Organizational, Legal, and Technological Dimensions of Information System Administration - Advances in Systems Analysis, Software Engineering, and High Performance Computing
Latest Publications


Total documents: 15 (five years: 0)

H-index: 3 (five years: 0)

Published By IGI Global

9781466645264, 9781466645271

Author(s): Yulia Cherdantseva, Jeremy Hilton

Information Assurance (IA) is an intensively discussed discipline. Perhaps the most striking feature of IA is that everyone has a different opinion about what it actually is. The literature analysis enables us to distinguish three different approaches to Information Assurance: 1) Technical approach, concentrated on protection of networks; 2) Business approach, where IA is perceived as the comprehensive and systematic management of Information Security (InfoSec); 3) General approach, where IA is considered as a way to establish a level of confidence in information. Interviews with InfoSec practitioners reveal that they interpret the term IA differently and have contradictory views on how IA relates to InfoSec. It was felt that a survey with a greater number of practitioners might help to identify a commonly accepted perception of IA and to clarify the goals of the discipline. In 2011, a survey was conducted among one hundred InfoSec and IA professionals across the world. This chapter presents the results of the survey.


Author(s): Yulia Cherdantseva, Jeremy Hilton

Despite great interest of researchers and professionals in Information Security (InfoSec) and Information Assurance (IA), there is still no commonly agreed understanding of the disciplines. This chapter clarifies the meaning, scope, and goals of InfoSec and IA as well as the relationship between the disciplines. Clarity of the scope and goals of InfoSec and IA is important because this knowledge serves as a foundation for the definition of (1) curricula for the InfoSec and IA education programs, (2) responsibilities of practitioners, and (3) organisations' InfoSec strategy and policies. The study analyses US and European InfoSec- and IA-related official publications and standards and discusses the perception of the disciplines in academic and industry works. The study highlights the importance of clear and precise definitions of InfoSec and IA and a need for the definitions to promote open-mindedness among practitioners and researchers. Since the existing definitions of InfoSec and IA do not fully reflect the complexity and the evolving nature of the disciplines, the contemporary adapted definitions of InfoSec and IA are elaborated in the chapter.


Author(s): Carlos Juiz, Victor Alexander de Pous

Cloud computing evolved as a key delivery model for Information Technology (IT) and data provision for both the private and public sectors. Addressing its governance, legal, and public policy aspects is a condition sine qua non for successful deployment, whether done by the in-house IT department or outsourced. Stakeholders ask for new applications that consumerization is providing. Therefore, IT governance should be adapted to consider this new business pressure. However, the law plays a double role in respect to cloud computing; it functions as a legal framework set by mandatory regulations and as a contractual instrument to manage the cloud technology and information provisioning in an effective way, based on the strategic objectives of any organization. This chapter is devoted to where IT governance frameworks should consider the decisions about specific cloud computing compliance, how to measure them through several indicators, and which are their general legal and public policy aspects.


Author(s): Irene Maria Portela

The chapter discusses the role of CNPD (Comissão Nacional de Proteção de Dados) in case of violation of privacy, like dissemination or revelation of personal data by a public/private organization or entity. About this subject, the CNPD can issue a recommendation to the Portuguese Treasury to take some measures to strictly protect the security of the personal information using the Portuguese “E-Invoice.” Portuguese people must be protected against the misuse of personal data by the use of the “E-Invoice.” A Security System Administrator continuously monitors the network and all data traffic to prevent any misuse or abuse of the system. A prerequisite for trust and acceptance of these information systems is that appropriate data protection measures are implemented against possible misuse of personal data decreasing the risks in its utilization. Protective measures should be taken by the Treasury referring additional procedures against the misuse of data because the administrative control system is inefficient regarding unauthorized access, disclosure, misuse of localization data or loss, modification, and appropriation of information linked with the use of the Portuguese “E-Invoice.”


