Purpose

This special coverage examines the role of e-Security in the growing trend of using Information and Communication Technologies (ICT) for development. It explores electronic information security issues for national governments and national agencies, and examines ways for governments to assess and implement a cost-effective national e-Security strategy. This topic is important because along with the great potential that ICT brings to allow for rapid transmission of indefinite quantities of information across great distances, it also brings an increased risk to the security of the information it carries.

Definition

E-security refers to the process of ensuring the confidentiality, integrity, and availability of electronic information and protecting it against malicious attackers who could use or alter the information to disrupt critical national infrastructure and industry.

Potential

In recent years, information technology has proven to be a critical tool in facilitating the near-instant delivery of information and in increasing the availability of information to billions of new organizations and users. As more and more organizations recognize the potential that ICT can bring, they have begun to use it to exchange increasingly important information, creating a need to have an e-Security strategy to ensure that important information is protected from attackers.

Several sets of minimum e-Security standards are already available which can be used in developing and implementing an e-Security strategy for federal governments. The ISO (International Organization for Standardization) has extensive e-Security standards which are used by governments and international organizations across the world, in particular ISO 27001 which is used by the World Bank. Additionally, the US National Institute of Standards and Technology has developed its own set of minimum security standards for federal agencies which are available at http://csrc.nist.gov/sec-cert.

It is important to recognize national information technology infrastructure as a critical element of e-Security. In some cases, this infrastructure may be owned and managed by the private sector. If so, it is important to bring in private sector organizations to ensure that all internal e-Security measures are applied externally as well. This should accompany oversight and frequent audits.

Limitations

The primary limitation to e-Security strategy is the inevitability of breaches of security measures. There is always inherent risk in the transmission of electronic information and the function of an e-Security strategy is to manage that risk so it exists at an acceptable level for a given set of information. As such, breaches will occur regardless of existing security measures and it is the job of e-Security management to continually evaluate and refine e-Security strategy to keep current with technology.

Case Studies

E-security strategy for Australian Government agencies: http://www.agimo.gov.au/infrastructure/government

Overview of Australian E-security agenda for government information systems, national critical infrastructure, and personal and commercial information systems: http://www.tisn.gov.au/agd/WWW/rwpattach.nsf/VAP/(930C12A9101F61D43493D44C70E84EAA)~ESNA+brochure.pdf/$file/ESNA+brochure.pdf

Overview of the British strategy for security of e-Government services, including legal frameworks supporting e-Security strategy, existing security standards, threats to e-government, and e-Security strategy for delivery of government e-services. Very extensive and detailed. http://www.govtalk.gov.uk/documents/security_v4.pdf

Resources

Paper: “Managing Enterprise Risk in Today’s World of Sophisticated Threats: A Framework for Developing Broad-Based, Cost-Effective Information Security Programs” http://csrc.nist.gov/groups/SMA/fisma/documents/rmf-sz.pdf

Presentation by NIST on e-Security strategy, challenges, and the roadmap ahead.
Contains extensive information on strategies for managing risk, tips for strategy implementation, and multiple examples of potential weaknesses within organizational structure that threaten e-Security: http://csrc.nist.gov/groups/SMA/fisma/documents/PPT/fisma.pdf

Resources from the National Institute of Standards and Technology (NIST) on US federal standards regarding categorization of information and information systems, minimum information security requirements, guidelines for developing security strategies for government information systems, and guidelines for managing information security risk. This is a trusted, useful site for this documentation, standards and software. http://csrc.nist.gov/groups/SMA/fisma/library.html

E-security checklist for assessing the vulnerability of an organization’s information and information systems: http://www.agimo.gov.au/infrastructure/government/checklist

Site run by the Australian government for home users and small businesses to assess e-Security risk and implement personal e-Security strategies: http://www.staysmartonline.gov.au

The Computer Emergency Response Team Coordination Center's (CERT/CC) charter is to work with the Internet community to facilitate its response to computer security events involving Internet hosts, to take proactive steps to raise the community's awareness of computer security issues, and to conduct research into improving the security of existing systems. Their website contains an extensive collection of alerts about past (and current) security problems. http://www.cert.org