S.H. von Solms

Information Security Management: A Hierarchical Framework for Various Approaches

The present article is aimed at clarifying the oft-times confusing terminology and at elucidating the various approaches obtaining to the realm of Information Security (IS) management. The IS management approaches selected for discussion in this article will specifically address those rudiments and concepts that play a key role in the assessment of the IS status of an organization. Following, a hierarchical framework will be developed in terms of which to elucidate ill-defined terms and concepts. By so doing, issues such as certification, benchmarking, guidelines and codes of practice will come under consideration. IS management approaches widely accepted in the international arena will also be mapped onto the said hierarchical framework.

A framework for information security evaluation

Abstract Information Security Management consists of various facets, such as Information Security Policy, Risk Analysis, Risk Management, Contingency Planning and Disaster Recovery; these are all interrelated in some way, often causing uncertainty and confusion among top management. This paper proposes a model for Information Security Management, called an Information Security Management Model (ISM 2 ), which puts all the various facets in context. The model consists of five different levels, defined on a security axis. ISM 2 introduces the idea of international security criteria or international security standards. The rationale behind these is to enable information security evaluation according to internationally accepted criteria. Due to the lack of internationally recognized and/or accepted information security standards and criteria, this model cannot be implemented in its totality at this time. A restricted form is implemented, forming an information security evaluation tool. This tool can be used for information security management with great success within an organization.

Some notes on ETOL-languages

In this paper we investigate the effect of adding some regulated rewriting properties to ETOL-systems. It follows that if we specify the order in which the tables of an ETOL-system must be applied, or if we add a forbidding context to the tables of the system, the generating power of the system is not increased. If a permitting context is added to the tables, then the resulting class of languages generated, coincides with a subclass of the class of context-free programmed languages.

Refereed paper: Electronic commerce with secure intelligent trade agents

Electronic commerce on the Internet has the potential to generate billions of transactions, but the number of merchants providing goods or services on the Internet will be so large that it will become impossible for humans to visit each site and decide where it is best to buy or sell goods. In this paper we develop intelligent trade agents that are able to roam a network, collect and analyze data from servers on the network and make decisions to buy and sell goods on behalf of a user. The combination of distributed-object technology and single and public key encryption mechanisms make these agents secure intelligent trade agents. We show that distributed-object technology is an enabling technology for intelligent trade agents.

The characterization by automata of certain classes of languages in the context sensitive area

A new automaton, called a contraction automaton of complexity ( n, k ), n > 0, k > 1, is defined, and several well-known classes of formal languages, which had up to date only been characterized by grammars, are characterized by this new automaton.

A path context model for addressing security in potentially non-secure environments

Many commercial computer environments have established architectures and followed directions which give rise to circumstances which are classified as non-secure in terms of traditional logical security standards. To accommodate increasing demands for security in such environments, a research project was undertaken to analyse them and propose solutions. By using context-sensitive grammars and analysing the structure of computer security models, an alternative was originated. The model is able to accommodate a wide variety of computer environments, accommodates secure environment concepts as a special case and forms a basis for automatic security evaluation and profile generation. A number of case studies illustrate the use of this model in different circumstances including wide area networks, local area networks, multiple executions in single-address spaces and multi domain resource access.

A technique to include computer security, safety, and resilience requirements as part of the requirements specification

Provisions to ensure computer security, safety, and resilience are often implemented only after a system has been developed. This leaves many potential risks that must be accounted for at huge costs at a later stage. This article takes computer security, safety, and resilience to the beginning of the systems development life cycle: the user requirement specification. Limited reference was found in the literature on how to determine the requirements for computer security, safety, and resilience. This article proposes a technique for identifying and specifying computer security, safety, and resilience requirements and including these as part of the requirement specification. By use of this technique, a complete set of computer security, safety, and resilience requirements can be identified and specified as early as possible during the development phase. This technique is based on the definition of a requirements matrix by a constraints engineer. The importance of the different computer security, safety, and resilience requirements will be rated in relation to the functional requirements, and applicable counter measures will be allocated. This will lead to justifiable costs for implementing computer security, safety, and resilience for applicable systems. The complete set of computer security, safety, and resilience requirements can be used as a reference after implementation of the system to determine whether all the computer security, safety, and resilience requirements have been accounted for.

A hierarchy of random-context grammars and automata

Abstract Random-context grammars are progressively extended to three dimensions. Random-context structure grammars that generate three-dimensional digital structures are introduced. The characterization of random-context array grammars and random-context structure grammars by two-dimensional random-context array automata and three-dimensional random-context structure automata respectively is investigated. A possible practical application of random-context structure grammars and automata in the modeling of chemical molecules is speculated on.

An object-based version of the path context model

A number of formal models have been proposed for computer security, the best known being the Bell and LaPadula model. Formal models provide a solid foundation for security, making it possible to precisely specify security requirements, to reason with mathematical assurance about security issues and to prove security properties formally. However, most security models do not realistically reflect the complexity of current computer systems. The Path Context Model (PCM) is a recent formal security model attempting to solve this problem. A number of aspects of PCM have not yet been defined precisely. This paper starts by giving a formal definition of PCM. It is then shown that it is difficult to protect composite objects—objects consisting of other, less complex objects—with PCM. This problem can be solved by modifying PCM so that every level of such a composite object can do the access checks relevant to that level of the object. This is illustrated in the last section of the paper, where an object-based vers...

Five Non-Technical Pillars of Network Information Security Management

Securing information is vital for the survival of many organizations. Therefore, information must be proactively secured against harmful attacks. This securing of information becomes more complex when such information is transmitted over networks. This paper identifies five non-technical pillars (essentials) for network security management. For each pillar a number of specific actions are specified, resulting in a check list for a high level evaluation of the security status of these 5 pillars in a networked environment.