Green Book Draft 4.0
October 18, 1993

Table of Contents

Preface ... 1
Summary of Requirements for Action ... 3
Acknowledgement ... 7
1. Introduction ... 10
2. Scope ... 11
3. General issues ... 13
3.1. Globalisation of the economy ... 14
3.2. Internal Market ... 14
3.3. Human Rights and the Protection of Communications ... 15
3.4. Social Acceptance ... 16
3.5. Human Rights and the Safety ... 17
3.6. Confidence in Communication ... 18
3.7. Management of Openness and Protection ... 19
3.8. Common Concerns of Commercial and National Security ... 21
3.9. Security and Law Enforcement ... 22
3.10. Economics of the Security ... 23
3.11. Social Recognition of Information Crime ... 24
3.12. Human Factors ... 26
3.13. Safety Critical Environments ... 26
3.14. Embedding Systems ... 27
4. Demand Related Issues ... 29
4.1. Requirements for Enterprises and Individuals ... 30
4.1.1. Agreement on Security Requirements for Enterprises ... 30
4.1.2. Security Administration ... 32
4.1.3. Security Objectives for Enterprises ... 33
4.1.4. Exploiting Innovation ... 34
4.1.5. Sectoral Specifics ... 35
4.1.6. Security Domains ... 36
4.1.7. Security Labelling ... 37
4.1.8. Administration of Access to Security Related Data ... 38
4.1.9. Security Requirements for Individual Users ... 38
4.2. Requirements for Security Functions ... 40
4.2.1. Access Control ... 40
4.2.2. Requirements for Electronic Cash ... 42
4.2.3. Requirements for Security Services ... 42
4.2.4. Digital Signature ... 46
4.2.4.1. The Individual Right to Signature ... 46
4.2.4.2. Consistency of Legal Principles for Digital Signatures ... 47
4.2.4.3. Universal Acceptance of Digital Signatures ... 48
4.2.5. Privacy enhancement ... 49
4.2.5.1. Perception of Requirements for Privacy Enhancement ... 49
4.2.5.2. The Case for the Provision of Public Confidentiality Services ... 51
4.2.6. Use of Names ... 53
4.2.7. Security of Electronically Stored Information ... 55
4.3. Requirements for the Safety of Communication Systems ... 56
4.4. Requirements for Evaluations ... 57
4.4.1. Trustworthiness of Communication ... 57
4.4.2. Motivation to Acquire Evaluated Solutions ... 59
4.4.3. Consistency of Procurement Practices ... 59
4.5. Requirements for Security and Safety Methodologies ... 60
4.5.1. Risk Analysis and Management ... 61
4.5.2. Metrics for Loss Assessment ... 62
4.5.3. Technology Assessment ... 63
4.5.4. Analysis of Audit Trails ... 63
4.5.5. Safety Specific Methodologies ... 64
4.6. Requirements for Audits ... 65
4.7. Information Valuation ... 66
5. Supply Related Issues ... 67
5.1. Supply Related Issues ... 67
5.1.1. Security Services ... 67
5.1.2. Signature Schemes ... 71
5.1.3. Confidentiality Schemes ... 72
5.2. Supply Related Issues - Security Management ... 73
5.2.1. Role of Trusted Third Parties (TTPs) ... 73
5.2.2. Key Usage ... 76
5.2.3. Key Management Service ... 77
5.2.4. Distributed-Secret Escrow Systems ... 78
5.2.5. Management Services for Names ... 79
5.2.6. The Management of TTPs ... 80
5.2.6.1. Operating Principles of TTPs ... 80
5.2.6.2. Interworking of TTPs ... 81
5.2.6.3. Interworking of Autonomous Confidentiality Services ... 82
5.2.6.4. Accreditation ... 83
5.3. Supply Related Issues - Evaluation of Trusted Solutions ... 84
5.3.1. Evaluation of Products, Systems, Services and Applications ... 85
5.3.2. International Harmonisation ... 85
5.3.3. Vendor Declarations ... 87
5.3.4. Self-evaluation ... 87
5.3.5. Evaluation of Applications ... 88
5.3.6. Evaluation of Communication Services ... 89
5.3.7. Trusted Network Management ... 90
5.3.8. Evaluation of Methods and Tools ... 91
5.3.9. Physical and Procedural Issues ... 92
5.3.10. Modifications to Evaluated Products ... 92
5.3.11. Performance Reporting for Trusted Products ... 94
5.3.12. Rationalisation of Evaluations ... 94
5.4. Maintenance of Safety and Assurance ... 95
5.5. Technological Change ... 96
6. Rights, ... 99
6.1. Legal Framework ... 99
6.2. Data held in Electronic Form ... 100
6.3. Environment ... 104
6.4. Interaction and Relationships between Private Parties ... 106
6.5. Harm ... 106
6.6. Eliminating ... 107
6.7. Legal Restrictions affecting Technical Solutions ... 108
6.8. Limitations to Liability ... 109
6.8.1. Recommendations for Liability Limiting Measures ... 109
6.8.2. Information Security Audit ... 110
6.9. Procedural ... 111
6.10. Insurance ... 112
7. Spectrum of Measures to provide Information Security ... 113
7.1. Policy Framework ... 113
7.2. Agreements ... 114
7.3. Regulation ... 114
7.4. Accreditation ... 114
7.4.1. Accreditation of Services ... 114
7.4.2. Accreditation of TTPs ... 115
7.5. Products and Services ... 115
7.6. Common Practices ... 115
7.7. Awareness ... 117
7.8. Specifications ... 117
7.9. Standards ... 117
7.10. Technology ... 118
8. Cross Impact Analysis ... 121
Annex: Recalling the Action Lines ... 140
Action line I - Development of a strategic framework for the security of information systems ... 140
Action line II - Identification of user and service provider requirements for the security of information systems ... 141
Action Line III - Solutions for immediate and interim needs of users, suppliers and service providers ... 141
Action line IV - Development of specifications, standardisation, evaluation and certification in respect of the security of information systems ... 143
Action line V - Technological and operational developments in the security of information systems ... 144
Action line VI - Provision of security of information systems ... 145
Appendix A: References ... 147
Appendix B: Abbreviations ... 148
Appendix C: Index ... 148

Preface

The Council adopted in May 1992 a Decision in the field of the security of information systems [1] comprising the development of overall strategies for the security of information systems (action plan) and the setting up of a Senior Officials Group (SOG-IS) to advise the Commission on action to be undertaken. The objective of the Decision is the development of overall strategies aiming to provide users and producers of electronically stored, processed or transmitted information with appropriate protection of information systems against accidental or deliberate threats.

The scope of the Decision foresees the following lines of action:

I. Development of a strategic framework for the security of information systems
II. Identification of user and service provider requirements for the security of information systems
III. Solutions for immediate and interim needs of users, suppliers and service providers
IV. Development of specifications, standardisation, evaluation, and certification in respect of the security of information systems
V. Technological and operational developments in the security of information systems
VI. Provision of security of information systems

The Decision is implemented by the Commission, in close association with related actions in Member States and in conjunction with related Community research and development actions.

As a step towards the formulation of the "Action Plan" identified in the Council Decision, and in accordance with the opinion of SOG-IS [2], a Green Book on the Security of Information Systems is being prepared. In accordance with the Annex of the Decision, it addresses an overall view of the requirements for action in summary form, the issues involved, and the spectrum of measures that result from an analysis of the issues.

The present document sets out the background to the development of a consistent approach to Information Security in Europe, taking into account common interests with other countries. The intention of the Commission Services in preparing the present document is to encourage a better understanding with the sector actors in the Community on Information Security issues and to develop a consensus on the requirements to be considered. It therefore does not necessarily represent the views of the Commission Services, or of the Senior Officials Group for Information Security, on the subject, but rather provides a basis for reflection and concertation with sector actors and Member States.

The Green Book represents an intermediate step towards the formulation of the Action Plan foreseen in the Council Decision.
It is intended to state the main issues related to the security of information systems in their context. A deliberate effort has been made to present the subject matter in as objective a fashion as possible. By progressively widening the consultation in the preparation of the document, the wish is to obtain a representative and balanced view of the issues and of the nature and implications of the options for action one may wish to consider. In its presentation the document intentionally avoids voicing an opinion on the framework or organisation which might be adopted to address a given issue or requirement. Such recommendations are to be included in the Action Plan.

Note on Draft 4.0

The preparation of the document comprises four successive phases, with iterative steps within each:

Phase I: Preparation of an Outline and Collection of material
Phase II: Drafting
Phase III: Informal Consultation
Phase IV: Formal Consultation

In its present form it represents an intermediate step towards Phase IV of the preparation of the Green Book.

Summary of Requirements for Action

1. Introduction

Rationale

The trustworthiness and protection of information is essential for the functioning of a modern society. Information Security threats are growing with the diversification and multiplication of communication services and the use of electronic information by business, administrations and the individual. In the last decade, the Community has been working progressively towards the creation of the Internal Market and has led a policy of liberalisation and harmonisation in the field of communications services. When the INFOSEC Decision was adopted it was recognised that the threat to information security would need a collective effort at the European level, and it set as its objective the formulation of an Action Plan to complement the national actions, in a well understood spirit of subsidiarity as far as national and internal security was concerned.
The purpose of this section of the document is to set out the critical factors for future developments and the action required to ensure trustworthy information services and applications in Europe and in its relations with other parts of the world. It formulates options for future policy and identifies which of them promises to best meet the needs of the EC in the context of international developments and trends.

2. Proposed Positions and Actions

Based on the results of the enquiry that produced the Green Book, needs for action on an EC scale have been identified. These require a concerted approach within Europe and, where possible, internationally. The following proposed positions and actions are derived from the results of the work so far.

General Position

Democratic societies engaged in the global economy need to provide for adequate levels of information security. With the growing diversity of services and applications of telematics, the security of information systems will need to evolve with the growing demand and reduce the risks of the threats to security and safety, while avoiding obstructing innovation or economic and social developments.

A. Trust Services

Proposed Positions

In the emerging information society traditional techniques of securing information, such as signatures, envelopes, registration, sealing, depositing and special delivery, need to be matched by electronic equivalents. The protection of the user, service provider, operator and the collectivity should be conserved, and the balance between freedom and responsibility not changed in an uncontrollable manner.

Service offerings need to cater for the needs for seamless information security for business, the general public, video and multimedia communications and teleworking, in the non-classified domain. The working of the Community Institutions and the EC-wide operation of public administrations of the Member States can be expected to rely on a combination of these services, as appropriate.
The definition of information crime and the rules governing the use of electronic evidence in civil and criminal court proceedings need to be harmonised within the EC to be able to address cases involving trans-European services and applications. In the absence of such harmonisation, safe havens for illegal activities can form to the detriment of the EC.

As the economy becomes global, and the interrelationship among the different actors tighter, the accepted practices and rules under which these actors operate need to be well defined and transparent, implying a coherent codification of essential practices and relations.

As Europe formulates and implements policies depending on, or affecting, information security, overall consistency demands greater attention. Specifically this relates to the new policies under the Maastricht Treaty, Internal Market, Competition, and Telecom Policies and specific actions such as Open Network Provision (ONP Directives) and Trans-European Networks (TENs).

Proposed Actions

- to provide for the setting up of trust services. Trust services include digital signature, non-repudiation, claim of origin, claim of ownership in negotiable documents, fair exchange of values, untraceability, and time stamping.
- to provide for the establishment of Europe-wide confidentiality services for non-classified information. These could include the following classes:
  > minimum IS assurance to be maintained by all service providers (level of present letter mail and telephony under national privacy legislation)
  > enhanced IS assurance for private and professional use (level of registered mail or courier delivery as needed for normal business transactions such as ordering and billing)
  > professional IS assurance as needed for recognised categories of commercially (or otherwise) sensitive information
- to establish, accredit and audit a network of Trusted Third Parties for the administration of the service provisions such as name assignment, key management, certification and directories
- to formulate a common EC-wide legal and regulatory Framework for the alignment of national conditions to meet the needs of the Internal Market and international developments in information security
- to establish the liability principles for information providers, intermediaries and value added service providers
- to put in place arbitration mechanisms to resolve liability conflicts
- to establish the common principles for legislation covering communication crime and for electronic evidence
- to develop generic codes of practice for the handling of non-classified information, including rules for security labelling
- to develop sector-specific codes of practice and base line controls.

B. International Developments

Proposed Position

In view of the rapidly evolving international communication and security scene, the security needs of European organisations and individuals must be safeguarded and the competitiveness of European industry maintained. The creation of barriers to trade and services based on the control over security mechanisms and digital signature schemes needs to be avoided. In case acceptable international solutions cannot be found, a European option should be considered.
Proposed Actions

- to work towards international solutions for information security requiring global assurance
- to strengthen the support for international standardisation
- to formulate common positions swiftly with respect to international developments, as they arise
- to consider a European option offering confidentiality and digital signature services internationally.

C. Technical Harmonisation

Proposed Positions

Vendors and service providers need to innovate to survive commercially. They have a vital interest in ensuring that their products are adequately secure and safe. Electronic products, systems, services and applications must operate to generally recognised levels of trust.

A differentiated approach to the evaluation of trusted solutions is needed which includes vendor declaration, self evaluation or formal evaluation. The choice among these mechanisms will depend on the costs and delays involved in formal certification processes, the level of assurance required and national constraints. The international character of service and product supply requires the establishment of mutual recognition of testing, validation, auditing and liability assessment.

Safety, security and quality have many commonalities: these must be exploited to reduce cost and delays in evaluations.

Proposed Actions

- to establish an international scheme for evaluation, certification and mutual recognition that provides for once-only security, safety and quality evaluations for applications, services, systems and products
- to establish the principles for an incident reporting obligation for evaluated solutions, and for their dissemination
- to establish principles for incident containment
- to establish a scheme for service provider and vendor self-evaluations and declarations
- to specify Community-wide quality criteria for the safety of systems, including methodologies for the assessment of threats, vulnerabilities, and hazards for safety critical systems
- to establish rules for the assurance of embedded systems.

Acknowledgement

The present document is the result of numerous contributions received from experts working in the framework of IBAG, SRI, the Security Investigations and SOG-IS members (over 150 contributions received). To develop the thinking on specific groups of issues, the SOG-IS Advisory Group, reinforced by other experts, was consulted and contributed to the development of the document. In a spirit of openness, qualified contributions were accepted from all parties ready to contribute and to discuss their input in the context of an international workshop that served to consolidate the views into a coherent presentation.

While the experts acted in a personal capacity, their affiliation is included in the list below as an indication of the range of experience which was drawn upon. The contributions and active involvement in the preparation of this document of the following personalities are gratefully acknowledged:

C. Amery, Zergo Consultants Ltd. (UK)
K. Ansttz, BIFOA (D)
Mr. Auer, Siemens Nixdorf (D)
G. Axelsson, Swedish Agency for Administrative Development (S)
E. Barreto, CEC DGIII/B
M. Baum, Independent Monitoring (USA)
T. Benjamin, Defence Research Agency (UK)
E. Bible, Cameron, Markby and Hewitt (B)
D. Birch, Hyperion (UK)
J. Birenbaum, France Telecom (F)
J. Blackwell, CEC DGXIII/C
C. Blatchford, Panacea Ltd (UK)
R.E. Bloomfield, ADELARD (UK)
A. Brignone, Protexarms (F)
S. Brummel, Akin, Gump, Strauss, Hauer, Feld & Dassesse (B)
A.J. Butcher, MOD - Royal Air Force (UK)
L. Cabirol, SCSSI (F)
R. Cadwallader, ENACT Ltd. (UK)
P. Carriot, F Telecom (F)
S. Castell, CASTELL (UK)
E. Cauvin, Agence pour la protection des programmes (F)
D. Cerny, Bundesministerium des Innern (D)
B.J. Chorley, NPL (UK)
J. Christensen, CEC DGXIII/C
C. Clark, IBAG (UK)
R. Clark, University of Dublin (Ireland)
B. Collins, PCSL Consulting (UK)
J-F. Cornet, ECOLORG (F)
C.J. Coumou, Coseco International BV (NL)
J.M. Court, Institute of Chartered Accountants (UK)
H. Daniel, BSI (D)
P. Daniel, GEC Marconi Secure Systems Ltd. (UK)
J. De Decker, IBM (B)
D. De Geest, ESN (B)
Mr. de Kervasdoue, CAP SESA (F)
A. de la Torre Prados, Ministerio de Industria (E)
E.R. de Lange, Ministry of Transport, Public Works and Water Management (NL)
P. de Lauzanne, GSIT (F)
B. De Schutter, Free University of Brussels (B)
M. De Soete, Philips I.T.S. (B)
T. de Vries, KPMG Management Consultants (NL)
D. De Winter, Siemens Nixdorf AG (D)
P. Dellios, Ministry of Transports and Communications (GR)
Y. Deswarte, LAAS-CNRS & INRIA (F)
G. Dietzel, CEC DGXIII/C
R. Dunkel, IBM Europe (F)
D. Duthil, Agence pour la protection des programmes (F)
G. Eisen, IABG (D)
G. Endersz, Telia Research AB (S)
R.A. English, Communications Security Establishment (UK)
A. Eriksen, Ministry of Justice (N)
P. Fagan, Secure Information Systems Ltd. (UK)
Mr. Fravezzi, Ministry of Defence (B)
A. Fujioka, NTT Laboratories (Japan)
P. Furberg, c/o Swedish Agency for Administrative Development (S)
S. Gaskill, Dibb Lupton Broomhead (UK)
M. Gasparinetti, CEC Consumer Policy Service
H. Gebhardt, CEC DGXIII/A
S. Geyres, VERILOG (F)
L. Glanert, Deutsche Telecom (D)
A. Hallan (L)
R. Hanouz, CEPME (F)
N.G.L. Harding, Health Systems Co-ordination (UK)
G. Hardy, Touche Ross & Co. (UK)
N. Harwood, BT (UK)
P. Haufman, SPRI (S)
S. Herda, GMD (D)
V. Heyvaert, Akin, Gump, Strauss, Hauer, Feld & Dassesse (B)
N. Higham (UK)
G. Hoberg, BELGACOM (B)
P. Hoving, TeleTrust S (S)
E. Humphreys, XiSEC (UK)
D. Hurley, OECD
F. Iribarne Navarro (E)
K. Iversen, Norwegian Centre for Medical Informatics (N)
E. Jahren, Ministry of Government Administration (N)
C. Jansen, Philips Crypto B.V. (NL)
M. Jones, DTI (UK)
M. Kemna, CEPIS Task Force (NL)
M. King, CESG (UK)
H.M. Kluepfel, Bellcore (USA)
P. Knopf, Swiss Mission to the E.C. (B)
T. Knowles, DMR Group Ltd. (UK)
M. Kopecky, SNCF (F)
S. Kowalski, Stockholm University (S)
H. Kurth, IABG (D)
S. Kurzban, PACE
P. Landrock, Cryptomathic A/S (DK)
J. Lang, Perihelion Software Ltd. (UK)
C. Laske, Free University of Brussels (B)
Y. Le Roux, Digital Equipment (F)
J. Leach, Zergo Consultants Ltd. (UK)
A. Legait, SYSECA (F)
O. Leiberich (D)
E. Lemmens, Programmation de la Politique Scientifique (B)
W. London, Cameron, Markby and Hewitt (UK)
W. Madsen, Computer Sciences Corporation (USA)
S. Mathews, PCSL Consulting (UK)
R.A.J. Middleton, British Computer Society (UK)
M. Miloikovitch, Thomson-CSF (F)
S. Mohammed, European Parliament
R. Moses, Information Systems Ltd. (UK)
P. Müller, Bull Ingénierie (F)
M. Nasrullah, Ministry of Transport, Public Works & Water Management (NL)
S.-I. Nilsson, ECITC (B)
J. Norman, SGS-Thomson Microelectronics (F)
M. Ohlin, Swedish Defence Material Administration (S)
T. Osvald, CEN (B)
K.W. Ott, Ott Technology Software sprl (B)
A. Parondo, ISDEFE (E)
A. Patel, Teltec (IRL)
L. Pauwels, Belgacom (B)
A. Peralta, Univ. Politecnica de Cataluna (E)
H. Peuckert, Siemens AG (D)
C. Pfleeger, Trusted Information Systems (UK) Ltd. (UK)
F. Piau, Pari Mutuel Urbain (F)
E. Pimentel Saraiva, Banco Totta & Acores (P)
D. Pinkas, Bull (F)
R. Pizer, Certification Body, UK ITSEC Scheme (UK)
D. Poelmans, EDS B nv (B)
R.I. Polis, Groupe de Management Genève (CH)
K. Presttun, Alcatel (F)
G.R. Price, Glynwed Group Services Ltd. (UK)
M. Purser, Baltimore Technologies Ltd. (IRL)
G. Rabe, Technischer Überwachungs-Verein Nord e.V. (D)
K. Rannenberg, Universitaet Freiburg (D)
R. Rehorst, Telecommunications and Post Department (NL)
K. Rihaczek, DuD (D)
E. Roback, Computer Systems Laboratory (USA)
G. Roelofsen, PTT NL (NL)
T. Roraas, Norwegian Telecommunication Regulatory Authority (N)
C. Rossi, FTI (I)
R.A. Rueppel, R3 Security Engineering AG (CH)
G. Ruggiu, Bertin (F)
G. Rumi, ETNOTEAM SpA (Italy)
M. Salmon, Thomson CSF (F)
E.H. Schäfer, Deutsche Telecom (D)
I. Schaumüller-Bichl, Genesis GmbH (A)
T. Schoeller, BSI (D)
G. Shuringa, Rabobank (NL)
H. Siebert, IBM Deutschland (D)
F. Simoes, European Parliament
R. Slegtenhorst, Organisation and Technology Research NV (B)
S. Smith, EDS B (B)
J. Sneep, COSSO (NL)
H. Strack, EISS (D)
W. Suchun, FUNDP (B)
M. Tuset (E)
R. Urry, Digital Equipment Corp. (B)
I. Uttridge, Logica Defence & Civil Government Ltd. (UK)
P. van Dijken, Shell International Petroleum (NL)
P.W.J. van Dok, Cooperative Centrale Raiffeisen-Boerenleenbank B.A. (NL)
H. van Dorp, Bazis Foundation (NL)
W. van Gils, Intercai (NL)
M. van Lith, KPMG EDP Auditors (NL)
N. van Zuuren, Prodata Systems (B)
A. Veller, Cullen International (B)
A. Verrijn-Stuart, Leiden University (NL)
L. Voorham, CEC Security Office
H. Weerd, Coopers & Lybrand (NL)
W. Whitehurst, IBM Corporation (USA)
K. Wiessing, The Dutch Government Centre for Information Security (NL)
G. Williams, ACT/BIS Information Systems Ltd. (UK)
D. Willis, DTI (UK)
S. Winkelmann, Hochschule für Technik u. Wirtschaft (D)
H. Wirth, Auswärtiges Amt (D)

1. Introduction

Rationale

Individual, corporate and national wealth expresses itself increasingly in the form of information. The growth and performance of an estimated 2/3 of the economy rely on manufacturing or services heavily dependent on information technology, telecommunications and broadcasting, and therefore depend critically on the accuracy, security and trustworthiness of information. This is of as great importance and interest for individuals as for commerce, industry and public administrations. Correspondingly, the protection of information in all its aspects, here referred to as Information Security [3], has become a central policy issue and a major concern world-wide.

The Council Decision of March 31, 1992 [4] in the field of security of information systems recognises this situation and calls for the development of strategies to enable the free movement of information within the single market, while ensuring the security of the use of information systems throughout the Community.
A consistent approach at European level could help to promote the interoperability of systems, lower existing barriers and avoid the formation of new ones between the individual Member States and with other countries [5]. Therefore, there is an urgent need to address requirements and options for action in the field of security of information systems at national, Community and international level, in close collaboration with sector actors and national governments. Any action must take into account both national and international commercial, legal and technical developments.

The key issue is to provide effective and practical security for information held in electronic form to the general users, the business community and administrations without compromising the interests of the public at large. Since information security is involved in the protection not just of property and people, but even of society itself, Member States regard it as a topic which, like defence, touches on national sovereignty.

2. Scope

Security is a pervasive subject that arises whenever information is being used in private, business and public life. The scope of the subject and a clear distinction between its different dimensions need to be kept in mind throughout. The diagram below provides a statement of the scope in aggregate form.

Structure of this document

The core of the document describes issues and the resulting requirements for action. It was felt necessary to state the problems clearly and concisely before attempting to define solutions. In this sense, the document, in its present form, represents a rather comprehensive analysis of the problems, without being a work programme. The requirements for action are stated in a general form, without implying any particular organisational responsibility.

These issues are grouped under the following headings:

General issues.
Here some of the basic issues relating to the security of information systems are described. These place security into a fast evolving world economy and state issues like rights and obligations, human rights, openness and protection.

Demand related issues.
Issues under this section are concerned with requirements, security objectives, Codes of Practice, and the needs for digital signature and privacy enhanced communications.

Supply related issues.
Under this heading, issues are identified which arise when meeting the demand for security; they include security services, Trusted Third Parties, evaluation and R&D.

Rights, responsibilities and liabilities issues.
Under this heading issues relating to the consequences of security breaches are dealt with. These include civil law and insurance.

The measures one can consider to address the issues identified are aggregated in a separate section. This presentation is used to accentuate the profile of issues which can be addressed by the same kind of measures. The diagram below depicts this structure.

3. General issues

3.1. Globalisation of the economy

Issue

The internationalisation, diversification, pluralisation and popularisation of the use of communications and information systems.

Discussion

The unprecedented increase in mobility and the provision of global communications have resulted in manufacturing, trade and leisure activities extending world-wide. Distributed manufacturing, publishing, and financial operations form the backbone of the modern economic system. Travelling and communications for business or pleasure are commonplace. This is being supported, and sometimes driven, by a spectacular development in the field of communications and by the proliferation of affordable and easy to use information systems. In the last decade the cost-performance of long-distance transmission has improved by 5 orders of magnitude.
This change is providing the basis for a rapid diversification of world-wide services customised to provide access to a full range of information services and utilities wherever and whenever required. Terrestrial, satellite and mobile networks provide the physical infrastructure, and an unrestrained number of service applications provide the customised applications.

The nature and scope of the provision of Information Security in this new world of open, multi-service and multi-media communications, with a multitude of alternatives for routing, management and access, has profoundly changed the requirements and options for Information Security (IS). Flexibility of access and openness of the network and the service environment have to be balanced against the requirement of accountability of the user and the service provider and the protection of possible third parties involved. Associated with this is a new network of responsibilities and liabilities.

Requirements

- Revision of the scope and approach to information security to reflect the new conditions, challenges and requirements brought about by globalisation
- adaptation of the respective policies and regulations
- clearly defined conventions on the expectations, responsibilities, duties and liabilities related to levels of security, harm, and good practices.

3.2. Internal Market (four freedoms)

Issue

Alignment of the national conditions relating to Information Security with the requirements of the functioning of the Internal Market.

Discussion

The Internal Market, as adopted in the Single Act, provides for the "four freedoms" within the Community, i.e. free movement of goods, capital, services and people. The legislation of Member States provides for the internal needs for information security; however, the requirements in the case of trans-European communications remain to be addressed.
Inconsistent or incomplete provisions of information security and safety represent a technical obstacle to the working of the Internal Market. The measures taken to establish confidence in systems should not adversely affect the flow of goods and services. Standardisation, certification, mutual recognition and administrative procedures should provide for the unobstructed working of the Internal Market. This requires standards that are valid but not overly restrictive on technological solutions, certification regimes that recognise the international aspects of many of the markets (e.g. in avionics, motor vehicles), the costs of certification, and the likely acceptance by the market of any certification regimes put in place.

Beyond the technical aspects, the administration of information security needs to reflect the realities of the needs of the Internal Market. Services are to be increasingly provided on the principle of one-stop and pay-per-use. Information security, as an integral part of services, needs to be provided in a seamless manner throughout the Community and support EC actors in their business world-wide.

Related are the issues of liability and insurance. The impact of different states' legal systems and the associated liability issues needs to be understood.

Requirements

- Adaptation of the existing provisions with respect to their conformance to the Internal Market policy of the EC, implying the removal of existing internal barriers and the avoidance of the formation of new technical barriers due to divergent application of security and safety rules, regulations and legislation
- provision to business and the public of solutions available throughout the Community, and preferably at the international level, respecting the one-stop and pay-per-use principles
- consistent deployment of standards and certification where critical for the working of the Internal Market
- certification and standards that reflect the needs of the different market segments.

3.3. Human Rights and the Protection of Communications

Issue

To reconcile the human right to privacy and the obligations of law enforcement to protect public order.

Discussion

Privacy and the protection of private information is considered one of the fundamental human rights of individuals and is protected to varying degrees in Member States. The European Convention on Human Rights states that everyone has a right to respect for his private and family life, his home and his correspondence. Individuals have the legitimate expectation that this right is respected and that solutions are made available to them that ensure the safeguard of this right. This applies to conversation in the home and, to a lesser degree, when telecommunications are being used. However, prevailing national solutions do not, at present, provide for trans-European services and communications, and this lack can be exploited, inter alia, by organised crime.

With the rapid growth and diversification of communication services the rights and duties of individuals and law enforcement are being reviewed and redefined, e.g. FBI-supported legislation and the proposal of the government to provide US business and citizens with cryptographic devices including explicit provision for intercept by law enforcement agencies. As the safety and security of the individual provided by the process of law and order is also related to human rights, reconciling these objectives represents a delicate political issue. The diagram below gives an overview of international, Community and national responsibilities for different application categories.

Requirements

A common approach defining rights, responsibilities and duties of individuals, business and the authorities.

3.4. Social Acceptance of Identification and Authentication Methods

Issue

To reconcile the human right to privacy and protection with the use of identification and authentication methods for access control, authentication and accountability.
Discussion
The use of biometric methods and smart cards is technically feasible, and becoming more economically feasible, as an identification and access control technique. Biometric methods rely on a system of machine recognition of a set of personal characteristics to verify the identity of an authorised user in order to allow access to some physical environment. Such personal characteristics include hand-written signatures, fingerprints, voice prints, machine phrenology, lip prints, response of the skeleton to a physical stimulus, hand geometry and retinal patterns. Many other personal characteristics and recognition techniques are being investigated by researchers. Some of these affect the human right to privacy more than others, and some are socially unacceptable. As an example, the retinal blood-vessel pattern of a human eye (retinal vasculature) is highly characteristic of the individual. A typical system might work as follows. The individual is required to look into an optical device and, through a process of optical adjustment, fixate on a crosswire, whereby the recognition machine will locate the fovea of the individual and, scanning with a low-intensity infra-red beam, detect the nodes and branches of the retinal pattern falling within the scanned area. The measured pattern is compared with the stored pattern of the individual, and access is granted or denied depending on the result of the comparison. This method of machine recognition may or may not be considered socially acceptable, on the grounds of hygiene, because of the type of information being stored about the individual (a record of which may be built up that may reveal other information relating to a person's health condition), or because of the general problem of protection of medically relevant information. There are systems under trial for the recognition of human profiles, e.g. the human face. Again, these systems may not in general be socially acceptable, and the issue of privacy and human rights may come into play. The use of voice-prints has been introduced in Australia and does not require the consent of the persons concerned. It is used to scan calls for individuals.

In addition to biometric controls, the role of smart cards containing megabytes of personal data may potentially represent an issue. Even a magnetic stripe on a passport or national identity card may contain around 200 characters of information. Security and privacy controls should reflect national conventions and practices. Smart identity cards and national identification numbers may serve as conduits to greater amounts of personal data contained in databases. Member States treat such technology differently. As identity cards and passports transition to machine-readable embedded chips and magnetic/optical stripes respectively, privacy and security controls must be incorporated to prevent abuse of the personal data therein.

Progress in bio-technology raises new questions as to the definition of privacy and as to the rights of the individual over information relating to his person and the assurances required for its use. Information relating to genetic defects is of obvious sensitivity and implies corresponding measures for protection. Work may need to be undertaken to set out a clear distinction between things that are biometric and things that are medical. At the present time there is low confidence by the general public in the honesty of commerce or government in the field of bio-technology.

Requirements
- clarification of the ownership of biometric data and of the privacy issues related to the use of biometric data
- agreed classification of biometric data and conditions requiring secure handling of such data
- definition of the rights and responsibilities of individuals, business users, corporations and administrations using biometric techniques.

3.5. Human Rights and the Safety of Systems

Issue
To reconcile the human right to expect the supply of goods and services that are not life-threatening with the vendor's commercial need to supply goods and services that exploit information systems in safety-critical functions.

Discussion
Safety-critical systems differ from security-critical ones in that if they fail, death or serious injury to people may result. The law treats the liability of suppliers in this situation differently from that where information is lost or property damaged: suppliers are held strictly liable. Codes of practice for the development of safety-critical systems exist in order to reduce the chance of failure, and design techniques are invoked to analyse all possible hazards. Nevertheless, risks remain. At a Community level, harmonisation of such codes of practice and design techniques would enable citizens to rely on a consistent level of safety in any Member State, and it would reduce the costs of developing codes of practice and design techniques in each country. Community-wide procurement would be facilitated, as would the development of safety-critical systems by Community-wide consortia.

Requirements
- Community-wide standard for design practices and codes of conduct
- harmonised legal environment for vendors and users of safety-critical systems.

3.6. Confidence in Communication Systems and Confidence in Services

Issue
To establish confidence in communication services and systems for all the parties involved (users, public, service providers etc.). This includes confidence in the general ability of the technology as well as confidence in specific solutions and the way they are managed.

Discussion
Confidence in the security and safety of communication services and systems is a basic requirement if regulators are to discharge their duties, if service providers and vendors are to be able to operate in the communication market, and if consumers and users are to benefit from the technologies.
In considering confidence, we need not only to address it from an idealised objective viewpoint but also to take into account the behaviour of users, their perception of risks and its volatility. It might take only one incident to undermine user confidence, with substantial financial and political repercussions, e.g. reluctance to use air travel or rejection of certain makes of cars. Confidence is therefore a key notion. It is achieved through the integration of disparate sources of evidence: from the process used to develop the system, from properties of the system as revealed by analysis and testing, and through experience with the particular system and other similar ones. The confidence in a service or system should be rigorously and scientifically based: the confidence should not be misplaced. There is a need to understand this integration of evidence and engineering judgement and to develop procedures and techniques for it.

An important contributor to confidence is the experience with the system under consideration and similar systems. While many suspect that software and design errors are important factors undermining confidence in systems, this is normally supported by anecdotes rather than by statistically significant evidence. There is a need to establish what dependability is being achieved in practice, the relative importance of different parts of the computer systems, and how the dependability of computer systems compares with that of other components in the wider system. Mechanisms should be put in place for feeding this data back to the development of systems and for providing early warning of problems before these develop into incidents. Ideally, the experience with systems should be related back to the techniques and procedures used to develop them. There is also the issue of how confidence in a service or system can be expressed and communicated.

While independent, diverse viewpoints are undoubtedly important in the verification and validation of systems and in motivating vendors and service providers, the issue of whether these practices need to be codified into formal requirements for third-party evaluation and certification needs careful consideration and evaluation of the costs, risks and benefits. The alternatives of self-evaluation, vendor declarations, and of using other mechanisms such as liability and the insurance market, may be more appropriate.

Linked to the concept of confidence is the need to anticipate whether a system could potentially meet the requirements, and to prevent the development of unassurable systems. It may be possible to develop simple rules (e.g. the notion of claim limits used in parts of the nuclear industry to disallow claims of a failure probability lower than 10^-5 per demand for a single system) that, while not restricting innovation unduly, delimit what is assurable.

Requirements
- real-time indication for the user of the trustworthiness of a service or system
- feedback mechanisms for security and safety related incidents involving communications
- independent assessment of the levels of trustworthiness being achieved
- investigation of the reasons why the security and safety of systems are compromised
- understanding of the relative importance of the different system components and of the components of the wider system and usage context
- methods/frameworks for evidence reporting
- role (costs, benefits) of certification in providing confidence and communicating this in the market place
- establishment of agreed claim limits to establish assurability.

3.7. Management of Openness and Protection

Issue
Openness and protection are partially contradictory user requirements, which need to be reconciled depending on the specific circumstances. The user must be able to define the security controls based on need, consistent with national, international and regulatory constraints.
These controls need to be managed in a way that provides protection in an open environment and does not unduly impede the functioning of the service or its usage.

Discussion
In considering management, one must introduce the concept of a user of an information system and the role that they perform in using that system. At any time the user of an information system will be performing a role, which could be one of: system owner, administrator, auditor, investigator, data provider or user. It is quite possible for the requirements of these roles to be in logical conflict with each other. Openness of access may be in conflict with protection from general availability. There may also be national, international or regulatory constraints which impose role requirements beyond those needed to satisfy the operational use of the information system. An open environment must be provided with controls that are capable of providing protection without technical limitations.

A single, isolated computer may be effectively protected, as far as confidentiality is concerned, against threats from outside by physical separation and human administration. This does not apply in the context of telematics. Telecommunications and telematics applications are increasingly being designed for maximum openness and inter-operability, since the utility of ITT&B-based services and applications depends largely on the possibility of users world-wide being able to freely inter-operate over communication links. Major international efforts are underway to establish standards permitting this, in particular through Open System Interconnection (OSI), Open Distributed Processing (ODP) and Open Network Provision (ONP). The acceptance and use of telematics services depends on meeting the justifiable interests of all parties: in particular, on being able to choose trade-offs between "openness" and "protection". In recognition of this, increasing attention is being given to the provision of information security services and techniques.

The comparison with the way this dilemma is traditionally addressed leads to some observations which also apply when information is handled electronically. These include, for example:
- The user/originator requires the freedom to decide on the degree of openness/protection depending on his appreciation of the requirement or the applicable rules of conduct for the given activity.
- Profiles exist setting out the needs for both openness and protection that have to be supported. A single-level profile will not support the requirements of all the users involved, and there may need to be mechanisms which allow for negotiation between profiles to determine temporarily agreed common profiles.
- Infrastructure, services, applications and organisation have to be adapted to provide the openness/protection.
- To the role holders, both the visibility and the transparency of the degree of openness/protection are crucial.
- Accountability for the application of appropriate levels of openness/protection requires objective records, which are themselves protected.

The management of the openness and the protection of information systems requires the definition of security domains. These correspond to the security policies which are in force for the information systems in use, as modified by the constraints of the role holders. It should be remembered that computers which are not directly under human supervision may form part of the security domains involved.

The development of a generic framework for the management of open and protected communications in a user/business oriented environment must include:

1. Reinforcement of the options to define security domains
Terminal users, servers and other computer-based resources link into business processes to provide information domains which require corresponding security domains. Such facilities must not only promote the correct degree of openness, but must also provide filters against unauthorised access. This needs to be possible not only at one site, e.g. on LAN-based applications, but also via MANs and other communication links. The definition and management of such security domains needs to be possible either from within the user group or provided by a trusted third party. Virtual Private Networks have some of these features, but they would also need to be available in the context of public network based applications.

2. User interface for the management of openness/protection
Normal usage requires the ability to communicate either with specific correspondents, a select group, an open group or indiscriminately, the choice being determined by the nature of the information, its function and the applicable rules. The user interface needs to cater for this, as do the underlying services and applications.

3. Objective records and procedures for the accounting of open/protected transactions
Processes must be available that provide non-refutable evidence of the origin of, and delivery of, information to all involved partners.

Requirements
Generic framework for the management of open and protected communications in a user/business oriented environment:
- definition of agreed security domains
- user interface for the management of openness/protection
- objective records and procedures for the accounting of open/protected transactions.

3.8. Common Concerns of Commercial and National Security

Issue
Information security is a common concern of business, administrations, citizens, law enforcement and defence.

Discussion
Though not to the same degree, commercial and personal information security shares many aspects with defence and other classified governmental affairs. This provides an opportunity for commercial and personal applications to build on experience and expertise from the defence and classified government area.
The reverse is also true. As commercial security advances and becomes available on a large scale, governments and defence organisations may wish to take this body of experience into account. In addition, governments themselves are, of course, in need of adequate protection for their non-classified information and will wish to make use of public services of this kind.

Requirements
- common requirements of business, citizens and authorities to adequately protect commercial and personal information and its communication.

3.9. Security and Law Enforcement on an International Scale

Issue
Crime is exploiting weak information security to further its ends. Strong information privacy may also be used to escape investigation by law enforcement.

Discussion
Crime, and here organised crime and terrorism in particular, relies on weak information security to prepare and execute its operations. As quite powerful means for information security have been published and are freely available, their increased use in protecting such operations is perceived as a growing problem. Public authorities have in the past used legal and regulatory powers to restrict the use and dissemination of related technologies. With the growing availability of computing power and open networks, this approach is becoming less effective, as organised crime, contrary to the legitimate user, feels free to use products that are not authorised. The overall result is that business is seriously constrained in meeting its security requirements, particularly in international communications and in its relations with other organisations. If business requires the legal and regulatory powers to relinquish total control over these security-related technologies, business has a duty of care to manage and control their use for its commercial and business purposes, including the policing and auditing of management environments. Correspondingly, authorities maintaining control carry the responsibility for the potential damage to business, individuals and the economy at large.

Privacy and security are impacted by the growth in interconnected law enforcement/criminal information systems. There is an increasing availability of criminal and law enforcement information from a variety of national databases (e.g. the United Kingdom's Police National Computer 2 (PNC2), Germany's INPOL, France's fichier des personnes recherchées (FPR), the United States' National Crime Information Center (NCIC), Canada's Canadian Police Information Centre (CPIC) and Australia's Law Enforcement Access Network (LEAN)) and international databases (e.g. the Schengen Information System, INTERPOL's X.400 distributed database network and the EUROPOL/Trevi Information System). Incorrect information can lead to false arrests and a general denial of civil liberties. Non-vetted information can result in individuals being arrested and/or investigated for spurious and non-criminal reasons such as political, trade unionist and religious activities.

Requirements
- effective, internationally agreed, economic, ethical and usable solutions to meet business, administration and personal needs
- mechanisms for authorised interception for law enforcement
- reporting of incidents and crimes adjusted to the conditions of the Internal Market
- equipment, software and an infrastructure of trusted third parties.

3.10. Economics of the Security of Information Systems

Issue
The use of information security impacts on costs, performance and availability. It may also be used to achieve a competitive advantage.

Discussion
The cost of security is an integral part of the cost of ownership of an information system, namely that without security the user's system is at risk. The cost of protection against breaches of security needs to be commensurate with the costs (both direct and indirect) that may be incurred from a breach of security.
A security breach may have short-term (and perhaps localised) implications such as loss of sales and revenue, fraud or theft. It may also have longer-term (and wider) impacts on business communities through loss of confidence and consequential loss of business. The costs of detection, resistance and recovery can be both tangible and high, and although there are techniques available to quantify risks, there are no generally applicable methods for estimating the potential costs arising, for example, from denial of service or loss of integrity.

The provision of security measures may also make systems harder to use and may constrain overall performance. However, where the security risk is high enough to cause an unacceptable level of compromise, leading to considerable commercial and financial loss, security measures must be given a high priority commensurate with the nature and value of the business in question. If information security is too expensive, clumsy, not effective in the context of actual usage or not available in time, its use is avoided and high risks are taken until something drastic happens. The issue for information security is therefore not only to be effective but also to address the other requirements which impact the acceptability and application of information security. In particular, countermeasures may have to be put in place that meet specific regulatory or legislative requirements, with associated mandatory assurance needs.

To a business, securing information can be thought of as being like an insurance policy: the cost of protection must be balanced against the likely consequences of the perceived threat occurring. This cost is made up of a number of elements, including:
- the life-cycle costs of implementing the countermeasures in relation to the likely and worst-case impact on business performance
- liability of management for incidents and the relationship with customer confidence
- legal costs.
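The insurance-policy view above can be made concrete with an annualised loss calculation. The following is an added illustration, not text or code from the Green Book: it treats each threat as an expected number of incidents per year times a single-incident loss (direct plus the longer-term indirect loss the section mentions), charges each countermeasure its life-cycle cost plus a penalty for the usability and performance it takes away, forces in measures that regulation makes mandatory, and then selects the remaining measures greedily while their net benefit stays positive and the budget holds. All threat names, rates, loss figures and countermeasure costs are constructed for the example.

```python
"""Cost of protection versus expected loss (added example; figures are constructed)."""
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    annual_rate: float    # expected incidents per year
    direct_loss: float    # short-term loss per incident: fraud, theft, lost sales
    indirect_loss: float  # longer-term loss per incident: lost confidence, lost business

    def annual_loss(self) -> float:
        # annualised loss expectancy = rate x single-incident loss
        return self.annual_rate * (self.direct_loss + self.indirect_loss)


@dataclass
class Countermeasure:
    name: str
    annual_cost: float           # life-cycle cost spread over one year
    usability_penalty: float     # cost of reduced performance / harder use
    rate_reduction: dict         # threat name -> fraction of incidents prevented
    mandatory: bool = False      # required by regulation regardless of return


def annual_loss_with(threats, measures) -> float:
    """Residual annual loss once the given measures are in place.

    Reductions compose multiplicatively: two measures that each stop half of
    the incidents leave a quarter, not none."""
    total = 0.0
    for t in threats:
        remaining = 1.0
        for m in measures:
            remaining *= 1.0 - m.rate_reduction.get(t.name, 0.0)
        total += t.annual_loss() * remaining
    return total


def net_benefit(threats, chosen, candidate) -> float:
    """Loss avoided by adding `candidate` on top of `chosen`, minus its full cost."""
    before = annual_loss_with(threats, chosen)
    after = annual_loss_with(threats, chosen + [candidate])
    return (before - after) - (candidate.annual_cost + candidate.usability_penalty)


def select_countermeasures(threats, candidates, budget):
    """Mandatory measures first; then the best remaining measure while it pays
    for itself and fits the budget. Returns (chosen measures, spend)."""
    chosen = [m for m in candidates if m.mandatory]
    spent = sum(m.annual_cost for m in chosen)
    pool = [m for m in candidates if not m.mandatory]
    while pool:
        best = max(pool, key=lambda m: net_benefit(threats, chosen, m))
        gain = net_benefit(threats, chosen, best)
        if gain <= 0 or spent + best.annual_cost > budget:
            break  # not worth it, or unaffordable: stop here
        chosen.append(best)
        spent += best.annual_cost
        pool.remove(best)
    return chosen, spent


# Constructed sample data for a small online-sales business (not from the document).
THREATS = [
    Threat("payment fraud", 2.0, 40_000, 20_000),        # ALE 120 000
    Threat("customer data leak", 0.2, 50_000, 200_000),  # ALE  50 000
    Threat("denial of service", 1.0, 10_000, 5_000),     # ALE  15 000
]
CANDIDATES = [
    Countermeasure("audit log review", 15_000, 0, {"payment fraud": 0.3, "customer data leak": 0.3},
                   mandatory=True),                       # regulatory requirement
    Countermeasure("transaction signing", 30_000, 5_000, {"payment fraud": 0.8}),
    Countermeasure("encrypted customer database", 20_000, 2_000, {"customer data leak": 0.9}),
    Countermeasure("redundant network link", 25_000, 0, {"denial of service": 0.7}),
]
BUDGET = 80_000


def worked_example():
    chosen, spent = select_countermeasures(THREATS, CANDIDATES, BUDGET)
    return [m.name for m in chosen], spent, annual_loss_with(THREATS, chosen)


if __name__ == "__main__":
    names, spent, residual = worked_example()
    print("unprotected annual loss:", annual_loss_with(THREATS, []))
    print("chosen:", names, "spend:", spent, "residual loss:", round(residual))
```

The redundant link is rejected even though it is effective: its annual cost exceeds the loss it avoids, which is the "too expensive, its use is avoided" case from the discussion. The mandatory log review is kept although, judged on return alone, it would be a marginal choice.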
An important experience from the past two years shows that, in commercial applications, the aspects of cost and ease of use are critical for the introduction of information security. For this reason a number of enterprises, including many governments, are looking to procure Commercial Off The Shelf (COTS) security products to meet their needs, rather than developing bespoke systems. The unit cost of security is affected by market volume. Market volume is unlikely to be achieved without commoditisation of security products to the point where they are part of the IT infrastructure rather than a separate cost factor (on cars, ABS was expensive until it became generally fitted). High volume and commoditisation can be achieved by:
- the provision of a common architecture and security building blocks which can be used across the widest possible community, so that low prices can be achieved
- development of world-wide standards for secure systems
- raising awareness of security risks in order to stimulate demand
- common or mutually recognised security evaluations world-wide
- vendor self-certification, with appropriate liabilities
- agreed protection levels with corresponding sets of protection measures (to focus products onto common needs); current work on baseline controls could provide a basis for an agreed minimum protection level, and other protection levels may be needed for more sensitive or critical information
- separate security evaluation criteria and methods, which may need to be developed to allow low-price, low-assurance assessments to be carried out.

Requirements
- IS-to-cost techniques for business and private users
- incorporation of good information security design practice in the development of products and services
- definition of information security as a business and marketing factor
- identification of acceptance levels for insurers, regulators and the commercial courts
- specification of the duties and responsibilities of parties to the use of information systems and their security requirements
- security architecture and "building blocks" specifications and standards, with a view to minimising the cost of providing commonly needed levels of security.

3.11. Social Recognition of Information Crime

Issue
Negligence, ignorance and recklessness are some of the causes of many security breaches and create the opportunity for information crimes.

Discussion
Information security breaches, like failures to observe safety rules, can in many instances be attributed to a lack of care or to ignorance. This is compounded by the fact that the loss of immaterial goods, for example information, is not considered as serious as the loss of material goods. This is due in part to the fact that electronically stored information can be reproduced at close to zero cost without the loss of the original. Stealing information is therefore often considered a gain for the thief without a loss to the owner. It is perceived by many to be a game rather than a real problem, because people are unable to relate the electronic world to the real one. This has the double effect of inciting negligence by the owner of the information and little concern for the illegal acquisition of information.
Because of the widely practised backing-up of information resources, this applies even to the intentional or accidental destruction of information. There is much work in establishing and reinforcing "ethical principles" as applied to specific actions of information ownership, creation, dissemination, etc. These need to be related to the sector actors, their control perspective and the assets over which they exercise either explicit or implicit authority. This needs to be related to codes of practice and conduct, legislation and regulation, to establish the extent to which protection is dependent upon a formal or informal control environment or can rely on the enhancement of ethical and professional standards. Changes to traditional programming techniques have made it possible for non-IT professionals to apply programming and systems analysis methods. In many smaller enterprises such work would often be done by non-IT professionals.

Two examples of computer crime illustrate the diversity of situations which may arise:

Example 1
In a German company (belonging to the "Association for Security") a programmer, dissatisfied with his salary, caused damage by means of a specific computer program. This program modified the data of a database by randomly controlled write operations. The program was intricately hidden among other program parts. Within two years the database became more and more defective and damaged. The costs of the damage and of reconstructing the database were about 500 000 ECU.

Example 2
In an office of the German Government a large computer system, comprising various storage means and terminals, was installed. Suddenly the computer execution times and the response times became much longer than expected. After a difficult investigation it turned out that a programmer, who had founded together with his wife a mail-order shop for photo equipment, had done his complete accounting, mailing, etc. for his shop on the computer in a hidden area. He had camouflaged or suppressed the logging of this program. He caused damage of about 100 000 ECU.

Requirements
- education and training on the information security requirements and concepts needed to operate in a secure manner in the Information Age
- clarification of "Info-Ethics" for the professional and individual user in its relationship to information security
- clarification of the responsibilities of the sector actors in general and in their relations with each other, with particular reference to open and distributed applications.

3.12. Human Factors

Issue
Human interference with information systems constitutes the biggest risk factor to security and the most difficult to address.

Discussion
The largest potential threat to IT systems arises from the people involved in them, be they designers, programmers, operators or users, and more security breaches are caused by human error, often by well-intentioned people, than by any other cause. Apart from providing fool-proof systems and services, there is thus a need for organisations to give due consideration to the non-technical techniques which they should consider to meet this threat. Such techniques could come under the heading of personnel policies for staff and users: positive vetting, removal on notice, monitoring changes in lifestyle, avoidance of collusion, job organisation, contracts of employment, etc., and the role of good supervision. Allied to this is the need to emphasise that controls in a system must relate not only to the technical mechanisms but to the system overall, including the clerical and manual workforce. And, of course, they must relate to the overall objectives of the organisation. "Security is an attitude of mind, practice and discipline."

Requirements
- adjustment of personnel management practices and organisational procedures to reduce the vulnerability to the actions of staff and other people
- greater use of non-technical management controls.

3.13. Safety Critical Environments

Issue
Protection of information in safety-critical environments.

Discussion
Safety and security have a common technological basis but differ in their objective. In complex systems there is in many cases a duality of objectives: safe systems need also to be secure; the reverse is not necessarily the case. Safety is defined in terms of hazards and risk. A hazard is a set of conditions (a state) that can lead to an accident, given certain environmental conditions. The analysis of the safety environment involves identifying the hazards within a safety-critical environment and then either verifying that hazardous states cannot be reached or that the risk is acceptable. Risk is defined as a function of the probability of a hazard occurring, the probability that the hazard will lead to an accident, and the worst potential loss associated with such an accident. Risk can be diminished by reducing any or all of these factors, and there are safety engineering techniques that focus on each.

There is an increase in the use of information systems within various areas of application which are considered as part of a safety-critical environment, for example in the area of healthcare (e.g. medical databases), air traffic control, transportation of hazardous and dangerous goods, industrial processes etc. The increased reliance on electronic information in these various areas of application, specifically related to the control and management of safety, has resulted in an increased need for the protection of the information systems supplying such information. Therefore the protection of information systems used in safety-critical environments is a factor to be addressed when considering hazards and associated risks in such environments. Consideration needs to be given to the common requirements of security and safety, common methods for analysing threats, vulnerabilities and hazards, and the role of security evaluation for safety-critical systems.
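The two analysis routes named above, verifying that hazardous states cannot be reached and, failing that, computing the risk, can both be shown on a toy controller. The following is an added example, not part of the Green Book: it models a heater behind an access door as a small state machine, searches every reachable state for the hazard "door open while the heater is on", and then repeats the search with an interlock added and with an attacker who can spoof the door sensor that the interlock relies on. The plant, the events and the risk figures are constructed for the illustration; the point it makes is the section's own, that a safe system also has to be secure.

```python
"""Hazard reachability for a toy heater/door controller (added example; plant is constructed)."""
from collections import deque

# A state is (physical door, door reading seen by the controller, heater).
INITIAL = ("closed", "closed", "off")


def is_hazard(state) -> bool:
    door, _reading, heater = state
    return door == "open" and heater == "on"


def transitions(state, interlock: bool, attacker: bool):
    """Events possible from `state`, as (event, next_state) pairs.

    interlock: the controller refuses to heat unless it believes the door is
               closed, and cuts the heater when the door opens.
    attacker:  the sensor input to the controller can be forged.
    """
    door, reading, heater = state
    succ = []
    if door == "closed":
        # an honest sensor follows the physical door
        succ.append(("open_door", ("open", "open", "off" if interlock else heater)))
    else:
        succ.append(("close_door", ("closed", "closed", heater)))
    if heater == "off" and (not interlock or reading == "closed"):
        succ.append(("heater_on", (door, reading, "on")))
    if heater == "on":
        succ.append(("heater_off", (door, reading, "off")))
    if attacker and reading != "closed":
        # integrity of the information system's input is lost: the controller
        # is told the door is closed although it is open
        succ.append(("spoof_sensor", (door, "closed", heater)))
    return succ


def find_hazard(interlock: bool, attacker: bool):
    """Breadth-first search of the reachable state space.

    Returns the shortest event sequence that reaches a hazardous state, or
    None when no hazardous state is reachable (the safety proof for this model)."""
    seen = {INITIAL}
    queue = deque([(INITIAL, [])])
    while queue:
        state, path = queue.popleft()
        if is_hazard(state):
            return path
        for event, nxt in transitions(state, interlock, attacker):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [event]))
    return None


def risk(p_hazard: float, p_accident_given_hazard: float, worst_loss: float) -> float:
    """Risk as the document defines it: each factor is a separate lever for reduction."""
    return p_hazard * p_accident_given_hazard * worst_loss


def summarise():
    return {
        "no interlock": find_hazard(interlock=False, attacker=False),
        "interlock": find_hazard(interlock=True, attacker=False),
        "interlock, spoofed sensor": find_hazard(interlock=True, attacker=True),
    }


if __name__ == "__main__":
    for label, path in summarise().items():
        print(f"{label}: {'unreachable' if path is None else ' -> '.join(path)}")
    # constructed figures: hazard once per 1000 demands, accident in half of
    # those, worst loss 2 000 000
    print("risk per demand:", risk(1e-3, 0.5, 2_000_000))
```

With the interlock in place the search exhausts the state space without meeting the hazard, which is the "verify that hazardous states cannot be reached" outcome. Allowing the sensor reading to be forged makes the hazard reachable again through the interlock itself, so the hazard analysis has to treat the integrity of the controller's inputs as a safety factor, not only as a security one.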
Requirements

- Common approach to the handling of security and safety critical requirements
- Methodologies for threat, vulnerability and hazard analysis for the protection of information systems used in safety-critical environments
- Methodologies for the design, development and procurement of safety critical systems, covering project management, development environment, auditing of process, configuration management and change control
- Common approach to security evaluation of information systems in safety-critical environments
- Common approach to information systems recovery in safety critical environments.

3.14. Embedding Systems

Issue

There is a marked trend to embed information systems in other products. This raises particular security and safety issues.

Discussion

Increasing use of computers and information processing is occurring in a manner that incorporates information/computers into other products to make those products more usable, flexible, etc. These embedded systems, which are usually hidden from the user, depend upon the accuracy of the programs they contain and of the information inputs/outputs to preserve the usefulness of the products in which they are placed. Failure of the processor or corruption of the programs or information contained may cause failure or destruction of the device or hazard to the user.

Embedded systems are already being used in automobiles for controlling ignition and carburettor systems or braking systems, in television sets and VCRs, in microwave ovens, and so on. As embedded systems proliferate they create potentials for physical hazard to users beyond simple loss of the functionality of the devices in which they are embedded. The potential will also exist that such embedded systems could constitute a hazard to the well-being of bystanders or property. Security hazards can be introduced quite unintentionally.
For flexibility reasons, suppliers of communication systems are moving towards firmware that can be installed in the field. They may thereby overlook the fact that such a facility may create an undefined platform. IEEE standard 1149.1 calls for standard test access ports and also foresees the possibility of remote diagnosis. It is therefore possible to extract data flowing between the components on a printed circuit. To some extent, liability laws will cover product failures which cause damage to users. However, there may need to be some added means of ensuring the reliability of embedded systems and the integrity of the systems as they leave the factory.

Requirements

- Methods of testing that enable standards of reliability to be ensured, including tests to destruction where appropriate
- Approach for the certification of safe products
- Definition of requirements for fail-safe system architectures and implementations
- Anti-tampering and protection specifications and standards
- Quality label that indicates the quality level of the embedded system
- Awareness among designers of the potential impact of innovation on the validity of test technology.

4. Demand Related Issues

4.1. Requirements for Enterprises and Individuals

4.1.1. Agreement on Security Requirements for Enterprises

Issue

Identification of real world security requirements and objectives for business and administration. The derivation of security requirements from business requirements is complex and not well understood.

Discussion

The protection of information systems must include all relevant aspects. Consideration must be given to requirements from the viewpoint of the enterprise, taking into account corporate and organisational plans, goals and strategies of the business or administration. Requirements at this level can then be translated into "Security Objectives": why the security functionality is required, as it applies to the operation of the business or administration environment.
There are two elements to this:

- identifying business requirements which have a security dimension
- relating that security dimension to security objectives.

These security objectives then need to be supported by a definition of the security functionality and related services necessary to support the user/business. The security model has not included legal, accounting or regulatory requirements, which may be imposed upon enterprises rather than forming an integral part of the enterprise requirements.

Given the complexity and diversity of user/enterprise requirements for such protection, it is necessary to classify the requirements in some structured way consistent with real world business and operational environments. The protection of information systems needs to consider the enterprise requirements of the business. These requirements include not only functionality that is owned by the enterprise but inter-enterprise requirements as well. It must consider the functionality and assurance of IT building blocks, end user applications, integration enablers (such as electronic mail), operating systems, communication services and protocols, and basic hardware and software platforms. The balance of functionality (what it does) and assurance (how well it does it), both generic and application specific, will determine the extent to which electronic information systems are accepted as an integral part of both the public and corporate IT infrastructure that underpins business actions.

The prime requirement for any secure system must be a set of architectural principles that can be effectively translated into an overall design framework. Secure systems must be created at different grades of assurance from a set of policies, standards and procedures. Specific security requirements relating to open systems will come from a threat assessment and risk analysis, which will form part of the overall system security policy process.
The cost of security is an integral part of the cost of ownership of an IT system: without security the user's system is at risk. The cost of protection against breaches of security needs to be commensurate with the costs (both direct and indirect) that may be incurred from a breach in security. A security breach may have short term (and perhaps localised) implications such as loss of sales and revenue or fraud. It may also have longer term (and wider) impacts on business communities through loss of confidence and consequential loss of business.

The cost of detection, resistance and recovery can be tangible and high, and although there are techniques available to quantify risks there are no generally applicable methods for estimating the potential costs arising, for example, from denial of service or loss of integrity. The provision of security measures may also make a system harder to use and may constrain overall performance. However, where the security risk is high enough to cause an unacceptable level of compromise, leading to considerable commercial and financial loss, then security measures must be given high priority commensurate with the nature and value of the business in question.

Sectoral requirements vary widely, as do requirements by size of enterprise within a sector. Sectoral requirements may be varied by regulation, bilateral international agreements, general trading agreements or conventions.

Increased demand for electronic trading from all kinds of businesses, in both the public and private sector, will place requirements for security on the communal service infrastructure that provides the capability for such business activities. The regulatory and legal environment within which such service organisations work will become a factor for economic growth in the community, and security of service provision an element of such services.
Requirements

- Taxonomy and directory of user requirements and security objectives derived from experience with practical applications.

4.1.2. Security Administration

Issue

Security administration operates within the overall management. It should not compromise its mission.

Discussion

Security administration is an indispensable function for the normal working of any organisation and falls within the "control" aspect of management's activities. The function's objectives will be to ensure the existence and maintenance of security of:

- hardware, firmware, software
- personnel
- communications and networks
- physical environment.

It will also be concerned with disaster recovery and contingency planning; compliance with legislation such as data protection and privacy laws; and maintaining auditability. Corporate governance issues are now starting to require directors of listed companies in the UK to state publicly whether they consider that their companies' system of internal control has been working, and this specifically includes information security considerations.

Security administration represents a non-negligible cost factor in an enterprise. It may also unduly restrict personnel in doing their job. Therefore, security administration and management needs must be reconciled. Personnel in the security administration function need not only to have adequate awareness, information and training in order to recognise threats and vulnerabilities and to be aware of appropriate counter-measures, but also to understand the enterprise's mission.

Management is responsible for reviewing audit reports and taking corrective action where necessary. Audit is responsible for ensuring that security technology has been implemented in accordance with the organisation's security policy. Specific items to be considered under this area also include control over safety critical and process control information, security logs, and the need for real-time alarms to detect intruders, where appropriate.
It is important to be realistic about controls and not overlook simple matters such as the possibility of passwords being sold.

Requirements

- Guidelines for the establishment of a security administration function
- Recommendation on moving towards commonality of laws on data privacy and protection, particularly relating to individuals
- Means to provide increased awareness and relevant education and training
- Guidelines for consideration of balanced security, taking account of the level of risk in different areas (physical, personnel, hardware, software, data, etc).

4.1.3. Security Objectives for Enterprises

Issue

Definition of Security Objectives for enterprises.

Discussion

A security objective is a description of what security the enterprise is trying to achieve, eg why this security control/function is wanted. It is a mission statement of the user/enterprise which describes why an aspect of security is needed. It is a user/business target or purpose to which security is being addressed. For example, consider the subject of data integrity and the objective "Prevent unauthorised modification to data". The security objective is then expressed as "Appropriate mechanisms should exist to preserve the integrity of data". This may relate, for example, to data held on a medical database, on a company financial database, in an airline reservation system or in a geographic information system.

The organisation of security within enterprises, in terms of business control structures or, in the case of some user environments (eg legal, accounting, audit etc.), functions (eg IT, human resources, insurance), needs to be integrated with a set of security policies and standards (both public and in-house), and made compliant with laws and regulations (eg computer crime manual), guidelines, codes of practice etc. The process of producing a security policy may require the use of a set of security methodologies, tools and evaluation criteria.
Examples are risk analysis methods, baseline controls, and evaluation criteria (eg ITSEC, Federal Criteria etc.). Security objectives thus encompass a set of objectives (and possibly sub-objectives) and a set of related issues that reflect specific points of concern, problems and questions relative to business requirements, controls and applications.

The diagram below shows the relationship between security objectives, security organisation and security methodologies. Laws apply to the user environment directly. Their presence generates some of the security objectives. Standards may be both mandatory and discretionary, and may incorporate methodologies. The final box covers security methods and techniques.

Requirements

- Standard techniques for drawing up security policies for typical situations
- Methods and techniques for agreeing levels of security and security objectives.

4.1.4. Exploiting Security and Innovation

Issue

To establish how service providers and vendors could exploit the benefits of innovation without compromising security and safety.

Discussion

Vendors and service providers need to innovate to survive commercially. They have a strong vested interest in ensuring that their products are adequately secure and safe. Businesses by their very nature need to take risks to survive, and this commercial imperative for a risk-taking culture has to be reconciled with the needs of an inherently risk-averse security and safety culture in a way that is effective yet does not stifle innovation.

There are many aspects to innovation. On the one hand there are innovations which change the technology that is being used to implement systems (eg from electrical or electronic to programmable). Other innovations concern the domains of application (new forms of command and control, remote diagnosis and maintenance, ultra-critical applications), and other innovations concern the technology.
This can be either in the technologies deployed (eg new forms of fault tolerance, different types of open systems) or in the technologies used to develop systems (eg code generation, novel testing regimes, formal methods, neural nets). These innovations are likely to continue the trend for greater integration and internationalisation of systems, a convergence of dependability, safety and security problems, and a blurring of the distinction between hardware and software. Systems are likely to be more open than in the past, to be the result of evolution and to make greater use of components already deployed in other applications. The safety and security concerns will change as a system evolves, and changes in the environment of a system (eg organisational changes, removal of other systems ensuring safety) can cause a system to evolve into a higher level of criticality.

There is a need for the measures taken to provide confidence in systems to cope with these innovations, and for businesses to have predictable certification or regulatory costs where these are relevant. This has a number of implications for the regulatory and certification regimes and poses challenges to the standards-making process. Innovation can bring with it new hazards. There is a need to identify these and either remove them via redesign, provide measures to tolerate them or, at worst, measures to mitigate their consequences.

Requirements

- Assessment methods for impacts of changes on systems
- Procedural and regulatory framework needs to address convergence of safety and security, etc (implications for standards)
- Methods for identifying early on where innovations are likely to be unacceptable from a safety perspective or will result in such economic penalties that they are not viable commercially.

4.1.5. Sectoral Specifics

Issue

Beyond the normal requirements common to different business sectors and user environments there may also be additional requirements and priorities specific to the operational nature and commercial mission of a particular business. These specific requirements can normally be expressed in terms of codes of practice and baseline controls.

Discussion

Legal and regulatory provisions can be supported by Codes of Practice in an attempt to achieve due care and diligence. There are those of general application and those that are industry specific. A general Code of Practice may be achieved by the establishment of a security management handbook, perhaps based upon the approach taken for achieving a Quality code of practice (ISO 9000).

The application of information security is a prerequisite for the successful conduct of business for particular sectors, especially when these sectors are highly interactive. The traditionally prominent among them are:

- Finance
- Trade
- Medical
- Telecommunications
- Manufacturing industry
- Process industry
- Administrations.

There may be other market-led requirements that will result in a different security-based segmentation.

Requirements

- Consolidation and development of a set of Codes of Practice and baseline controls addressing specific business sector requirements.

4.1.6. Security Domains

Issue

Openness and protection.

Discussion

In practice, the level of information security is dynamically adapted to a given situation. This leads to the concept of Dynamic IS Management and the need to be able to define domains in which information security is applied homogeneously. Domains are user groupings sharing some of their functions and support. For some activities they operate as virtually closed user groups, but have the possibility to interwork with other domains as long as certain minimum requirements ensure no loss of trust or a transparent downgrading. The notion of a security domain is therefore important for two reasons.
Namely:

- it can be used to describe how security is managed and administered, and
- it can be used as a building block in modelling security relevant activities that involve elements under distinct security authorities.

Examples of domain activities are:

- accesses to elements (eg a database for network management)
- a communications link
- operations relating to a specific management function
- non-repudiation operations involving a notary.

The organisation of security within enterprises, in terms of business control structures or, in the case of some user environments (eg legal, accounting, audit etc.), functions (eg IT, human resources, insurance), needs to be supported by a set of security policies, standards (both public and in-house), laws and regulations (eg computer crime manual), guidelines and codes of practice etc. The security policy defines what is meant by security within the domain, the rules by which security may be obtained to the satisfaction of the security authority, and the activities to which it applies. The security policy may also define which rules apply in relations with other security domains in general, and in relations with particular other security domains.

The management of inter-domain openness and protection may differ depending on similarities in purpose, and agreements will be needed to achieve appropriate levels of assurance. Mechanisms by which TTPs achieve efficient, coherent management of policies, procedures and controls between domains need development.

Requirements

- Mechanisms for management of policies, procedures and controls between domains for TTPs
- Generation of guidelines for domain creation, management and control
- Development of a common framework for domain interworking
- Agreement on management, TTPs, accreditation, auditing and relations with law enforcement agencies.

4.1.7. Security Labelling

Issue

Transfer of information among domains requires agreements on the expression of the sensitivity of information, ie the syntax and semantics of the associated information labels, and on the procedures and mechanisms for handling labelled information.

Discussion

The basis for the trustworthiness of a domain and the trust between domains is the assurance that the processes that are used to manipulate information behave in a way that corresponds to the protection requirements of the information in terms of confidentiality and possession, integrity and authenticity, and availability and utility. Labels are a method for expressing the sensitivity of information. They can be based on different scales, such as the value of the information or the impact of a security breach affecting the information.

The need for comprehensive labels has become acute because of the increasing degree to which organisations interoperate electronically. This has led to increased reliance on technical measures to achieve adequate security. It is quite feasible for trusted systems to switch technical measures on or off automatically, provided that the label adequately expresses the security requirement associated with a piece of information. Labels could then be used to make decisions on information routing, transmission enveloping, requirements for confirmation and so on. However, decisions on information routing etc. cannot be made without user labelling, that is, some indicator of the categories of information which can be allowed into end systems or to users. Organisations have to agree on the range of options that meet any particular security requirement.

Part of the solution to the handling of labelled information lies in the development of Codes of Practice specifying procedures and mechanisms. There is also a need for accreditation and audit of communicating partners.
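The following Go program is an added illustration, not part of the Green Book draft: it shows how a trusted relay could act on information labels and user (clearance) labels of the kind described above, switching enveloping and confirmation on from the label alone. The level scale (PUBLIC to SECRET), the label syntax "LEVEL:cat1,cat2", the medical/finance categories and the handling thresholds are all constructed for the example; the draft prescribes none of them.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Agreed level scale for this example (constructed; the draft fixes no scale).
var levels = map[string]int{"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "SECRET": 3}

// Label expresses the sensitivity of an item of information: an ordered
// level plus a set of categories describing the kind of data it contains.
type Label struct {
	Level      int
	Categories map[string]bool
}

// ParseLabel reads the agreed syntax "LEVEL:cat1,cat2". An unknown level is
// rejected rather than guessed: a misread label would silently switch
// protection off, which is the failure the agreed syntax exists to prevent.
func ParseLabel(s string) (Label, error) {
	parts := strings.SplitN(s, ":", 2)
	lvl, ok := levels[strings.ToUpper(strings.TrimSpace(parts[0]))]
	if !ok {
		return Label{}, errors.New("unknown sensitivity level: " + parts[0])
	}
	l := Label{Level: lvl, Categories: map[string]bool{}}
	if len(parts) == 2 {
		for _, c := range strings.Split(parts[1], ",") {
			if c = strings.ToLower(strings.TrimSpace(c)); c != "" {
				l.Categories[c] = true
			}
		}
	}
	return l, nil
}

// Dominates reports whether l is at least as sensitive as other: its level is
// not lower and it includes every category of other. A clearance that
// dominates an information label may receive that information.
func (l Label) Dominates(other Label) bool {
	if l.Level < other.Level {
		return false
	}
	for c := range other.Categories {
		if !l.Categories[c] {
			return false
		}
	}
	return true
}

// Join gives the label of information combined from two sources: the higher
// level and the union of categories, so aggregation never loses protection.
func Join(a, b Label) Label {
	j := Label{Level: a.Level, Categories: map[string]bool{}}
	if b.Level > j.Level {
		j.Level = b.Level
	}
	for c := range a.Categories {
		j.Categories[c] = true
	}
	for c := range b.Categories {
		j.Categories[c] = true
	}
	return j
}

// HandlingPolicy says from which level upwards a transfer must be enveloped
// (encrypted) and from which level a confirmation of receipt is required.
type HandlingPolicy struct {
	EnvelopeFrom int
	ConfirmFrom  int
}

// Decision is the handling a trusted relay applies for one destination.
type Decision struct {
	Route, Envelope, Confirm bool
	Reason                   string
}

// Decide routes only to destinations whose clearance dominates the label,
// and derives the technical measures from the label and policy alone.
func Decide(info, clearance Label, p HandlingPolicy) Decision {
	if !clearance.Dominates(info) {
		return Decision{Reason: "destination not cleared for this label"}
	}
	return Decision{Route: true, Envelope: info.Level >= p.EnvelopeFrom,
		Confirm: info.Level >= p.ConfirmFrom, Reason: "routed"}
}

func main() {
	record, _ := ParseLabel("CONFIDENTIAL:medical") // constructed sample labels
	clinic, _ := ParseLabel("SECRET:medical,finance")
	billing, _ := ParseLabel("CONFIDENTIAL:finance")
	p := HandlingPolicy{EnvelopeFrom: levels["CONFIDENTIAL"], ConfirmFrom: levels["SECRET"]}
	fmt.Printf("%+v\n", Decide(record, clinic, p))  // routed and enveloped, no confirmation
	fmt.Printf("%+v\n", Decide(record, billing, p)) // not routed: clearance lacks "medical"
}
```

The two design points worth noting are that the category check is a set inclusion, not a level comparison (a CONFIDENTIAL:finance clearance is not cleared for CONFIDENTIAL:medical even though the levels match), and that Join is how a relay labels an aggregate before deciding where it may go.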
The introduction of independent third parties avoids the pairwise interactions that would otherwise be necessary to establish trust.

Requirements

- Guidelines for security labelling
- Standard on how to express labels and on the meanings of a basic set of security labels
- Codes of Practice and accreditation methods for domains claiming to support standard labels, and their mutual recognition.

4.1.8. Administration of Access to Security Related Data

Issue

Support of functions for the administration of security related data.

Discussion

Management of rights is an administrative function available to both security administrators and resource owners. While management functions reserved to security administrators can be rather sophisticated, functions available to resource owners have to be kept simple and easy to use. The management of rights can be separated into security information related to users (eg privileges, keys and/or passwords) and security information related to resources (eg access control lists, labels, keys). Management functions need to be performed from the place where the administrator/resource owner is sitting and apply to a number of remote resources. It is therefore important that the management of access rights is done in a secure fashion (eg using appropriate security protocols).

Requirements

- Easy to use tools for access right management and key management
- Secure solutions for remote administration
- Awareness of control issues concerning security related data, and of the implications of non-action.

4.1.9. Security Requirements for Individual Users

Issue

Individuals and small companies have "enterprise requirements" but often have little opportunity to choose appropriate security protection when dealing with large organisations (eg equipment and software suppliers, service suppliers, banks).
Discussion

The individual user, in their role as a private citizen or as a member of a liberal profession (eg a lawyer or medical doctor), has a natural interest, and sometimes a legal requirement, to protect some of their information. Unlike the enterprise, the individual user will not normally go through a systematic process of establishing goals, definition of security objectives, etc., unless they are subject to professional standards of conduct. The individual normally has at their disposal a PC (or small network of PCs) and some communication links, eg telephone, fax, e-mail. Physical security is often likely to be weak. Most liberal professions work under some code of practice or conduct. These codes are of a general nature and do not normally specify particular security arrangements.

The common and specific requirements of individual users with regard to the protection of their computer installation (physical and electronic), the protection of their data (against accidental and deliberate loss) and the protection of their communications (eg signed communications, privacy enhanced communications) must be established. The individual user also has an interest that the totality of processing of any matters relating to the user is correct and confidential to the extent required.

Requirements

- User profiles identifying standard types of users together with typical requirements.

4.2. Requirements for Security Functions

4.2.1. Access Control

Issue

Access control procedures for many systems need to be standardised and well managed to meet their objectives.

Discussion

Computer systems and services impose control procedures on persons (or other systems) attempting to access them directly or over local or wide-area networks. These access control procedures apply to "connections"; that is, they determine whether or not a connection, association or session is allowed to be established.
These control procedures have often been primitive and relatively insecure, as the occurrence of "hacking" demonstrates. The requirement for secure access control is not confined to access to host computers by persons at terminals. Reciprocal (mutual) access control is often needed between two (or sometimes more) systems. Access control can apply across general telecommunication networks, determining (for example) who may call whom by telephone, or who may receive which programme on a cable TV network. In addition to applying to end-to-end (trans-network) communications, access control also applies to users and (even more importantly) operators accessing the network, and to access by human users to terminal devices.

Although the importance of access control is widely recognised, the practical application of security techniques in solving the problem is more limited. This is for a variety of reasons including technical complexity, lack of agreed standards and lack of user acceptability. Secure access control relies on a mixture of:

- identification mechanisms (authentic naming), identifying the remote person or system
- authorisation mechanisms, determining the authority of the remote person or system to carry out different types of actions
- random (unpredictable) components, affording protection against the re-use of once-valid access control messages under invalid circumstances (replay)
- cryptographic techniques to protect the above from modification, copying, etc.

Without some analysis of access control scenarios, followed by some outline standardisation work, users and systems are going to find themselves having to implement and use (depending on their current application) a range of incompatible techniques, which in turn rely on only partially interoperable infrastructures (such as naming and identification authorities, certification authorities, key management systems, directory services, etc.).
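As an added example (Go, written for this edition and not drawn from the draft), the program below puts the four ingredients just listed into one granting server: a server-issued nonce as the random component, an HMAC as the cryptographic protection of the identification, a privilege table for authorisation, and a replay check. It also generalises to the delegation scenario the draft discusses next, where a request passes through intermediaries: the server can judge the initial requester alone or every entity in the chain, and the initiator can restrict which actions intermediaries may carry out on its behalf. The principal names, shared secrets, privileges and the message format initiator|action|nonce are constructed for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Principal is a party known to the granting server, with the actions it is
// authorised to perform.
type Principal struct {
	Name       string
	Privileges map[string]bool
}

// Request is the access control message as it reaches the granting server.
type Request struct {
	Initiator string   // claimed identity of the initial requester
	Action    string   // action being requested
	Nonce     string   // server-issued random component (anti-replay)
	Tag       string   // HMAC over initiator|action|nonce: proof of identity
	Chain     []string // intermediaries that forwarded the request, in order
	// Actions the initiator permits intermediaries to perform on its behalf;
	// nil means the initiator stated no restriction.
	IntermediariesMay map[string]bool
}

// Policy selects whose privileges count when the request was delegated.
type Policy int

const (
	InitiatorOnly Policy = iota // decide on the initial requester alone
	AllEntities                 // every intermediary must hold the privilege too
)

// Server grants or denies requests.
type Server struct {
	policy     Policy
	principals map[string]Principal
	keys       map[string][]byte // secret shared with each principal (constructed)
	pending    map[string]bool   // challenges issued but not yet used
}

func NewServer(p Policy) *Server {
	return &Server{policy: p, principals: map[string]Principal{},
		keys: map[string][]byte{}, pending: map[string]bool{}}
}

// Register enrols a principal and the secret it shares with the server.
func (s *Server) Register(p Principal, key []byte) {
	s.principals[p.Name] = p
	s.keys[p.Name] = key
}

// Challenge issues a fresh unpredictable nonce that the requester must bind
// into its tag, so a message captured earlier is rejected later.
func (s *Server) Challenge() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	n := hex.EncodeToString(b)
	s.pending[n] = true
	return n, nil
}

// Tag computes the identification proof attached by the requester.
func Tag(key []byte, initiator, action, nonce string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(initiator + "|" + action + "|" + nonce))
	return hex.EncodeToString(m.Sum(nil))
}

// Authorize applies, in order: identification, replay check, authorisation
// of the initiator, the initiator's restriction on intermediaries, and the
// server's delegation policy. It returns the decision and its reason.
func (s *Server) Authorize(r Request) (bool, string) {
	key, known := s.keys[r.Initiator]
	if !known || !hmac.Equal([]byte(Tag(key, r.Initiator, r.Action, r.Nonce)), []byte(r.Tag)) {
		return false, "identification failed"
	}
	if !s.pending[r.Nonce] {
		return false, "stale or replayed nonce"
	}
	delete(s.pending, r.Nonce) // a challenge is honoured at most once
	if !s.principals[r.Initiator].Privileges[r.Action] {
		return false, "initiator lacks privilege"
	}
	if len(r.Chain) > 0 && r.IntermediariesMay != nil && !r.IntermediariesMay[r.Action] {
		return false, "initiator forbids intermediaries to perform this action"
	}
	if s.policy == AllEntities {
		for _, hop := range r.Chain {
			if !s.principals[hop].Privileges[r.Action] {
				return false, "intermediary " + hop + " lacks privilege"
			}
		}
	}
	return true, "granted"
}

func main() {
	s := NewServer(AllEntities)
	ka := []byte("constructed-secret-alice")
	s.Register(Principal{Name: "alice", Privileges: map[string]bool{"read": true, "write": true}}, ka)
	s.Register(Principal{Name: "front", Privileges: map[string]bool{"read": true}}, []byte("constructed-secret-front"))
	n, _ := s.Challenge()
	r := Request{Initiator: "alice", Action: "read", Nonce: n, Tag: Tag(ka, "alice", "read", n),
		Chain: []string{"front"}, IntermediariesMay: map[string]bool{"read": true}}
	fmt.Println(s.Authorize(r)) // true granted
	fmt.Println(s.Authorize(r)) // false stale or replayed nonce
}
```

The order of the checks matters: identity is established before anything else is consulted, and the nonce is consumed before the privilege lookup, so a replayed message fails regardless of what it asks for. A real deployment would also bind the intermediaries' own identities cryptographically; here only the initiator authenticates, which is the assumption that keeps the example short.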
Access control very often involves only two parties: one making the access and one granting/denying it. In some environments this is however inadequate, as some intermediaries make the access not on their own behalf but on behalf of someone else. This applies in a number of cases, in particular for distributed applications or transaction processing. For example, in a distributed service the requester addresses its request to the nearest server able to fulfil the service, and the request then has to be forwarded so that it can be honoured by the appropriate server within the service. This problem is called delegation. From the server's point of view different policies may apply: it may be interested only in the privileges of the initial requester, or also in the privileges of all the intermediaries. The access control decision may then be based on the properties of the initial requester only or on all of the entities involved. In addition, restrictions about what intermediaries are or are not allowed to do may be specified by the initial requester. There is a need for widely accepted solutions to the most common access control scenarios.

Requirements

- Group access control scenarios and schemes based on levels of commonality
- Techniques, products, specifications and standards addressing access control, matched to the scenarios identified
- Parameters common to most or all of the above techniques, products, specifications and standards, and the feasibility of establishing common formats for them
- Identification of the key features for coherence in the supporting infrastructure
- Basic access control mechanisms for pilot implementation
- Development of delegation scenarios
- Identification of techniques, products, specifications and standards addressing delegation and their association with the identified scenarios.

4.2.2. Requirements for Electronic Cash

Issue

A general purpose system is needed for providing electronic cash.
Discussion

The securing of electronic cash shares some problems with negotiable documents, and may also need additional properties such as privacy (untraceability) and dividability. Large scale solutions already exist for paying small amounts of money in special situations, such as special cards for telephones and travel. Other systems exist for large amounts of money: prepayment and credit cards. Between these two, there is a need for a system to make general purpose payments for relatively small amounts of money. This means that the system must have low transaction costs, and will thus be able to compete with existing special cards. The system should ideally include the following properties:

- unlimited transferability (from one user to another)
- dividability into any sub-amount required
- independence from on-line TTP services
- privacy / untraceability
- security and uniqueness, ie it cannot be forged or copied.

It should give users complete control over the amount transferred in each transaction, and allow them to know the amount remaining. It should be relatively easy to refill the device with electronic money, possibly via unsecured network services.

Requirements

- Agreement on the concepts underlying electronic cash
- International standards.

4.2.3. Requirements for Security Services

Issue

Various security services have been identified. Agreement on their requirements must be established.

Discussion

A variety of security services has been identified. Although several of these are used in practice on a limited scale, their general requirements have not yet been agreed and their availability to the general user is not yet established. Some of the more important services are described below.

Non-Repudiation Services

Non-repudiation of origin (respectively of receipt) means that a particular user, called the originator (respectively the receiver), cannot repudiate (ie deny) having signed (respectively received) a particular electronic document.
It does not prove who has actually created the document. We have exactly the same problem with paper documents: the fact that someone puts his signature on a hand-written transcript of music does not mean he is the composer. Non-repudiation services are precisely the services which in electronic communication can cover all legal functionalities of a hand-written signature, but in a much more secure way: the main difference is that the digital signature which supports the non-repudiation provides a logical connection to the message.

Claim of Origin

Copyright is a very important security service in the electronic handling of a document. The major problem with enforcing copyright of, say, a software program, is that of two different versions it is difficult to decide which one is the original. This problem is of course not restricted to electronic documents only. In fact, one runs into exactly the same kind of problems as in the paper world. The service required here is "claim of origin". This is the counterpart to non-repudiation in the sense that the point is to allow the creator to prove who created the document, as opposed to non-repudiation of origin, which allows everybody to prove that someone has signed a particular document (which typically commits him to something). The difference is that with non-repudiation services the receiver is able to prove something, whereas claim of origin pertains to the transmitter.

Claim of Ownership

Some conventional physical documents, such as the bill of lading and the bill of exchange, must be negotiable. Possession of the document must give title to anybody who can present it. The electronic equivalent is also needed. The goal to achieve here is that an electronic document can at any particular time be proved to be the (temporary) property of a particular user.
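The following Go program is an added example, not part of the draft, of the two non-repudiation services defined above built on a digital signature: the originator signs the document for a named receiver (evidence of origin, kept by the receiver), and the receiver signs an acknowledgement that is bound to that very signature (evidence of receipt, kept by the originator). Ed25519 from the Go standard library is the assumed signature scheme; the "NRO|" and "NRR|" message prefixes, the party names and the sample document are constructed for the illustration. As the draft notes, the origin evidence shows that the key holder signed, not that they authored the content.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// OriginEvidence is retained by the receiver: with it, anyone can prove that
// the holder of Originator's key signed this document for Receiver. It says
// nothing about who authored the content.
type OriginEvidence struct {
	Originator ed25519.PublicKey
	Receiver   string
	DocHash    [32]byte
	Signature  []byte
}

// ReceiptEvidence is retained by the originator: the receiver's signature
// over the document hash and the origin signature it acknowledges.
type ReceiptEvidence struct {
	Receiver  ed25519.PublicKey
	DocHash   [32]byte
	OriginSig []byte
	Signature []byte
}

// Distinct prefixes (constructed) keep an origin signature from being passed
// off as a receipt or vice versa, since both are made with the same key type.
func originMsg(h [32]byte, receiver string) []byte {
	return append(append([]byte("NRO|"), h[:]...), []byte("|"+receiver)...)
}
func receiptMsg(h [32]byte, originSig []byte) []byte {
	return append(append([]byte("NRR|"), h[:]...), originSig...)
}

// SignOrigin is run by the originator when sending doc to receiver.
func SignOrigin(priv ed25519.PrivateKey, doc []byte, receiver string) OriginEvidence {
	h := sha256.Sum256(doc)
	return OriginEvidence{
		Originator: priv.Public().(ed25519.PublicKey),
		Receiver:   receiver,
		DocHash:    h,
		Signature:  ed25519.Sign(priv, originMsg(h, receiver)),
	}
}

// VerifyOrigin checks the evidence against the document actually received.
func VerifyOrigin(ev OriginEvidence, doc []byte) bool {
	return sha256.Sum256(doc) == ev.DocHash &&
		ed25519.Verify(ev.Originator, originMsg(ev.DocHash, ev.Receiver), ev.Signature)
}

// SignReceipt is run by the receiver. It refuses to acknowledge a document
// whose origin evidence does not verify, so a receipt only ever attests to
// a genuinely signed submission.
func SignReceipt(priv ed25519.PrivateKey, ev OriginEvidence, doc []byte) (ReceiptEvidence, error) {
	if !VerifyOrigin(ev, doc) {
		return ReceiptEvidence{}, errors.New("origin evidence does not verify; not acknowledging")
	}
	return ReceiptEvidence{
		Receiver:  priv.Public().(ed25519.PublicKey),
		DocHash:   ev.DocHash,
		OriginSig: ev.Signature,
		Signature: ed25519.Sign(priv, receiptMsg(ev.DocHash, ev.Signature)),
	}, nil
}

// VerifyReceipt lets the originator show that the receiver acknowledged
// exactly the submission recorded in ev.
func VerifyReceipt(rc ReceiptEvidence, ev OriginEvidence) bool {
	return rc.DocHash == ev.DocHash && bytes.Equal(rc.OriginSig, ev.Signature) &&
		ed25519.Verify(rc.Receiver, receiptMsg(rc.DocHash, rc.OriginSig), rc.Signature)
}

func main() {
	_, alice, _ := ed25519.GenerateKey(rand.Reader) // constructed keys for the example
	_, bob, _ := ed25519.GenerateKey(rand.Reader)
	doc := []byte("constructed purchase order: 40 units at 12 ECU")
	ev := SignOrigin(alice, doc, "bob")
	rc, err := SignReceipt(bob, ev, doc)
	fmt.Println(VerifyOrigin(ev, doc), err == nil && VerifyReceipt(rc, ev)) // true true
	fmt.Println(VerifyOrigin(ev, []byte("altered")))                        // false
}
```

Binding the receipt to the origin signature rather than to the document hash alone is what makes the two pieces of evidence refer to one and the same transmission; a receipt over the hash only could be re-used against a later submission of the same document.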
With ordinary paper documents, the problem is solved by giving the original of a document certain physical attributes that are difficult to reproduce. With this precaution, it makes sense to speak of the original of a document, and to define the owner simply as the person holding the original. Negotiable documents entail that their physical uniqueness must be protected against duplication; it must be easy to distinguish a copy from its original. This is the case with hand-signed paper documents: the hand-written signature cannot be copied in such a way that the copy cannot be distinguished from the original. Although a digital signature does protect the integrity of the signed electronic document, it can easily be copied, so that the original cannot be distinguished from its copies. This impedes the usage of electronic communication, eg in maritime trade.

The sender of a cargo produces a unique document, the bill of lading, hands a copy to the shipper and sends the protected original to the receiver. The receiver may trade the original and its title or keep it. Whoever presents the original to the shipper will be handed over the cargo. The shortcoming of the paper bill of lading is the fact that it takes time to transport it, particularly as it is a piece of value and must be well protected. Therefore, an electronic substitute should be found that protects the uniqueness of the original document and which can be transacted over communication systems. The technique should support recovery after equipment or communication failure.

Besides issuing negotiable documents, there are other ways of securing correct title to property. Instead of a person proving his claim by presenting a token, the claim may be addressed to a distinct person who is then expected to prove his identity. This is the case with the freight bill, which is another way to deliver a cargo to the authentic receiver.
However, the freight bill cannot be traded as effectively as the bill of lading.

The provision of electronic negotiable documents must include:
> document uniqueness, ie a document should exist in only one single valid copy (and can therefore not be sold more than once by an owner)
> document authenticity, ie it should not be possible to alter a document, and it should be possible to identify its origin
> transferability, ie it should be possible to transfer the document through communication networks
> fail-safe storage and communication, ie recovery after failure should be possible both when a document is stored and when it is transferred between parties.

One should expect that, unless proper electronic documents become available, the use of paper for negotiable documents will continue, at the expense of effectiveness and with more paper.

Transactions of negotiable documents are often part of a larger business transaction, eg the seller of a document receives a payment, or negotiable documents are exchanged between the parties. When such transactions take place over a telecommunication network, there may be a need for a service giving fair exchange of values, ie a service that can guarantee that either the whole exchange is performed or no exchange is performed at all. Such a service will secure the exchange of values against fraud.

Fair Exchange of Values

When negotiable trade documents change hands, they are often handed over in exchange for something else, for example another negotiable document, some form of payment, or simply some piece of information that may be of sufficient value to the receiver. The party who gives a document away may of course be concerned with the possibility that he may not receive in exchange the object or the information he was supposed to. If the parties meet physically and exchange ordinary documents, this concern may not be very serious; an attempt at abuse is likely to be detected early enough to prevent a successful fraud.
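The four properties listed above (uniqueness, authenticity, transferability, fail-safe storage) and the all-or-nothing fair exchange of values just introduced can be modelled by a registry that plays the trusted third party and defines which copy is the valid original. The following Python is an added example written for this edition, not text or code from the Green Book; the party names, the cargo description and the account balances are constructed.

```python
"""Added example, not from the Green Book: a registry acting as trusted
third party for electronic negotiable documents.  Parties, cargo and
balances are constructed."""
import hashlib
from dataclasses import dataclass, field


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Registry:
    """The registry, not the bytes, defines which copy is the valid original."""
    holder: dict = field(default_factory=dict)   # doc_id -> current owner
    digest: dict = field(default_factory=dict)   # doc_id -> hash of content (authenticity)
    journal: list = field(default_factory=list)  # append-only record for recovery

    def issue(self, content: bytes, issuer: str, to: str) -> str:
        """Uniqueness: the same issuer cannot create the same document twice."""
        doc_id = _sha256(issuer.encode() + b"|" + content)[:16]
        if doc_id in self.holder:
            raise ValueError("document already issued")
        self._apply(("issue", doc_id, _sha256(content), to))
        return doc_id

    def transfer(self, doc_id: str, seller: str, buyer: str) -> None:
        """Transferability, but only by the current holder: no double sale."""
        if self.holder.get(doc_id) != seller:
            raise PermissionError("only the current holder may transfer")
        self._apply(("transfer", doc_id, seller, buyer))

    def present(self, doc_id: str, content: bytes, presenter: str) -> bool:
        """The shipper releases the cargo only to the holder of the authentic original."""
        return (self.holder.get(doc_id) == presenter
                and self.digest.get(doc_id) == _sha256(content))

    def fair_exchange(self, doc_id, seller, buyer, balances, price) -> bool:
        """All checks before any change: title and payment move together or not at all."""
        if self.holder.get(doc_id) != seller or balances.get(buyer, 0) < price:
            return False
        self.transfer(doc_id, seller, buyer)
        balances[buyer] -= price
        balances[seller] = balances.get(seller, 0) + price
        return True

    def _apply(self, entry: tuple) -> None:
        """Write the journal first, then update state; replaying the journal restores state."""
        self.journal.append(entry)
        kind, doc_id = entry[0], entry[1]
        if kind == "issue":
            self.digest[doc_id] = entry[2]
        self.holder[doc_id] = entry[3]

    @classmethod
    def recover(cls, journal: list) -> "Registry":
        """Fail-safe storage: rebuild the registry from a surviving journal."""
        fresh = cls()
        for entry in journal:
            fresh._apply(entry)
        return fresh


def demo() -> dict:
    """Constructed scenario: sender issues a bill of lading, receiver sells it on."""
    reg = Registry()
    bill = b"Constructed bill of lading: 40 containers, port A to port B"
    doc = reg.issue(bill, issuer="Sender", to="Receiver")
    balances = {"Trader": 100, "Receiver": 0, "Broke": 5}
    sold = reg.fair_exchange(doc, "Receiver", "Trader", balances, 60)
    refused = reg.fair_exchange(doc, "Trader", "Broke", balances, 50)   # cannot pay: nothing moves
    try:
        reg.transfer(doc, "Receiver", "Other")                            # Receiver no longer holds it
        double_sale = True
    except PermissionError:
        double_sale = False
    recovered = Registry.recover(reg.journal)
    return {
        "sold": sold,
        "refused": refused,
        "holder_after_refusal": reg.holder[doc],
        "double_sale": double_sale,
        "cargo_to_trader": reg.present(doc, bill, "Trader"),
        "cargo_to_receiver": reg.present(doc, bill, "Receiver"),
        "tampered_copy": reg.present(doc, bill + b" plus 2 containers", "Trader"),
        "recovered_matches": recovered.holder == reg.holder and recovered.digest == reg.digest,
        "balances": dict(balances),
    }
```

The registry checks every precondition of an exchange before it changes anything, which is what makes the exchange atomic; the journal-first write order is what lets `recover` rebuild the same state after a crash.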
In the world of (interactive) EDI, however, the problem can be more serious. Efficient communication is possible over great distances with parties with which there may be little or no existing business relations. Such parties may well be found worthy of less trust than those with which physical meetings can be arranged.

Untraceability

As electronic registration and transportation of data become more common, there are an increasing number of scenarios where individuals face new threats against their privacy. Since many types of personal data can easily be traced to particular individuals, the fact that the data are electronically stored introduces the possibility that someone could efficiently collect comprehensive dossiers on individuals, even without this becoming known to the users themselves. In its most general form, anonymity or untraceability is a service with the goal of preventing such personal data from being traced and collected. The issue is therefore to allow accesses, calls or transactions to be performed without revealing the identity of the user.

In some cases anonymity of the user is required, or identification of the user is unnecessary. Examples where anonymity is required include electronic cash or electronic shopping, where it relates to the privacy of the user. Practical cases include road toll systems and mobile phone billing without revealing the location history of the user. An example where identification of the user by the target system is unnecessary is a service opened to thousands of users, where subscription to the service is managed not by the service itself but by another company: the service manager is only interested in the fact that charges can be paid when the service is used. Who is using the service is not relevant. In some cases the user would also like to know that the service manager is not able to trace back the user. Another category where anonymity is required is non-traceable calls.
Reporting fraud or corruption will only happen if the call (either phone or e-mail) is not traceable to the caller. There is a need for mechanisms able to fulfil these needs. However, these kinds of techniques should not be used when there is at the same time a requirement for auditability. For cases where both requirements exist, there can be solutions where tracing an event can only be achieved by co-operation between different auditors.

Time-Stamping

In electronic communications, a digital equivalent is required for the date and time stamp of the paper world. Such a time stamp must be issued by an organisation that is trusted. If time stamps are simply attached internally by the sender or receiver of a message, then, in case of litigation, it will be difficult to establish whether these were erroneous or have been forged. In direct communications, both parties may agree on a mutual time reference, but in store-and-forward type communications time stamping by a third party is particularly important. Depending on sectoral differences, different granularities of time stamps may be needed. Some sectors may be content with the date, some with the nearest second.

Requirements
> Scenarios for the use of electronic security services
> user specifications for electronic security services
> establishment of international application rules that can operate under the different legal frameworks and that ensure international communicability
> identification of different scenarios where it is appropriate for the public interest to mask or hide the identity of the end user, taking into account the balance between full anonymity and audit.

4.2.4. Digital Signature

4.2.4.1. The Individual Right to Signature

Issue

Individuals have the right to sign any information.

Discussion

As with hand-written signatures, anybody is entitled to use a digital signature. Therefore, the distribution of keys for the purpose of signature must be non-discriminatory and non-restrictive.
Separate from the signature is the question of entitlement, ie whether a certain person is empowered to sign a certain element of information, document or transaction. Signature verification is therefore a two step process: formal verification of the signature and verification of the entitlement of the sender. This process is depicted below. It is assumed in this simple model that the sender adds his certificate (name plus his public key) to the signed document. The formal verification then establishes that a person with a certain name has correctly applied his signature and that the document has not been modified in transfer. Verification of entitlement checks that the name has the legal power to sign a particular document. Note that, as a consequence, the powers given to a person should not be included in the attributes of the certificate, otherwise any change in these powers would invalidate the certificate. The situation may be further complicated by the fact that several signatures may be required for certain documents, eg husband and wife plus notary, or two company directors.

Requirements
> Clarification of the right to signature and the attached entitlement.

4.2.4.2. Consistency of Legal Principles for Digital Signatures

Issue

The legal functions have to be clearly identified for the authority of digital signatures, before a code-of-practice can be developed and introduced.

Discussion

In legal practice, security and functional requirements for hand-written signatures differ widely. In some cases a hand-written signature is only to indicate that the signer has concluded his train of thought or his expression of will; under the given circumstances its authenticity may be obvious and need not be provable. In other cases, for evidence, the signature must be provably authentic. In yet other cases authenticity requirements may demand attestation, or even ask for more than one person's signature or for public notification.
The spectrum of legal requirements can be matched by the spectrum of technical realisations, which may differ with respect to security provisions just as widely as legal requirements. Yet the signing process must be transparent to the signer. For this reason it must follow standardised rules; specific man-machine interfaces must be familiar to the signer, ie they must follow a standardised layout principle. For ease of transition (in judicial thinking) from hand-written to digital signatures, the traditional functional requirements for hand-written signatures should be met by the technical implementation of digital signatures as closely as possible.

A particular problem is the validity period of a digital signature. One must distinguish the validity period of the signature itself from the validity period of the entitlement. The validity period of the digital signature itself may have to be limited for technical reasons. These reasons include:
> Insufficient key length. One may discover that, some years from now, new progress in mathematics and technology makes it plausible that keys of the originally chosen limited length can be broken. (For instance, several European banks have introduced remote banking with RSA keys of length 512 bits. One cannot guarantee that this will be safe in 10 years, or even less, from now.)
> Poor key generation. One cannot be sure that programs of the desired quality level will be used by all key management centres. Hence users of those key management centres may find that their keys are breakable, and they have to cancel their certificates.
> Weak protection of the workstation. The secret key of a user may be compromised accidentally or through negligence. It may also be possible to tap the password of a user through a Trojan horse on his PC and subsequently get access to the secret key. (Fraudulent users may even claim this happened, and give away their key on purpose, in order to dispute that a certain signature did originate from them.)
If the necessary precautions are taken, and a differentiated approach to the validity period of signatures is adopted, most digital signatures would fall inside the scope of applicability of hand-written signatures.

The entitlement attached to a signature normally changes much faster. The authority given to a person should therefore not be included in the attributes of the certificate, otherwise any change in entitlement would invalidate the certificate.

However, in all the work that has been carried out so far, no solution is offered to the following problem: if messages have been signed with a key and need to be kept for a number of years, and that key is denounced by the user as being compromised, how can the value of the already calculated signature be left intact? One possibility might be to use a TTP for time stamping, but further study of this problem seems called for.

An example may illustrate this point. If a user A signs a message in 1993 which has legal consequences for user B until 2003, and A then cancels his certificate in 1995, claiming that his key has been compromised, he will probably claim that the signed document from 1993 was falsified in 1995 by B, who could have bought a copy of A's secret key. However, if B upon receipt in 1993 had gone to a TTP and had the signature of A time stamped and signed by the TTP, or even registered, he can prove that A in fact did produce the said signature back in 1993. For some sectors and/or applications the granularity of the time stamping will be critical. It is conceivable that trusted time down to one second accuracy will be needed.
Requirements
> EC-wide/international agreement on the legal functions of signatures
> clarification of the conditions of acceptance of the authority of a digital signature, eg for legally binding purposes, ie as a substitute for hand-written original signatures
> recommendation for the implementation of a public digital signature scheme for use by business, administrations and the general public
> legislative rules and, where appropriate, liabilities, for keys, certificates and TTPs to cover revocation of any or all the entities involved in the chain of proof needed in the signature technique.

4.2.4.3. Universal Acceptance of Digital Signatures

Issue

For digital signatures to become a full alternative to hand-written signatures, universal acceptance is required.

Discussion

All functions of the hand-written signature should also apply to digital signatures. Where legal functions are carried out by digital signature, consensus with the legal profession is essential.

Requirements
> Development, together with the legal profession, of recommendations for the practical use of digital signatures as a full equivalent to hand-written signatures in legal transactions
> demonstration, through pilot projects, that digital signatures can be used as equivalent to hand-written signatures
> inclusion of the use of digital signatures in the curriculum of relevant educational institutes (eg engineering, law and business schools).

4.2.5. Privacy enhancement

4.2.5.1. Perception of Requirements for Privacy Enhancement

Issue

Confidentiality is, at times, essential for the good functioning of administrations, business and human relations.

Discussion

Business users of telecommunications and information systems cannot obtain full business benefit without confidentiality services being available. There is a clear need for confidentiality services in the exchange of information, in business as well as in private use.
Today the exchange of sensitive information requiring confidentiality is often done in non-electronic form because, for electronic transmission, confidentiality is either not available or its use is not permitted. With the increasing demand for fast exchange of all kinds of data, demand for confidentiality will become pressing. It is already present in some applications, such as medical information systems.

Most business and private users of communication systems are aware of the conflict between their confidentiality requirements and national security issues, which require the possibility to intercept the communication in a way regulated by national laws. They accept the national authorities' ability to perform this interception provided there are adequate safeguards to prevent unauthorised interception, even by government employees.

Expectations of confidentiality of electronic message services can currently not be met in the absence of international standards or internationally accepted methods. Uptake of these services by commercial users to support business processes will therefore have a natural limit, ie to those messages that someone would usually write on a postcard. Examples of commercially sensitive information include pricing and bidding strategies, and mergers and take-overs; from a privacy point of view, examples include the transmission of personnel and medical data.

User needs for confidentiality

In analogy with the confidentiality offered by existing physical mail and archiving services, ie envelopes, registration, courier services, etc., there is a need for confidentiality in the situation of electronic interchange and storage of data. Even more so, because electronic data in its usual form, eg with only channel coding and formatting as the "envelope", can be copied or disclosed much more easily than its physical counterpart.
At present, certain unclassified but sensitive information of business enterprises or medical centres, held on physical media such as paper, microfilm or photograph, is protected against unauthorised disclosure by physical and procedural methods. Today the trend is towards more electronic communication and storage of data, and hence there is a need for appropriate confidentiality services, in an agreed or standardised form, to be readily available to all users of electronic information systems.

Service provision

The extent to which confidentiality services are provided for a specific business or citizen could depend on a system of licenses or certificates. A particular business might qualify for a confidentiality license depending on its internal procedures and activities. A general (minimum) level of confidentiality could be provided to all users. It should be possible for certain user groups or businesses to use other confidentiality services (eg proprietary ones) than the standard ones provided. There are strong indications of emerging "bottom up" solutions for these needs (eg the Pretty Good Privacy offering on the Internet, beginning 1993). Other initiatives (eg the announcement of the "Clipper Chip", 16 April 1993) illustrate the growing awareness of governments of the needs of their citizens for confidentiality services.

Awareness

In general, users of electronic data processing systems are not aware of the threats involved in using those systems. Only after they have noticed (the consequences of) an unwanted or unauthorised disclosure of their information will they start to think of the inherent vulnerability of the system they are using. In view of this, one should try to create more security awareness. Users, service providers, operators and authorities should achieve a certain minimum level of awareness of the issues involved in using confidentiality services before embarking on their use.
Granularity (meeting differentiated needs)

Confidentiality services at different granularity and for different types of telecommunication services are needed. Based on his risk analysis, the user can then decide which level of confidentiality he needs and use the service which provides this required level. Some users may want a range of services of different assurance levels (in analogy to courier services, registered mail and ordinary mail). Some users may want visibility of assurances to different extents.

Impact of loss of information and theft of information

By their nature, actual risks and impacts of disclosure are hard to quantify. But the absence of a baseline of protection of confidentiality will undoubtedly have a negative impact on commercial (and other) usage of international electronic communications in a wide range of business processes.

Actors and roles

Individuals may have a number of roles in more than one organisation; these need defining or clarifying. Their "role" as a private citizen is an important case. The organisations that act as custodians of roles need to be classified also. These are essential ingredients for domain management.

Mutual confidence and TTPs

Users need mechanisms that ensure they get assurance of compliance with agreed rules of procedure from their trading partners, or other private citizens, with whom they are interacting using confidentiality services. TTPs are one mechanism for achieving this, but other lower assurance, lower cost solutions may also need to be considered.
Requirements
> Frameworks and architectures which are accepted by business users as well as by the national security agencies and the service providers
> standards for services and service provision
> compatibility of confidentiality services with existing communication standards and practices where possible
> verification of the practicability of proposed solutions through suitable pilot projects
> model contracts for confidentiality services
> awareness improvement of sector actors regarding the potential losses due to the absence of confidentiality services.

4.2.5.2. The Case for the Provision of Public Confidentiality Services

Issue

The provision of public confidentiality services has to reconcile the needs of the business sector and the general public with the obligation of public authorities to provide adequate protection while at the same time maintaining their capability to fight organised crime, maintain public order and national security. A well developed public confidentiality service would provide for these obligations in a transparent manner.

Discussion

Business operates increasingly in an international and open environment. The communications take place via private and public networks. Modern network management techniques use alternative routing depending on traffic conditions. This implies that the physical communication is under the control of a variety of intermediaries working under different regulatory and legal conditions for data protection and privacy, and therefore one must consider the network as inherently vulnerable. This means that end-to-end protection is required. This applies also to the general public using international public telephone networks. It is a fact that business and the general public have been addressing their needs with public domain solutions (published algorithms and freely available software).
However, the approach is awkward and its utility therefore limited, since, for example, there is no public directory and the user has to manage the keys himself. A public solution open to all users requiring electronic signature and confidentiality would remove the need for the use of ad hoc solutions. It would also provide a transparent solution to the need for legally authorised intercepts. If a public confidentiality scheme is offered, organised crime could also subscribe to such a scheme, but as it would include provisions for legal intercept, it would hardly be attractive. One would expect that such users would continue to find their own solutions, as will the classified domain. An open and public service offering a credible level of confidentiality would therefore provide for the honest user, while not worsening the situation with respect to public order or national security.

The combination of international communication and national security regulations requires a common framework for confidentiality services which interoperates within all Community Member States as well as with countries outside the Community which may themselves establish confidentiality services. This requires either an overlay approach or gateways which link the different national or regional services. These gateways are only required where multinational agreements for co-operation on national security concerns are not yet established. In this case these gateways may provide at least an interim solution. In order to fulfil its function and eliminate the need for "home-made" solutions, the public confidentiality service must be open to world-wide use and provide its service in a non-discriminatory way.

Confidentiality services should ensure that:
> users are protected and obtain assurance against non-authorised interception and disclosure
> the confidentiality service is of high (technical, procedural) quality and evaluated as such by all Member States
> authorised disclosure of the protected user information (undoing the confidentiality service) is possible under certain well-defined circumstances, eg by secret-sharing.

With this approach, the details (description) of the confidentiality mechanisms do not need to be published or disclosed to the public in general. While the use must be largely unrestricted, the systems and sub-systems or equipment for the independent implementation of the aforementioned confidentiality services can be made subject to export controls, eg export is possible if:
> the users comply with the rules of the exporting nation (end-user declaration) with respect to the disclosure mechanism
> multinational business users from EC countries with "central" organisations
> other countries, on a bilateral agreement, liaise with the EC if they comply with the rules.

Export restrictions are, inter alia, based on the concern that cryptography may be used by hostile governments or other organisations for the concealment of subversive information. The same concern does not apply to the use of cryptography for integrity and authenticity enhancing services. There are technical solutions to provide only integrity; integrity plus signature; and integrity, signature and confidentiality. Confidentiality enhancement is de facto only meaningful in communications where the two other functions are also provided.

The problem remains that organised crime and hostile governments are not restrained from adopting public domain solutions or from developing home-made mechanisms. Furthermore, they are able to exploit legitimate users of systems and solutions to their own ends by use of traditional criminal mechanisms of bribery, blackmail or threats to personal safety. Legislation could discourage non-authorised use, but cannot be expected to prevent it, particularly in the case of organised crime. Restrictive legislation impacts the law-abiding user much more strongly than others.
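Secret-sharing as a disclosure mechanism, as named in the last point of the list above (and in 4.2.3, where tracing an event should require co-operation between different auditors), can be illustrated with Shamir's threshold scheme: the session key protecting a message is split so that any two of three auditors can reconstruct it, while one alone learns nothing useful. The Python block below is an added example, not text or code from the Green Book; the auditor names, the session key and the message are constructed, and the XOR keystream is a toy stand-in for a real cipher.

```python
"""Added example, not from the Green Book: Shamir threshold secret sharing,
so that a session key can be disclosed only when a quorum of independent
auditors co-operate.  Key, message and auditor names are constructed."""
import hashlib
import secrets

PRIME = 2**127 - 1   # Mersenne prime; shares and secret are elements of GF(PRIME)


def split(secret: int, threshold: int, shares: int) -> list:
    """Random polynomial of degree threshold-1 with f(0) = secret; share i is (i, f(i))."""
    if not 0 <= secret < PRIME or not 1 <= threshold <= shares < PRIME:
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]

    def f(x: int) -> int:
        y = 0
        for c in reversed(coeffs):          # Horner's rule
            y = (y * x + c) % PRIME
        return y

    return [(i, f(i)) for i in range(1, shares + 1)]


def reconstruct(shares: list) -> int:
    """Lagrange interpolation at x = 0; exact with `threshold` distinct shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def xor_stream(key: int, data: bytes) -> bytes:
    """Toy keystream from sha256(key || counter); encryption and decryption are the same."""
    out = bytearray()
    for block in range(0, len(data), 32):
        ks = hashlib.sha256(key.to_bytes(16, "big") + block.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[block:block + 32], ks))
    return bytes(out)


def demo() -> dict:
    """2-of-3 escrow among constructed auditors: one auditor alone cannot disclose."""
    session_key = secrets.randbelow(PRIME)
    message = b"Constructed sample: confidential business message"
    ciphertext = xor_stream(session_key, message)
    escrow = dict(zip(["auditor_1", "auditor_2", "auditor_3"], split(session_key, 2, 3)))
    two = reconstruct([escrow["auditor_1"], escrow["auditor_3"]])
    one = reconstruct([escrow["auditor_2"]])
    return {
        "two_auditors_recover_key": two == session_key,
        "one_auditor_recovers_key": one == session_key,
        "authorised_disclosure": xor_stream(two, ciphertext) == message,
    }
```

Because every share is a point on a random polynomial, a set of shares below the threshold is consistent with every possible secret, which is the property that makes the escrow depend on the auditors' co-operation rather than on any one of them.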
Choice versus interoperability

The users and service providers may feel the need to choose solutions to achieve the assurance levels they require. But interoperability will dictate a limited set of possible choices being available, and costs of service provision will also focus debate onto efficient solutions.

Advice and instruction versus prohibition

This may vary from country to country; however, certain minimum rules will need to be adhered to between parties offering interworking public schemes, covering not only usage but also systems and sub-systems or equipment for the independent implementation of such confidentiality services.

The confidentiality that users enjoy will depend upon the robustness of the service that is offered. This in turn will depend upon the robustness of the available architectures against perceived threats: key theft, masquerade, deliberate denial of service and inadequate disaster recovery are examples of threats to which the vulnerability may differ between alternative architectures. Mechanisms are needed that provide for a defined way to pass from one domain to another. This will require collective or multilateral agreements for interoperation.

Requirements
> Architecture that minimises service vulnerability
> framework for the provision of trans-domain confidentiality services
> guidelines for pan-European confidentiality service providers (including accountability)
> model contract for relationships between service providers across national boundaries
> assurance criteria for service providers and operators
> accreditation process for mutual recognition.

4.2.6. Use of Names and Certification of Credentials

Issue

Use of names and of credentials (eg the public key) in international communications.

Discussion

Name Assignment and Certification Authorities are Trusted Third Parties. Their purpose is to allow for individual and authentic addressing of communication system users by means of their authenticated Distinguished Names.
A user may ask a Naming Assignment Authority for a Distinguished Name. The Naming Authority will give him a Relative Distinguished Name and supplement it with its own Distinguished Name to form the user's Distinguished Name. Thus, although a person may ask several Naming Authorities for the same Relative Distinguished Name, each of his Distinguished Names will be unique, because the Distinguished Names of the Naming Authorities, by definition, will be unique. The concept of an agent that handles the interfaces between the end-user and the naming authorities is important in providing a user friendly interface to this process.

The two functions of name assignment (or identification) and certification are binding operations. Name assignment binds a particular name to an entity (a person or device), and certification binds certain credentials to a name. The diagram below shows the double binding process.

A Distinguished Name and a unique cryptographic Public Key are made part of the user's Credentials. The Public Key can be used to verify a (ciphertext) signature which has been effected by the user's complementary Secret Key (not contained in the Credentials). Credentials are signed/certified by the Certification Authority. Thus the user's Certificate consists of the Credentials, their signature by the Certification Authority and, if necessary, the Certification Authority's own Certificate. The user is given his certificate, preferably in a tamper resistant chipcard. After signing a message with his Secret Key, the user concatenates his Certificate to the message and its signature. The receiver of the signed message can use the Certification Authority's widely available Public Key to verify the signer's Certificate and Public Key. With the latter, the authenticity and integrity of the message can be verified.

The security services related to name assignment and certification need further standardisation as well as legal recognition, both preferably on an international level.
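An added example, not text or code from the Green Book, that puts together the certificate just described (Distinguished Name plus Public Key, signed by the Certification Authority and checked against its widely available Public Key), the two-step verification of 4.2.4.1 (formal verification, then an entitlement check against a register held outside the certificate) and the time-stamping argument of 4.2.4.2 (a signature made in 1993 keeps its value after the key is revoked in 1995 if a TTP stamped it on receipt). The names, dates and document are constructed, and textbook RSA over fixed Mersenne primes stands in for a real signature scheme so that the block runs offline without any library; it is not a secure construction.

```python
"""Added example, not from the Green Book: toy certificate, two-step signature
verification (4.2.4.1, 4.2.6) and TTP time-stamp evidence against a later key
revocation (4.2.4.2).  Textbook RSA, educational only."""
import hashlib
from dataclasses import dataclass

# Constructed key material: disjoint prime pairs give the CA, user and TTP distinct moduli.
_PRIMES = [2**127 - 1, 2**521 - 1, 2**107 - 1, 2**607 - 1, 2**89 - 1, 2**1279 - 1]


def keypair(slot: int, e: int = 65537):
    """Return (public, secret) keys; each slot uses its own pair of primes."""
    p, q = _PRIMES[2 * slot], _PRIMES[2 * slot + 1]
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(secret, data: bytes) -> int:
    n, d = secret
    return pow(_digest(data), d, n)


def verify(public, data: bytes, sig: int) -> bool:
    n, e = public
    return pow(sig, e, n) == _digest(data)


@dataclass(frozen=True)
class Certificate:
    """Credentials (Distinguished Name + public key) plus the CA's signature over them."""
    name: str
    public: tuple
    ca_sig: int


def credentials_bytes(name: str, public) -> bytes:
    return f"{name}|{public[0]}|{public[1]}".encode()


def issue_certificate(ca_secret, name: str, public) -> Certificate:
    return Certificate(name, public, sign(ca_secret, credentials_bytes(name, public)))


def verify_signed_document(doc, sig, cert, ca_public, doc_type, entitlements) -> str:
    """Step 1: formal verification (certificate, then signature and integrity).
    Step 2: entitlement of the name, held outside the certificate (4.2.4.1)."""
    if not verify(ca_public, credentials_bytes(cert.name, cert.public), cert.ca_sig):
        return "certificate not signed by CA"
    if not verify(cert.public, doc, sig):
        return "signature or document altered"
    if doc_type not in entitlements.get(cert.name, ()):
        return "signer not entitled for this document type"
    return "ok"


@dataclass(frozen=True)
class TimeStamp:
    digest: str    # sha256 over document and signature
    date: str      # ISO date asserted by the trusted time-stamping TTP
    ttp_sig: int


def _stamp_digest(doc: bytes, sig: int) -> str:
    return hashlib.sha256(doc + str(sig).encode()).hexdigest()


def time_stamp(ttp_secret, doc: bytes, sig: int, date: str) -> TimeStamp:
    digest = _stamp_digest(doc, sig)
    return TimeStamp(digest, date, sign(ttp_secret, f"{digest}|{date}".encode()))


def signature_survives_revocation(doc, sig, cert, ttp_public, stamp, revoked_on) -> bool:
    """After a key revocation the signature keeps its value only with a genuine earlier stamp."""
    if not verify(cert.public, doc, sig):
        return False
    if revoked_on is None:
        return True
    if stamp is None or stamp.digest != _stamp_digest(doc, sig):
        return False
    if not verify(ttp_public, f"{stamp.digest}|{stamp.date}".encode(), stamp.ttp_sig):
        return False
    return stamp.date < revoked_on             # ISO dates compare lexicographically


def demo() -> dict:
    """The 1993/1995 scenario of 4.2.4.2 with constructed names and dates."""
    ca_pub, ca_sec = keypair(0)
    a_pub, a_sec = keypair(1)
    ttp_pub, ttp_sec = keypair(2)
    name_a = "C=XX, O=Example Naming Authority, CN=A"     # constructed Distinguished Name
    cert_a = issue_certificate(ca_sec, name_a, a_pub)
    entitlements = {name_a: {"purchase order"}}           # register kept outside the certificate
    doc = b"Constructed sample: A commits towards B until 2003"
    sig = sign(a_sec, doc)
    stamp = time_stamp(ttp_sec, doc, sig, "1993-06-01")   # B has the signature stamped on receipt
    return {
        "entitled": verify_signed_document(doc, sig, cert_a, ca_pub, "purchase order", entitlements),
        "not_entitled": verify_signed_document(doc, sig, cert_a, ca_pub, "power of attorney", entitlements),
        "altered": verify_signed_document(doc + b"!", sig, cert_a, ca_pub, "purchase order", entitlements),
        "with_stamp": signature_survives_revocation(doc, sig, cert_a, ttp_pub, stamp, "1995-03-15"),
        "without_stamp": signature_survives_revocation(doc, sig, cert_a, ttp_pub, None, "1995-03-15"),
    }
```

Keeping the entitlement register separate from the certificate means a change of powers never forces re-issue of the certificate, and the stamp covers both document and signature so that neither can be swapped after the fact.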
The United States have already begun to apply relevant US national standards. Therefore, corresponding standardisation action should be started on a European level. Its results should be made the basis for a European contribution to international standardisation. At the same time, an interface towards a legal usage of naming and certification services should be defined, to ease the adaptation to, and to provide for the compatibility of, the various EC legal systems.

Other related issues are pseudonyms and anonymity, for which a business requirement has been identified. Different degrees of anonymity should be provided for, according to the specific needs in digital cash, tele-shopping, registration in data bases for statistical purposes, etc.

As described above, the ability to sign a piece of data is to be distinguished from the entitlement an entity possesses. This relationship is depicted below.

It is necessary to identify requirements and to develop guidelines for the use of names, in relation to:
> requirements to be met by naming authorities
> requirements to be met by the user
> naming principles
> format of Distinguished Name/Relative Distinguished Name
> handling protocol between naming authorities, user and certification authority
> change of names
> recording of information pertinent to de-referencing of names (by the Directory).

It is further necessary to develop guidelines covering the creation and use of certificates, in relation to:
> certificate semantics and format
> certificate handling (production, issuance)
> signature and its certification (method, process)
> authentication of certificate owner (method, process)
> expiry dates
> renewal of certificates (periodical)
> renewal of TTP public key (periodical)
> handling compromises of secret information (secret keys, PIN etc.)
> revocation of certificates and notification
> black listing and execution of certificates
> security standards to be met by certification authorities.
Requirements
> guidelines covering the use of names
> guidelines covering the use of certificates.

4.2.7. Security of Electronically Stored Information

Issue
As legally and commercially significant information is transferred and stored electronically, the implications of this for long-term (tens of years) secure storage and retrieval must be properly understood.

Discussion
Industry is moving increasingly towards electronic trading in all its aspects. Governments are encouraging the use of electronic communication of commercially and legally significant information. As a result, there is a need both to establish irrefutably the origin of, and the delivery of, such information and, particularly, that the information has been signed and stored in an unforgeable way. This unforgeable electronic signature must be trusted for at least tens of years for some information, and the associated information must be retained in a secure manner that is capable of human interpretation at any time during that period. Any system proposed for electronic signature storage must be as secure and robust as that currently used for hand-written signatures. Any such system must allow for not just technical evolution, but also social change and other factors (eg the continued existence of trusted public key directory centres, or the way businesses merge, change or collapse). It is not currently clear that the way this can be achieved is yet accepted legally, or that the full implications are even properly understood.

Requirements
> common approach to the security of electronically stored information
> unforgeable secure storage.

4.3. Requirements for the Safety of Communication Systems

Issue
Safety requirements for communication systems must be expressed in ways that capture users' expectations, reflect the engineering viewpoints of vendors and service providers and are appropriate for regulators. Safety requirements have to be integrated with other types of requirement, eg reliability and security.
Discussion
End user requirements for safety of products or services are often implicit or stated in very "soft" terms, or in terms that assume regulation and certification is looking after their needs. These user requirements can be contrasted with the engineering specifications needed by vendors and service providers to build systems and provide for their assurance. In addition, safety is just one attribute and has to be integrated with all the other types of requirements, with potential conflicts identified and resolved. For example, the requirement for visibility of evidence for safety assurance may conflict with security considerations, and the need to make access impossible for security reasons may conflict with the need for emergency procedures (eg evacuation). However, users' main concerns are ones of cost and choice, and these have to be addressed in the dialogue between service providers, vendors and regulators.

In the safety field the notion of the tolerability of risk and the use of both qualitative and quantitative risk assessments provide a lingua franca between regulators and service providers, as well as, in a modified form, for users and those with professional interests. This discussion needs to be broadened and integrated with security requirements, particularly for domains (eg medical informatics) where open, heterogeneous computer systems have significant IT security and safety components.

In addition to the risks from products or services that the user is willingly engaging in or purchasing, there are the risks from indirect accidents (eg a major chemical or nuclear accident). Normally, in discussions of policies towards the acceptability of risk, a distinction is made between these two types of risk, with the requirements for indirect risk being more onerous than those for risks entered into voluntarily. Again, there is the need to integrate the discussion of these risks with those from security breaches.
Requirements
> platform for a dialogue on risk including users, regulators, vendors and service providers
> policy on risk management on a societal level based on objective risk assessment methods
> techniques that permit an integrated approach to the different types of risk (safety, security, commercial, direct, indirect).

4.4. Requirements for Evaluations

4.4.1. Trustworthiness of Communication Solutions

Issue
Establishment of trust in components, products, systems, services and applications.

Discussion
The trustworthiness of a given communication solution and its use implies that the system owners and especially the users need confidence in its security and safety. They also need to be able to compare different solutions with regard to their security and safety capabilities, cost, functionality, performance, availability and reliability. The diagram below shows schematically the major roles of the actors involved.

The end-user normally runs an application, eg a particular banking application. The application is provided by the application provider, who, in turn, may use various services offered by service providers, eg communication services. To run and provide applications and services, systems are required, normally supplied by several system suppliers. System suppliers purchase components and products from sub-suppliers. In the end, the trustworthiness of the application must be established. This overall trustworthiness is a function of the trustworthiness of the application provider, the service providers, and the systems, products and components. Depending on the needs of the user, vendor declarations, self evaluations or formal evaluations may be required at the various stages. The choice between these mechanisms will depend on the costs and delays involved in formal certification processes, the level of assurance required and national constraints.
Another major factor is the recognition of certificates in other markets and their utility, eg in protecting the user or vendor against liability claims, where it is possible to do so. The qualifications, experience and motivation of project managers, evaluators, certifiers, accreditors and system administration staff also affect the resultant level of trust achievable in the operational system.

Users continually need to upgrade their hardware platforms and change or add to software systems to remain commercially competitive and to follow trends, etc. Thus the ease with which systems and products can be re-evaluated, or the portability of evaluation results, are important issues when deciding on the needs of the user; for example, the portability of products and systems across different hardware platforms. For how long will a vendor support the evaluated hardware and software configuration? Will a vendor re-evaluate all upgrades of their product in a timely manner?

Requirements
> international agreement on criteria and evaluation methods, and mutual recognition of test results
> clarification of the commercial value of certified products, eg in terms of liability limitation
> clarification of the status and implied liability of vendor declarations
> international agreement on the methods for evaluating security and safety critical system development processes, and the qualifications and experience needed for individuals that are involved in these processes.

4.4.2. Motivation to Acquire Evaluated Solutions

Issue
The advantage of the use of evaluated/certified solutions is not generally accepted for commercial applications.

Discussion
Formal security evaluations have been carried out at a national level by a comprehensive, costly and time consuming process. The investment in the evaluation process by the vendor has resulted in higher prices for the resulting secure IT product.
The duration of the evaluation process has resulted in many secure products falling behind the technical state of the art. Up to now, this has often detracted from their broader relevance in the commercial market. Users have often preferred lower cost, more functionality rich products unless forced to purchase evaluated and certified products through some public procurement policy. Vendors, historically, had products evaluated separately by each national market and its supporting criteria. The resulting limited revenue opportunity did not justify the high cost of getting products evaluated. It is necessary to change this view by convincing users of the advantages of purchasing evaluated/certified solutions. Rapid adoption of common evaluation and certification criteria is essential to reduce cost and speed up mutual recognition of the resulting certificates.

Requirements
> rapid adoption of Common Criteria
> agreement on common evaluation method
> portability of test results and mutual recognition
> work sharing between vendors, test centres and users to speed up the evaluation process
> establishment of the value-added for the use by administrations and business, eg in terms of liability protection and in relation to insurance costs.

4.4.3. Consistency of Procurement Practices

Issue
National procurement guidelines for the purchase of evaluated/non-evaluated products are not consistent throughout the EC, nor is there a general agreement on when there is an obligation to use evaluated products, and when it is recommended but discretionary.

Discussion
Some security evaluated IT and communications products are purchased as a result of a risk analysis where it is determined that the evaluated communications product better suits the organisation's security needs than a non-evaluated product.
However, a survey conducted of over 200 organisations indicated that, to a large extent, evaluated products are purchased today by organisations in the EC because of the expectation that they will be required by law to use certified products. This type of legislated market is occurring especially in those Member States that were involved in the development of ITSEC. Unless the procurement policies in the EC are harmonised, the public sector use of IT products will become a patchwork of evaluated and unevaluated products. This may create new barriers to the efficient flow of information. Ways should be found to assist those Member States not involved in the early stages of ITSEC to develop and test procurement policies that are based on evaluated communications products.

Requirements
> identification of categories of applications requiring evaluated solutions
> alignment of national procurement policies concerning evaluated products
> development of guidelines on applicability of evaluation levels.

4.5. Requirements for Security and Safety Methodologies

4.5.1. Risk Analysis and Management

Issue
A number of Risk Analysis and Management methods are available within the market place. However, potential purchasers have no recognised method to establish which method is the most effective for their purposes.

Discussion
It is a fundamental requirement that each enterprise should manage the security of its Information Systems (IS). The strategy to manage information security must be based on, and compatible with, the overall Corporate Security Policy, which, in turn, must reflect and support the key business objectives of the enterprise. However, in addition, any security implemented must be commensurate with the levels of risk to which the enterprise is subject, so as to ensure that adequate, but not excessive, investment is made to protect corporate assets.
The Information Security Strategy will help to ensure the most effective use of resources, and will, where appropriate, ensure a consistent approach to security across a range of different systems. How the Information Security Strategy is to be implemented should be described in detail in a Corporate Information Security Policy. Strategic objectives should be produced. These are general security objectives which may be defined, for instance, in terms of the levels of confidentiality, integrity and availability that the enterprise wishes to attain. The application of baseline security standards has a place within an Information Security Strategy, but not as a substitute for Risk Analysis and Management.

The implementation of the Corporate Information Security Policy is thus based upon the process of Risk Analysis and Management: that is, the assessment of the levels of risk to which corporate assets are subject and the implementation of appropriate security safeguards. Risk Analysis and Management is therefore the key process for the effective protection of information security. Risk Analysis and Management is relevant to, and should be applied over, the complete life cycle of each information system. It can be applied at differing degrees of detail and rigour depending on the size of the organisation and the complexity of its information systems. Successful Risk Analysis and Management requires a set of security methods, tools, evaluation criteria, and, of course, products, standards and guidelines.

There are a number of Risk Analysis and Management methods, supported by appropriate tools, available in the market place, and some organisations will have developed their own in-house methods. Enterprises need a means by which they can establish which method is the most effective for their purposes. It is appropriate that such a means is agreed, implemented and fully supported within the EC.
As a result of previous CEC sponsored projects, Risk Analysis and Management models have been developed and encompassed in the supporting "Claims Structure". This "Claims Structure" will allow the evaluation of Risk Analysis and Management methods to be achieved. Currently it is being actively considered by the ISO SC27 Working Group 1 for inclusion in international standards. This is a good example where European expertise, backed and supported by the CEC, is influencing the establishment of International Standards.

Related to these issues are:
> the proposed standards for security incident reporting schemes, the output from which can improve Risk Analysis and Management reviews;
> the availability of methods and tools for contingency planning/disaster recovery, which need to be aligned to the "Claims Structure" and Risk Analysis and Management methods;
> evaluation criteria within ITSEC, the Federal Criteria (draft criteria produced by NIST in the US) and an EC/US Government Editorial Board to produce a "Common Information Technology Security Criteria".

Requirements
> consideration of the "Claims Structure" as a standard mechanism for specification of requirements, evaluation and the selection of Risk Analysis and Management methods
> evaluation of the "Claims Structure" for applicability in the safety domain
> support for the "Claims Structure" as an international standard
> further evaluation of methods using the "Claims Structure"
> accreditation of organisations to conduct Risk Analysis and Management method evaluations.

4.5.2. Metrics for Loss Assessment

Issue
There is a fundamental need for guidance of any kind on how to assess the loss and damages an organisation might face and how much of this might be addressed by evaluation and certification. Such metrics would increase the perception of the value of a formal evaluation scheme.

Discussion
Action is necessary to ensure the effective international exploitation of the security product evaluation and certification scheme.
There must be a competitive business advantage in developing, implementing and using certified security products, and there must be a well understood correlation between a certified security product and the problems that it can solve. Progress is hindered by lack of independent measures of the business relevance of the certified product. Measures can be obtained by:
> vendor/user studies (from actual risk assessment)
> product comparisons (using loss reduction models)
> insurance contracts (both direct and consequential damage assessment)
> vendor cost/benefit profiles (market penetration, software engineering costs, etc.).

Such studies would prove invaluable to the SMEs who cannot justify extensive security controls yet are probably the most vulnerable to the consequences of information abuse. The ITSEC actions should reflect a balance between the product based concepts of security objectives (codes of good practice) and quantitative risk/loss assessment. This should result in measured, affordable controls as a prerequisite to developing a European and international security market.

Requirements
> mapping of certified product features to specific security incidents
> common, product independent risk analysis processes.

4.5.3. Technology Assessment

Issue
The solution of many IT security issues requires anticipation of complex future scenarios. Technology Assessment (TA) provides a framework in which the use of new and future technology can be investigated to provide security safeguards for a particular application under consideration.

Discussion
When considering new applications, especially those that are likely to have a substantial life cycle, new or developing technology may be of use in providing effective security safeguards. Technology Assessment is designed to involve relevant factors from different areas and to consider all pertinent perspectives (technical, economical, psychological, political, etc.).
Technology Assessment aims at preparing options for political action based on the results of a multidisciplinary approach. Technology Assessment is well established in the US. There is a pilot Technology Assessment project in the field of IT security in Germany, funded by BSI.

Requirements
> identification of the information security issues that may be solved within the Technology Assessment process
> Technology Assessment pilot in Europe in the field of information security, to assess the consequences for future information security applications and provide options for political and legal actions.

4.5.4. Analysis of Audit Trails

Issue
The lack of efficient tools and an associated framework prevents the efficient management and analysis of audit trails.

Discussion
The analysis of audit trails is the last recourse solution to facilitate detection of misuse of information systems. However, several drawbacks prevent their efficient analysis in large and distributed information systems:
> Even though the nature of audit information is often well-defined by existing security standards, there are no standards for the storage and distribution of such information. The hierarchical ordering and merging of information coming from numerous security services of various natures and locations is not possible, thus preventing an efficient synthetic analysis thereof.
> The enormous volume of audit information requires specialised analysis tools. Existing tools are often based on statistical or relational search techniques. They usually leave the Security Officer with fastidious and boring scrutinising tasks, and often significant combinations of events remain unnoticed. Artificial Intelligence (AI) based techniques could be of help in this domain. Of course, such tools cannot provide absolute and exhaustive scrutiny.
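An added example (not from the Green Book) of the two drawbacks above: records from two differently formatted audit sources are normalised into one common form, merged in time order, and a combination of events that neither source shows on its own is flagged. Both log formats, the rule (repeated login failures, then a success, then a role change within five minutes) and the sample lines are constructed assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Record is the common form every audit source is normalised into before merging.
type Record struct {
	Time   time.Time
	Source string
	User   string
	Event  string // login_failed, login_ok or app_<action>
	Detail string
}

// parseLines splits each line, checks the field count, parses the leading RFC3339 timestamp and hands the fields to mk.
func parseLines(text string, split func(string) []string, n int, mk func([]string, time.Time) Record) ([]Record, error) {
	var out []Record
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := split(line)
		if len(f) != n {
			return nil, fmt.Errorf("malformed audit line: %q", line)
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		out = append(out, mk(f, ts))
	}
	return out, nil
}

// Finding is a combination no single source shows: repeated login failures, a success, then a privilege change.
type Finding struct {
	User     string
	Fails    int
	LoginAt  time.Time
	ChangeAt time.Time
}

// Correlate merges the records in time order and applies the combination rule.
func Correlate(recs []Record, minFails int, window time.Duration) []Finding {
	sort.SliceStable(recs, func(i, j int) bool { return recs[i].Time.Before(recs[j].Time) })
	fails := map[string]int{}       // failures since the user's last successful login
	pending := map[string]Finding{} // users whose last login followed >= minFails failures
	var out []Finding
	for _, r := range recs {
		switch r.Event {
		case "login_failed":
			fails[r.User]++
		case "login_ok":
			if fails[r.User] >= minFails {
				pending[r.User] = Finding{User: r.User, Fails: fails[r.User], LoginAt: r.Time}
			}
			delete(fails, r.User)
		case "app_role_change":
			if p, ok := pending[r.User]; ok && r.Time.Sub(p.LoginAt) <= window {
				p.ChangeAt = r.Time
				out = append(out, p)
				delete(pending, r.User)
			}
		}
	}
	return out
}

// Constructed sample logs: three failures then a success on host1, and a role change in payroll a minute later.
const hostLog = `1993-10-18T09:00:01Z host1 auth: FAILED login user=jsmith from=10.0.0.7
1993-10-18T09:00:05Z host1 auth: FAILED login user=jsmith from=10.0.0.7
1993-10-18T09:00:09Z host1 auth: FAILED login user=jsmith from=10.0.0.7
1993-10-18T09:00:20Z host1 auth: OK login user=jsmith from=10.0.0.7`
const appLog = `1993-10-18T09:01:02Z,payroll,jsmith,ROLE_CHANGE,granted=approver`

// Analyse normalises the two constructed sources into Records, merges them and returns the findings.
// Host lines: <time> <host> auth: <FAILED|OK> login user=<name> from=<addr>;
// application lines: <time>,<application>,<user>,<ACTION>,<detail>.
func Analyse(hostText, appText string) ([]Finding, error) {
	host, err := parseLines(hostText, strings.Fields, 7, func(f []string, ts time.Time) Record {
		return Record{ts, f[1], strings.TrimPrefix(f[5], "user="), "login_" + strings.ToLower(f[3]), f[6]}
	})
	if err != nil {
		return nil, err
	}
	comma := func(s string) []string { return strings.Split(s, ",") }
	app, err := parseLines(appText, comma, 5, func(f []string, ts time.Time) Record {
		return Record{ts, f[1], f[2], "app_" + strings.ToLower(f[3]), f[4]}
	})
	if err != nil {
		return nil, err
	}
	return Correlate(append(host, app...), 3, 5*time.Minute), nil
}

func main() {
	fmt.Println(Analyse(hostLog, appLog))
}
```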
The acquisition and exploitation of audit information may infringe on the right to privacy of individuals, eg in teleworking systems where such information could be exploited to oversee workers' performance on the job. Similarly, the analysis of credit card payment records provides insight into the holder's private habits, even though it is necessary to detect security-critical behaviour. These concerns may warrant recourse to TTP services to prevent abusive analysis of audit trails. These services fall in the same domain as presented in paragraph 6.1.7.

Requirements
> rules and regulations for the design, handling and exploitation of audit trail information, in conformance with privacy laws and practices
> prevention of audit data base compromise (eg techniques of separation of information)
> services for the independent acquisition, management, and/or analysis of audit trails
> development of innovative technologies (AI-based) for the exploitation of large audit trails.

4.5.5. Safety Specific Methodologies

Issue
To establish the processes, techniques and methodologies for achieving safety.

Discussion
Despite the large resource devoted to research and development in software and systems engineering, there is still little data on the effectiveness and costs of different methods and techniques for building dependable systems. The best consensus that can be achieved is reflected in emerging generic international safety standards, which either decline to provide guidance or do so in very vague terms. There is a need to define what software engineering processes should be put in place to build systems, how these should be applied and how the results from them can be demonstrated to meet the requirements. There is also a need to establish the variation of requirements throughout the system lifecycle and to understand the role of process maturity and models and their interaction with technologies for development.
The tendency in safety (and other) applications to require a bureaucratic, documentation based process needs evaluation and its costs/benefits established. The relative importance of process based approaches, the competency of those involved and analytical techniques need to be addressed. Safety is of course just one aspect of dependability, and many of the problems in achieving safety are general problems. In order to facilitate the exploitation of generic work on dependable systems and to focus this work on the needs of safe and secure systems, there is a need to understand in what ways the engineering of safety systems is different. For example, we need to understand how safety analysis techniques (Hazops, fault tree analysis etc.) fit into requirements capture, the need for special fail-safe architectures and design, and the special requirements for hardware fault detection, tolerance and management. The approaches to achieving safety should also recognise not just the software issue but also the problems of designing trusted hardware and the increasing blurring between hardware engineering and software arising from the use of programmable ROMs.

Requirements
> software engineering processes and techniques for safety applications, including their application and evaluation
> understanding of the special needs for engineering safe systems.

4.6. Requirements for Audits

Issue
Identification of security and control weaknesses and the identification of corrective actions.

Discussion
Audit and auditability are becoming increasingly important and should be an independent part of an organisation's approach to security administration, or brought in on a contract basis. The purpose of an audit function is to identify security and control weaknesses and/or failures in enterprises so that corrective action can be recommended to management. An independent audit review ensures that all authorities are not concentrated under the same management.
It is necessary to confirm compliance with standards, check system records and activity, and to ensure that organisation policies are being carried out. Management is responsible for reviewing audit reports and taking corrective action where necessary.

An increasingly important area of information security auditing activity is the involvement of auditors (internal or external) at the initial stages of system development, both to ensure that adequate controls are built in to the system and also to assess whether the development process itself is adequately controlled. This applies not only to in-house developments, but also to third-party developers where bespoke work is being undertaken. The latter situation may need a legal or contractual requirement for audit access to the development staff and environment. Such a requirement (to audit development stages and methods) should be included in public codes of practice and relevant professional standards.

Requirements
> guidelines for audit review of information security activities
> audit tools to enable reviews of security implementations and identify weaknesses (eg using artificial intelligence)
> guidelines on reviewing any or all security changes
> suitable and consistent level of competence for security auditors and organisations, to be accepted throughout the Community
> greater commonality of formats for audit trails, so that they can be used between systems
> mechanisms to enable qualified auditors to be involved in system development.

4.7. Information Valuation

Issue
A recognised and common means is required to value information for a range of information security purposes, including insurance, tort law cases, and risk analysis and management.

Discussion
Within the information security arena Information Valuation is required for a number of purposes.
These include:
> insurance purposes, where, essentially, a financial cost is required for an insurable asset against an insurable event;
> tort law cases, where again a financial cost is required to assess corporate or individual loss, and therefore compensation, for a failure or action involving the provision of or use of information security;
> risk analysis and management activities, in which information requires to be valued not only on a financially quantifiable basis but also on non-financial impacts, such as failure to meet legal responsibilities and obligations, personal safety, corporate embarrassment, infringement of personal privacy, etc. Some Risk Analysis and Management methods do this already, but not in any standard form.

In addition, should Green Book information security activities be extended to cover safety critical systems, further valuations associated with loss of life or injury will become relevant. To value the cost of re-inputting lost information is relatively easy. However, to value the impact of, for instance, the disclosure of highly confidential information which causes the resignation of the Managing Director is less straightforward. Thus there is a need for a common approach that will allow information to be valued in a way that will allow relative comparisons between financial loss and non-financial impacts, through unavailability of information, unauthorised disclosure of information or unauthorised modification of information or software.

Requirements
> development of common practices for information valuation
> assessment of current methods for information valuation
> definition of the rights and duties of information ownership
> development of guidance for owners of information to avoid negligence charges with regard to the protection of their assets.

5. Supply Related Issues

5.1. Supply Related Issues - Ways to Meet the Security Demands (Issues related to supply)

5.1.1.
Security Services

Issue
Agreement on the provision of particular security services is needed to meet the needs of business, administrations and the individual. Security services are offered mainly to prevent disputes, or resolve them in a way that is structured, efficient, accepted by all parties involved and non-controversial.

Discussion
Prevention of disputes arises essentially from the very ability of security services to assign responsibility and fault, should one occur. Thus, security services must essentially be able to verify the application or non-application of rules and the evidence pertaining to them. Security services may or may not generate the evidence themselves. In other words, the question is whether a third party offering a trusted service also arbitrates litigation pertaining to its principal service. For example, does a signature generation service also provide signature verification services? Two issues arise in this topic:
> What is the legal status of evidence generated by security services? Does it imply liability?
> What is the legal status of decisions made by security service providers when they are not judicial but private (and, as a corollary, what are the rules of appeal)? If evidence is not generated by the arbiter, how is the evidence acquired and authenticated, and how is responsibility assigned?

One is faced with the general problems of TTPs: operating rules and legislation, standardisation, inter-operability and accreditation. Possible solutions to the following service categories have been identified:

Non-Repudiation Services
These can be achieved through straightforward application of the digital signature mechanism. In an open environment, this would imply the use of public key techniques. Each entity (user) possesses a public key pair, consisting of a public key P, which can be made known to everybody, and a matching secret key, S.
The secret key is used to create a digital signature on a message, and the corresponding public key is used to verify that the digital signature has been created by means of the secret key. If the public key scheme is an encryption scheme, like RSA, the public key may alternatively be used by anybody to encrypt a confidential message to the owner of the secret key, as this is the only key which can recover the original message.

Claim of Origin
It is possible to prove that claim of origin can only be achieved by using a trusted centre, where the electronic documents are registered or authenticated. The point is that in order to establish the origin, we need a digital signature. Of course, anybody can apply his own digital signature to the document, but this will not imply proprietorship. Hence the only solution is some kind of registration or notary service. In particular, cryptographic techniques have nothing useful to offer in any other way than to apply non-repudiation services to prove that a document was registered, or by using encryption to protect the content of a document. When such a centre has been established, it will be trivial to integrate security.

Claim of Ownership in electronic negotiable documents
By the use of digital signatures and TTPs electronic negotiable documents can be provided in different ways. Three schemes are presented here.

1. Negotiable documents can be stored by a TTP, in that the TTP at any time on request can provide a copy of the document and the name of the document owner. The TTP guarantees that the document is unaltered and that the correct owner is registered. Document transaction is performed on request from the document owner, which could even be authenticated by a digital signature, which also secures against repudiation. In this scheme the users have to have unconditional trust in the TTP. If the TTP is corrupted it might alter the documents or the owner's identity. Several systems exist today that use this approach.

2.
If digital signatures are used in the scheme presented in (1), in that the negotiable documents and the "sales contract" proving document transaction are digitally signed, the TTP has only to be trusted to keep the documents securely stored. The owner of a document can be identified by anyone by verifying the signatures of the document and all the "sales contracts" (the identity given in the last "sales contract" in the chain will be the document owner). In this scheme only functional trust in the TTP is required: to keep the digitally signed documents and "sales contracts" securely stored and to present them in copy to anyone (or at least to potential document buyers) upon request.

3. By the use of chipcards the negotiable documents can be securely stored and protected against copying or multiple selling by an owner. The only other way to provide uniqueness is to physically prohibit free copying. This would involve tamper resistance to realise a protected communication with restricted functionality. A message encrypted under a key known to only one entity (eg, the entity's public key) is unique, as long as it is encrypted, and establishes indisputable ownership by the mere fact that it will only be useful to the owner of the key. Only the person in possession of the right key can make any use of the document, which in effect is the property of uniqueness. A negotiable document is transferred from one chipcard to another, through a public network, in such a way that
a) it can only be transferred to one particular chipcard;
b) recovery is possible, if the transfer is unsuccessful;
c) the protocol cannot be simulated by any other device than an authorised chipcard.
This solution would require a functionally trusted CA to register the chipcards by their public key.

Also for non-negotiable documents a limit to proliferation may be useful. Consider eg contracts. Generally each party to a written contract holds one original document which cannot be proliferated.
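Scheme (2) above, as an added example that is not part of the Green Book: the document and each "sales contract" carry a digital signature, and anyone holding the copies the TTP stores can walk the chain to establish the owner; a contract not signed by the owner at that point in the chain (a non-owner, or a previous owner selling again) fails verification. The issuer, the parties, the document text and the use of Ed25519 are assumptions; the TTP's storage is not modelled, only the verification any recipient can perform.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is an issuer or owner of negotiable documents, identified by its public key.
type Party struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewParty() *Party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable randomness: nothing sensible to continue with
	}
	return &Party{Pub: pub, priv: priv}
}

// Document as issued: content, issuer, first owner, and the issuer's signature over them.
type Document struct {
	Content    string
	Issuer     ed25519.PublicKey
	FirstOwner ed25519.PublicKey
	Sig        []byte
}

func (d Document) body() []byte {
	return append(append([]byte(d.Content+"\x00"), d.Issuer...), d.FirstOwner...)
}

// ID is a digest of the signed body; every sales contract is tied to it.
func (d Document) ID() []byte {
	h := sha256.Sum256(d.body())
	return h[:]
}

func Issue(issuer *Party, content string, firstOwner ed25519.PublicKey) Document {
	d := Document{Content: content, Issuer: issuer.Pub, FirstOwner: firstOwner}
	d.Sig = ed25519.Sign(issuer.priv, d.body())
	return d
}

// Transfer is a "sales contract": the seller's signature over (document ID, chain position, buyer key).
type Transfer struct {
	Buyer ed25519.PublicKey
	Sig   []byte
}

func contractBytes(docID []byte, seq int, buyer ed25519.PublicKey) []byte {
	p := append([]byte{}, docID...)
	p = append(p, byte(seq>>8), byte(seq))
	return append(p, buyer...)
}

func Sell(seller *Party, d Document, seq int, buyer ed25519.PublicKey) Transfer {
	return Transfer{Buyer: buyer, Sig: ed25519.Sign(seller.priv, contractBytes(d.ID(), seq, buyer))}
}

// CurrentOwner verifies the issuer signature, then each sales contract in order under the owner established so far.
func CurrentOwner(d Document, chain []Transfer) (ed25519.PublicKey, error) {
	if !ed25519.Verify(d.Issuer, d.body(), d.Sig) {
		return nil, errors.New("document: issuer signature invalid")
	}
	owner, id := d.FirstOwner, d.ID()
	for i, t := range chain {
		if !ed25519.Verify(owner, contractBytes(id, i, t.Buyer), t.Sig) {
			return nil, fmt.Errorf("sales contract %d is not signed by the owner at that point", i)
		}
		owner = t.Buyer
	}
	return owner, nil
}

// Scenario issues a constructed bill of lading, sells it Alice -> Bob -> Carol, then checks that
// a contract signed by a non-owner and a second sale by a previous owner are both rejected.
func Scenario() (carolOwns, forgedRejected, resaleRejected bool, err error) {
	bank, alice, bob, carol, mallory := NewParty(), NewParty(), NewParty(), NewParty(), NewParty()
	doc := Issue(bank, "Bill of lading no. 4711, 20 containers", alice.Pub) // constructed
	chain := []Transfer{Sell(alice, doc, 0, bob.Pub), Sell(bob, doc, 1, carol.Pub)}
	owner, err := CurrentOwner(doc, chain)
	if err != nil {
		return
	}
	// Mallory never owned the document, so her contract at position 1 cannot verify.
	_, errF := CurrentOwner(doc, []Transfer{chain[0], Sell(mallory, doc, 1, mallory.Pub)})
	// Alice already sold to Bob; the contract at position 1 must be Bob's, not hers.
	_, errR := CurrentOwner(doc, []Transfer{chain[0], Sell(alice, doc, 1, mallory.Pub)})
	return owner.Equal(carol.Pub), errF != nil, errR != nil, nil
}

func main() {
	fmt.Println(Scenario())
}
```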
When the contract is superseded by a new version, the old version can be located and devalidated. This cannot be paralleled with the usual electronic means. Unless the number of original electronic documents can be limited, devalidation is of little use.

Document originality can be provided by the use of chipcards. A chipcard can store a secret and protect it. The secret is essential to authenticate the signature of the document. As the chipcard cannot be explored, the secret cannot be transacted into another chipcard. Thus it is practically impossible to duplicate the original chipcard. Such a chipcard can be made a substitute for the negotiable paper document.

In order to produce and to transact chipcard documents via telecommunication, trusted equipment is needed. It should be operated by trusted third parties, eg by public notaries. They may be bestowed with the responsibility to produce chipcard documents and to transact and receive them by means of their trusted equipment. Transaction may be performed by depleting the original chipcard at the sending end, securely transmitting its information and feeding it into another chipcard at the receiving end. This process must be protected for its integrity and confidentiality. Not even the "public notary" must be in a position to alter the information.

Besides issuing negotiable documents there are other ways of securing correct title to property. Instead of a person proving his claim by the presence of a token, the claim may be addressed to a distinct person who then is expected to prove his identity. This - continuing with the above example - is the case with the freight bill, which is another way to deliver a cargo to the authentic receiver. However, the freight bill cannot be traded as effectively as the bill of lading, although, by omission of additional chipcards and other trusted equipment, it makes it easier to design the electronic substitute process.
One should expect that, unless proper electronic documents become available, the use of paper for negotiable documents will continue at the expense of effectiveness and with more paper.

Fair Exchange of Values

It is possible to exchange electronic documents of value, such as unique documents or commitments with digital signatures, in an interactive protocol which will not allow any participating party to cheat. The framework for this could be the forthcoming UN/EDIFACT recommendation for Interactive EDI, which is sufficiently flexible to integrate the communication required for fair exchange of values.

Untraceability

Methods have been developed in cryptography which would allow the implementation of central data base systems, based on individuals in, say, the EEC, which would at the same time provide complete anonymity to the individual, yet be open to the extraction of any reasonable statistical information. The impact would be quite important. It would be possible at the same time to have all data available for statistical evidence, say for AIDS infected persons who volunteer to register, yet guarantee the protection of the individual, not based on unconditional trust, but on logical protection, which can only be penetrated if some of the hardest known mathematical problems can be solved.

Time-Stamping

The third party must be trusted by both parties, or at least by the dispute resolution mechanism, for the correctness of the date and time supplied, but also for the confidentiality with which they handle the contents of the correspondence.
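Scheme 2 of "Claim of Ownership" above, as an added example that is not part of the Green Book: the issuer signs the document, each "sales contract" is signed by the current owner, and any party holding the stored records can verify the chain and read the owner off the last contract, so the TTP needs only functional trust. The party names, the toy RSA parameters and the sample bill of lading are constructed for the illustration.

```python
"""Ownership chain for an electronic negotiable document (scheme 2 above).

Added illustration, not code from the Green Book. The issuer signs the
document once; every transfer is a "sales contract" signed by the current
owner and naming the buyer. Anyone holding the stored records can verify
the chain and read the owner off the last contract, so the TTP only needs
to be functionally trusted to store the records and hand out copies.

Textbook RSA over small constructed primes stands in for the signature
scheme so that the file runs with the standard library alone; it offers
no real security and the key sizes are far too small for any use.
"""
import hashlib
import json
import math


def next_prime(n):
    """Smallest prime >= n by trial division (adequate for toy sizes)."""
    while any(n % d == 0 for d in range(2, math.isqrt(n) + 1)):
        n += 1
    return n


def keypair(seed, e=65537):
    """Toy RSA key pair derived deterministically from a constructed seed."""
    p = next_prime(seed)
    q = next_prime(p + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    while math.gcd(e, phi) != 1:           # keep the public exponent invertible
        e += 2
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}


def digest(record):
    """Canonical SHA-256 of a JSON-serialisable record, as an integer."""
    data = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(record, priv):
    return pow(digest(record) % priv["n"], priv["d"], priv["n"])


def verify(record, sig, pub):
    return pow(sig, pub["e"], pub["n"]) == digest(record) % pub["n"]


def issue_document(doc_id, content, first_owner, issuer_priv):
    body = {"doc_id": doc_id, "content": content, "first_owner": first_owner}
    return {"body": body, "sig": sign(body, issuer_priv)}


def sales_contract(doc, prev, seller, buyer, seller_priv):
    """Transfer record signed by the seller; 'prev' binds it to the chain so far."""
    body = {"doc_id": doc["body"]["doc_id"], "from": seller, "to": buyer,
            "prev": digest(prev)}
    return {"body": body, "sig": sign(body, seller_priv)}


def current_owner(doc, contracts, directory, issuer_pub):
    """Walk the stored chain; return the owner, or None if any link fails.

    'directory' maps names to certified public keys (the registration
    function of a functionally trusted TTP); issuer_pub signed the document.
    """
    if not verify(doc["body"], doc["sig"], issuer_pub):
        return None
    owner, prev = doc["body"]["first_owner"], doc
    for c in contracts:
        b = c["body"]
        if b["doc_id"] != doc["body"]["doc_id"] or b["prev"] != digest(prev):
            return None                    # contract does not follow the chain
        if b["from"] != owner or owner not in directory or b["to"] not in directory:
            return None                    # seller is not the registered current owner
        if not verify(b, c["sig"], directory[owner]):
            return None                    # not signed with the owner's key
        owner, prev = b["to"], c
    return owner


def demo():
    """Constructed example: a bill of lading issued to Alice, then sold to Bob."""
    seeds = {"Carrier": 1_000_000, "Alice": 2_000_000, "Bob": 3_000_000, "Eve": 4_000_000}
    keys = {name: keypair(seed) for name, seed in seeds.items()}
    directory = {name: pub for name, (pub, _) in keys.items()}
    doc = issue_document("BL-0001", "1000 t wheat, Rotterdam", "Alice", keys["Carrier"][1])
    c1 = sales_contract(doc, doc, "Alice", "Bob", keys["Alice"][1])
    honest = current_owner(doc, [c1], directory, directory["Carrier"])
    # Eve never owned the document; a "contract" from Bob signed with her key is rejected.
    forged = sales_contract(doc, c1, "Bob", "Eve", keys["Eve"][1])
    attacked = current_owner(doc, [c1, forged], directory, directory["Carrier"])
    return honest, attacked


if __name__ == "__main__":
    print(demo())   # ('Bob', None)
```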
Requirements

- Harmonisation of legislation on the legal status of evidence generated by any TTP and especially on the intra- and extra-Community recognition thereof
- litigation services based on existing international bodies such as the International Chamber of Commerce
- techniques for the establishment, handling and recording of electronic negotiable documents
- date and time stamping for time-critical transactions and applications, including a range of granularities of timing
- international harmonisation of rules and services for time stamping, with the objective of achieving general recognition and acceptance of time stamps and their provision by suitably accredited service providers.

5.1.2. Signature Schemes

Issue

Introduction of international digital signature and identification schemes.

Discussion

Open communication requires standardised, publicly available algorithms. It is possible, however, to develop a scheme for digital signatures, to get laws, regulations or directives in place, to develop supporting profile standards and to develop fully implementable models for TTPs, without specifying in detail the underlying algorithms.

The characteristics required of a digital signature mechanism include that it
- is practically unbreakable
- has a sufficiently large key space, performance (time and space requirements for signing and verification), reasonable size of key, etc.
- includes key generation.

In order to allow for world-wide, unrestricted use of a digital signature scheme, the mechanism should not be usable for the concealment of message content.

The minimum requirement should include
- an estimate of error probability if probabilistic methods are used
- an estimate of the probability of occurrence of weak keys (perhaps completely improbable)
- a guarantee of a sufficiently high degree of uniform distribution.
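As an added example (not from the Green Book) of a signature mechanism that conceals nothing and of an identification scheme that fits it, as this section asks for: Schnorr's zero-knowledge identification protocol and the signature obtained by replacing the verifier's random challenge with a hash of the commitment and the message. The group parameters are constructed at toy size so the file runs offline.

```python
"""Zero-knowledge identification and the signature scheme it fits.

Added illustration, not from the Green Book. Schnorr's identification
protocol lets a prover show knowledge of the secret x behind y = g^x
without revealing x; hashing the commitment together with the message
instead of asking a verifier for a random challenge turns the same
mechanism into a signature. Neither operation can conceal a message:
a transcript or a signature carries only a yes/no check, no recoverable
content, which is the property the text asks of a world-wide scheme.

Group parameters are constructed here at toy size by trial division so
the file runs offline; real use needs standardised, large parameters.
"""
import hashlib
import math
import secrets


def is_prime(n):
    return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))


def toy_group(start=1_000_000):
    """Find q prime with p = 2q + 1 prime; return (p, q, g) with g of order q."""
    q = start
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 1
    p = 2 * q + 1
    g = 4                                  # 2^2 lies in the order-q subgroup
    return p, q, g


P, Q, G = toy_group()


def keygen():
    x = secrets.randbelow(Q - 1) + 1       # secret key
    return x, pow(G, x, P)                 # (x, y = g^x mod p)


# --- identification protocol (interactive) ---------------------------------
def prover_commit():
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)                 # keep r secret, send t = g^r


def verifier_challenge():
    return secrets.randbelow(Q)


def prover_respond(r, x, c):
    return (r + c * x) % Q                 # s = r + c*x mod q


def verifier_check(y, t, c, s):
    """Accept iff g^s == t * y^c (mod p); reveals nothing about x."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def identify(x, y):
    """Run one honest protocol round and return the verifier's decision."""
    r, t = prover_commit()
    c = verifier_challenge()
    return verifier_check(y, t, c, prover_respond(r, x, c))


# --- signature from the same mechanism (hash replaces the challenge) -------
def _hash_challenge(t, msg):
    h = hashlib.sha256(t.to_bytes(8, "big") + msg).digest()
    return int.from_bytes(h, "big") % Q


def sign(x, msg):
    r, t = prover_commit()
    c = _hash_challenge(t, msg)
    return t, prover_respond(r, x, c)      # signature is the pair (t, s)


def verify(y, msg, sig):
    t, s = sig
    return verifier_check(y, t, _hash_challenge(t, msg), s)
```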
In so-called identification schemes (for access control), which do require public key techniques rather than conventional schemes, practical zero-knowledge protocols must be developed and standardised that fit a corresponding digital signature standard.

Requirements

- Specifications and standards for an international signature scheme
- specifications and standards for the integration of the signature schemes into practical applications
- a general application programming interface (API) for the integration of signature schemes into applications; this should include codes which explain the purpose of the applied signature
- development of transaction-oriented multiple signature schemes
- licensing of cryptographic algorithms.

5.1.3. Confidentiality Schemes

Issue

Agreements on the confidentiality schemes to be used, taking into account the needs of individuals, business and administrations and the duties of law enforcement.

Discussion

Confidentiality of message contents can be achieved in many different ways and, historically, many ingenious methods have been proposed and applied. Different requirements exist because of different levels of sensitivity and of different media, eg for data, audio and video communications.

Symmetric encryption, where the sender and the receiver share a common key, is the classically preferred method, because of the speed that can be achieved. The common key must be exchanged via a secure channel before communication can take place. Examples of widely used symmetric mechanisms are the Data Encryption Standard (DES) and the proprietary mechanisms used in mobile communications.

Asymmetric encryption methods, where the sender and receiver use different, but related, keys, are simpler to use, because key exchange via a secure channel is not required. These methods are also called public key cryptology, because the encryption key can be made public.
However, it is not possible to use asymmetric encryption in high speed applications (the fastest hardware implementations work in the area of several tens of kilobytes per second). An example of an asymmetric mechanism is Rivest, Shamir, Adleman (RSA).

For practical applications, a combination of symmetric and asymmetric methods is often used. In these cases, the (session) key is exchanged via an asymmetric mechanism and the actual data to be protected is encrypted at high speed with a symmetric algorithm. Other key exchange schemes are also possible, eg the Diffie-Hellman method, where each partner in a (two-way) communication contributes part of the session key.

The confidentiality level that can be achieved depends on many factors. Besides the quality of the algorithm itself, these factors include its mode of operation, the key length and the key generation method.

Key management is an important factor in confidential communications. In asymmetric encryption, in addition to key pairs being generated, the public key is certified and included in a directory. For confidential communications to take place, the sender and the receivers require agreement on the method and protocol used. If confidential communication between different domains using different methods is required, security gateways may perform the necessary translations. These gateways must be trusted.

Although not required for normal business use, it is possible today to produce hardware and even software solutions that produce practically unbreakable cryptograms. This fact potentially represents a threat to public order and may hinder law enforcement in their duties.

Requirements

- Consensus on the principles of confidentiality services for use by individuals, enterprises and administrations
- a trustworthy confidentiality scheme and its supporting administration.

5.2. Supply Related Issues - Security Management

5.2.1. Role of Trusted Third Parties (TTPs)

Issue

Some of the security services necessarily require the involvement of a third party. Any such party is trusted in some way. These trusted third parties (TTPs) can also be involved in the provision of administrative services. This may satisfy business as well as law enforcement needs.

Discussion

When a group of users wants to communicate securely using cryptographic methods, some measures must be taken to distribute and update the keys that are needed. Typically, each user must obtain a key from every other user he wants to communicate with, no matter which service is required. For a small, constant user group, this may be a fairly straightforward problem, which can be solved without involving any other parties than the users themselves. For larger and more open user groups, however, the problem quickly becomes difficult, and one needs to involve a so-called Trusted Third Party (TTP).

Although several variants exist, a main distinction is usually made between two types of TTPs: functionally trusted third parties and unconditionally trusted third parties.

The first type arises from the obvious need for reliable registration of users of the system. If public key methods are used, this will usually include certification of public keys as belonging to certain users. A TTP trusted to perform this function is called functionally trusted. It is clear that if the registration is not done in a reliable manner, users cannot even be sure with whom they are communicating. So functional trust represents the minimal amount of trust that must be placed in a TTP. Note that this type of TTP does not need to know the secret key of any user, nor does it need to know any conventional keys used for data communication between users. The functionality required in this instance is comparable to the functionality of a phone book. It provides a reliable connection between people, or rather their residences, and their phone numbers.
The second type of TTP is typically needed in systems that use conventional cryptography only. In addition to the registration function mentioned above, such an unconditionally trusted TTP will generate keys for data communication and then communicate them securely to the users who need them. This means that the TTP knows, and in principle could make use of, all the secret information in the system. Thus measures must be taken to prevent such misuse. This usually involves the use of tamper resistant hardware, ensuring that no key will appear in the clear outside of the trusted environment.

In any case, whichever approach is chosen, Trusted Third Parties must be introduced to handle a number of administrative functions related to the management of users, in particular registration, and the distribution of all relevant information on keys. However, a number of other functions, such as time stamping, are relevant, and all these requirements must be clearly understood to reach the objective of the project.

One single TTP world-wide is clearly impractical. So there will be one or more networks of TTPs. Some networks may only support closed user groups. International networks for an open environment need some framework.

Trusted Third Party services can be considered as value-added communication services available to users wishing to enhance the trust of the services they use. Therefore TTPs have to be able to offer value added with regard to availability, integrity, confidentiality and assurance. Although TTPs may be set up on a national basis within national law, they must be trusted internationally.

There are different types of functions which may all or in part be fulfilled by TTPs. The exact nature and extent to which these functions are provided by TTPs will be dictated by practical considerations and may vary considerably. In general the TTPs operate on the basis of information provided by the user.
Certification of information is carried out on the basis of evidence of correctness provided by the user or generated by the TTP itself, eg the keys. The major services a TTP may offer include some or all of the following:

- Name assignment, ie the function of assigning individuals and enterprises unique names and addresses. Individuals may possess several different distinguished names, according to their role, eg as private citizen and as employee of a corporation.
- Certification, ie the function to validate that a name and address has certain credentials, eg a public key for signature.
- Key Management for signature, ie the generation, distribution, establishment and administration of public and private keys.
- Key Management for confidentiality, ie the function to generate, distribute and administer keys used for confidential communications.
- Management Services for Names and Credentials, ie the function to establish, administer and make available registers with the names of individuals and their certified credentials.
- Security services, ie functions usually performed by the legal profession, mostly concerned with non-repudiation. These include:
  - non-repudiation services
  - claim of origin
  - claim of ownership
  - fair exchange of values
  - untraceability
  - time stamping.

Common to Trusted Third Party service providers is that they have to be accredited and audited, and that they have to operate under the law of the country using common guidelines.

The figure below provides an analysis of the different functions involved in the establishment and operation of TTPs. The diagram identifies four functions in this process. The functions are:
- the provision of the required good practices, rules and regulations for the accreditation and operation of TTPs
- the accreditation, re-accreditation and audit of TTPs
- the TTP functions themselves
- the use of communications and of the TTP.
This diagram does not imply any particular allocation of responsibility for the functions indicated.
The information flow contains the following major elements:
- National laws. The operation of TTPs will take place within the laws of the country in which they are located. It is conceivable that some legislation has to be updated to allow TTPs to operate in an international environment.
- Good practices, rules and regulations for the accreditation, operation and audit of TTPs.
- Standards for communications.
- Good practices, regulations and laws for the use of communication services.

Requirements

- Establishment of an international framework for the operation of TTPs
- setting up of conditions for the operation of TTPs in the EC adapted to the needs of national and international users.

5.2.2. Key Usage

Issue

Digital signatures imply the specification of a full set of procedures dealing with the three phases of key management - user enrolment, key and certificate distribution, and operational maintenance (revocation, blacklist, destruction) - which must be agreed and accepted.

Discussion

To apply security to any message or process, four logical layers are relevant:
1. Legal intentions and implications (including social requirements).
2. The definition and identification of the relevant security service to be applied.
3. The underlying mechanisms.
4. The algorithm and protocols.
Without standardising or agreeing on the 4th layer, it will not be possible to communicate.

In order to adopt electronic versions of negotiable and quasi-negotiable documents, such as bills of lading, new security services have been identified to meet business requirements, in particular claim of ownership for the exchange of values. This needs to go through a standardisation process. But also for more "classical" services, the current standards do not reflect the granularity of, eg, non-repudiation needed by business requirements. ISO 7498-2 only addresses non-repudiation of origin and delivery (sometimes called receipt).
However, one needs at least origin, submission, delivery and receipt, where submission and delivery would correspond to the services required when a registered letter is mailed.

For hand-written signatures, a person typically knows what he is signing, which is important for legal implications. This is not so easy to achieve with electronic data. In particular it must be clarified to what extent the system must indicate to the user what he is actually signing.

Requirements

- Standards and profiles, in particular to support and improve CCITT X.509.

5.2.3. Key Management Service

Issue

Key management services for signed and privacy enhanced communications between organisations and individuals.

Discussion

General

- Definition of responsibilities and obligations for services that provide trust in the integrity of communications and those that provide confidentiality.
- Development of codes of practice for the generation, distribution, storage and destruction of keys for both purposes (integrity and confidentiality) in environments that have varying levels of assurance.
- Definition of escrow services. Some of the secrets may be of paramount importance and may have to be distributed among trusted parties (distributed-secret escrow agents) so that none of the parties knows the complete secret, and not less than a defined minimum of those trusted parties must contribute their part of the secret in order to produce the complete secret.
- Mechanisms and criteria for assessing applicants' suitability for the use of TTP services. Not all potential users of TTPs may have the necessary attributes (eg legal status, financial viability, etc.). This essentially applies to TTP services for closed user groups.

Integrity and digital signatures

- The relationship between the key management functions, directory management and certification needs to be clarified.
- Timeliness of issuing signatures when an application is made - verification of the "signature worthiness" of the applicant - periodic review of the "worthiness" of the existing constituency of signature holders.
- Removal of signatures from the "active list" and initiation of an "attempted illegal use" audit. This is a "certificate management" - "key management" interface management issue.

Privacy Enhancement

- Management of the domain within which the confidentiality keys are valid.
- The identity of authorised subjects within the domain: key distribution to those authorised subjects (people and automated processes).
- Should the TTP define the domain as well as manage it? If not, should another TTP hold the definition (ie the table of authorised subjects)?
- Assessment of the assurance level of the domain within which the confidentiality keys are to be used, ranging from vetted, cleared people with physical and logical access controls to un-cleared people in open environments.

Domains are an important concept in confidentiality provision. The following questions require an answer:
1. What is the scope of validity of a domain for certification and the scope of validity for a confidentiality mechanism? Who manages the domains? Who manages inter-domain issues? Does each domain need a different TTP?
2. Who determines the scope of a domain? Who is authorised to change it (for both certification and confidentiality)? Is a domain a contract, and under which circumstances?
3. What are the assurance criteria for domain management? Who audits a domain manager? Who maintains the principles of domain management as technology changes?
4. Should domains for certification and confidentiality be different, in view of the fact that a confidentiality domain will be transitory and that therefore key management principles are different?
5. When should the use of escrow services be mandated to ensure domain integrity?
Requirements

- A single digital signature mechanism and specifications, preferably consistent with other leading countries
- adoption of a confidentiality algorithm standard and specification, and a key distribution mechanism based on an asymmetric public key algorithm
- establishment of "domain assurance" levels and criteria for TTPs to use for confidentiality key management purposes
- codes of practice for TTPs engaged in key management activities and the provision of escrow services, and the methods by which those codes of practice would be audited
- a set of criteria for mutual recognition between TTPs acting on behalf of organisations who wish to communicate securely.
The merging of signature directories and secure inter-domain communications are fundamental issues.

5.2.4. Distributed-Secret Escrow Systems

Issue

Some secrets (eg the secret key of a user) may be of paramount importance and may have to be distributed among trusted parties (escrow agents) so that none of the parties knows the complete secret and not less than a defined minimum of those trusted parties must contribute their part of the secret in order to produce the complete secret.

Discussion

Such schemes are intended to protect the secret against corruption or destruction of the secret holder. Escrow agents are jointly more trustworthy than any of their members. Normally escrow agents, like information brokers, will use communication services to provide added value services.

A US Presidential Initiative of April 16, 1993, announced a "key-escrow system" which is to protect both the confidentiality of (basic) telephone communication and society's interests against misuse of legal encryption for illegal purposes. Telephone users are to hold trusted "Clipper Chips" which they can use to encrypt their conversations. Each such device will have two unique keys, numbers that will be needed by authorised government agencies to decode messages encoded by the device.
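As an added illustration (not from the Green Book) of the k-out-of-n distribution this section contrasts with the two-data-base deposit: Shamir's threshold scheme splits a secret among n escrow agents so that any k of them recover it while fewer learn nothing useful, and it tolerates the loss of n - k agents. The field prime and the sample secret are constructed for the example.

```python
"""k-out-of-n escrow of a secret (Shamir's threshold scheme).

Added illustration, not from the Green Book. The Clipper proposal deposits
two key components in two data bases (2 out of 2): both must cooperate to
recover the key, but losing either destroys it. Splitting the secret into
n shares of which any k reconstruct it keeps the "no single holder"
property while tolerating n - k lost or unavailable escrow agents
(eg 2 out of 5). Arithmetic is over GF(2^127 - 1); the sample secret is
a constructed value, not a real key.
"""
import secrets

PRIME = 2**127 - 1          # Mersenne prime; secrets must be smaller than this


def split_secret(secret, k, n, rng=secrets.randbelow):
    """Return n shares (x, y) such that any k of them recover the secret."""
    if not 1 <= k <= n or not 0 <= secret < PRIME:
        raise ValueError("need 1 <= k <= n and 0 <= secret < PRIME")
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [secret] + [rng(PRIME) for _ in range(k - 1)]

    def f(x):
        return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME

    return [(x, f(x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over whatever shares are supplied.

    With fewer than k shares the result is a uniformly random field
    element, not the secret: a minority of agents learns nothing.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME          # product of (0 - xj)
                den = den * (xi - xj) % PRIME      # product of (xi - xj)
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def clipper_style_split(secret):
    """2-out-of-2 as in the US proposal: two components, both required, no redundancy."""
    return split_secret(secret, 2, 2)


def tolerated_losses(k, n):
    """Escrow data bases that may be lost before the secret becomes unrecoverable."""
    return n - k


def demo():
    secret = 0x0123456789ABCDEF0123456789ABCDEF       # constructed, not a real key
    shares = split_secret(secret, 2, 5)
    two_of_five = recover_secret([shares[1], shares[4]])  # any pair suffices
    one_share = recover_secret([shares[0]])               # a single agent gets noise
    return (two_of_five == secret, one_share == secret,
            tolerated_losses(2, 5), tolerated_losses(2, 2))


if __name__ == "__main__":
    print(demo())   # (True, False, 3, 0)
```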
When the device is manufactured, the two keys will be deposited separately in two "key-escrow" data bases that will be established by the Attorney General. Access to these keys will be limited to government officials with legal authorisation to conduct a wire tap.

There are many possible ways of using distributed-secret escrow systems. The system proposed in the US provides improved protection against corruption of a single secret holder; however, it increases the threat of destruction, because loss of either of the two key-escrow data bases will render the system unavailable. This threat can be met by distributing the secret over a larger number of escrows, so that a subset can reproduce it (eg 2 out of 5).

In view of the international character of communications, the consequences of the US Presidential Initiative and possible improvements should be studied. The US development should be closely observed and should be influenced towards better compatibility with European regulations.

Requirements

- Investigation and configuration of an escrow system adapted to European needs.

5.2.5. Management Services for Names and Credentials

Issue

Whenever parties engage in bi- or multi-lateral electronic transactions, they need beforehand some non-transient information on their partners (such as identity, legal representatives or any other kind of credentials, eg public keys). This does not imply permanent recording of such information.

Discussion

Management Services for Names and Credentials are established to facilitate access to this type of information, whereby service subscribers are provided with up-to-date data pertaining to the parties listed there.
Because partners may conclude transactions on the basis of the information they are provided with (at the minimum, the authenticated identity of their partners), and because some of the information stored by such a service may be protected by privacy legislation, the service itself must be trustworthy and the data it provides correct.

Management Services for Names and Credentials keep objects which are referred to by "Distinguished Names". A Distinguished Name is unique to a communication subject. A subject may have a number of (unique in the above sense) "Alias Names". It is required that the service can reference Alias Names to their subject's natural names. An Alias Name may be a pseudonym. Whether or not the service is allowed to reference a pseudonym and let the inquirer know the result will depend on the subject's data privacy rights.

If, as is likely to be the case, there is more than one provider and certifier of information, the Management Services for Names and Credentials must be part of a network of information suppliers. The network can be organised according to geographical distribution, business sector, information taxonomy, or all three of them. Users may have to subscribe to more than one such service or service type (eg "Public Key directory for the banking sector"). Users may have a number of different roles in an enterprise, each of which needs access to a set of different services. In the case of multiple services and a network of providers, one can speak of a system of Management Services for Names and Credentials.

Because of the damage that could be caused by the distribution of false information, the Management Services for Names and Credentials must apply due care in their operations. In the case of proven negligence the service could be held liable if inaccurate information were provided. The creation, update and destruction (eg in the case of certificate revocation) of information is either mandatory or forbidden.
In critical cases (eg certificate revocation), the update may have to be notified to subscribers without request. The management of the Management Services for Names and Credentials must thus be accountable. There must be legislation, rules and regulations governing it. Obviously, the service must cover and be available on an international level. There is also the issue of standardisation of the service at the user end (external interface) and between service providers (internal interface). Since international Management Services for Names and Credentials are akin to internationally distributed data bases, they face the same legal questions: who is legally responsible for the information (the creator, the storer or the distributor)?

Market pressures are bound to promote the advent of sectoral Management Services for Names and Credentials, and possibly their subsequent interconnection or integration into a larger network. In order to avoid fragmentation among proprietary services, there may be a need to lay down base rules for naming, binding, certificates and the associated IPR rules.

Requirements

- Provision of Management Services for Names and Credentials, to include identity, name information, and credentials such as public keys or any signature-verification data
- interoperability specifications and standards for names and credentials
- international harmonisation of legislation, rules and regulations for Management Services for Names and Credentials.

5.2.6. The Management of TTPs

5.2.6.1. Operating Principles of TTPs

Issue

The need for common operating principles for TTPs.
Discussion

To be effective, TTPs must:
- operate within a consistent legal framework across the Community
- offer a range of services, with a defined minimum
- conform to European or international standards, where available
- follow accepted good practice
- allow for independent arbitration, without compromising security
- be independent in their operation within accreditation rules
- have a public policy on service refusals, if applicable
- assume responsibility of liability within defined limits for availability and quality of service.

The key questions include:
- Has the TTP a contractual obligation of results in terms of availability, integrity and confidentiality?
- How and by whom are the loss and penalty determined in cases of fraud, negligence or failure of the TTP?
- What assurance to the final user is offered by the accreditation of the TTP?

Requirements

- Harmonised legislation to provide an appropriate framework for arbitration, supervision and litigation
- a model for TTPs meeting the requirements of users and authorities
- a baseline for accepted good practice, including a study of the level of availability, privacy and security required for the TTP by the final users and how much they are ready to pay for it
- definition of quality of service, including availability, confidentiality, response-time, rules of disclosure to law enforcement agencies
- operational guidelines, including descriptions of the minimum set of services and the standards to conform to
- standard clauses for the contract between the TTP and the user, concerning the liability of the TTP.

5.2.6.2. Interworking of TTPs

Issue

Openness and protection.

Discussion

In practice, the level of information security is dynamically adapted to a given situation. This leads to the concept of Dynamic IS Management and the need to be able to define domains in which information security is applied homogeneously.

Security Domain Concept

Domains are user groupings sharing some of their functions and support.
For some activities they operate as virtually closed user groups, but have the possibility to interwork with other domains as long as certain minimum requirements ensure no loss of trust or a transparent downgrading. The notion of a security domain is therefore important for two reasons:
- it can be used to describe how security is managed and administered, and
- it can be used as a building block in modelling security relevant activities that involve elements under distinct security authorities.

Examples of domain activities are:
- accesses to elements (eg a database for network management)
- a communications link
- operations relating to a specific management function
- non-repudiation operations involving a notary.

Security Policy

The organisation of security within enterprises, in terms of business control structures or, in the case of some user environments (eg legal, accounting, audit, etc.) and functions (eg IT, human resources, insurance), needs to be supported by a set of security policies, standards (both public and in-house), laws and regulations (eg a computer crime manual), guidelines and codes of practice, etc. The security policy defines what is meant by security within the domain, the rules by which security may be obtained to the satisfaction of the security authority, and the activities to which it applies. The security policy may also define which rules apply in relations with other security domains in general, and in relations with particular other security domains.

The management of inter-domain openness and protection may differ depending on similarities in purpose, and agreements will be needed to achieve appropriate levels of assurance. Mechanisms by which TTPs achieve efficient, coherent management of policies, procedures and controls between domains need development.
Requirements

- Guidelines for domain creation, management and control
- a common framework for domain interworking
- agreement on management, TTPs, accreditation, auditing and relations with law enforcement agencies.

5.2.6.3. Interworking of Autonomous Confidentiality Services

Issue

Until such time as a universal service is offered, interworking between autonomous confidentiality services is likely to be the normal situation because of the differentiated requirements. This implies the need for generally accepted rules for the relationship between these services.

Discussion

For quite a time the conflict between national security issues and the business need for international communications has blocked significant progress in the area of confidentiality services in telecommunications. With the recent US initiatives, pressure from European companies will grow to have access to equivalent services. But within Europe we have the situation that neither the legal situation in the different EC countries nor their national security policies are harmonised enough to have a single confidentiality service scheme with a single algorithm established within the foreseeable future.

Therefore it is necessary to have a framework which enables user-transparent interoperability between different national or regional schemes and which does not block the way for a single scheme which may be established in the far future. Interoperability is also required with non-European schemes like the US scheme. To provide this interoperability, the way information is passed from one national security domain to another has to be specified, and the national schemes have to be compatible with this specified way. The establishment of such a framework for interoperability is therefore a subject which needs international harmonisation. Aspects related to this are requirements for the cryptographic algorithms and for key management issues.
Requirements

- minimum requirements to ensure interoperability, including standards, specifications, rules of procedure and operating practices
- demonstration of trans-European confidentiality services using a suitable application, eg the realisation of administrative telematics applications.

5.2.6.4. Accreditation of TTPs

Issue

The need for harmonised procedures for the accreditation and audit of TTPs.

Discussion

Although the accreditation and audit of TTPs may be a local or national responsibility, the procedures to be followed must be harmonised and have a common basis in order to ensure mutual trust. It is assumed that national governments will be responsible for approving accrediting bodies. This may require the creation of new national laws or the adaptation of existing laws. From the TTP point of view, timely and fair responses to requests for accreditation will be important. From the user point of view, the agreed terms of the accreditation need to be properly documented and inspectable. To maintain public trust in TTPs, an audit process must be put in place. Other issues are related to:

- requests for accreditation from service providers in other EC and non-EC countries
- certification of certification authority and accreditor signatures.

Existing Community rules for accreditation (eg of test centres) should be used as a basis for this work.

Requirements

- development of international guidelines for the accreditation and audit of TTPs
- adaptation of applicable legislation or regulations to provide an appropriate legal framework for use throughout the Community and in relations with third countries.

5.3. Supply Related Issues - Evaluation of Trusted Solutions

5.3.1. Evaluation of Products, Systems, Services and Applications

Issue

Need for evaluations in support of communication requirements in both the public and private sectors.

Discussion

There is a whole spectrum of possible evaluation methods in use today.
These range from:

- vendor declarations without accepted liability (the most common practice at the moment, where the vendor's product information states the intended functionality and quality of the product but no liability is accepted if the product turns out not to be strong)
- acceptance testing by the purchaser (also common, where the purchaser trials the product before committing to it)
- indirect evaluation (where a supplier has a product range with a common product architecture, and the top-of-the-range product has been put through a formal evaluation; though the other products in the range have not been evaluated directly, assurances can be inferred from the fact that one product has been successfully evaluated)
- acceptance testing by a third party (also known as a Security Qualification, where a third party performs specific security testing on behalf of the purchaser, but without the formality of a formal evaluation)
- formal evaluation.

Obviously, mutual recognition and acceptance of standards, criteria and evaluation processes are necessary to achieve fully cost effective solutions from all perspectives, ie user, supplier and service provider.

Requirements

- commitment of management to the security function within enterprises
- establishment of common definitions for the different evaluation options
- Community and international standards for criteria and methodology
- choice in the access to independent evaluation capabilities.

5.3.2. International Harmonisation

Issue

At the moment different evaluation criteria and evaluation schemes are in use. These are especially the US TCSEC, the European ITSEC and the Canadian CTCPEC. Other countries like Japan have first drafts of criteria. This situation is not acceptable to international manufacturers, who would have to perform different evaluations against different criteria and schemes for a single product.
This will unnecessarily increase the cost of the product without enhancing the security features.

Discussion

Various activities are currently under way to harmonise evaluation criteria and evaluation schemes. The ITSEC and ITSEM are the result of such a harmonisation process within Europe. The United Kingdom, France, Germany and the Netherlands are discussing the mutual recognition of each other's certificates based on ITSEC and ITSEM, with the intention of achieving agreement in 1994. In North America, the US and Canada co-operated in the production of the first draft of the Federal Criteria. Following publication of the Federal Criteria in early 1993, it has been decided to make every effort to align the ITSEC and the Federal Criteria to produce a joint European/North American set of Criteria compatible with existing practices in both North America and Europe in 1994. This is the first step towards international harmonisation between the two groups and would be a major step forward. ISO/IEC JTC1/SC27, Working Group 3 is also working on an ISO standard for evaluation criteria, based on the ITSEC and the Federal Criteria.

Harmonisation of evaluation criteria is only the first step to reaching mutual recognition of evaluation results. It will need to be accompanied by agreement on evaluation methodology, evaluation schemes, certification and accreditation practices. Only then will mutual recognition between North America and Europe be possible. Even within the European Community mutual recognition has turned out to be an arduous task and mutual recognition of certificates is not yet achieved, mainly for legal reasons. This indicates that world-wide mutual recognition of certificates requires many, as yet unknown, problems to be solved.

Looking into the international arena, the only evaluation process and certification scheme in the area of communications security (ie computer networks) which has been in place for a significant time is the US TCSEC evaluation scheme.
The focus of this scheme is mainly to evaluate and certify commercial operating system products suitable for government applications. Currently the US is trying to widen this scope with the Federal Criteria and the accompanying trust technology programme of NIST, whose main goal is to establish a more commercially oriented evaluation and certification scheme with industrial evaluation facilities like the ITSEFs in Europe. Both the Federal Criteria and the trust technology programme look like a much better basis for international harmonisation, but nevertheless a considerable amount of work is necessary to achieve this goal. Also, since both the new US criteria and the commercial evaluation process are not yet well established, there is an opportunity to influence this process. The fact that the US has sponsored two parallel ITSEC evaluations of its TMach operating system shows clearly that the US side watches the European activities in this area very carefully and tries to get as much information as possible (both positive and negative!) about the European evaluation process. Thus there is a will for co-operation which is clearly based on the fact that US manufacturers sell large quantities of products in Europe. Other countries like Sweden, Australia and Japan are watching this process very carefully.

Requirements

- establishment of conditions and procedures for mutual recognition of evaluations
- establishment of conditions and procedures for EC-wide/international evaluations
- international and EC standardisation of evaluation criteria and methods.

5.3.3. Vendor Declarations

Issue

For solutions that need security, but not the kind requiring formal evaluations, vendor declarations are used. Currently, these are not defined in terms of what they cover, what assurance they offer compared to formal evaluation, or who is liable if such products or systems fail.
Discussion

Between the requirements for formally evaluated solutions and no evaluation at all, there is a market for security products used by business and the general public. Vendors do incorporate security features in their products and provide some level of assurance, by virtue of the normal quality standards used to develop and maintain the product and the specific claims made by the vendor about the product. Currently, end-users are not able to reliably compare such products from different manufacturers because there are no guidelines which specify the minimum content of vendor declaration documentation. Users have to rely on vendor sales literature. Vendor declarations also need to address the issue of assurance and liability, if a fault in the product causes loss, injury or death to users. This would then enable the user to calculate what the risks are in using products covered by vendor declarations rather than products that have been formally evaluated.

It may be possible to extend the formal evaluation scheme to include vendor declarations as a sub-E1 methodology. The scope of vendor declarations could be specified, together with the documentation required (for example, the claims on security features could use the same format as the ITSEC security target), the quality procedures needed and the auditing of vendors (perhaps by EDP auditors). This method would also allow users to see how vendor declarations compare with formal evaluation, in terms of security features and assurance requirements, and would keep a single, coherent evaluation scheme. It may also be necessary to ascertain exactly where vendor declarations could be used, or more importantly, where they should not be used. For example, they may not be applicable for use in safety-critical systems.
Requirements

- agreed definition of scope and liabilities of vendor declarations
- incorporation of vendor declarations in the ITSEC/ITSEM evaluation scheme
- specification of the types of systems which should not incorporate products covered by vendor declarations.

5.3.4. Self-evaluation

Issue

To reduce the time and cost of formal evaluations, and to facilitate re-evaluation, there is an opportunity for vendors and service providers to both develop and formally evaluate systems, products and services.

Discussion

Currently there are two methods used by users to assess the technical security measures provided by a product or service and their assurance:

- vendor declarations, and
- impartial assessment by an organisation licensed to undertake formal evaluations, using an evaluation scheme such as that used in the UK or Germany based on the ITSEC/ITSEM evaluation criteria.

In general, vendors and service suppliers have a quality assurance department which monitors and audits the development of products and the use of services, ensuring that this is all done to the company quality standards. This provides support for vendor declarations. Vendors and service suppliers could set up a department which would be an in-house evaluation facility and would undertake formal evaluations in the same manner as current independent ITSEFs. Such in-house ITSEFs would be monitored and controlled in the same way as independent ITSEFs. The only difference would be that the in-house ITSEFs would be a part of the vendor's organisation, and not independent. Self-evaluation may speed up evaluations, reduce their costs, and help with re-evaluation, as the evaluations could be done as an integrated part of the development, planned and executed by the same company but different departments. There are certain types of systems for which self-evaluation would be deemed not appropriate because they require high levels of assurance.
End-users may also wish to have independent formal evaluation rather than self-evaluation to ensure that there is no conflict of interest. For example, there may be financial and commercial pressures on the in-house ITSEFs to take short cuts to speed up evaluations, not to investigate certain aspects of the product/system, or not to report certain deficiencies in the product to the certifiers because this would cause the product/system to be delayed, etc. Therefore a product assessed using self-evaluation would not have as high an assurance as a product independently evaluated. End-users must be made aware of the advantages and disadvantages of vendor declarations, self-evaluation and independent evaluation so that they can procure a product/system with full knowledge of the security features and assurance they are getting. Self-evaluation complements independent formal evaluation. The ITSEC/ITSEM evaluation criteria should be extended to incorporate self-evaluation and specify how it fits in between vendor declarations and independent evaluation.

Requirements

- extension of the ITSEC/ITSEM evaluation criteria to include self-evaluation.

5.3.5. Evaluation of Applications

Issue

The user's interest is finally with the security of his application. The use of secure products, systems and services is a necessary but not a sufficient condition to meet the user requirements for the protection of the application.

Discussion

At present, evaluation and certification schemes address primarily products and systems. Communication services are only partially addressed, and applications running on the products and via networks (in particular public networks) are left to the user to address. However, with the restrictive handling of confidentiality mechanisms and opposition against end-to-end encryption, the user is left exposed.

Requirements

- methods for evaluations to cover services and applications.

5.3.6. Evaluation of Communication Services

Issue

With the ITSEC and ITSEM Europe already has a scheme for the independent security evaluation of IT products and (to some extent) IT systems. At the moment this scheme does not fully cover the aspect of the evaluation of communication services, but extensions to this scheme seem possible which are able to address the items not yet covered by the current ITSEC/ITSEM scheme.

Discussion

The main area where communications security is considered in public is that of telecommunication services. Especially when people send sensitive information to others using telecommunication services, they are interested that this information:

- gets to the intended recipient(s) in time
- is not altered by the service
- is not received by anyone other than the intended recipient(s).

Not all these aspects are of the same importance for each kind of communication. The level of importance is highly dependent on the kind of information one wants to transfer. The use of telecommunication services grows rapidly as more powerful equipment and services become available. A lot of companies and especially administrations have policies which forbid the use of specific telecommunication services for highly sensitive information, since they do not trust the communication service providers to enforce some of the above mentioned security issues adequately. They use conventional techniques for the exchange of sensitive information with conventional security measures (eg sending sealed letters by registered mail or by courier). In a time where industrial success depends on the fast exchange of all types of information, these conventional techniques become more and more unacceptable. So the service providers will incorporate security provisions within their services.
But nevertheless a lot of companies (and the national governments) will continue to use the conventional techniques, since they do not trust those security services unless they are under their own control or have been verified by independent experts. Providing a security service as part of a telecommunication service will normally result in all entities involved in the provision of the telecommunication service being involved in providing the security service. Additional entities may even be necessary (like eg a trusted third party for key management issues or authentication services). These entities use systems and products to provide their part of the telecommunication (and security) service. The total service is therefore provided by an interaction of all the entities.

The current ITSEC/ITSEM scheme is aimed at the technical evaluation of security measures within products and systems. It does not cover organisational, personnel, administrative or non-IT related physical security measures. Still, many security services for telecommunication will heavily rely not only on IT security measures but also on the above mentioned other security controls. For example, a trusted third party will surely need extensive organisational, personnel and non-IT physical controls. So it is clear that an extension to the ITSEC/ITSEM evaluation scheme is necessary to cover these aspects. The following section tries to identify how this can be done and which areas are not yet covered.

Looking at communication services one can easily identify several different types of communications products and systems which have to co-operate to provide the service. This includes for example:

- the end user equipment (telephone, modem or even his computer)
- digital dialling switches
- data concentrators
- conventional computer systems with databases for eg user profiles, directory information
- conventional computer systems providing mailbox services
- the communication media
- gateways
- etc.
For a specific telecommunication service one can identify the task each of these products or systems has to fulfil to provide this service. The same is true for security services. Each component involved contributes to one aspect of the security objectives or functions. These will then differ significantly in the functionality as well as in the assurance level required. Various topics regarding this may lead to problems, for instance:

- assumptions on the security provisions to be taken in the environment of the product or system
- some of the security measures will heavily depend on hardware features
- evaluation of non-IT security features, like the effectiveness of personnel and administrative security measures, has to be established
- the integration of all security measures has to be checked for consistency, completeness and effectiveness.

For the evaluation of a communication service, therefore, different evaluations of the systems involved in providing the service are necessary before the whole service can be evaluated.

Requirements

- evaluation of communications hardware and infrastructure security features
- formal accreditation scheme for secure communication services
- accreditation guidelines for the telecommunication sector
- trial service evaluations for existing telecommunication services
- articulation of the requirements of service evaluation.

5.3.7. Trusted Network Management

Issue

Trusted Network Management systems need to maintain a given assurance level while optimising the use of communication assets to achieve good economics and quality of service.

Discussion

There is a growing dependence on the security of network management systems for managing and controlling the provision of telecommunications. This is due to an increased reliance on distributed systems, the provision of new value added services and operations, and the increased sophistication and richness of network and service functionality.
Such dependency is placing greater demands on performance and quality of service. Tomorrow's electronic highways should be managed networks that should ideally interoperate in a seamless way to ensure efficient "self-healing" network operations and flexible creation and provision of a broad range of services, including those supplied by third party suppliers. The management of telecommunications systems security is thus growing in complexity commensurate with the growth in communications systems and the associated services and business use.

The major network management issues involve the protection of electronic information in storage, in transmission and being processed: information used and applied to the controlling and maintenance of networks and services, and information that is used as input to the process of decision making and operational support, and which is also used as input to the emerging new wave of intelligent systems and communications. The provision of appropriate and effective network management solutions is fundamental to the success of the future telecommunications infrastructure for Europe.

Given the complex telecommunication systems that are evolving, the interrelationships that are needed for multi-domain working, the grade of service requirements against a future European framework for legislation and regulation needed to maintain multi-domain working, and the provision and maintenance of network management security, the question of security evaluation is a key issue. What is the alternative if evaluation of network management security is not carried out? There are a number of constraints imposed by end users, service providers and network operators on the provision of security for network management, eg concerning the employment of intelligence in networks and the idea of securing shared resources, dealing with different threat analyses and the responsibility for service liability.
Requirements

- methods for network management evaluation
- definition of Functionality Classes (or Protection Profiles) suitable for systems, products and services used in network management systems
- accreditation guidelines for trusted network management
- trial evaluations for existing network management systems.

5.3.8. Evaluation of Methods and Tools

Issue

The methods and tools used to design, develop and maintain trusted products and systems need to be trustworthy.

Discussion

Methods and tools used to develop trusted products and systems must be trusted to function correctly. For example, a compiler and linker must be trusted not to include malicious code in the resulting executable image. Such malicious code may only be visible if the executable image or object code is directly investigated (ie decompiled). There is a need for trusted compilers, linkers, semi-formal tools (CASE tools) and formal methods tools (eg 'Z' and LOTOS tools, etc.), configuration management tools, etc. The evaluation may take the form of a straightforward assessment of tools or the production of rules for how each specific tool should be used to develop trusted products. A register could be produced and maintained of methods and tools which are suitable (or not suitable) for the development of trusted products and systems. When a new tool is developed, the vendor will have to ensure that the tool is added to the list if he wishes to use it (or sell it to a third party to use) in developing trusted software. The register may also be able to say which tools can be used for which assurance level.

Requirements

- guidelines for the evaluation of methods and tools used to develop trusted products, systems and services
- register of methods and tools which can be used to develop trusted solutions.

5.3.9. Physical and Procedural Issues

Issue

Need to produce a common standard for the physical and procedural issues required to maintain the security of evaluated products and systems.
Discussion

There is no point in two countries buying the same ITSEC E3 product and configuring it in the same way, only to find that their physical and procedural security measures (eg personnel, system administration, system operation, end-user organisation, building security, system maintenance etc.) are incompatible with the security of the system. Each country would have a product with a security target that included the same environment assumptions, but these may be interpreted differently, and the different interpretations may be accepted by the system accreditors in each country. As well as having international harmonisation on the evaluation criteria, effort should also be made to produce guidelines for the physical and procedural measures required to maintain trusted systems which apply internationally. Thus, as well as having mutual certification, it would also be possible to have mutual accreditation.

Requirements

- guidelines for physical and procedural measures required to maintain trusted systems.

5.3.10. Modifications to Evaluated Products

Issue

The shortening life cycle of products and the rapid evolution of services and applications due to competitive pressures imply the need for frequent adaptations and therefore re-evaluation.

Discussion

The impact of Open Systems, with its emphasis on portability and interoperability, has resulted in many new products being incremental releases of existing products, for new operational platforms, applications, etc. There may be multiple releases or versions of a hardware or software solution in a short period of time. The evaluation and certification of the product may take longer than the period between releases or updates to the solution. A certificate currently applies to a specific release or version. Changes may invalidate the certificate. There is a need to devise a method to cope with these product or system changes so that the certified status of a product may be maintained.
Particular concerns include:

- Scope of the evaluation - is an evaluation necessary for every single platform-dependent configuration of a product already certified?
- Assurance - is it necessary to have an entire new release evaluated again in which only a small modification occurred (eg a spelling mistake in the user interface)?
- Re-use of previous evaluation work and results - must the evaluation of sensitive and relevant but unmodified components of a product be repeated?

ITSEC and ITSEM have created a good basis on which to identify the key issues of re-evaluation and subsequent re-certification. Practical experience of re-evaluation is limited, but the problem may be mitigated by identifying key requirements. One approach is to categorise code in the security Target of Evaluation (ITSEC-TOE). This Traffic Light approach includes:

a) GREEN: code that has no bearing on the security functionality of the product or system and that may be modified in future releases without impact on the security of the product or system.
b) YELLOW: code that might impact the security of the product or system and that must be inspected by an independent party (such as an ITSEF) before re-certification can be considered.
c) RED: code that is critical to the security functionality of the product or system, for which any modification may require re-evaluation of the whole product or system.

This approach will assist developers, evaluators and certifiers in containing the level of necessary re-evaluation commitment following any modifications. Feedback on how well this approach works is required. Experience is available in the parallel field of quality evaluation of software products. A framework for re-evaluation is outlined in ISO 9126 and associated processes. It is likely that the impact of software quality on "operational" correctness of security products will force alignment of the various processes.
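The Traffic Light categorisation described above, worked through as a release triage in Python (an added example, not part of the Green Book or any evaluation scheme): a constructed component manifest assigns GREEN, YELLOW or RED to path prefixes of a hypothetical TOE, a release's change list is mapped onto those categories, and the most severe category touched decides whether the release needs no action, independent inspection or full re-evaluation. The manifest, the change-list format and the rule that unclassified paths count as RED are this example's own assumptions.

```python
"""Traffic Light triage of a release against an evaluated Target of Evaluation.

Added example, not from the Green Book: a constructed manifest assigns
GREEN / YELLOW / RED to parts of a hypothetical TOE and a release's change
list is mapped to the most severe category it touches. The path prefixes,
manifest and change-list formats are this example's own assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Light(IntEnum):
    """Traffic Light categories, ordered so that max() yields the most severe."""
    GREEN = 0   # no bearing on security functionality: free to modify
    YELLOW = 1  # might impact security: independent inspection (eg by an ITSEF)
    RED = 2     # critical to security functionality: may need full re-evaluation


VERDICT = {
    Light.GREEN: "no impact on certified status; no re-evaluation needed",
    Light.YELLOW: "independent inspection of YELLOW components before re-certification",
    Light.RED: "re-evaluation of the whole product or system required",
}

# Constructed manifest: the longest matching path prefix wins, so a specific
# subtree (eg user-interface strings) can be GREEN inside a YELLOW tree.
MANIFEST: dict[str, Light] = {
    "src/": Light.YELLOW,
    "src/ui/strings/": Light.GREEN,   # message text only (the spelling-mistake case)
    "src/crypto/": Light.RED,
    "src/access/": Light.RED,
    "docs/": Light.GREEN,
    "tests/": Light.GREEN,
}

# Constructed change list, one "<status> <path>" line per changed file (M/A/D).
SAMPLE_CHANGES = """\
M src/ui/strings/en.txt
M docs/release-notes.txt
A src/ui/dialog.c
"""


@dataclass
class Triage:
    worst: Light
    verdict: str
    per_component: dict[str, Light]
    unknown: list[str]   # changed paths that have no manifest entry


def lookup(manifest: dict[str, Light], path: str) -> Light | None:
    """Return the category of the longest manifest prefix matching path, or None."""
    best: tuple[str, Light] | None = None
    for prefix, light in manifest.items():
        if path.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, light)
    return None if best is None else best[1]


def parse_change_list(text: str) -> list[str]:
    """Extract paths from '<status> <path>' lines; other lines are ignored."""
    paths = []
    for line in text.splitlines():
        parts = line.split(maxsplit=1)
        if len(parts) == 2 and parts[0] in ("M", "A", "D"):
            paths.append(parts[1].strip())
    return paths


def triage(manifest: dict[str, Light], changed_paths, unknown_as: Light = Light.RED) -> Triage:
    """Map every changed path to a category; the most severe one decides.

    Paths missing from the manifest default to RED: an unclassified component
    cannot be assumed to be security-irrelevant, so the conservative verdict wins.
    """
    per: dict[str, Light] = {}
    unknown: list[str] = []
    for path in changed_paths:
        light = lookup(manifest, path)
        if light is None:
            unknown.append(path)
            light = unknown_as
        per[path] = light
    worst = max(per.values(), default=Light.GREEN)
    return Triage(worst, VERDICT[worst], per, unknown)


if __name__ == "__main__":
    result = triage(MANIFEST, parse_change_list(SAMPLE_CHANGES))
    for path, light in result.per_component.items():
        print(f"{light.name:6} {path}")
    print("unknown:", result.unknown)
    print("verdict:", result.verdict)
```

For the constructed change list the spelling-only and documentation changes stay GREEN, but the new dialog source under src/ is YELLOW, so the release as a whole needs independent inspection before re-certification.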
Requirements

- definition of rules and procedures for re-evaluation based on methods currently used
- alignment of the design process with the principles of re-evaluation, design-for-change.

5.3.11. Performance Reporting for Trusted Products

Issue

Obligation to take corrective action in the case of faults found in evaluated products.

Discussion

Despite the successful evaluation and certification of a product or system, there is a small chance, smaller with the higher assurance levels, that a security related fault will be detected. The Developer or Vendor is likely to have this fault reported to him and ought to take steps to correct this fault as quickly as possible and issue a new release of the software or hardware. The Certification Body needs to be informed of the occurrence of such a fault and the steps the Developer intends to take to correct the fault. The Certification Body and the Developer need to discuss the need for any re-evaluation work and agree a timescale for this. Where a Developer is unwilling to correct the fault, the Certification Body needs to decide whether to withdraw the certified status and publish the fact that a fault exists (although not necessarily the details of the fault) or, perhaps, change the conditions upon which the certificate was granted.

When a fault does occur, perhaps due to the way a system has been configured, or due to a specific fault with the product, end-users should be obliged to report the fault to the Developer and to their Certification Body. If this product is in widespread use throughout the world, it may be necessary to inform all end-users who could be affected that a fault exists, detailing the security implications. In order to be able to do this, it would be necessary to set up an international register of evaluated product users (or an equivalent system).
Requirements

- incident reporting system for Certification Bodies
- user and supplier obligations to report incidents
- supplier obligations to take corrective actions, and to initiate re-evaluation
- register of evaluated products and their owners.

5.3.12. Rationalisation of Evaluations

Issue

Speeding up and lowering the cost of evaluation and thereby improving the attractiveness of security evaluations.

Discussion

Two key factors in the success of a security market enhancement are that evaluations are approachable and that the products or systems are developed in a way that is meant to meet the ITSEC requirements beforehand. It must also be understood that in many industrial cases, security, while indeed an important feature of a product or service, is only one aspect of an even larger target which is product quality or the quality of service. Considerable work has been carried out in the broad field of software quality and its engineering which might be valuable to the security community. Several standards address quality through an evaluation and certification approach, eg ISO 9000 and ISO 9126, at the organisation level, at the process level and at the product level. Those standards are well established and the demand for certificates based on them is growing rapidly. There is an urgent need to consider the harmonisation of the ITSEC and ITSEM contents, to take into account to a much larger and clearer extent the benefits brought by these standards to security, and to help reduce the costs and needs of several, disconnected or even conflicting evaluation and certification processes. The ITSEC approach seems to be sufficiently well accepted today to consider its integration into a broader context.
A closer technical look at quality standards and ITSEC/ITSEM taken together shows that, although they are all based on the same fundamental ideas and principles, there are residual conflicts when evaluations are to be carried out, either due to different requirements or to different evaluation approaches. The following steps seem relevant:

- While preserving the current technical principles and requirements, a better distinction between specifically security related requirements and more quality related requirements should be made, so that it becomes clearer, if not explicit, what the various other evaluation systems and associated requirements can cover and/or contribute to.
- As all standards evolve, the ITSEC and ITSEM will have to be updated, at the level of the actual required deliverables for instance, to be directly compatible with what the other domains require, while still remaining specific.
- Parts of the current ITSEC requirements might eventually be replaced by requirements for relevant quality certificates, and hopefully vice versa.

Requirements

- alignment of security evaluation criteria and methods with those for quality and safety, where sensible
- portability of results between quality, safety and security evaluations.

5.4. Maintenance of Safety and Assurance

Issue

To maintain safety and assurance in operation for systems in changing environments, with changing system elements, over long periods of time (30 years).

Discussion

There is a need to maintain the safety and assurance of systems during operation and after decommissioning. These problems are exacerbated by the emergence of large, distributed systems with safety implications and the changing nature of the organisations in which they are embedded. There is the danger that key safety or security properties are established by properties of the organisation that are not made explicit and are undermined as the organisation changes.
This could include the move to contract out work to contractors with a different mindset from the service provider; the slow undermining of safety culture (this is especially important in some Eastern European countries) and the consequential problems of relying on procedures and drills; and the changing technical and linguistic skills of the workforce. There are also the technical issues associated with the evaluation and development of systems and the need for methods and techniques that recognise the impact of these changes and allow for appropriate design and engineering measures to be implemented.

Coupled to these changes to the system is the problem posed by the relatively rapidly changing technology and the likely obsolescence of the systems being used. The need to plan for obsolescence should be recognised from the outset and consideration given to the extent of information required for re-engineering. This covers the capture of expertise, design rationale and development documentation, and access to the tools used in developing the system, which themselves may be obsolete and may involve IPR issues as well. Organisations need to know how to plan for obsolescence, how to determine the best approach to re-engineering (complete redevelopment, translation of software, emulation of old hardware etc.), when it should be done, and the risks, costs and benefits.

Many systems are already obsolete and do not possess the documentation necessary for re-engineering. Strategies for dealing with these systems in a cost effective manner that preserves safety need to be developed, and associated reverse engineering techniques developed for the system (hardware, software, people, organisation). There is also a need to address the reuse of old systems in new applications and the implications for safety assurance and certification.
Requirements
- approach for tracking the evolution of systems and identifying when significant changes to safety and security requirements are taking place
- strategies and techniques for re-engineering of obsolete systems.

5.5. Technological Change

Issue
Changes in the way in which technology is used throughout society will result in demands for new technological approaches to information security.

Discussion
Over the next decades it is to be expected that the macro-economic climate will change dramatically. This is mainly driven by the shift in the geographic location of the generation of the world's GDP from North America and Europe to a more even spread, with the Pacific rim countries producing a larger share. The health and nutrition problems that will face the developing world will become more acute as a greater fraction of their population enters adulthood. Information underpins these processes in a number of ways. The financial aspects of global businesses will become vital to their survival, and the timely, accurate and, where appropriate, private communication of financial information on a global and adaptable scale will be critical. Health care information will need to be routinely available as health carers deal with the health problems of an increasing number of mobile people. Transportation of food to areas in need will require logistic information to be available in remote and underdeveloped parts of the world quickly and accurately. The developed world will make increasing use of its less structured employment patterns to earn money in a variety of ways and in performing a range of tasks, less and less to do with manufacturing. Success will only be possible by the exploitation of mobility and wide bandwidth telecommunications services. This has the potential to provide quality of life together with high productivity.
The effectiveness of this approach, in providing a method of revenue generation, will depend, inter alia, upon the performance, reliability and security of the information and transportation infrastructures. Driving technologies within this scenario are:
- wide bandwidth telecommunications, including
  - multi media applications and communications
  - global teleconferencing
- mobile services for all applications
- gigabyte storage in portable systems
- robotically controlled transportation mechanisms.

It will be essential for a range of security and safety features to be embedded as a matter of design in all infrastructures, services and applications for them to deliver the benefits that are expected by their users.

Broadband communications
Bandwidth will become a commodity on telecommunication systems. The added value in using it comes from the quality of service provided. One aspect of such quality is that of security. To provide security on wide-band public switched networks, investment is needed that is focused on those aspects of security that are required by a) the telecom service provider for his own purposes and b) the end user to support his application. Community wide and international specifications on security in ATM, SDH and associated signalling structures will be necessary.

Multi media applications and communications
Multi media applications will integrate all known representations of information into files, documents, messages and displays. Representations such as voice, audio, still image, text, video and graphics will become interchangeably available from a range of equipment that users interact with, including mobile telephones, personal computers, television sets and personal communicators. All aspects of security must be incorporated for potential implementation on all of these systems, in order that a user may implement a level of security service appropriate to the application and the environment.
A key issue is to maintain the veracity of the information transmitted. Veracity is the property of a piece of information (eg a video sequence) of being true. Veracity is a wider concept than integrity, which is only concerned with the protection of information during transmission and storage. Another issue is concerned with the protection of information through copyright. Without suitable technical means to safeguard the interests of the information owner, the evolution towards the information society will be seriously hampered.

Global teleconferencing
Teleconferencing is becoming the substitute for travel. In order to make it really cost effective, all the above applications, multimedia, mobility, access to mass data and, if necessary, access to one or more parties who are travelling in private vehicles need to be incorporated within the teleconferencing application. True geographic independence will come only if such an application works on a global scale and provides all the security services that are needed by the community of users. Such an application will demand the integration of the security services provided for each of the sub-applications alone. Specifications to allow such integration should be defined and the technology to provide the security functionality developed.

Mobile services for applications
Mobility provides the end user with geographic independence. The price paid for this independence is the infrastructural information and process that allows his demands on the infrastructural services to be met wherever he is. Such information and process has to, by design, have security features incorporated. At the Community level, extensions of the GSM concepts to allow all applications to function securely in the way telephony does on GSM will require significant technological investment.

Mass data storage and communications in portable systems
Access to huge amounts of data from a mobile terminal will be essential.
Such data needs to be communicated securely, whether it be held in volatile memory, in the form of mechanically read ROM or transmitted over a network. Specifications for securing such data need to be developed, as do the necessary bulk encryption services for huge data volumes. The technology components of such services will be a major challenge and need to be defined now.

Robotically controlled transportation mechanisms

Automated systems
Human involvement in controlling mass transportation mechanisms is already decreasing as technology becomes more reliable. If human involvement for individual transportation is to shrink in the same way, then mass production of cost effective safety assured technologies will be essential. Collision avoidance, guidance and navigation systems will be essential parts of every domestic vehicle, and the requirements for the information safety and security critical elements of such systems need to be defined, standardised and developed.

Real time tools for IS diagnostics and counter measures
Information security and safety depending on the collaboration of several information systems face a serious problem of providing seamless assurance. Once established, the assurance level has to be monitored and maintained throughout the transaction or service. Technologically this represents a major challenge going well beyond present day techniques.

Requirements
- incorporation of information security requirements into R&D and engineering of new systems, services and applications
- information security technology for multi-media and other advanced services and applications.

6. Rights, Responsibilities and Liabilities

6.1. Legal Framework

Issue
A differentiated approach needs to be taken to the establishment of a legal framework for information security.
Discussion
To formulate such an approach, one must look first at the special problems that electronic data presents, why electronic data is or may be (legally) different from data in paper form, and what needs to be done about it. In terms of the latter, the issues identified as crucial to the establishment of a legal model for the security of electronic data include:
- meshing Community rules, regulations and guidelines about the security of electronic data with those already in force on the supranational, international and national levels;
- ascertaining the best legal measures for dealing with the legally relevant features of electronic data that are different from those of data on paper;
- dealing with the expectations and awareness of suppliers, users and third parties vis-a-vis their own interaction with and response to the law of the security and the evidence of electronic data;
- asserting defences such as certification, information security audits and the adoption of an appropriate duty of care;
- addressing substantive and procedural issues relating to information security law and law of evidence; and
- ensuring that the model which is created supports and is not inconsistent with public policy.

In addition, any model which is developed must be valid not only for computer-driven electronic data, but also for electronic data which is communicated by or transmitted over telecommunications networks, satellites or other communications facilities, especially as the distinctions between the technologies blur. It is against this backdrop that the following framework for developing an approach to the rights, responsibilities and liabilities relating to the security of information systems was developed.
In this, a glossary of concepts and terms must be developed so that the ideas, recommendations and conclusions discussed in this chapter can be understood and applied, and so that there can be a guarantee, to the extent possible, of consistency in the analysis of the subject matter. A report consisting of preliminary recommendations on the necessity and (realistic) potential for the evolution of a new model for the protection of, and economic rights deriving from, electronic data and information should be prepared.

Requirements
- glossary of concepts and terms
- model for the evolution of protection of, and economic rights deriving from, electronic data and information.

6.2. Data held in Electronic Form

Issue
A distinction must be made between data held in electronic form and data held in material form.

Discussion
Adopting the widest possible definition of information security is fundamental to creating a model for information security legislation. For example, a substantial body of current legislation relating to information security is based on the protection of intellectual property rights or (personal) data, and not necessarily on physical intrusions into systems. As such, new rights and liabilities may have to be created, and these run to the protection of economic as well as intellectual property interests. Also, as much attention needs to be devoted to the data (and information) which systems generate as to the systems themselves. Thus, consideration must be given to such issues as how data is:
- generated (by systems)
- valued (as an asset)
- perceived (by users, owners, and individuals and organisations who are subject to this information)
- potentially itself a threat.
A paper document normally consists of three aspects:
- the carrier (the sheet of paper)
- text and pictures (the physical representation of the information)
- information about the originator to verify the authenticity (usually a written signature)

The connections among carrier, text and signature are self-evident. Therefore normally only the carrier (the paper) is mentioned. It gives delimitation and structure to one finalised representation of the content. These aspects are physically "locked" via the paper that carries the information in one "unchangeable" and durable combination. Paper documents are normally given the necessary signs of authenticity by a written signature: the reader has confidence in the information about the originator and in that the text is not altered. A signature also gives a warning before a judicial act and confirms the final content in a contract, etc. Paper documents are in principle unique physical examples; originals. The stored state and readable state are identical. The paper document is immediately readable and the storing is normally in a language that the user will understand without special training. A manipulation of a paper document has to be a material attack, traceable upon the physical object. An individual makes, often unconsciously, a visual authenticity control when he is reading an important paper document. The information within a paper document is directly transcribed from a human thought process.

Electronic documents confer new dimensions. The carrier, the text and the "signature" are not related to each other in the same "locked" and durable form as in a paper document. Descriptions of electronic documents will normally make immaterial wordings, not physical objects, the starting point. It could on occasion be difficult to obtain information about how the user intended to process stored text-data and computer programs.
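The missing "lock" between carrier, text and originator, as an added example that is not part of the Green Book: a Python sketch in which the three aspects of a document are sealed together with an authentication tag (an HMAC under a constructed key stands in for the technical authentication procedure; the record layout and sample values are constructed), showing that a single flipped bit leaves no trace in the record itself yet is caught once the lock exists.

```python
"""Added example (not from the Green Book): an authentication tag as the
'lock' between carrier, text and originator that an electronic document
otherwise lacks. Record layout, key and sample values are constructed."""
import hashlib
import hmac
import json

# Constructed sample record holding the three aspects of a document that the
# text describes: the carrier, the text, and information about the originator.
SAMPLE_RECORD = {
    "carrier": "file:///archive/contract-0042.txt",  # constructed location
    "text": "Supplier delivers 100 units at 12.00 ECU each.",
    "originator": "A. Example, Purchasing",
}

# Constructed shared key. An HMAC stands in for the 'technical authentication
# procedure' mentioned in the text; a digital signature would bind the same
# three fields, with the added property of being checkable without the key.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def canonical_bytes(record):
    """Deterministic serialisation: equal content always yields equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record, key=SECRET_KEY):
    """Compute the lock: one tag over carrier, text and originator together."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify(record, tag, key=SECRET_KEY):
    """True only if the record is byte-for-byte what was sealed under this key."""
    return hmac.compare_digest(seal(record, key), tag)


def flip_one_bit(text, byte_index, bit):
    """Alter a single bit of the text: the bit-pattern manipulation the text describes."""
    data = bytearray(text.encode("utf-8"))
    data[byte_index] ^= 1 << bit
    return data.decode("utf-8", errors="replace")


def demonstrate():
    """Seal a record, then alter one bit, relocate a copy, and re-seal without the key."""
    tag = seal(SAMPLE_RECORD)

    # One flipped bit turns '1' (0x31) into '9' (0x39): 100 units become 900.
    # The altered record is still well-formed text; nothing in it marks the change.
    altered = dict(SAMPLE_RECORD)
    altered["text"] = flip_one_bit(SAMPLE_RECORD["text"], 18, 3)

    # A bit-exact copy held elsewhere: text untouched, only the carrier differs.
    relocated = dict(SAMPLE_RECORD)
    relocated["carrier"] = "file:///home/user/copy-of-contract.txt"  # constructed

    # Someone without the key cannot recreate a tag that the key holder will accept.
    forged_tag = seal(altered, key=b"wrong-key")

    return {
        "altered_text": altered["text"],
        "original_verifies": verify(SAMPLE_RECORD, tag),
        "altered_verifies": verify(altered, tag),
        "relocated_copy_verifies": verify(relocated, tag),
        "reseal_without_key_verifies": verify(altered, forged_tag),
    }


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value}")
```

With an asymmetric signature in place of the HMAC, any reader could perform the same check without holding the originator's key, which is the electronic counterpart of the reader's visual authenticity control on paper.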
Without certain technical authentication procedures there is no "lock" for the information in an electronic document, and such objects are not immediately readable. Manipulation of a digital record consists of untraceable alterations of a bit pattern. The visual authenticity control of a paper document has no correspondence in the area of electronic information services. Computerised materials often are the result of automatic processing that at times may not be directly connected to a human thought.

The following may be considered factors which differentiate electronic from material (ie non-electronic) data:

Evidence
Special rules apply in certain jurisdictions relating to the production and admissibility of computer generated information and data, and the burden of proof regarding computer generated information submitted to court.

Form
In certain jurisdictions the law insists upon the adoption of a certain form (embodiment) in order for a document or other instrument to be legally valid, eg in the UK a will must be a paper document.

Processing
Automated processing, which characterises electronically held data, means that electronic data can be processed in a way which is far faster, more efficient and more accurate than processing which can practicably take place in paper-based systems. For example, census data in the United States can be processed in a meaningful timescale only in an automated environment; such processing would be virtually impossible if this data were manipulated only on paper.

Preservation
Some jurisdictions require that documents be available for consultation and review for up to 150 years. The preservation and storage of material form documents is increasingly a problem, while the preservation and long-term storage of non-material (ie electronic) documents is currently uncertain, especially as to their integrity.
Accessibility
Data in electronic form is, by definition, not in a form in which a human being can readily, without other aids, inspect, review, supervise, read or understand the data. In all cases, highly specific methods are needed to represent electronic data in human processable form, and these methods may not be readily subject to verification.

Data Compression
Data is more and more accessible, both in terms of cost and physical convenience, as data compression techniques make it possible to reduce vast quantities of data to, for example, a few manageable CD-ROMs, thus increasing the opportunity for harm.

Aggregation
Aggregation involves reorganising (ie sorting, merging, appending and deleting) the data contained in disparate databases, a fundamental and commercial reason for implementing automated data processing systems. 'New' information, or even 'potential documents' (ie documents which are either properly or fraudulently constructed) can be derived through aggregation, thus creating information which was neither understood nor intended at the time or point of collection.

Quasi-material form
Whilst the data itself may be processed in a non-material form, it is commonly fixed within a material form of some kind, particularly, but not exclusively, for the purpose of storage. It is therefore difficult to ascertain which legal principles should apply.

Dissemination
Once information is made publicly available in an electronic form it is for all practical purposes impossible to prevent the further dissemination of that material, material which might be inaccurate, incomplete or invalid.

Persistence
Related to dissemination is persistence. Persistence characterises the condition where inaccurate, invalid or incomplete data may persist on multiple computers and databases, and may even be erroneously reinstated on computers and databases on which corrections or deletions were thought to have been properly made.
Original
Legal and practical requirements for original documents require particular measures in terms of electronic data, as it is difficult (and sometimes impossible) to differentiate between originals and copies.

Ownership (see also intellectual property rights)
Information cannot be 'owned' in most jurisdictions. Often, this status derives from public policy which mandates that information must be in free circulation and available to all, or from a strand of legal analysis which renders it impossible to exert sole domain over information, or permanently deprive its 'owner' of use. It is possible, however, to own the intellectual property rights in such information, rights such as copyright, the right to confidentiality and trade secret protection. This model is not dissimilar to that for information held in material form, but the nature of electronic information (which allows it to be cut, sliced, transmitted, transformed, etc.) may require new rights and protections to be developed (see reference to economic rights, above).

Durability
Documents in material form generally continue to retain their legal status even though they may suffer minor damage such as, for example, bent corners, small tears or moisture spots. However, minor damage to documents in electronic form may severely affect the durability of these documents unless special processes and techniques have been introduced to resist such damage.

Expectations
Non-specialists in electronic information and data processing and storage are largely ignorant, and often frightened, of computer processing and computer-generated information and documents. One consequence of these perceptions is that unreal expectations of the confidential nature and the exclusivity of the data being collected, stored and processed exist.
Data exchange
Data and information have traditionally been exchanged in material form, thereby maximising the (perceived) control over dissemination and monitoring which people have of the data and information being exchanged. None of these comfort factors operate in the electronic exchange of data unless they have been made explicitly available. People may not know enough to put them in place, or to complain about their absence. In particular, in a face-to-face conversation the exchange is specifically not fixed in a material form, and is limited to 'processing' by the parties present. On the other hand, an electronic conversation may be fixed, may persist and may unwittingly convert slander (spoken) into libel (embodied in electronic form and then generated into material form).

Standardisation of the use of electronic data
Conventional paper based systems are based on methods and interpretations which are assumed to be well understood by all individuals involved. Data in electronic form must closely follow complete sets of standards (codes, formats, etc) and instructions for equipment use to be as intelligible as recorded conventional information. To some degree such standards and instructions must still be developed.

Requirements
- identification, categorisation and analysis of existing (current) rules and laws dealing with data held in electronic form
- definition of the dependent and consequent legal relationships, obligations and liabilities for each of the characteristics (differences) in the context of information systems security.

6.3. Environment

Issue
The legal, commercial and political environment which gives rise to the requirement for information security has changed more in the last five years than in the previous two thousand. It is likely that this change will become even more rapid, and will develop in ways which cannot be readily foreseen at present.
Discussion

Legislative environment
It is within this environment that legislators, government officials and politicians must write legislation that is not only effective today, but will endure for some time, and not be overtaken by technological change as it occurs. This means that information security legislation cannot be drafted on a reactive basis (ie it cannot be written to correct problems which have occurred in the past), but rather on a proactive basis, ie it must anticipate the effect of technology on society. To achieve a proactive approach to information security legislation, legislators and their advisers must have detailed knowledge of information and information security. If this knowledge, and control, does not exist, real dangers can emerge. For example, legislation based on incomplete or skewed research can result in:
- the unnecessary expenditure of money to make up for weak legislation
- threats to the democratic processing of data
- the evasion of weak legislative controls by such means as siting businesses in data havens.

New thinking about information security law also requires:
- a realignment of the legislative balance between privacy and the free circulation of data
- the management of technology vis-a-vis data protection responsibilities
- a complete re-examination of the existing framework of commercial, company and other regulatory legislation so that the new law of information security can be incorporated.

Commercial environment
The rate of technological change mentioned in the previous section has an especially critical effect on organisations: the rate of day-to-day changes in technology currently exceeds the rate at which organisations can change in order to adopt and implement these changes. It is unlikely that this situation will change.
Attempts at implementing rapidly changing technology require substantial investment from either capital or income, and introduce a reliance upon third parties to provide essential technical infrastructure and support which was never present when information could only be processed in a material form. In some instances, organisations may be specifically forbidden from providing some elements of infrastructure themselves, for example telecommunications providers. This shift in expertise from inside organisations to third parties means that vulnerability and dependency are significantly increased and, to some extent, organisations may be driven by their service providers. Similarly, organisations find technology change difficult to manage because the requisite expertise is not always present at the right level, and indeed it may never be cost effective for any but the largest organisations to develop and retain such expertise in-house.

Political environment
Tension exists between governments' vested interest in maximising the development and exploitation of technology as a way of guaranteeing their country's commercial success and their duty to preserve the privacy and rights of individuals. Consequently, there is a danger that government policy in promoting economic growth may result in the distortion of the decision-making process for selecting sound technological solutions. It is essential that an informed public debate take place as to whether a special regime is required for the management and regulation of electronic data handling and processing in the political environment. This debate must take place in the light of existing legal frameworks, but the conclusions must be sufficiently flexible as to withstand the constantly changing technological and political environment.
Requirements
- re-examination, in the context of information security rights, responsibilities and liabilities, of the management of information systems security within organisations and of organisations' relationships with third party providers of information security (and related) services
- models to introduce certainty and consistency with respect to legal obligations for owners, directors, managers, employees, consultants, contractors, Trusted Third Parties, auditors and lawyers
- model clauses relating to information security which can be included in contracts or other agreements in place between parties
- an understanding of the rights, responsibilities and obligations which underpin and define the relationship between information security and the political environment; this requires:
  - examination of the context in which governments collect and process data
  - review of the role of information in investigatory activities and in ensuring the public order
  - resolution of the conflict between supra-national government objectives and national governmental objectives with respect to data collection, processing, transmission and storage, etc.

6.4. Interaction and Relationships between Private Parties

Issue
Central to the environment in which information security exists are the relationships which are formed between private parties.

Discussion
These relationships include:
- mere communication between them (by electronic means)
- regulation of their society, ie by the laws which govern their interaction
- contracts and other agreements forged between them

Requirements
Identification of the economic stakes and benefits will be required in order to ascertain what interests need to be protected, regulated and redressed if and when something goes wrong.

6.5. Harm

Issue
The harm that can be caused by the reliance on electronic communication systems.
Discussion
Harm is the negative by-product of reliance on electronic data systems without being able to develop a reliable trust in them, either purposively (ie where the user or beneficiary of the data processing is otherwise in a position to take appropriate security measures) or passively (ie where the user or beneficiary is otherwise not in a position to take appropriate security measures). This is in direct contrast with the trust which has evolved in (as well as the controls over and the management of) paper-based systems throughout their history. As a result, there is a great deal of work which needs to be done to close the gap between the methods of inculcating trust in, and controlling and managing, electronic systems as opposed to paper-based systems, so as to be able to deflect potential harm to them. It is also important to ensure that this is done in no greater nor more burdensome manner than characterises paper-based systems.

A comprehensive list of the common and extraordinary threats which endanger electronic communication must be constructed so that the boundaries of harm can be established. It is likely that most threats will fall under the following headings:
- theft and fraud
- mis- and dis-information
- invasion of privacy
- harm due to inadequate technology

Listings of some of these threats may be obtained from work published by standards bodies or carried out for national and supra-national administrative bodies. It may be that additional work will be needed in order to avoid legislative delay.

Requirements
Comprehensive list of the common and extraordinary threats which endanger electronic communication.

6.6. Eliminating or Mitigating Harm

Issue
Legal possibilities to eliminate or mitigate harm caused directly or indirectly through the use of electronic communication.
Discussion
Options for eliminating or mitigating harm already exist in the form of treaties, laws and rules ("legislation") which address to some extent the harms which threaten electronic data and processing. However, in many cases this legislation has been drafted:
- in the context of the behaviour of paper-based systems, and as such is applied by analogy; or
- by attempting to adapt existing and often ill-suited legislation to electronic data and processing; or
- by bolting on to existing legislation provisions which relate specifically to electronic data and processing but which are not followed through in the main body of the legislation (thus creating ineffective, incomplete or confusing rights, obligations or liabilities); or
- by interpreting existing legislation so that it encompasses electronic data and processing (eg "record-keeping" provisions).

Existing legislation which follows one or more of these four patterns exists as or in the form of:
- supra-national and international treaties and guidelines, eg the European Convention of Human Rights
- constitutional rights
- consumer protection
- criminal acts, eg theft and the deprivation of ownership, forgery, fraud, counterfeiting, destruction of property
- civil acts, eg libel and slander, trespassing, unauthorised disclosure, laws granting judicial immunity
- company and organisational law.

Legislation created specifically to address the harms relating to electronic data and processing also exists, but often does not go far enough in protecting the underlying rationale (usually economic) or take into account the complete matrix of rights, responsibilities and liabilities on the one hand, and technical obligations on the other (eg in the form of physical and organisational measures):
- data protection laws and principles
- computer crime laws
- law protecting intellectual property rights (see also ownership).
There is, however, one instrument which can be distinguished and which constitutes a strong foundation on which future legislation can be built, and that is the OECD Principles. Any action must:
- take into account the potential threats to the rights and responsibilities associated with electronic information systems
- consider the possibility that greater liabilities will attach in the absence of appropriate remedies.

Requirements
- threat analysis so as to be able to identify, develop and implement new legal remedies to deflect harm
- re-examination of the applicability and suitability of existing legislation to the mitigation of harm.

6.7. Legal Restrictions affecting Technical Solutions

Issue
Legal restrictions on the use of technically feasible solutions often exist.

Discussion
It is essential to recognise that technology and custom and practice must be considered in the context of, and balanced with, law and legal solutions. A process must be undertaken to ensure that technical solutions are legal ones, and that technical custom and practice adhere to the laws, codes of practice, guidelines and other regulatory instruments in force. For example, a technological breakthrough in speeding up the production of multiple copies of copyrighted works may be technically valuable, but illegal when used in all but a narrow range of circumstances.

Technical countermeasures to different kinds of attacks, such as cryptography, exist for communication system security which are both economically and operationally effective. However, legal restrictions on their use often exist, usually because of fears over national security and their use to hide criminal acts. Political debate involving governments, law enforcement agencies, commercial enterprises and individuals needs to take place.
Requirements
- Identification of any real dangers which could exist where confidentiality measures are used
- Balance illegal against valid use, and extract those uses for, and conditions under which, the balance militates in favour of valid use.

6.8. Limitations to Liability

6.8.1. Recommendations for Liability Limiting Measures

Issue
In case of a security incident, liability needs to be properly apportioned.

Discussion
Codes of practice comprise an essential element in the development of information systems security regulation. They may provide both a basis for regulation (by setting out principles and guidelines to be followed) and for a possible defence (against claims of negligence). Points to be addressed include:
- Definition of their role, function and effect
- Identification of the concerned parties, eg the beneficiaries, those obligated to comply, suppliers of goods and services, integrators and facilitators, suppliers of raw products
- Coverage, eg physical security devices, practices, services
- Legislative/regulatory aspects, eg
  - individual or body empowered to issue the code (eg secretary of state, professional body)
  - scope of the issuer's authority
  - intended effect (eg statutory or merely persuasive)
- Standards to be adopted, eg
  - "in a good and workmanlike manner"
  - "using materials of good quality and fit for their several purposes"
  - effect of standards of care, eg "due regard"
- Types of liability
- Accountability and directors (compliance statements)
- Adjudication of claims under a code
- Structure of codes
- Drafting of baseline controls

Requirements
- Recommendations for liability limiting measures.

6.8.2. Information Security Audit

Issue
Ensuring adequate compliance with security measures, Codes of Practice, laws and regulation.

Discussion
Many organisations currently undertake an information security (or computer) audit on a regular basis.
It is a tool for ensuring that the appropriate and relevant security measures are in place, and it can be a defence against claims of fraud or negligence in the operation of the organisation's electronic data processing systems or the data which those systems process. The following are key issues to be examined with respect to the information security audit:
- Compliance and disclosure
  - Requirement for audit through company or other organisational law
  - Responsibility for failure to protect, eg
    - civil penalties for non-compliance
    - shareholder suits
    - automatic disqualification and loss of position
    - restitution of losses
- Creation of the defences to liability
  - Identification of existing
    - minimum standards for security
    - legislation and regulation
  - Creation of
    - the proper balance between compliance and protection
    - appropriate security measures
- Recommendations for the coverage and timing of audits

Requirements
- Framework for the monitoring of compliance with regulations, recommendations and good practices.

6.9. Procedural Issues - Jurisdictional Issues

Issue
The creation of any rights or responsibilities and the identification of liabilities must be done within the framework of jurisprudentially acceptable procedures and mechanisms.

Discussion
Within the framework of international law are concepts and definitions of procedural issues relating to jurisdiction which are recognised by all legal systems found within the Community. The procedural issues and mechanisms to be addressed with respect to breaches of contract and of torts (specific ones relating to information security may/will have to be created) and the commission of crimes relating to information security include:
- The competence of Community and Member State courts, administrative bodies, tribunals, etc. to hear and rule on actions and disputes arising from, and charges relating to, information security
- The formulation of rules relating to:
  - the collection, presentation and authentication of evidence (in any form)
  - procedure (eg service and form of writs, drafting of pleadings, statutes of limitations, etc.)
- The effect and application of the Brussels Convention and other conventions and treaties
- Jurisdictional issues such as:
  - proper forum and (geographical) jurisdiction
  - viability and legality of criminal jurisdiction
- Territoriality
- Mutual Assistance.

There are a number of substantive issues which fall squarely within the goals of information security measures and regulation but which are outside the jurisdiction of the Commission:
- insider trading (using computerised trading and computerised information systems)
- pornography (using computers for definition, dissemination and access)
- transborder data flow (using communication networks)
- interception (generally, as found in the telecommunications sphere, but which involves computerised components of telecommunications systems)
- encryption (used illegally and therefore used in contravention of the criminal law)
- computer crime

Because rules relating to procedural issues are detailed and by definition require the co-operation, involvement and assent of all parties to the legal and judicial process, the most effective way of collecting and publishing these rules is through the construction of codes. In order to accommodate the different categories of rules outlined above, model codes should be developed. A debate involving the Member States, the judicial and administrative bodies of the Community and other interested parties needs to take place in order to decide if the Community can legally assume jurisdiction over these substantive areas and, if so, how that jurisdiction will be implemented and the results enforced.
Requirements
- Agreement on electronic evidence
- Agreement on civil procedures relating to information security and electronic evidence
- Code on the commercial procedures relating to the use of electronic records.

6.10. Insurance Issues

Issue
Obtaining insurance coverage for purely known risks, and the definition of insurance obligations where this corresponds to the need for a collective sharing of risks, similar to third party insurance in road transport.

Discussion
For public safety, risks are addressed by the insurance industry, with premiums calculated on the basis of an assessment of risks reflecting past experience. For the risks associated with information systems there are only the beginnings of an extension of cover to this kind of risk. As the taking out of insurance policies is a natural, or partial, alternative to information security measures, an improved methodology for the assessment of risks is important in adopting the most economic and practicable solution. Of course, there are some application areas where this approach is not, or only partially, acceptable. For certain categories of risk involving several parties one will need to define common rules relating to situations where, for security or safety reasons, insurance cover should become obligatory.

Requirements
- Criteria and procedures for the assessment of insurance risks
- Identification of situations which may need to be covered by an insurance obligation as a pre-condition of service provision, operation or usage.

7. Spectrum of Measures to provide Information Security

7.1. Policy Framework and Consensus

Purpose
To provide a minimum framework for trusted information and communications services on an international scale, and to establish a multi-actor consensus on essential requirements and options for the provision of information security and related issues.
Background
Information and its exchange via global networks is inextricably associated with all public and private activities involving the citizen, service providers, operators, vendors, administrations and authorities, in numerous ways and for all kinds of purposes. With the increasing globalisation of the economies, an agreed framework for the protection of information, whether associated with intellectual property, privacy, internal security or other legitimate reasons, is needed. While there are several conventions and recommendations, the rapid evolution of technology and services implies the need to reflect on a common framework which could assist countries and regions to maintain interworking and avoid technical barriers to trade and communications without compromising their priorities in the protection of information assets.

Solutions for open communications between a variety of parties on a global scale do exist. They differ in detail and convenience in usage. However, the ability to use them depends critically on a broad consensus on the use of one or the other option. Nationally constrained solutions, such as DES and RSA in the USA, are of little utility if they cannot be used by US business in the pursuit of their global business interests, and vice versa if others cannot make use of these techniques for their communications with US partners. To achieve agreement and reasonably general acceptance by the users concerned is as important as the technical performance of the solution in question.

7.2. International Agreements

Purpose
International agreements on a minimum set of features and operational concepts as required for trusted and open service provision.

Background
While a common framework and general consensus may go a long way, there is the need to get formal agreement on certain aspects. These may, for example, relate to issues surrounding liability, accreditation and certification, and the fighting of organised crime.

7.3. Regulation and Legislation

Purpose
Adjustment of national regulations and legislation to permit seamless interworking of trusted services.

Background
The provision of information security is seen to be closely related in some areas to public order and defence issues. The related national regulations and legislation vary considerably. In order to avoid the creation of technical barriers to trade and communications outside the domains of internal order and national security, adjustments of legislation and regulations may be required in some countries.

7.4. Accreditation

7.4.1. Accreditation of Services

Purpose
Evaluation of communication services.

Background
Common criteria for security evaluation are mainly focused on IT products and IT systems. However, there is a perceived need for criteria to support the evaluation of communication services. These latter criteria may be considered as an extension to the current criteria, or there may be a need to develop separate criteria. The evaluation of a service and its subsequent accreditation will be a critical requirement in many user applications, in particular those that need to use trans-European communication services. The consistency, completeness and effectiveness of the security enhancements of communication services need to be checked for overall fitness for purpose. Hence there is a need for a framework for accreditation of communications services.

7.4.2. Accreditation of TTPs

Purpose
Procedures for the accreditation and audit of TTPs.

Background
TTPs will need to interwork and communicate internationally to provide a service infrastructure to support a range of security services such as digital signature and confidentiality. TTPs will thus need to process, store and distribute a range of security-related information for the use and management of such services.
This implies the need for a set of harmonised procedures for the accreditation and audit of TTPs in order to ensure mutual trust by the public in TTPs and the services they provide.

7.5. Products and Services

Purpose
In order to facilitate a harmonious development of the provision of security of information systems in the Community for the protection of the public and of business interests, it will be necessary to develop a consistent approach to the provision of security. Where independent organisations will have to be mandated, their functions and conditions will need to be defined and agreed and, where required, embedded into the regulatory framework. The objective would be to come to a clearly defined and agreed sharing of responsibilities between the different actors on a Community level as a prerequisite for mutual recognition.

Background
At present, the provision of security of information systems is well organised only for specific areas and limited to addressing their specific needs. The organisation on a European level is mostly informal, and mutual recognition of verification and certification is not yet established outside closed groups. With the growing importance of the security of information systems, the need for defining a consistent approach to the provision of security for information systems in Europe and internationally is becoming urgent. The most urgent needs identified relate to digital signatures and confidentiality services.

7.6. Common Practices and Codes of Conduct

Objectives
Development of Codes of Practice to:
- support the development and harmonisation of sectorial practices
- support the development of a standardised approach to the development of baseline controls
- support the development and harmonisation of baseline controls.

Background
Codes of practice are found in many industries and disciplines. They encapsulate the collective wisdom and experience of the practitioners of a trade or profession or of an industry.
For example, codes of practice exist for the building trade. To the practitioners of a trade or profession, the need for codes of practice is self evident. Codes of practice are not always obvious because they are often given other names. In some situations they may be called standards manuals, in others requirements specifications. The property that sets them apart and makes them recognisable as codes of practice is the encapsulation of collective wisdom. The collective wisdom represents the means by which all parties to a transaction are protected from harm. In legal or business management terms this may be called a standard of due care.

Any professional discipline needs to have a vehicle to encapsulate the collective wisdom of its practitioners. Codes of practice help to ensure consistency across the wide spectrum of practitioners. That has to be true of something as important as information processing.

We have mentioned elsewhere the move towards empowerment and distributed systems. Empowerment means that the person responsible for an operating unit of an enterprise is free to obtain its services and resources anywhere. Where once information processing was done in-house, it is now just as likely to be out-sourced. When information was once processed centrally, the computer centre was well protected, both physically and logically. Indeed, the protection of computer centres was the trigger for the development of corporate information security programmes. With information processing spread throughout the enterprise, the need for a central site vanishes. With it goes the ease of justifying the costs of high levels of security. These two factors taken together mean that responsibility for information security is fragmented and put in the hands of people who have other responsibilities. Their mind set does not contain the same awareness of the need for security. Neither do they understand the interdependence of security and control measures.
The growth of legal, regulatory and contractual requirements for security creates the need for a generally accepted set of controls and security measures. Requirements expressed in words like "due diligence" and "compliance with best practice" can be satisfied by compliance with codes of practice. They provide the baseline needed for any comparison of actual with best practice. Looking to the future, we can see that information processing will become a basic skill for any skilled worker or manager. Where industries have their own codes of practice governing the way they operate, information security should become a sub-set. Codes of practice must be formulated in such a way that audits can be performed to establish compliance.

7.7. Awareness, Education and Training

Purpose
Improved awareness of the issues of information security by specific actions, and a greater emphasis in the education and training of related professions.

Background
In the end it is the human factor which decides the level of information security, irrespective of the technical and operational measures one may wish to deploy. In this sense awareness, and the teaching of appropriate skills in the context of the information professions, is an important measure to be considered. This may entail the creation of special training schemes and curricula, but most of all the appropriate inclusion of information security related issues in the teaching of information professions in general. This is in many cases essential, since information security is very closely related to the way information is used in a given context, ie often it has to be embedded in the application and management procedure and cannot be added on as an external procedure.

7.8. Specifications

Objectives
To develop specifications for the application of security, in order to ensure interworking, interoperation and mutual recognition.

Background
Functional specifications for products or services are documents that are to be used as parts of purchase specifications.
They specify the functions of a solution and the required performance characteristics. Implementation aspects are only dealt with if they are particularly important for the fulfilment of a specific function. Specifications call up standards and profiles, as far as available. Options in the standards are resolved in specifications. Common specifications for methodologies, eg evaluation, serve as a basis for mutual recognition.

7.9. Standards

Purpose
Development of standards for information security.

Background
European security standards developed over the next decade will have a decisive influence on the technological structure of the entire European market and will change the conditions of trade in export markets and national markets.

The standards making infrastructure for the development of IT and telecommunication standards has become increasingly complex. The number of groups, the range of work items and the overall process at different levels of international, regional and national standardisation is a complex maze. Security standardisation is no exception to this situation. In general there is a recurring problem, which is that of coordination between groups developing standards similar in nature and scope. Such coordination is necessary to avoid duplication of work and the unnecessary waste of resources, and to ensure that the standards that are developed are consistent and form a coherent set.

At the European level the establishment of the Advisory Expert Group ITAEGV has provided an ideal mechanism for the coordination of security standards work within Europe. In addition, ITAEGV is in the process of developing a European Memorandum, M-IT-06, which is a Taxonomy and Directory of European Standardisation Requirements for Information Systems Security based on market driven requirements. This memorandum also contains a future work programme for security standardisation.
Hence Europe is now demonstrating through this action a clearly defined strategic stance on security standardisation, one that demonstrates effective coordination, leadership and a market driven, focused approach to standardisation.

Traditionally the principal contributors to standards making have been suppliers, designers and professionals. The end user of products and services has only been peripherally interested or involved. The end user has been concerned that standards have been used in relation to the products he buys, but not greatly interested in what they are. There is a need for a more effective mechanism and framework through which user interests are able to collectively express their requirements and priorities, so that they can contribute to the standardisation process in a way which will balance the very strong interest of the supply industry. This mechanism should be used to provide greater user input into the development of the European Memorandum, M-IT-06 (The Taxonomy and Directory of European Standardisation Requirements for Information Systems Security) and its future work programme for security standardisation. The long-term benefits of security standardisation require investment by companies and users, and as such they must be prepared to organise themselves more effectively to participate in the standards making process.

7.10. Technology

Purpose
Systematic investigation and development of the technology to permit economically viable and operationally satisfactory solutions to a range of present and future requirements for the security of information systems.

Background
Work on security of information systems would need to address development and implementation strategies, technologies, and integration and verification.
The strategic R&D work would have to cover conceptual models for secure systems (secure against compromise, unauthorised modifications and denial of service), functional requirements models, risk models and architectures for security. Verification and validation of the security of the technical system and its applicability would be investigated through integration and verification projects. In addition to the consolidation and development of security technology, a number of accompanying measures are required concerned with the creation, maintenance and consistent application of standards, and the validation and certification of IT and telecommunication products with respect to their security properties, including validation and certification of methods to design and implement systems. The fourth RD&T Community Framework Programme might be one of the tools to foster co-operative projects at precompetitive and prenormative levels.

8. Cross Impact Analysis

3. General issues

3.1. Globalisation of the economy and mobility
- Revision of the scope and approach to information security to reflect the new conditions, challenges and requirements brought about by globalisation
- Adaptation of the respective policies and regulations
- Clearly defined conventions on the expectations, responsibilities, duties and liabilities related to levels of security, harm, and good practices.

3.2. Internal market (four freedoms)
- Adaptation of the existing provisions with respect to their conformance to the internal market policy of the EC, implying the removal of existing internal barriers and the avoidance of the formation of new technical barriers due to divergent application of security and safety rules, regulations and legislation
- Provision to business and the public of solutions available throughout the Community and preferably at the international level, respecting the one-stop and pay-per-use principles
- Consistent deployment of standards and certification where critical for the working of the internal market
- Certification and standards that reflect the needs of the different market segments

3.3. Human rights and the protection of communications
- Common approach defining rights, responsibilities and duties of individuals, business and of the authorities.

3.4. Social acceptance of identification and authentication methods
- Clarification of the ownership and privacy issues related to the use of biometric data
- Agreed classification of biometric data and conditions requiring secure handling of such data
- Definition of the rights and responsibilities of individuals, business users, corporations and administrations using biometric techniques.

3.5. Human rights and the safety of systems
- Community wide standard for design practices and codes of conduct
- Harmonised legal environment for vendors and users of safety critical systems

3.6. Confidence in communication systems and confidence in services
- Real-time indication for the user of the trustworthiness of a service or system
- Feedback mechanisms for security and safety related incidents involving communications
- Independent assessment of the levels of trustworthiness being achieved
- Investigation of the reasons why the security and safety of systems are compromised
- Understanding of the relative importance of the different system components and the components of the wider system and usage context
- Methods/frameworks for evidence reporting
- Role (costs, benefits) of certification in providing confidence and communicating this in the market place
- Establishment of agreed claim limits to establish assurability

3.7. Management of openness and protection
- Generic framework for the management of open and protected communications in a user/business oriented environment:
  - Definition of agreed security domains
  - User interface for the management of openness/protection
  - Objective records and procedures for the accounting of open/protected transactions

3.8. Common concerns of commercial and national security
- Common requirements of business, citizens and authorities to adequately protect commercial and personal information and its communication

3.9. Security and law enforcement on an international scale
- Effective, internationally agreed, economic, ethical and usable solutions to meet business, administration and personal needs
- Mechanisms for authorised interception for law enforcement
- Reporting of incidents and crimes adjusted to the conditions of the internal market
- Equipment, software and an infrastructure of trusted third parties.

3.10. Economics of the security of information systems
- IS-to-cost techniques for business and private users.
- Incorporation of good information security design practice in the development of products and services
- Definition of information security as a business and marketing factor
- Identification of acceptance levels for insurers, regulators and the commercial courts
- Specification of duties and responsibilities of parties to the use of information systems and their security requirements
- Security architecture and "building blocks" specifications and standards, with a view to minimising the cost of providing commonly needed levels of security.

3.11. Social recognition of information crime
- Education and training on the information security requirements and concepts needed to operate in a secure manner in the information age
- Clarification of "info-ethics" for the professional and individual user in its relationship to information security
- Clarification of responsibilities of the sector actors in general and in their relations with each other, with particular reference to open and distributed applications.

3.12. Human factors
- Adjustment of personnel management practices and organisational procedures to reduce the vulnerability created by the actions of staff and other people
- Greater use of non-technical management controls

3.13. Safety critical environments
- Common approach to the handling of security and safety critical requirements
- Methodologies for threat, vulnerability and hazard analysis for the protection of information systems used in safety-critical environments
- Methodologies for the design, development and procurement of safety critical systems, covering project management, development environment, auditing of process, configuration management and change control
- Common approach to security evaluation of information systems in safety-critical environments
- Common approach to information systems recovery in safety critical environments

3.14. Embedding systems
- Methods of testing that enable standards of reliability to be ensured, including tests to destruction where appropriate
- Approach for the certification of safe products
- Definition of requirements for fail-safe system architectures and implementations
- Anti-tampering and protection specifications and standards
- Quality label that indicates the quality level of the embedded system
- Awareness among designers of the potential impact of innovation on the validity of test technology.

4. Demand related issues

4.1. Requirements for enterprises and individuals

4.1.1. Agreement on security requirements for enterprises
- Taxonomy and directory of business user requirements and security objectives derived from experience with practical applications.

4.1.2. Security administration
- Guidelines for establishment of a security administration function.
- Recommendation on moving towards commonality of laws on data privacy and protection, particularly relating to individuals.
- Means to provide increased awareness and relevant education and training.
- Guidelines for consideration of balanced security, taking account of the level of risk in different areas (physical, personnel, hardware, software, data, etc.)

4.1.3. Security objectives for enterprises
- Standard techniques for drawing up security policies for typical situations
- Methods and techniques for agreeing levels of security and security objectives.

4.1.4. Exploiting security and innovation
- Assessment methods for the impact of changes on systems
- Procedural and regulatory framework needs to address convergence of safety and security etc. (implications for standards)
- Methods for identifying early on where innovations are likely to be unacceptable from a safety perspective or will result in such economic penalties that they are not viable commercially.

4.1.5. Sectoral specifics
- Consolidation and development of a set of codes of practice and baseline controls addressing specific business sector requirements.

4.1.6. Security domains
- Mechanisms for management of policies, procedures and controls between domains for TTPs
- Generation of guidelines for domain creation, management and control
- Development of a common framework for domain interworking
- Agreement on management, TTPs, accreditation, auditing and relations with law enforcement agencies.

4.1.7. Security labelling
- Guidelines for security labelling.
- Standard on how to express labels and on the meanings of a basic set of information labels.
- Codes of practice and accreditation methods for domains claiming to support standard labels, and their mutual recognition.

4.1.8. Administration of access to security related data
- Easy to use tools for access right management and key management.
- Secure solutions for remote administration.
- Awareness of control issues concerning security related data, and of the implications of non-action.

4.1.9. Security requirements for individual users
- User profiles identifying standard types of users together with typical requirements.

4.2. Requirements for security functions

4.2.1. Access control
- Group access control scenarios and schemes based on levels of commonality
- Techniques, products, specifications and standards addressing access control matched to the scenarios identified
- Parameters common to most or all of the above techniques, products, specifications and standards, and the feasibility of establishing common formats for them
- Identification of the key features for coherence in the supporting infrastructure
- Basic access control mechanisms for pilot implementation.
- Develop delegation scenarios.
- Identification of techniques, products, specifications and standards addressing delegation and their association with the identified scenarios.

4.2.2. Requirements for electronic cash
- Agreement on the concepts underlying electronic cash
- International standards.

4.2.3. Requirements for security services
- Scenarios for the use of electronic security services
- User specifications for electronic security services
- Establishment of international application rules that can operate under the different legal frameworks and that ensure international communicability
- Identification of different scenarios where it is appropriate for the public interest to mask or hide the identity of the end user, taking into account the balance between full anonymity and audit.

4.2.4. Digital signature

4.2.4.1. The individual right to signature
- Clarification of the right to signature and the attached entitlement.

4.2.4.2. Consistency of legal principles for digital signatures
- EC-wide/international agreement on the legal functions of signatures
- Clarification of the conditions of acceptance of the authority of a digital signature, e.g. for legally binding purposes, i.e. as a substitute for hand-written original signatures.
- Recommendation for the implementation of a public digital signature scheme for use by business, administrations and the general public.
- Legislative rules and, where appropriate, liabilities, for keys, certificates and TTPs to cover revocation of any or all the entities involved in the chain of proof needed in the signature technique.

4.2.4.3. Universal acceptance of digital signatures
- Development, together with the legal profession, of recommendations for the practical use of digital signatures as a full equivalent to hand-written signatures in legal transactions
- Demonstration, through pilot projects, that digital signatures can be used as equivalent to hand-written signatures
- Inclusion of the use of digital signatures in the curriculum of relevant educational institutes (eg engineering, law and business schools).

4.2.5. Privacy Enhancement

4.2.5.1. Perception of Requirements for Privacy Enhancement
- Frameworks and architectures which are accepted by the business users as well as by the national security agencies and the service providers
- Standards for services and service provision
- Compatibility of confidentiality services with existing communication standards and practices where possible
- Verification of practicability of proposed solutions through suitable pilot projects
- Model contracts for confidentiality services
- Improvement of awareness among sector actors of the potential losses due to the absence of confidentiality services.

4.2.5.2. The case for the provision of public confidentiality services
- Architectures that minimise service vulnerability
- Framework for the provision of trans-domain confidentiality services
- Guidelines for pan-European confidentiality service providers (including accountability)
- Model contract for relationships between service providers across national boundaries
- Assurance criteria for service providers and operators
- Accreditation process for mutual recognition.

4.2.6. Use of names and certification of credentials
- Guidelines covering the use of names.
- Guidelines covering the use of certificates.

4.2.7. Security of electronically stored information
- Common approach to the security of electronically stored information
- Unforgeable secure storage

4.3. Requirements for the safety of communication systems
- Platform for a dialogue on risk including users, regulators, vendors and service providers
- Policy on risk management on a societal level based on objective risk assessment methods
- Techniques that permit an integrated approach to the different types of risk (safety, security, commercial?, direct, indirect)

4.4. Requirements for evaluations

4.4.1. Trustworthiness of communication solutions
- International agreement on criteria and evaluation methods, and mutual recognition of test results
- Clarification of the commercial value of certified products, e.g. in terms of liability limitation
- Clarification of the status and implied liability of vendor declarations
- International agreement on the methods for evaluating security and safety critical system development processes, and the qualifications and experience needed for individuals that are involved in these processes.

4.4.2. Motivation to acquire evaluated solutions
- Rapid adoption of common criteria
- Agreement on common evaluation method
- Portability of test results and mutual recognition
- Work-sharing between vendors, test centres and users to speed up the evaluation process
- Establishment of the value-added for the use by administrations and business, e.g. in terms of liability protection

4.4.3. Consistency of procurement practices
- Identification of categories of application requiring evaluated solutions
- Alignment of national procurement policies concerning evaluated products
- Development of guidelines on applicability of evaluation levels

4.5. Requirements for security and safety methodologies

4.5.1. Risk analysis and management
- Consideration of the "claims structure" as a standard mechanism for specification of requirements, evaluation and the selection of risk analysis and management methods
- Evaluation of the "claims structure" for applicability in the safety domain
- Support for the "claims structure" as an international standard
- Further evaluation of methods using the "claims structure"
- Accreditation of organisations to conduct risk analysis and management method evaluations.

4.5.2. Metrics for Loss Assessment
- Mapping of certified product features to specific security incidents
- Common, product independent risk analysis processes.

4.5.3. Technology assessment
- Identification of the information security issues which may be solved within the Technology Assessment process
- Technology Assessment pilot in Europe in the field of information security to assess the consequences for future information security applications and provide options for political and legal actions.

4.5.4.
Analysis of audit trails Rules and regulations for the design, handling & exploitation of audit trail information, in conformance with right-of-privacy laws and practices. Prevention of audit data base compromise (e.g. Techniques of separation of information) Services for the independent acquisition, management, and/or analysis of audit trails Development of innovative technologies (AI-based) for the exploitation of large audit trails). 4.5.5. Safety specific methodologies Software engineering processes and techniques for safety applications including their application and evaluation Understand the special needs for engineering safe systems 4.6. Requirements for audits Guidelines for audit review of information security activities Audit tools to enable reviews of security implementations and identify weaknesses (eg using artificial intelligence) Guidelines on reviewing any or all security changes Suitable and consistent level of competence for security auditors and organisations to be accepted throughout the Community Greater commonality of formats for audit trails, so that they can be used between systems. Mechanisms to enable qualified auditors to be involved in system development 4.7. Information valuation of information Development of common practices for information valuation Assessment of current methods of information valuation Definition of the rights and duties of information ownership Development of guidance for owners of information to avoid negligence charges with regard to the protection of their assets. 5. Supply related issues 5.1. Supply related issues - ways to meet the security demands 5.1.1. Security services Harmonisation of legislation on the legal status of evidence generated by any TTPs and especially on the intra- and extra- community recognition thereof. 
- Litigation services based on existing international bodies such as the International Chamber of Commerce
- Techniques for the establishment, handling and recording of electronic negotiable documents.
- Date and time stamping for time-critical transactions and applications, including a range of granularities of timing.
- International harmonisation of rules and services for time stamping, with the objective of achieving general recognition and acceptance of time stamps and their provision by suitably accredited service providers.

5.1.2. Signature schemes
- Specifications and standards for an international signature scheme
- Specifications and standards for the integration of signature schemes into practical applications
- General application programming interface (API) for the integration of signature schemes into applications. This should include codes which explain the purpose of the applied signature.
- Development of transaction-oriented multiple signature schemes
- Licensing of cryptographic algorithms.

5.1.3. Confidentiality schemes
- Consensus on the principles of confidentiality services for use by individuals, enterprises and administrations
- Trustworthy confidentiality scheme and its supporting administration.

5.2. Supply related issues - security management

5.2.1. Role of trusted third parties (TTPs)
- Establishment of an international framework for the operation of TTPs.
- Setting up of conditions for the operation of TTPs in the EC, adapted to meeting the needs of national and international users.

5.2.2. Key usage
- Standards and profiles, in particular to support and improve CCITT X.509.

5.2.3. Key management service
- Single digital signature mechanism and specifications, preferably consistent with other leading countries
- Adoption of a confidentiality algorithm standard and specification, and a key distribution mechanism based on an asymmetric public key algorithm
- Establishment of "domain assurance" levels and criteria for TTPs to use for confidentiality key management purposes
- Codes of practice for TTPs engaged in key management activities and the provision of escrow services, and the methods by which those codes of practice would be audited
- Set of criteria for mutual recognition between TTPs acting on behalf of organisations who wish to communicate securely.
- Merging of signature directories and secure inter-domain communications are fundamental issues.

5.2.4. Distributed-secret escrow systems
- Investigation and configuration of escrow systems adapted to European needs

5.2.5. Management services for names and credentials
- Provision of Management Services for Names and Credentials, to include identity, name information, and credentials such as public keys or any signature-verification data
- Interoperability specifications and standards for names and credentials
- International harmonisation of legislation, rules and regulations for Management Services for Names and Credentials.

5.2.6. The management of TTPs

5.2.6.1. Operating principles of TTPs
- Harmonised legislation to provide an appropriate framework for arbitration, supervision and litigation
- Model for TTPs meeting the requirements of users and authorities.
- Baseline for accepted good practice, including a study of the level of availability, privacy and security required for the TTP by the final users and how much they are ready to pay for it
- Definition of quality of service, including availability, confidentiality, response-time and rules of disclosure to law enforcement agencies
- Operational guidelines, including descriptions of the minimum set of services and standards to conform to
- Standard clauses for the contract between the TTP and the user, concerning the liability of the TTP.

5.2.6.2. Interworking of TTPs
- Generation of guidelines for domain creation, management and control
- Common framework for domain interworking
- Agreement on management, TTPs, accreditation, auditing and relations with law enforcement agencies.

5.2.6.3. Interworking of autonomous confidentiality services
- Minimum requirements to ensure interoperability, including standards, specifications, rules of procedure and operating practices
- Demonstration of trans-European confidentiality services using a suitable application, e.g. the realisation of administrative telematics applications.

5.2.6.4. Accreditation and audit of TTPs
- Development of international guidelines for the accreditation and audit of TTPs
- Adaptation of applicable legislation or regulations to provide an appropriate legal framework for use throughout the Community and in relations with third countries.

5.3. Supply related issues - evaluation of trusted solutions

5.3.1. Evaluation of products, systems, services and applications
- Commitment of management to the security function within enterprises
- Establishment of common definitions for the different evaluation options
- Community and international standards for criteria and methodology
- Choice in the access to independent evaluation facilities.

5.3.2. International harmonisation and international mutual recognition
- Establishment of conditions and procedures for mutual recognition of evaluations
- Establishment of conditions and procedures for EC-wide/international evaluations
- International and EC standardisation of evaluation criteria and methods.

5.3.3. Vendor declarations
- Agreed definition of the scope and liabilities of vendor declarations
- Incorporation of vendor declarations in the ITSEC/ITSEM evaluation scheme
- Specification of the types of systems which should not incorporate products covered by vendor declarations.

5.3.4. Self-evaluation
- Extension of the ITSEC/ITSEM evaluation criteria to include self-evaluation

5.3.5. Evaluation of applications
- Methods for evaluations to cover services and applications.

5.3.6. Evaluation of communication services
- Evaluation of communications hardware and infrastructure security features
- Formal accreditation scheme for secure communication services
- Accreditation guidelines for the telecommunication sector
- Trial service evaluations for existing telecommunication services
- Articulation of the requirements of service evaluation.

5.3.7. Trusted network management
- Methods for network management evaluation
- Definition of functionality classes (or protection profiles) suitable for systems, products and services used in network management systems
- Accreditation guidelines for trusted network management
- Trial evaluations for existing network management systems.

5.3.8. Evaluation of methods and tools
- Guidelines for the evaluation of methods and tools used to develop trusted products, systems and services
- Register of methods and tools which can be used to develop trusted solutions.

5.3.9. Physical and procedural issues
- Guidelines for physical and procedural measures required to maintain trusted systems.

5.3.10. Modifications to evaluated products and re-evaluation
- Definition of rules and procedures for re-evaluation based on methods currently used
- Alignment of the design process with the principles of re-evaluation (design-for-change).

5.3.11. Performance reporting for trusted products
- Incident reporting system for certification bodies
- User and supplier obligations to report incidents
- Supplier obligations to take corrective action and to initiate re-evaluation
- Register of evaluated products and their owners.

5.3.12. Rationalisation of evaluations
- Alignment of security evaluation criteria and methods with those for quality and safety, where sensible
- Portability of results between quality, safety and security evaluations.

5.4. Maintenance of safety and assurance
- Approach for tracking the evolution of systems and identifying when significant changes to safety and security requirements are taking place
- Strategies and techniques for re-engineering of obsolete systems.

5.5. Technological change
- Incorporation of information security requirements into R&D and engineering of new systems, services and applications
- Information security technology for multi-media and other advanced services and applications

6. Rights, responsibilities and liabilities

6.1. Legal framework
- Glossary of concepts and terms
- Model for the evolution of the protection of, and economic rights deriving from, electronic data and information

6.2. Data held in electronic form
- Identification, categorisation and analysis of existing (current) rules and laws dealing with data held in electronic form
- Definition of the dependent and consequent legal relationships, obligations and liabilities for each of the characteristics (differences) in the context of information systems security.

6.3. Environment
- Re-examination, in the context of information security rights, responsibilities and liabilities, of the management of information systems security within organisations and of organisations' relationships with third party providers of information security (and related) services
- Models to introduce certainty and consistency with respect to legal obligations for owners, directors, managers and employees, consultants, contractors, trusted third parties, auditors and lawyers
- Model clauses relating to information security which can be included in contracts or other agreements in place between parties.

An understanding of the rights, responsibilities and obligations which underpin and define the relationship between information security and the political environment requires:
- Examination of the context in which governments collect and process data
- Review of the role of information in investigatory activities and in ensuring public order
- Resolution of the conflict between supra-national government objectives and national governmental objectives with respect to data collection, processing, transmission and storage, etc.

6.4. Interaction and relationships between private parties
- Identification of the economic stakes and benefits will be required in order to ascertain what interests need to be protected, regulated and redressed if and when something goes wrong.

6.5. Harm
- Comprehensive list of the common and extraordinary threats which endanger electronic communication.

6.6. Eliminating or mitigating harm
- Threat analysis so as to be able to identify, develop and implement new legal remedies to deflect harm
- Re-examination of the applicability and suitability of existing legislation to the mitigation of harm.

6.7. Legal restrictions affecting technical solutions
- Identification of any real dangers which could exist where confidentiality measures are used
- Balancing of illegal against valid use, and extraction of those uses for, and conditions under which, the balance militates in favour of valid use.

6.8. Limitation of liability

6.8.1. Liability management
- Recommendations for liability limiting measures

6.8.2. Information security audit
- Framework for the monitoring of compliance with regulations, recommendations and good practices.

6.9. Procedural jurisdictional issues
- Agreement on electronic evidence
- Agreement on civil procedures relating to information security and electronic evidence
- Code on the commercial procedures relating to the use of electronic records

6.10. Insurance issues
- Criteria and procedures for the assessment of insurance risks
- Identification of situations which may need to be covered by an insurance obligation as a pre-condition of service provision, operation or usage.

Annex: Recalling the Action Lines from the Council mandate

Action line I - Development of a strategic framework for the security of information systems

Issue
Security of information systems is recognised as a pervasive quality necessary in modern society. Electronic information services need a secure telecommunications infrastructure, secure hardware and software, as well as secure usage and management. An overall strategy, considering all aspects of security of information systems, needs to be established, avoiding a fragmented approach. Any strategy for the security of information processed in an electronic form must reflect the wish of any society to operate effectively yet protect itself in a rapidly changing world.

Objective
A strategically oriented framework has to be established to reconcile social, economic and political objectives with technical, operational and legislative options for the Community in an international context.
The sensitive balance between different concerns, objectives and constraints is to be found by sector actors working together in the development of a common perception and an agreed strategy framework. These are the prerequisites for reconciling interests and needs both in policy-making and in industrial developments.

Status and trends
The situation is characterised by growing awareness of the need to act. However, in the absence of an initiative to co-ordinate efforts, it seems very likely that dispersed efforts in various sectors will create a situation which will de facto be contradictory, creating progressively more serious legal, social and economic problems.

Requirements, options and priorities
Such a shared framework would need to address and situate risk analysis and risk management concerning the vulnerability of information and related services; the alignment of laws and regulations associated with computer/telecommunications abuse and misuse; administrative infrastructures, including security policies, and how these may be effectively implemented by various industries/disciplines; and social and privacy concerns (eg the application of identification, authentication, non-repudiation and possibly authorisation schemes in a democratic environment). Clear guidance is to be provided for the development of physical and logical architectures for secure distributed information services; standards, guidelines and definitions for assured security products and services; and pilots and prototypes to establish the viability of various administrative structures, architectures and standards related to the needs of specific sectors. Security awareness must be created in order to influence the attitude of users towards an increased concern about security in information technology (IT).
Action line II - Identification of user and service provider requirements for the security of information systems

Issues
Security of information systems is the inherent prerequisite for the integrity and trustworthiness of business applications, intellectual property and confidentiality. This leads inevitably to a difficult balance, and sometimes choices, between a commitment to free trade and a commitment to securing privacy and intellectual property. These choices and compromises need to be based on a full appreciation of requirements and of the impact of possible options for the security of information systems to respond to them. User requirements imply security functionalities of information systems that are interdependent with technological, operational and regulatory aspects. Therefore, a systematic investigation of security requirements for information systems forms an essential part of the development of appropriate and effective measures.

Objective
Establishing the nature and characteristics of the requirements of users and service providers and their relation to security measures of information systems.

Status and trends
Hitherto, no concerted effort has been undertaken to identify the rapidly evolving and changing requirements of the major actors for the security of information systems. Member States of the Community have identified the requirements for harmonisation of national activities (especially of the IT security evaluation criteria). Uniform evaluation criteria and rules for mutual recognition of evaluation certification are of major importance.

Requirements, options and priorities
As a basis for a consistent and transparent treatment of the justified needs of the sector actors, it is considered necessary to develop an agreed classification of user requirements and its relation to the provision of security in information systems.
It is also considered important to identify requirements for legislation, regulations and codes of practice in the light of an assessment of trends in service characteristics and technology; to identify alternative strategies for meeting the objectives by administrative, service, operational and technical provisions; and to assess the effectiveness, user friendliness and costs of alternative security options and strategies for information systems for users, service providers and operators.

Action Line III - Solutions for immediate and interim needs of users, suppliers and service providers

Issues
At present it is possible to protect computers adequately from unauthorised access from the outside world by isolation, ie by supplying conventional organisational and physical measures. This applies also to electronic communications within a closed user group operating on a dedicated network. The situation is very different if the information is shared between user groups or exchanged via a public, or generally accessible, network. Neither the technology, terminals and services nor the related standards and procedures are generally available to provide comparable security for information systems in these cases.

Objectives
The objective has to be to provide, at short notice, solutions which can respond to the most urgent needs of users, service providers and manufacturers. This includes the use of common IT-security evaluation criteria. These should be conceived as open towards future requirements and solutions.

Status and trends
Some user groups have developed techniques and procedures for their specific use responding, in particular, to the need for authentication, integrity and non-repudiation. In general, magnetic cards or smart cards are being used. Some are using more or less sophisticated cryptographic techniques. Often this has implied the definition of user-group specific authorities.
However, it is difficult to generalise these techniques and methods to meet the needs of an open environment. ISO is working on OSI Information System Security (ISO DIS 7498-2) and CCITT in the context of X400. It is also possible to insert security segments into the messages. Authentication, integrity and non-repudiation are being addressed as part of the messages (EDIFACT) as well as part of the X400 MHS. At present, the Electronic Data Interchange (EDI) legal framework is still at the stage of conception. The International Chamber of Commerce has published uniform rules of conduct for the exchange of commercial data via telecommunications networks.

Several countries (eg Germany, France, the United Kingdom and the United States) have developed, or are developing, criteria to evaluate the trustworthiness of IT and telecommunication products and systems and the corresponding procedures for conducting evaluations. These criteria have been co-ordinated with the national manufacturers and will lead to an increasing number of reliable products and systems, starting with simple products. The establishment of national organisations which will conduct evaluations and offer certificates will support this trend.

Confidentiality provision is considered by most users as less immediately important. In the future, however, this situation is likely to change as advanced communication services and, in particular, mobile services will have become all-pervasive.

Requirements, options and priorities
It is essential to develop as soon as possible the procedures, standards, products and tools suited to assure security both in information systems as such (computers, peripherals) and in public communications networks. A high priority should be given to authentication, integrity and non-repudiation. Pilot projects should be carried out to establish the validity of the proposed solutions.
Solutions to priority needs on EDI are looked at in the TEDIS programme within the more general context of this action plan.

Action line IV - Development of specifications, standardisation, evaluation and certification in respect of the security of information systems

Issues
Requirements for the security of information systems are pervasive and as such common specifications and standards are crucial. The absence of agreed standards and specifications for IT security may present a major barrier to the advance of information-based processes and services throughout the economy and society. Actions are also required to accelerate the development and use of technology and standards in several related communication and computer network areas that are of critical importance to users, industry and administrations.

Objective
Efforts are required to provide a means of supporting and performing specific security functions in the general areas of OSI, ONP, ISDN/IBC and network management. Inherently related to standardisation and specification are the techniques and approaches required for verification, including certification leading to mutual recognition. Where possible, internationally agreed solutions are to be supported. The development and use of computer systems with security functions should also be encouraged.

Status and trends
The United States, in particular, has taken major initiatives to address the security of information systems. In Europe the subject is treated in the context of IT and telecommunications standardisation by ETSI and CEN/CENELEC, in preparation of CCITT and ISO work in the field. In view of growing concern, the work in the United States is rapidly intensifying, and both vendors and service providers are increasing their efforts in this area. In Europe, France, Germany and the United Kingdom have independently started similar activities, but a common effort corresponding to that of the United States is evolving only slowly.
Requirements, options and priorities
In the security of information systems there is inherently a very close relationship between regulatory, operational, administrative and technical aspects. Regulations need to be reflected in standards, and provisions for the security of information systems need to comply in a verifiable manner with the standards and regulations. In several respects, regulations require specifications which go beyond the conventional scope of standardisation, ie they include codes of practice. Requirements for standards and codes of practice are present in all areas of security of information systems, and a distinction has to be made between the protection requirements which correspond to the security objectives and some of the technical requirements which can be entrusted to the competent European standards bodies (CEN/CENELEC/ETSI). Specifications and standards must cover the subjects of security services of information systems (personal and enterprise authentication, non-repudiation protocols, legally acceptable electronic proof, authorisation control), their communication services (image communication privacy, mobile communications voice and data privacy, data and image database protection, integrated services security), their communication and security management (public/private key system for open network operation, network management protection, service provider protection) and their certification (assurance criteria and levels, security assurance procedures for secure information systems).

Action line V - Technological and operational developments in the security of information systems

Issues
Systematic investigation and development of the technology to permit economically viable and operationally satisfactory solutions to a range of present and future requirements for the security of information systems is a prerequisite for the development of the services market and the competitiveness of the European economy as a whole.
Any technological developments in the security of information systems will have to include both the aspects of computer security and security of communications, as most present-day systems are distributed systems and access to such systems is through communications services.

Objective
Systematic investigation and development of the technology to permit economically viable and operationally satisfactory solutions to a range of present and future requirements for the security of information systems.

Requirements, options and priorities
Work on security of information systems would need to address development and implementation strategies, technologies, and integration and verification. The strategic R&D work would have to cover conceptual models for secure systems (secure against compromise, unauthorised modifications and denial of service), functional requirements models, risk models and architectures for security. The technology-oriented R&D work would have to include user and message authentication (eg through voice-analysis and electronic signatures), technical interfaces and protocols for encryption, access control mechanisms and implementation methods for provably secure systems. Verification and validation of the security of the technical system and its applicability would be investigated through integration and verification projects. In addition to the consolidation and development of security technology, a number of accompanying measures are required concerned with the creation, maintenance and consistent application of standards, and the validation and certification of IT and telecommunication products with respect to their security properties, including validation and certification of methods to design and implement systems. The third RD&T Community Framework Programme might be used to foster co-operative projects at precompetitive and prenormative levels.
Action line VI - Provision of security of information systems

Issues
Depending on the exact nature of the security features of information systems, the required functions will need to be incorporated at different parts of the information system, including terminals/computers, services and network management, through to cryptographic devices, smart cards, public and private keys, etc. Some of these can be expected to be embedded in the hardware or software provided by vendors, while others may be part of distributed systems (eg network management), in the possession of the individual user (eg smart cards) or provided by a specialised organisation (eg public/private keys). Most of the security products and services can be expected to be provided by vendors, service providers or operators. For specific functions, eg the provision of public/private keys or auditing authorisation, there may be the need to identify and mandate appropriate organisations. The same applies for certification, evaluation and verification of quality of service, which are functions that need to be addressed by organisations independent of the interests of vendors, service providers or operators. These organisations could be private, governmental or licensed by government to perform delegated functions.

Objective
In order to facilitate a harmonious development of the provision of security of information systems in the Community for the protection of the public and of business interests, it will be necessary to develop a consistent approach to the provision of security. Where independent organisations will have to be mandated, their functions and conditions will need to be defined and agreed and, where required, embedded into the regulatory framework. The objective would be to come to a clearly defined and agreed sharing of responsibilities between the different actors on a Community level as a prerequisite for mutual recognition.
Status and trends

At present, the provision of security of information systems is well organised only for specific areas and is limited to addressing their specific needs. The organisation at European level is mostly informal, and mutual recognition of verification and certification is not yet established outside closed groups. With the growing importance of the security of information systems, the need to define a consistent approach to the provision of security for information systems in Europe and internationally is becoming urgent.

Requirements, options and priorities

Because of the number of different actors concerned and the close relation to regulatory and legislative questions, it is particularly important to agree in advance on the principles which should govern the provision of the security of information systems. In developing a consistent approach to this question, one will need to identify and specify the functions which, by their very nature, require the availability of some independent organisations (or interworking organisations). This could include functions such as the administration of a public/private key system. In addition, it is necessary to identify and specify, at an early stage, the functions which in the public interest need to be entrusted to independent organisations (or interworking organisations). This could, for example, include auditing, quality assurance, verification, certification and similar functions.

Appendix A: References

EEC Report "Security in Open Networks", SOGITS Document Nr. 303.
CEN/CENELEC Workshop on Security Aspects of OSI Functional Standards, October 1992.
ISO/IEC JTC1/SC18 "User Requirements for Security in TOS", Jan 1990.
CCITT 1990, X.400 Series of Recommendations, "Message Handling System".
CCITT 1991, X.509 "Directory System Authentication Framework".
ISO 7498-2 (CCITT X.800), "OSI Security Architecture".
ISO/IEC/CCITT Open Systems Security Frameworks, November 1992:
  - Frameworks Overview
  - Authentication Framework
  - Access Control Framework
  - Non-repudiation Framework
  - Integrity Framework
  - Confidentiality Framework
  - Security Audit Framework
Trusted Computer Systems Evaluation Criteria, DoD 5200.28-STD, Department of Defense, United States of America, December 1990.
Information Technology Security Evaluation Criteria (ITSEC), Harmonised Criteria of France, Germany, the Netherlands and the United Kingdom, Version 1.2, June 1992.
NIST Special Publication 500-160, "Report of the International Workshop on Integrity Policy in Computer Information Systems", January 1991.
ETSI/EWOS X.400 Functional Profile A/3311.
Council Decision concerning the Community Programme in the field of telecommunications technologies - Research and Development in Advanced Communications Technologies in Europe (RACE), 88/28/EC, Dec. 1987.
Council Decision concerning the European Strategic Programme for Research and Development in IT (ESPRIT), 88/279/EC, Dec. 1987.
Communication from the Commission to the Council on Trade EDI Systems (TEDIS), COM (86)/662, Dec. 1986.
Federal Criteria for Information Technology Security, Volume II, Version 1.0, Dec. 1992, NIST.
Information Security INFOSEC 92 - Security Investigations, CEC/DGXIII/F/GE1190/GI, Jan 1992.
Information Security INFOSEC 93 - Security Investigations, CEC/DGXIII/F/IN933448, July 1993.
IT Security Evaluation Manual - ITSEM, CEC/DGXIII/B/243/93-EN, Version 1.0, September 1993.
Minimum Security Functionality Requirements for Multi-User Operating Systems, NIST, Computer Security Division, Issue 1, January 1992.
Scope of the Federal Criteria Project, Joint NIST/NSA Statement, January 1992.
The Canadian Trusted Computer Product Evaluation Criteria, Canadian System Security Centre, January 1993.

Appendix B: Abbreviations

ABS - Automated Braking System
AI - Artificial Intelligence
AMHS - Automated Message Handling System
API - Application Programming Interface
ATM - Asynchronous Transfer Mode
BSI - Bundesamt für Sicherheit in der Informationstechnik (D)
BT - British Telecom
CASE - Computer Aided System Engineering
CCITT - Comité Consultatif International Télégraphique et Téléphonique
CD - Compact Disc
CEC - Commission of the European Communities
CEN - Comité Européen de Normalisation
CENELEC - Comité Européen de Normalisation Electrotechnique
CESG - Communication Electronics Security Group
COMPUSEC - Computer Security
COMSEC - Communication Security
COTS - Commercial off the Shelf
CPIC - Canadian Police Information Centre
CSBM - Confidence and Security-Building Measure
CTCPEC - Canadian Trusted Computer Product Evaluation Criteria
DES - Data Encryption Standard
DIS - Draft International Standard
EC - European Community
ECU - European Currency Unit
EDI - Electronic Data Interchange
EDIFACT - EDI for Administration, Commerce and Transport
EDP - Electronic Data Processing
ESE - Electronic Security Environment
ETSI - European Telecommunication Standards Institute
FBI - Federal Bureau of Investigation (US)
FPR - Fichier des Personnes Recherchées
GDP - Gross Domestic Product
GSE - Global Security Environment
GSM - Groupe Spécial Mobile
IBAG - INFOSEC Business Advisory Group
IBC - Integrated Broadband Communication
IEC - International Electrotechnical Commission
IEEE - Institute of Electrical and Electronics Engineers
INTERPOL - International Police
IPR - Intellectual Property Rights
IS - Information Security
ISDN - Integrated Services Digital Network
ISO - International Organisation for Standardisation
ITAEGV - IT Advisory Expert Group for Information Security
ITSEC - Information Technology Security Evaluation Criteria
ITSEF - Information Technology Evaluation Facility
ITSEM - Information Technology Security Evaluation Manual
JTC 1 - Joint Technical Committee One
LAN - Local Area Network
LSE - Local Security Environment
MHS - Message Handling System
MOD - Ministry of Defence
NCIC - National Crime Information Centre
NIST - National Institute of Standards and Technology (US)
ODP - Open Distributed Processing
OECD - Organisation for Economic Cooperation and Development
ONP - Open Network Provision
OSI - Open System Interconnection
PGP - Pretty Good Privacy (Encryption Software)
PIN - Personal Identification Number
PNC2 - Police National Computer 2 (UK)
R&D - Research and Development
ROM - Read Only Memory
RSA - Rivest, Shamir and Adleman (asymmetric encryption algorithm)
SCSSI - Service Central de la Sécurité des Systèmes d'Information (F)
SDH - Synchronous Digital Hierarchy
SME - Small and Medium Enterprise
SOG-IS - Senior Officials Group - Information Systems Security
SRI - Stanford Research Institute
SSPS - System Security Policy Statement
TA - Technological Assessment
TCSEC - Trusted Computer System Evaluation Criteria
TEDIS - Trade EDI System
TOE - Target of Evaluation
TTP - Trusted Third Party
UN - United Nations
WAN - Wide Area Network

Appendix C: Index

acceptance testing, 85
access control, 40
access to security related data, 38
accessibility, 102
accreditation, 114
accreditation of services, 114
accreditation of TTPs, 83, 115, 135
Action Lines, 1, 140
actors and roles, 50
advice and instruction versus prohibition, 53
aggregation, 102
assurance, 93
asymmetric encryption, 72
audit of TTPs, 83, 135
audit trails, 63
audits, 65
authentic naming, 41
authentication, 16
authorisation mechanisms, 41
authority of a digital signature, 48
automated systems, 98
availability, 23
awareness, 50, 117
biometric controls, 17
biometric methods, 16
broadband communications, 97
CASE, 92
certification, 74
certification of credentials, 53
chipcards, 69
choice versus interoperability, 52
civil acts, 108
claim of origin, 43, 68
claim of ownership, 43, 68
codes of conduct, 115
commercial and national security, 21
commercial environment, 105
commercial off the shelf (COTS), 24
common practices, 115
company and organisational law, 108
competitive advantage, 23
computer crime laws, 108
confidence in communication, 18
confidence in services, 18
confidentiality level, 72
confidentiality schemes, 72
confidentiality, user needs, 49
consistency of procurement practices, 59
constitutional rights, 108
consumer protection, 108
cost of detection, 32
cost of security, 32
costs, 23
counterfeiting, 108
countermeasures, 23
credentials, 74
credit cards, 42
criminal acts, 108
data compression, 102
Data Encryption Standard (DES), 72
data exchange, 104
data held in electronic form, 100
data protection laws, 108
demand for certificates, 95
demand for confidentiality, 49
demand related issues, 29
demand related issues, 11
demands for new technological approaches, 96
deprivation of ownership, 108
destruction to property, 108
digital signature, 46, 47
digital signatures, 69
dissemination, 103
distinguished name, 54
distributed-secret escrow systems, 78
durability, 103
duty of care, 22
economics of the security, 23
education and training, 117
electronic cash, 42
electronic negotiable documents, 68
electronic trading, 32
eliminating harm, 107
embedded systems security, 27
escrow services, 78
escrow systems, 78
ethical principles, 25
European Convention of Human Rights, 108
EUROPOL, 22
evaluation of applications, 88
evaluation of communication services, 89
evaluation of methods and tools, 91
evaluation of trusted solutions, 84
evidence, 102
expectations, 103
fair exchange of values, 44, 70
forgery, 108
form, 102
formal evaluation, 85
formal evaluations, 58
four freedoms, 14
FPR, 22
fraud, 108
functionality and assurance, 31
general issues, 13
global teleconferencing, 97
globalisation of the economy, 14
granularity (meeting differentiated needs), 50
human factors, 26
human rights and the protection of communications, 15
human rights and the safety, 17
identification, 16
identification mechanisms, 41
impact of loss of information, 50
impact of theft of information, 50
indirect evaluation, 85
information security audit, 110
INPOL, 22
insurance, 112
integrity and digital signatures, 77
intellectual property rights (s.a. ownership), 108
interconnected law enforcement/criminal information systems, 22
internal market, 14
international mutual recognition, 85
international agreements, 114
international harmonisation, 85
international scale, 22
interworking of autonomous confidentiality services, 82, 135
interworking of TTPs, 81
IS-to-cost, 24
issues (of general nature), 13
issues (related to demand), 29
issues (related to supply), 67
judicial immunity, 108
jurisdictional issues, 111
key generation, 47
key length, 47
key management, 72, 74
key management service, 77
key usage, 76
lack of care, 25
legal framework, 99
legal functions of signatures, 48
legal principles for digital signatures, 47, 128
legal restrictions affecting technical solutions, 108
legislation, 114
legislative environment, 104
liability, 99, 101, 104, 105, 107, 109, 137, 138
liability limiting measures, 109
libel, 108
life-cycle costs, 23
loss assessment, 62
LOTOS, 92
maintenance of safety and assurance, 95
management of openness and protection, 19
management of TTPs, 80
management services for credentials, 79
management services for names, 79
mandatory assurance, 23
mass data storage, 98
measures to provide information security, 113
mitigating harm, 107
mobile services, 98
mobility, 14
modifications to evaluated products, 92
motivation to acquire evaluated solutions, 59
multi media applications, 97
mutual confidence and TTPs, 50
name assignment, 74
names, 53
NCIC, 22
negotiable documents, 69
non-repudiation services, 43, 68
objective records, 21
Open Distributed Processing (ODP), 20
Open Network Provision (ONP), 20
Open System Interconnection (OSI), 20
operating principles of TTPs, 80
organisation of security, 33
organised crime, 22
original, 103
ownership, 103
ownership of biometric data, 17
performance, 23
performance reporting for trusted products, 94
persistence, 103
physical and procedural issues, 92
PNC2, 22
policy framework, 113
political environment, 105
portable systems, 98
preservation, 102
privacy enhancement, 49, 77
privacy of biometric data, 17
procedural issues, 111
processing, 102
products and services, 115
protection of information in safety critical environments, 26
protection of workstation, 47
provision of public confidentiality services, 51, 129
public digital signature scheme, 48
public key, 54
quasi-material form, 103
random (unpredictable) components, 41
rationale, 3, 10
rationalisation of evaluations, 94
re-evaluation, 92
re-use, 93
real time tools for IS diagnostics and counter measures, 98
regulation, 114
relationships between private parties, 106
requirements for action, 3
requirements for evaluations, 57
responsibilities, 99
right to signature, 46, 128
rights, 99
rights, responsibilities and liabilities issues, 12
risk analysis and management, 61
Rivest, Shamir, Adleman (RSA), 72
safety of communication systems, 56
safety specific methodologies, 64
Schengen information system, 22
scope of the evaluation, 93
scope, definition, 11
secret key, 54
sectoral specifics, 35
security administration, 32
security and innovation, 34
security and law enforcement, 22
security and safety methodologies, 60
security domains, 21, 36
security functions, 40
security hazards, 27
security incident reporting, 61
security labelling, 37
security management, 73
security methodologies, 34
security objectives, 34
security objectives for enterprises, 33
security of electronically stored information, 55
security of information systems, definition, 10
security policy, 34
security requirements for enterprises, 30
security requirements for individual users, 38
security services, 42, 67
self evaluations, 58
self-evaluation, 87
senior officials group, 1
service provision, 49
signature schemes, 71
single market, 10
slander, 108
social acceptance, 16
social recognition of information crime, 24
software quality, 94
specifications, 117
standardisation of the use of electronic data, 104
standards, 117
structure of document, 11
supply related issues, 12, 67
supra-national and international treaties, 108
symmetric encryption, 72
technological change, 96
technology, 118
technology assessment, 63
theft, 108
time-stamping, 45, 70
trespassing, 108
TREVI information system, 22
trusted network management, 90
trusted third parties (TTPs), 73
trustworthiness of communication, 57
TTPs (accreditation of, audit of), 83, 135
TTPs (interworking of), 81
TTPs (management of), 80
TTPs (mutual confidence of), 50
TTPs (operating principles of), 80
unauthorised disclosure, 108
universal acceptance of digital signatures, 48, 128
untraceability, 44, 70
valuation of information, 66
vendor declarations, 85, 87, 88
vendor declarations, 58
weak information security, 22
Z, 92

Footnotes

1. OJ No L 123, 8.5.1992, p. 19.
2. SOG-IS Opinion of 17.11.92 on objectives, scope and approach.
3. Information Security is concerned with the protection of information stored, processed or transmitted in electronic form against deliberate or accidental threats. Information is acquired, communicated, processed and stored by Information Services. Electronic Information Services need a secure communication infrastructure, secure terminals (including processors and databases) as well as secure usage. The management of the service provision itself must also, and foremost, be secure. Therefore the approach to information security starts from an analysis of the needs of an individual or organisation for Information Services.
4. 92/242/EEC.
5. This danger has already been identified, and OECD Member Countries have, in the context of Protection of Privacy and Transborder Data Flow of Personal Data, recognised the risk of new technical barriers forming.
They have therefore agreed to endeavour to remove, and to avoid creating in the name of privacy protection, unjustified obstacles to transborder flows of personal data, to co-operate in the implementation of the Guidelines and to agree as soon as possible on specific procedures of consultation and co-operation for the application of these Guidelines.
6. Openness necessitates the following requirements:
   1) Accessibility to anyone
   2) Accessibility at any place
   3) Accessibility at any later time
   4) Transparent functionality
   5) Standardised modes of use
   6) Formalised legal evidence
   These requirements must be met and protected by appropriate security measures.
7. The following definitions are used in the text of this section:
   "data" means a representation of facts, concepts or instructions in a formalised manner suitable for communication, interpretation or processing by human beings or by automatic means;
   "information" is the meaning assigned to data by means of conventions applied to that data;
   "information systems" means computers, communication facilities, computer and communication networks, and data and information that may be stored, processed, retrieved or transmitted by them, including programs, specifications and procedures for their operation, use and maintenance.