics of IT-Security - Smart Tokens, eID Cards, Infrastructure Solutions - Critical Information Infrastructure Protection, Data Protection, Legal Aspects. Adequate information security is one of the basic requirements of all electronic business processes. It is crucial for effective solutions that the possibilities offered by security technology can be integrated with the commercial requirements of the applications. The reader may expect state-of-the-art: best papers of the Conference ISSE/SECURE 2007.

The 7th Annual Working Conference of ISMSSS (lnformation Security Management and Small Systems Security), jointly presented by WG 11.1 and WG 11.2 of the International Federation for Information Processing {IFIP), focuses on various state-of-art concepts in the two relevant fields. The conference focuses on technical, functional as well as managerial issues. This working conference brings together researchers and practitioners of different disciplines, organisations, and countries, to discuss the latest developments in (amongst others) secure techniques for smart card technology, information security management issues, risk analysis, intranets, electronic commerce protocols, certification and accreditation and biometrics authentication. W e are fortunate to have attracted at least six highly acclaimed international speakers to present invited lectures, which will set the platform for the reviewed papers. Invited speakers will talk on a broad spectrum of issues, all related to information security management and small system security issues. These talks cover new perspectives on secure smart card systems, the role of BS7799 in certification, electronic commerce and smart cards, iris biometrics and many more. AH papers presented at this conference were reviewed by a minimum of two international reviewers. W e wish to express our gratitude to all authors of papers and the international referee board. W e would also like to express our appreciation to the organising committee, chaired by Leon Strous, for aU their inputs and arrangements.

The Eighth Annual Working Conference of Information Security Management and Small Systems Security, jointly presented by WG11.1 and WG11.2 of the International Federation for Information Processing (IFIP), focuses on various state-of-art concepts in the two relevant fields. The conference focuses on technical, functional as well as managerial issues. This working conference brings together researchers and practitioners of different disciplines, organisations, and countries, to discuss the latest developments in (amongst others) information security methods, methodologies and techniques, information security management issues, risk analysis, managing information security within electronic commerce, computer crime and intrusion detection. We are fortunate to have attracted two highly acclaimed international speakers to present invited lectures, which will set the platform for the reviewed papers. Invited speakers will talk on a broad spectrum of issues, all related to information security management and small system security issues. These talks cover new perspectives on electronic commerce, security strategies, documentation and many more. All papers presented at this conference were reviewed by a minimum of two international reviewers. We wish to express our gratitude to all authors of papers and the international referee board. We would also like to express our appreciation to the organising committee, chaired by Gurpreet Dhillon, for all their inputs and arrangements. Finally, we would like to thank Les Labuschagne and Hein Venter for their contributions in compiling this proceeding for WG11.1 and WG 11.2.

Information security is one of the key concerns of an enterprise or organization. To assure suitable management of information security a list of information security management frameworks has been developed by a number of institutions and authors. A condensed information in information security management framework is very important to a small and medium enterprise as this type of enterprise usually lacks resources for information security expertise and deep analysis. Despite the fact, the information security management process and its frameworks, on the other hand, are very complex and require a big number of different elements. At the moment the comparison it is very shallow, as all properties of the comparison are treated equally important. In real life, the importance of different criteria of information security management framework and their suitability for small and medium enterprise vary. Therefore we use the Analytic Hierarchy Process to construct a hierarchy of information security management frameworks quality and applicability in small and medium enterprise and define the weights for each of the criteria. Weighted criteria express the importance of the criteria and executed the final comparison of alternatives (five information security management frameworks) is more realistic (similar to experts opinion) comparing to existing comparisons.

For some small businesses, the security of their information, systems, and networks might not be a high priority, but for their customers, employees, and trading partners it is very important. The size of a small business varies by type of business, but typically is a business or organization with up to 500 employees. In the U.S., the number of small businesses totals to over 95% of all businesses. The small business community produces around 50% of our nation¿s GNP and creates around 50% of all new jobs in our country. Small businesses, therefore, are a very important part of our nation¿s economy. This report will assist small business management to understand how to provide basic security for their information, systems, and networks. Illustrations.

Information security cannot be effectively managed unless secure methods and standards are integrated into all phases of the information security life cycle. And, although the international community has been aggressively engaged in developing security standards for network and information security worldwide, there are few textbooks available that

This book helps you to bring the information security of your organization to the right level by using the ISO/IEC 27001 standard. An organization often provides services or products for years before the decision is taken to obtain an ISO/IEC 27001 certificate. Usually, a lot has already been done in the field of information security, but after reading the requirements of the standard, it seems that something more needs to be done: an 'information security management system' must be set up. A what? This handbook is intended to help small and medium-sized businesses establish, implement, maintain and continually improve an information security management system in accordance with the requirements of the international standard ISO/IEC 27001. At the same time, this handbook is also intended to provide information to auditors who must investigate whether an information security management system meets all requirements and has been effectively implemented. This handbook assumes that you ultimately want your information security management system to be certified by an accredited certification body. The moment you invite a certification body to perform a certification audit, you must be ready to demonstrate that your management system meets all the requirements of the Standard. In this book, you will find detailed explanations, more than a hundred examples, and sixty-one common pitfalls. It also contains information about the rules of the game and the course of a certification audit. Cees van der Wens (1965) studied industrial automation in the Netherlands. In his role as Lead Auditor, the author has carried out dozens of ISO/IEC 27001 certification audits at a wide range of organizations. As a consultant, he has also helped many organizations obtain the ISO/IEC 27001 certificate. The author feels very connected to the standard because of the social importance of information security and the power of a management system to get better results.