Author(s): Joanna Kulesza

Within the chapter, the author discusses the possibility of introducing an international due diligence standard for Internet Service Providers (ISPs). She analyzes the due diligence standard in public international law as the common element of two accountability regimes binding upon states: the regime of state responsibility for the breach of an international obligation and international risk-liability for transboundary harm. They are both aimed at preventing transboundary harm originating from state territory. Such harm may presently be inflicted also with the use of cross-border electronic networks. Since the Internet is considered a global resource, the analysis provided is based upon international environmental law doctrine with its detailed due diligence standard and principle of prevention. The author goes on to propose their application to cyber-security. The idea argued within the chapter is for the development of an international cyberspace-specific due diligence standard and possibly a liability mechanism, as based on the multistakeholder principle recognized within Internet governance. The author aims to answer the question of whether a due diligence standard for cyberspace may and if so ought to be introduced through particular obligations laid upon Internet Service Providers, in particular Critical Internet Resources operators and introduction of an international ISP liability fund.


Author(s): Fernando Almeida, Mário Santos

Big data is a term that has risen to prominence describing data that exceeds the processing capacity of conventional database systems. Big data is a disruptive force that will affect organizations across industries, sectors, and economies. Hidden in the immense volume, variety, and velocity of data that is produced today is new information, facts, relationships, indicators, and pointers that either could not be practically discovered in the past, or simply did not exist before. This new information, effectively captured, managed, and analyzed, has the power to enhance profoundly the effectiveness of government. This chapter looks to the main challenges and issues that will have to be addressed to capture the full potential of big data. Additionally, the authors present a conceptual framework for big data analysis structured in three layers: (a) data capture and preprocessing, (b) data processing and interaction, and (c) auxiliary tools. Each has a different role to play in capturing, processing, accessing, and analyzing big data.


Author(s): Fawzy Soliman

The goal of cloud systems is to provide easy, scalable access to computing resources and IT services. However, the ability of the cloud system to transfer knowledge to assist the innovator should also be a key objective of cloud system deployment. This chapter presents an approach for assessment of cloud systems for innovation on the basis of the system’s abilities to differentiate between the various types of knowledge. In this regard, the chapter also proposes a number of success factors for deployment of cloud systems for innovation in a global setting.


Author(s): Gonçalo S. de Melo Bandeira

In Portugal, and in much of the legal systems of Europe, “legal persons” are likely to be criminally responsible for cybercrimes, for example, “false information,” “damage on other programs or computer data,” “computer-software sabotage,” “illegitimate access,” “unlawful interception,” and “illegitimate reproduction of protected program.” However, there are exceptions to the “question of criminal liability” of “legal persons.” Some “legal persons” cannot be blamed for cybercrime. The legislature did not leave! These “legal persons” are the following (“public entities”): legal persons under public law, which include the public business entities; entities utilities, regardless of ownership; or other legal persons exercising public powers. In other words, and again as an example, a Portuguese public university or a private concessionaire of a public service in Portugal cannot commit any one of the highlighted cybercrimes. Fair? Unfair. All laws should provide that all legal persons (rectius organizations) can commit cybercrimes.


Author(s): Peter J. Wasilko

This chapter focuses on the relationship between law and information systems administration. It highlights how technological choices can facilitate regulatory compliance, reduce legal costs, and allow agile responses to emerging risks. The reader should not regard this chapter as a comprehensive introduction to all of the world’s criminal and civil IT related statutes, regulations, and case law. It should be used as a basis for discussions with local counsel.


Author(s): Pedro Sousa, José Costa, Vitor Manso

This chapter is based on a case study scenario where a major data breach happens in one institution of the public sector, a municipality, in Portugal. The focus of this chapter is to explain the gap between software development and security specialists because these are two fields of information and technology with specialized staff, but they do not work together. Quality Software may increase if these two fields work together and all specialists work for a good end product. At the other extreme are organizations with security problems because the software is bad in the security field, and these organizations do not have mechanisms that help internal teams in case of security incidents. If security is not a concern when companies are developing software, the security specialists have a lot of problems when trying to audit the system.

