Trusted ...or... trustworthy: the search for a new paradigm for computer and network security
On the occasion of the presentation of the Kristian Beckman Award for 2002 it is appropriate to pause and reflect on the state of computer and associated data network security at the start of the new millennium; appropriately in a country that itself pioneered the use of encryption some thousands of years ago. This paper sets out a number of major questions and challenges which include:

* Just what is meant by 'trusted' or 'trustworthy' systems after 20 years of experience, or more likely, lack of business level experience, with the 'trusted computer system' criteria anyway?
* Does anyone really care about the adoption of international standards for computer system security evaluation by IT product and system manufacturers and suppliers (IS 15408) and, if so, how does it all relate to business risk management anyway (IS 17799)?
* With the explosion of adoption of the microcomputer and personal computer some 20 years ago, has the industry abandoned all that it learnt about security during the 'mainframe era'; or - "whatever happened to MULTICS" and its lessons?
* Has education kept up with security requirements by industry and government alike in the need for safe and secure operation of large scale and networked information systems on national and international bases, particularly where Web or Internet-based information services are being proposed as THE major "next best thing" in the IT industry?
* Has the 'fourth generation' of computer professionals inherited the spirit of information systems management and control that resided by necessity with the last 'generation', the professionals who developed and created the applications for shared mainframe and minicomputer systems?

Overall, this paper proposes that, like other industries before it, from the car industry to food to pharmaceuticals and drugs, the role of government in relation to its community care responsibilities cannot be ignored in societies that have now become dependent upon the safe, secure and reliable operation of computer systems and data networks; so-called "National Information Infrastructure Protection" or NIIP. Is it time for government to enact legislation that places firm and legally binding obligations on the information technology industry to create and distribute safe and secure products and systems; to be liable for deliberate, or even negligent, release of faulty software products and the like? For the computer professionals creating the necessary applications that enable such systems to be used, is it time for legal responsibility based around concepts of professional conduct and education? Finally, in relation to specialized information security professionals acting to manage such critical information systems, is it time for government registration of those IT security professionals and, if so, just what has to be the base levels of education and training needed for a person to act as such? Unlike other industries, some professionals given charge of IT security may have had little more INFOSEC education than "buying a copy of Bruce Schneier's book" (an actual statement made to the author in relation to IT security training in a business situation and the nomination of an IT manager as the 'security' manager).