Protecting Aggregated Data
US-CERT
December 5, 2005
Produced by US-CERT, a government organization
Table of Contents
Executive Summary ........ 3
Purpose and Scope ........ 4
Background ........ 4
Understanding the Problem ........ 5
  Replication and Persistence ........ 5
  Ownership ........ 6
  Transformation ........ 6
  Valuation ........ 7
Understanding the Risks and Impacts ........ 7
  Value Placed at Risk ........ 8
  Short-term Impacts ........ 9
    Ability to Offer and Fulfill Customer Transactions ........ 9
    Customer and Partner Identity and Privacy ........ 9
  Long-term Impacts ........ 10
    Trust ........ 10
    Compliance and Legal Liability ........ 10
Security Management for Large Volumes of Aggregated Data ........ 11
  Understand the Information ........ 11
  Apply Good Management Principles ........ 12
  Apply Good Security Practices ........ 14
Appendix A ........ 19
References ........ 22
Produced 2005 by US-CERT, a government organization. 2
Executive Summary
In their ongoing quest for improved operational efficiency, organizations have come to rely on the ability to collect, access, and process large volumes of electronic data (aggregated data). This reliance has evolved with the development of sophisticated database software and the growing availability of hardware with storage capacity measured in terabytes. By possessing such large volumes of data, however, organizations assume certain risks and responsibilities:
- Large data stores are valuable informational assets that have become targets for cybercriminals.
- Electronic data can be easily copied, modified, and distributed, making the total retrieval or destruction of compromised or stolen data assets impossible to confirm.
- Owners and custodians of large data stores assume responsibility for maintaining the privacy and integrity of the information under their control.
Theft or compromise of customer, partner, or other data held by an organization has a number of short- and long-term consequences. The dollar value of these consequences can exceed that of the data itself. These consequences include
- interference with an organization's day-to-day operations
- interference with an organization's ability to fulfill customer and partner transactions
- erosion of trust relationships between the organization and its customers and/or partners
- violation of federal and/or state laws governing the protection of aggregated data
- exposure to civil litigation claims
By applying sound management principles and good security practices, organizations can mitigate these risks and better protect the aggregated data under their control. Organizations must understand the nature and disposition of the data, determine its value, and calculate acceptable risk. Their data management and security strategies must make leaders accountable for effective oversight of data security, heighten data security awareness, ensure legal compliance, and require regular data security audits and the development and execution of incident management plans. Leaders and the strategies they develop should also address sound security architecture and design, physical security management, the management of partner processes and activities that affect data security, vulnerability management, and business continuity. By working to ensure the security of the aggregated data in their charge, organizations can not only avoid the negative consequences associated with a data security breach, but strengthen their relationships with customers and partners and enhance their reputations in the community at large.
Purpose and Scope
The purpose of this paper is to discuss the security issues, business impacts, and potential strategies of U.S. industry, government, and academic organizations that create and maintain large aggregations of data, such as digital repositories, databases, data warehouses, and aggregated information systems. The paper first examines characteristics of data and information with respect to how they create security management challenges when information is compiled and aggregated. The paper highlights consequences, negative impacts, and ramifications to organizations, partners, and users due to data compromise, including manipulations, disruptions, disclosures, thefts, and loss. Finally, the paper discusses effective security management approaches and strategies to address the issues and to mitigate risks.
Background
Organizations and information security staff are facing an increasing number of attacks against mass stores of their customer, private, and sensitive information. All of us have read the headlines identifying corporations, universities, and government agencies that have lost control of their database records to attackers. The growing list of attackers and methods of attack against such data stores is real and has the potential to negatively impact business, government, academia, consumers, and the citizenry.
At the center of the attacks are the common databases, repositories, and data warehouses required to conduct operations in the public and private sectors. Because of the decreasing cost of storage devices and the increasing desire for business intelligence and analytics, enormous volumes of electronic information are being aggregated and, consequently, placed at risk. For instance, two years ago, information-technology-oriented media outlets were writing articles describing only a handful of the largest commercial databases pushing 75 terabytes in size [Orzech 03]. Today, similar articles talk of these sizes as commonplace, where the typical organization's database ranges between hundreds of gigabytes to tens of terabytes [Mearian 05]. How big is this? Consider that 1 terabyte of electronic data is equivalent to 50,000 trees' worth of printed paper [Berkeley 00].
The term data aggregation refers to the trend toward amassing, preserving, and using large volumes of electronic information. Organizations engaged in data aggregation may do so for any number of reasons, including archiving, analysis, and operations. Aggregated data also includes the metadata needed to index, flag, define, or access the information, as well as the content itself. The volumes of this type of data are most often amassed into an electronic repository without regard to their logical or physical structure, and are generally free from the organizational compartmentalization that results from the physical and operational requirements of the people who interact with them. Aggregated data is most often found and described by the technology that houses it, such as a database, data repository, storage array, file system, or data warehouse.
The risks posed to aggregated data are numerous and derive from both external and internal threats, such as natural disasters, failures of internal controls, sabotage, and attacks. This paper is concerned with aggregated data security as it pertains to losses due to attackers that are external to the organization that is responsible for managing the aggregated data. The following scenario describes this problem:
A database containing 100,000 records for current and past students at a large university in the northeast was attacked by unknown parties on the Internet. The compromised data contained admissions, health, academic transcript, disciplinary action, residency, housing, student employment, and emergency contact information. The school's response was to warn current students and alumni of the risks posed to them by their information being possibly copied and stolen. They claimed the potential for misuse of some or all of their information could include identity theft and financial fraud. They instructed the victims to keep a watchful eye on their credit reports. The university stated that they were investigating the incident in an attempt to prevent this type of problem in the future.
If we hold it to be true that information is the lifeblood of an organization, we must also recognize the significance of our information resources, such as volumes of aggregated data. This significance is amplified by the desire of attackers to exploit these resources for their gain and our need to routinely transfer, store, and process these resources to conduct business, government affairs, etc. Customers, users, and stakeholders demand increasingly more privacy and protection for the information they provide to organizations in return for products and services. They place confidence in organizations to perform effective enterprise security management and understand the risks not only to an organization's sensitive data but to a customer's private information. They expect these risks to be managed regardless of where the information is stored, transmitted, or processed, be it internal to the organization or through partnerships. This customer focus is sometimes lost in the mass of multi-terabyte databases of aggregated data.
Understanding the Problem
When archivists look to preserve information, they understand that the media serves the content, not vice versa. Hence, the content drives the retention standard and policy, not the storage media, be it paper, microfiche, or tape. Similarly, in information security it is the content that drives the security requirements and the information systems that serve to fulfill these requirements. In organizations' attempts to secure information (the content), they need to consider that the systems where the information resides are a target of attacks and thus a key concern for information protection activities.
In large database systems, the content is a compilation of aggregated data. As much as databases lend themselves to supporting organizational processes, they also make clear targets for attacks: one-stop shopping locations for information thieves. The problems associated with databases are not the structure of information; they lie more with the characteristics of electronic information, especially aggregated data. Problems also stem from aggregating data in one or a few logical locations and the potential for loss of control, in use, and ownership. This section briefly explores some of these problems and issues.
Replication and Persistence
When left unprotected, aggregated data can be easily replicated, shared, altered, and destroyed. When a physical object is created, such as a car, it exists until it is completely consumed or becomes obsolete. In either case, the final disposition is that the object is destroyed and ceases to exist.
This same characteristic should apply to volumes of aggregated data. The exception is the ease with which information can be replicated at any point during its lifetime. This creates a potential situation where information cannot be disposed of easily due to the proliferation of copies. Worse yet, aggregated data, in electronic form, can exist past the point of obsolescence, persisting in perpetuity.
Ownership
Another set of characteristics describes ownership and custodianship of aggregated data. Continuing the analogy with a physical object, the identification of who owns and operates a car is usually bounded and well understood. We know two things: first, that a car has a title, its ownership is documented, and there is a defined process for transferring ownership. Second, mechanics who service the car maintain it, but do not own it. In contrast, aggregated data rarely has a well-defined title of ownership. Aggregated data is constantly changing in both ownership and custodianship because of the ease with which electronic information is shared, transferred, and replicated. For example, each time a piece of information is used in conjunction with other information, it is likely that the owner and custodian are different. Here, owners are the proprietors of an organizational process using aggregated data, while custodians are the users and administrators of the technology used to access the aggregated data.
Transformation
Aggregated data undergoes a constant transformation. Information by definition is the communication or reception of knowledge or intelligence [Webster 05]. For our purposes, data is processed, analyzed, and aggregated to produce information. The transformation of data into information occurs because organizations use raw data in the aggregate and within a given context, yielding information and intelligence.
Figure 1: The Information Cycle (Data -> Process -> Info -> Process -> Data)
The continual cycle of moving sets of data through a process that creates information (see Figure 1) presents challenges for determining clear ownership of aggregated data and the information from which it derives. Data from different sources is often combined to create new information. This is an important problem for intangible assets like aggregated data, as a clear boundary for the asset and its ownership is required before its value can be determined. Value is key to determining the level of investment for protection strategies.
Valuation
Valuing information of any type has proven to be difficult for most organizations. Information assets are not often carried on the books as capital assets, so determining a monetary value is not straightforward. Often, the value of an information asset is found in the process it supports and not in the information itself. The value of the aggregated data to an organization can only be determined if the person or persons responsible for the organizational process it supports understand and agree on exactly what is being valued.
Aggregated data often has many owners, users, and custodians. This creates situations where the exact value (or even an approximate, relative value) of the aggregated data is difficult to calculate. Determining the value is an attempt to capture how important the aggregated data is to the organization. Data value derives primarily from its use, but organizations need to also consider the impact of its loss or unavailability. Valuing aggregated data, taking into account its unique characteristics, is critical for determining the risks, the impacts, and thus the necessary investments in protection strategies and security actions to adequately protect such data.
Understanding the Risks and Impacts
Consider what it costs you if
- customer data is compromised and it makes the headlines
- your brand and reputation are negatively affected by a data-related security breach, resulting in a loss of customer confidence and loyalty
- sensitive intellectual property (such as government or trade secrets and new product information) is stolen by a competitor or made public
- your organization is found to be noncompliant with privacy and data protection/reporting regulations (international, national, state, local)
- your network goes down because of a data compromise
- you can't detect a data compromise
The risks associated with managing aggregated and sensitive data in electronic form and with network access are many. Organizations often find themselves in the position of custodian for critical, sensitive information belonging to others who trust the organization to handle this information responsibly. Reciprocally, owners assign responsibility for protection to custodians; this demands that owners communicate security requirements explicitly and ensure custodians meet the established requirements.
Determining the range of actions an organization needs to take to reduce aggregated data security risk to an adequate or acceptable level depends on what an organization needs to protect and what it needs to prevent. Consider the following questions:
- What responsibility do we have for protecting the information in our computer systems, particularly information that belongs to others? What needs to be protected? Why does it need to be protected? What happens if it is not protected?
- What are our worst-case scenarios for security compromise? Most likely scenarios? What potential adverse conditions and consequences need to be prevented? At what cost?
- How much disruption can we stand before we take action?
- How do we determine and effectively manage residual risk (the risk remaining after mitigation actions are taken)?
The answers to these questions can help organizations determine how much to invest, where to invest, and how fast to invest in data protection. They serve as one means to identify security risks to aggregated data and quantify the degree of risk exposure. In the absence of answers to these questions (and a process for periodically reviewing and updating them), an organization may find it difficult to define and deploy an effective aggregated data security strategy and thus be unable to effectively sustain an adequate level of protection.
Value Placed at Risk
Organizational assets that can be negatively affected if aggregated data security is inadequate, performed poorly, or compromised include
- trust
- customer and partner identity and privacy
- the ability to offer and fulfill customer transactions
- the ability to meet compliance, legal, and regulatory requirements
Organizations can experience an immediate impact in the short term as a result of a compromise of aggregated data security, and impacts can be realized in the longer term. Aspects of each asset and impacts to them are described in the following sections.
Short-term Impacts

Ability to Offer and Fulfill Customer Transactions
The Internet has equalized access to information and aggregated data worldwide. Risks and opportunities increasingly derive from who you are connected to and who is connected to you, rather than from where you are physically located. Because of the ready and direct access customers have to those with whom they wish to transact business, and the ease with which they can change these choices for any reason, customers drive today's marketplace.
An organization's ability (or inability) to competently offer and fulfill customer transactions is most visible to the customer. This includes a customer's profile, preferences, and historical buying habits, often stored in aggregated databases. In the case of commercial business, making items of interest easy to find, with accurate and competitive pricing, with immediate order confirmation, and with timely delivery contribute to the growth of Internet-based business. Online banking provides a good example of how aggregated data security enables customer transactions. Bank customers are typically assured of identity and privacy protection with respect to their personal information, transaction histories, and a secure flow of funds via an Internet connection. Imagine how this changes if the customer's data is compromised and this is publicly reported. Imagine what the impact would be if the entire roster of customers were negatively affected by a security breach of the bank's volume of aggregated customer account data.
The ability to lower transaction costs (discovery, negotiation, arbitrage, settlement, and adjudication) depends on electronically accessible and aggregated data. The Internet and the electronic commerce it enables have lowered transaction costs compared with predecessor technologies. However, the nature of electronic communication is that it is location independent, essentially instantaneous, and, unless modified, anonymous [Geer 04]. These qualities introduce new risks to aggregated data that must be taken into account by organizations owning and serving as custodians for such data.
Customer and Partner Identity and Privacy
Concerns about the risks associated with personal privacy and identity are growing. Violations of these types and their costs, legal consequences, and effects on reputation are regularly reported in the media. A typical example states, "The Federal Trade Commission estimates that approximately 3,000,000 Americans were the victims of identity theft in 2002. A business that obtains consumers' personal information has a legal duty to ensure that the use and handling of that data complies in all respects with representations made about the company's information security and privacy practices" [Braun 04]. Disclosure of personal information entrusted to an organization can have a profound impact on that organization's reputation.
As identity theft and related violations of privacy become more prevalent, public backlash from both customers and legislators could be significant. Increasingly, customers and organizational partners expect a certain standard of aggregated data security practice from any competent organization. This expected standard is likely to continue to escalate. However, reputation need not be considered solely in negative terms. Leaders should also ask, "How much is it worth for us to be seen by our customers and partners to be actively concerned with safeguarding their information?" Proactive approaches to security can enhance an organization's reputation as a trusted partner [Charette 05].
International privacy regulations, such as those in the European Union (EU), Japan, and Australia, are more stringent than their U.S. counterparts, so approaches to comply with such regulations must be developed with proper appreciation of country or regional requirements. Given greater customer privacy concerns, data protection authorities in several countries are most concerned with protecting healthcare, pharmaceutical, and financial services data [Gartner 04].
U.S. or multinational organizations should be especially wary of how they treat EU employee data and how they monitor EU employees' electronic activities. EU employee tribunals are common, and EU employees frequently take their employers to court.
Increasingly, organizations are finding that a global approach to privacy can meet the majority of national or regional privacy requirements, providing some opportunity for cost containment through standardization.
Almost all organizations collect, process, store, disseminate, and transfer customer information in some form, most likely digital. Protecting such information and preventing actions that can cause unintended disclosure and use are increasingly required to meet legal requirements and preserve customer trust.
Long-term Impacts

Trust
Achieving and preserving trust are among the most essential outcomes of protected aggregated data. Trust is an element of protecting customers and their information, protecting market share, sustaining market and customer confidence, preserving reputation, and enhancing an organization's brand and image. Trust is hard to build and easy to lose in the face of a public breach of security or customer privacy. Just consider companies enjoying headline attention as their customer databases are compromised, raising widespread concerns about identity theft. Some are finding that regaining trust once it is lost may not be possible.
An increasing number of organizations understand the inextricable link between trust and securing aggregated data in today's globally connected environment. One CISO states, "Security is a necessary consideration in everything that we do. We need to protect customers and employees. We are the custodian for a lot of information that belongs to other people."
Compliance and Legal Liability
Failure to protect stakeholder interests with respect to certain categories of information or failure to prevent unauthorized access to personal information may have serious legal consequences. A comprehensive approach to protecting aggregated data can help an organization maintain compliance with new and expanding laws and regulations and avoid legal liability related to statutory or common law.
Rather than focusing on a framework for cyber or information security, current U.S. federal legislation and related regulatory programs have focused on an interest in either of the following:
- protecting the privacy of individually identifiable information held on private computer systems
- improving private sector oversight of financial reporting
Three current U.S. laws need to be considered when addressing responsibilities to protect aggregated data:
- the U.S. Gramm-Leach-Bliley Act of 1999 (protecting personal information for financial institution customers)
- the U.S. Health Insurance Portability and Accountability Act of 1996 (protecting personally identifiable health information held by certain entities)
- the U.S. Sarbanes-Oxley Act of 2002 (mandating expanded public company financial control audits, including information security)
These laws have all provided regulatory incentives for senior-level managers and oversight agencies (such as boards of directors and trustees) to pay closer attention to information security, including the protection of customer privacy and identity. A similar security effect derives from both state and international law. The California Database Protection Act (CA SB 1386; notification of personal security information breaches) and European Union (EU) Directives on data protection and privacy and electronic communications are affecting multistate and multinational organizations [CRS 05]. Consideration for extending aspects of the California law to all U.S. states is in progress.
Compliance issues related to legislative and regulatory programs and the criminal and civil liabilities that can arise from their violation are only one part of the legal liability exposure. There remains the significant liability that can result from national/federal and state court litigation claims based on a breach of contract, tort, or property rights. Civil litigation provides an effective platform for the promotion of individual privacy and identity protection. Such litigation might drive the adoption of standards governing security controls on aggregated data.
Security Management for Large Volumes of Aggregated Data

Understand the Information
The first step in protecting anything is to understand it. For aggregated data, this entails understanding what information exists, where it exists, and in what form. Determining an adequate level of protection also requires knowing the security requirements, owners and custodians, and potential risks and impacts. Once the basic information is known about large volumes of aggregated data, the data can be broken into smaller units and profiled.
Profiling, or the process of describing, categorizing, and bounding information, is one way to understand the unique characteristics and protection requirements of information. In this case, a smaller and more manageable set of aggregated data is used for profiling. Owners use profiling techniques to explicitly and unambiguously define:
- information descriptions and boundaries
- designations of owners, custodians, and users
- information security requirements, such as access and authentication requirements of users
- logical and physical locations where the information is stored, transported, and processed
- information value and sensitivity
Owners must know the value of their information to develop a meaningful profile. Such a profile is used by custodians to select appropriate security controls to protect the information. The owner of the information asset and its stakeholders determine the value of the information to the enterprise or organizational unit. The contribution of the information to the owner's goal achievement (or the potential to impede goal achievement) is reflected in the valuation. One way to consider the value of an asset is to look at the potential impact on the organization (and the owner) if something were to happen to it.
A significant amount of guidance has been issued to help federal government agencies determine and assign value to their information and information systems. Federal Information Processing Standard (FIPS) Publication 199 and National Institute of Standards and Technology (NIST) Special Publication 800-60 provide explicit guidance. Information value is determined by looking at the potential impact on the organization if the security of the information is compromised. Information is first classified by type (public relations information, for example). Then for each type of information the potential impact is rated on a high, medium, or low value scale for each security objective, which NIST defines as the triad of confidentiality, integrity, and availability.
Every organization needs to determine its own approach to and process for information valuation. Once the value of the information and the degree to which risks and impacts can negatively affect it are known, an organization can develop a meaningful profile against which to apply management and security controls to mitigate risks and manage impacts.
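The profiling fields listed above (description, owner, custodian, locations, value and sensitivity) and the FIPS 199 practice of rating impact per security objective can be put into a small working model. The Python below is an added example; it is not code from this paper, from US-CERT, or from NIST. It records one profile per information type, rates each on the paper's high/medium/low scale for confidentiality, integrity, and availability, and then rolls several types up into one category for the whole aggregated data set and one per custodian. That roll-up uses the "high water mark" rule from FIPS 199 (the highest rating wins), which goes beyond what the paper states. The three student-record information types, their owners, custodians, locations, and ratings are constructed sample data modelled loosely on the university scenario earlier in the paper.

```python
"""Impact rating and high-water-mark roll-up for profiled aggregated data.

Added example, not from the US-CERT paper. The profile fields follow the
paper's list; the per-type roll-up into one category for a data set is the
FIPS 199 "high water mark" rule. All sample records below are constructed.
"""
from dataclasses import dataclass

# The paper's scale; FIPS 199 itself names the middle level "moderate".
LEVELS = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoTypeProfile:
    """One profiled information type inside a larger aggregated data set."""
    name: str
    owner: str          # proprietor of the business process that uses the data
    custodian: str      # team operating the technology that holds the data
    locations: tuple    # logical/physical places where it is stored or processed
    impact: dict        # security objective -> LOW / MEDIUM / HIGH

    def __post_init__(self):
        # A profile is only usable if every objective carries a valid rating.
        missing = set(OBJECTIVES) - set(self.impact)
        if missing:
            raise ValueError(f"{self.name}: missing rating for {sorted(missing)}")
        bad = {k: v for k, v in self.impact.items() if v not in LEVELS}
        if bad:
            raise ValueError(f"{self.name}: invalid rating(s) {bad}")


def _max_level(levels):
    """Highest rating in an iterable of LOW/MEDIUM/HIGH strings."""
    return max(levels, key=LEVELS.__getitem__)


def high_water_mark(profiles):
    """Per-objective maximum impact across every information type in the set."""
    return {obj: _max_level([p.impact[obj] for p in profiles]) for obj in OBJECTIVES}


def overall_category(profiles):
    """Single level for the data set: the highest of the three objectives."""
    return _max_level(high_water_mark(profiles).values())


def security_category(profiles):
    """FIPS 199 notation: SC = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    hwm = high_water_mark(profiles)
    parts = ", ".join(f"({obj}, {hwm[obj]})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


def custodian_requirements(profiles):
    """Highest rating each custodian must meet over the types it holds.

    This is the hand-off the paper describes: owners declare value and
    requirements, custodians select controls that match them.
    """
    by_custodian = {}
    for p in profiles:
        by_custodian.setdefault(p.custodian, []).append(p)
    return {c: high_water_mark(ps) for c, ps in by_custodian.items()}


# Constructed sample profiles (hypothetical owners, custodians and locations).
SAMPLE = (
    InfoTypeProfile("student health records", "University Health Services",
                    "Central IT DBA group", ("records-db cluster", "nightly tape backup"),
                    {"confidentiality": "HIGH", "integrity": "MEDIUM", "availability": "LOW"}),
    InfoTypeProfile("academic transcripts", "Registrar",
                    "Central IT DBA group", ("records-db cluster",),
                    {"confidentiality": "MEDIUM", "integrity": "HIGH", "availability": "LOW"}),
    InfoTypeProfile("campus housing directory", "Housing Office",
                    "Housing Services IT", ("housing web app", "records-db cluster"),
                    {"confidentiality": "LOW", "integrity": "LOW", "availability": "MEDIUM"}),
)

if __name__ == "__main__":
    print(security_category(SAMPLE))
    print("overall:", overall_category(SAMPLE))
    for custodian, requirement in custodian_requirements(SAMPLE).items():
        print(custodian, requirement)
```

Note that the per-custodian view is the one that drives control selection in practice: the housing directory alone would justify only low confidentiality controls, but the same custodian that holds health records and transcripts inherits HIGH confidentiality and integrity requirements for the shared records-db cluster, which is exactly the compartmentalization question the paper raises.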
Apply Good Management Principles
A good set of commonly accepted management principles aids an organization's leaders in determining what protection strategies are best applied to secure aggregated data. Organizations can use principles to select, interpret, prioritize, deploy, and reinforce policies, strategies, plans, actions, and expected behaviors. To be effective and of greatest value, principle selection and interpretation should align with organizational objectives, including the requirement to protect sensitive aggregated data.
The following principles apply to protecting and securing aggregated data. These are briefly described in this section:
- Accountability
- Adequacy
- Awareness
- Compliance
- Measurement
- Response
- Risk Management
Each of the principles is stated using the present tense, conveying what actions, behaviors, and conditions demonstrate the presence of the principle in the organization's culture and conduct.
Accountability: Organizational leaders are accountable for providing effective oversight of aggregated data security, including ensuring effective execution of the agreed-to protection strategies. Such accountability and responsibility are explicit, defined, acknowledged, and accompanied by the authority to act. Leadership accountability and responsibility for aggregated data security are visible to all stakeholders.
Leaders possess the necessary knowledge, skills, and abilities to fulfill these responsibilities. Individual roles, responsibilities, authorities, and accountabilities are assigned. Leaders ensure that all users with access to aggregated data understand their responsibilities with respect to this access. Leaders conduct regular evaluations of their aggregated data security program, review the evaluation results, and report on performance to oversight authorities, including a plan for remedial action to rectify any deficiencies.
For example, one area reviewed and reported on would be data retention policy and procedure. Leaders work with aggregated data owners and custodians to ensure processes are documented, implemented, and secure for purging data when the need or requirement to maintain the data has expired.
Adequacy: Investment in aggregated data protection strategies (principles, policies, procedures, processes, controls) is commensurate with risk. Determination of risk is based on the value, sensitivity, and criticality of such data with respect to its vulnerability to loss, damage, disclosure, or denied/interrupted access. Probability, frequency, and severity of potential vulnerabilities are considered. Leaders ensure that sufficient resources (people, time, equipment, facilities, dollars) are authorized and allocated to achieve and sustain an adequate level of aggregated data security.
For example, leaders ensure data owners and custodians work together to understand the compartmentalization that sensitive aggregated data sets require. Leaders use policies to direct owners to declare value and identify security requirements (confidentiality, availability, integrity, and authentication) and direct custodians to implement sound and measurable security controls.
Awareness:Leadersare awareofandunderstandthe needtoprotectaggregated data.Theyunderstandwhatactionsarenecessaryto protectstakeholdervaluewithrespectto such data.All usersare awareofaggregated datasecurityrisksandprotection strategiesandunderstandtheirconcomitantrolesandresponsibilities.Awarenessisdemonstrated bythemotivation,training,and educationprovided touserswhoaregiven accesstosensitive aggregated data and byattendanceatperiodictraining asarequirementofcontinued access.Performancereviewsincludean evaluationofhowwelltheseresponsibilitiesare fulfilled.
Compliance:Aggregated data protectionstrategiesareincompliancewithlegaland regulatoryrequirements,requirementsof conducting business,andrequirementsestablished byexternalstakeholders.Actionsnecessaryto evaluatecomplianceobjectively(such asinternalandexternalaudits)arebuiltintothesecuritycomplianceprogram.Thisincludesregularmonitoring,review,andreporting ofcompliance findingstoaffected and interested parties.Leadersensurethatremedialand timelyactionistaken for anyaggregated data securitydeficiencies.
Measurement:Leadersidentifyandrequestperiodicreportsonmeasuresandindicatorsthatdemonstrate thevalueand adequacy(orlackthereof) of aggregateddatasecurityprotectionstrategies.Whatgetsmeasured getsdone.Metricsareabouttransformingpolicyinto action andmeasuring performance.Metricsindicatehowwellpoliciesandprocessesare functioningandwhetheror nottheyare producing desired performance outcomes[CISWG04b].
Response: All users (including leaders) act in a timely, coordinated manner to prevent or respond to threats to aggregated data security and compromises of it. Such response requires development and regular exercise of business continuity, disaster recovery, crisis management, and incident management plans so that the enterprise is adequately prepared in the face of an attack and is able to resume normal operations as quickly as possible.
Risk Management: Leaders continually review, assess, and modify aggregated data security protection strategies in response to the dynamically changing risk environment in which they operate. Leaders articulate acceptable levels of risk to aggregated data assets based on their value, sensitivity, and criticality (see Adequacy). Such levels are examined during regular review and assessment processes.
Costs of compromise (loss, damage, disclosure, denied/interrupted access, costs to reconstitute) are quantified to the extent possible as part of ongoing risk management. Controls are selected to effectively mitigate risk, and their performance is regularly measured and reviewed. Plans for remedial action to rectify risk mitigation deficiencies are developed and executed following each assessment.
Apply Good Security Practices

As with management principles, a good set of commonly accepted security practices helps an organization meet the protection requirements of aggregated data. Practice selection and adoption derive from the security strategy of an organization. Organizations use practices as they implement security policies, strategies, plans, and actions. To be effective and of greatest value, practices should guide control selection and address the risk mitigation efforts necessary to adequately protect sensitive aggregated data.
The following practice areas apply to protecting and securing all types of information, including aggregated data. These are briefly described in this section:
Information Security Strategy
Information Security Policy
Security Architecture and Design
Incident Management
Partner Management
Contingency Planning and Disaster Recovery
Physical Security Management
Information Technology
Audit and Monitoring
Vulnerability Management
Each of the practice areas is stated using the present tense, conveying what actions, behaviors, and conditions demonstrate the presence of the practice in the organization's culture and conduct.
Information Security Strategy: The security strategy is part of the organization's overall strategic planning activity and serves as a systematic plan of action for implementing, maintaining, and improving the security posture of an organization. The strategy encompasses and describes the organization's information security program, including all of the activities and processes that are performed to ensure the mission's survivability. This includes the protection of aggregated data, considered in the context of all other security strategy actions. It considers the unique operating circumstances of the organization, as well as its culture, mission, and critical success factors. Effective security strategy aligns with, and supports, the business strategies and drivers of the organization.
Information Security Policy: An information security policy is the compilation of guiding principles the organization defines to establish the limits and boundaries of behaviors for using information resources and assets, including aggregated data. The core of the information security policy defines the organization's risk tolerance, which is indicative of the range of security events the organization is prepared to withstand. For example, a higher risk tolerance may signify that the organization believes it would not suffer a significant or material impact if a security weakness or vulnerability is introduced and/or exploited. As the organization's risk tolerance narrows, a more extensive security strategy is necessary, as well as well-defined and prescribed guidelines for behavior and action.
Security Architecture and Design: Security architecture and design is the physical and logical implementation of the organization's security strategies, policies, and procedures. It is the organization's technical implementation of security structure throughout the various layers of the technical infrastructure. This includes physical devices, hardware, software, and the ways in which security is managed and administered in this infrastructure. Security architecture and design addresses the unique requirements reflected in the profile for each subset of aggregated data. This practice includes ensuring that systems on which aggregated data is stored, processed, and transmitted are securely configured and that configurations are kept up to date using a well-defined and enforced change management process.
Incident Management: Incident management is the organization's process for identifying, reporting, and responding to suspected security incidents and violations, including those involving aggregated data. The organization is prepared for incidents involving the organization's network and technical infrastructure, physical facilities, and human resources, such as social engineering attempts. The organization's ability to address incidents as a part of the overall security strategy provides another tool for monitoring its environment, understanding what threats and vulnerabilities it is susceptible to, and developing proactive mitigating and protective strategies. For aggregated data in particular, incident management includes the processes for required communication with and notification of affected parties, such as customers. Incident management may also include remedial and corrective actions necessary to restore customer confidence.
Partner Management: Partner management processes and activities require that vendors and service providers act in ways that support the survivability of the parent organization. Organizations communicate to these partners what is important to the organization and how they are expected to behave so that they do not expose the parent organization to further risk. Parent organizations recognize that they ultimately retain responsibility for ensuring the tasks are completed and that the goals and objectives are achieved. It is essential that partner organizations understand their roles and responsibilities and are held contractually liable for adequately protecting aggregated data that is owned by the parent organization and for which the partner is a custodian or user.
Contingency Planning and Disaster Recovery: Contingency planning and disaster recovery direct the approaches and actions taken by the organization to continue normal operational functions when confronted with significant or adverse disruption. Contingency planning involves the proactive and reactive steps to facilitate an effective and efficient recovery from any contingency that puts the organization's mission at risk. Managing the impacts involves and requires appropriate policies, plans, and procedures to be documented, communicated, tested, and evaluated before a contingency situation occurs. Contingency planning and disaster recovery practices include ensuring that aggregated data backups are regularly made, transmitted securely (encrypted), reach their backup storage location, are stored securely, and that aggregated data can be restored to a known state from any given backup media. A restore that is only planned and never exercised against current media gives no assurance of the last point.
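As an added illustration of the last point above (example code written for this edit, not part of the US-CERT paper), the following Python script records the known state of a backup set as a manifest of SHA-256 digests protected by an HMAC whose key is kept off the backup media, then checks a restored copy against that manifest and reports missing, modified, and unexpected files. The file names, sample records, and key are constructed for the demonstration; encryption of the backup for transmission and storage is assumed to be handled by the transport or storage layer and is not shown.

```python
"""Backup manifest and restore-to-known-state verification.

Added example, not from the US-CERT paper. Assumptions: a backup is a
directory tree of files; the "known state" is a manifest of per-file
SHA-256 digests with an HMAC over the manifest; the HMAC key is held
separately from the backup media. Encryption in transit/at rest is
assumed to be done by the transport or storage layer (not shown).
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def _digest_tree(root: Path) -> dict[str, str]:
    """SHA-256 of every regular file under root, keyed by relative POSIX path.
    The manifest file itself is excluded so it can live beside the data."""
    digests = {}
    for path in sorted(p for p in root.rglob("*")
                       if p.is_file() and p.name != MANIFEST_NAME):
        digests[path.relative_to(root).as_posix()] = \
            hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def write_manifest(backup_root: Path, key: bytes) -> dict:
    """Record the known state of a backup: per-file digests plus an HMAC over
    them. The key must not travel with the media; otherwise whoever can alter
    the backup can also re-sign the manifest."""
    files = _digest_tree(backup_root)
    body = json.dumps(files, sort_keys=True).encode()
    manifest = {"files": files,
                "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}
    (backup_root / MANIFEST_NAME).write_text(json.dumps(manifest, sort_keys=True))
    return manifest


def verify_restore(restored_root: Path, manifest: dict, key: bytes) -> list[str]:
    """Compare a restored tree with the manifest. Returns a list of findings;
    an empty list means the restore reproduced the known state exactly."""
    findings = []
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        findings.append("manifest HMAC mismatch: manifest altered or wrong key")
        return findings  # the file list cannot be trusted, so stop here
    actual = _digest_tree(restored_root)
    for rel, want in manifest["files"].items():
        got = actual.get(rel)
        if got is None:
            findings.append(f"missing: {rel}")
        elif got != want:
            findings.append(f"modified: {rel}")
    for rel in actual.keys() - manifest["files"].keys():
        findings.append(f"unexpected: {rel}")
    return findings


def demo() -> tuple[list[str], list[str], list[str]]:
    """Three cases: clean restore, corrupted media, tampered manifest.
    All data below is constructed for the example."""
    key = b"constructed-demo-key-keep-off-the-media"
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "backup"
        (src / "customers").mkdir(parents=True)
        (src / "customers" / "2005-12.csv").write_text("id,city\n1,Pittsburgh\n2,Austin\n")
        (src / "schema.sql").write_text("CREATE TABLE customers(id INT, city TEXT);\n")
        manifest = write_manifest(src, key)

        clean = verify_restore(src, manifest, key)

        # Corrupted media: one record silently changed, one file lost.
        (src / "customers" / "2005-12.csv").write_text("id,city\n1,Pittsburgh\n2,Boston\n")
        (src / "schema.sql").unlink()
        corrupted = verify_restore(src, manifest, key)

        # Tampered manifest: digests rewritten to match the altered data, but
        # the HMAC cannot be recomputed without the key held off the media.
        forged = {"files": _digest_tree(src), "hmac": manifest["hmac"]}
        tampered = verify_restore(src, forged, key)
    return clean, corrupted, tampered


if __name__ == "__main__":
    for label, result in zip(("clean", "corrupted", "tampered"), demo()):
        print(label, result or "OK")
```

The design point is that a digest list stored on the same media as the backup only detects accidental corruption; the keyed HMAC is what lets the restore test also detect a backup that was altered and re-described by whoever had write access to the media.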
Physical Security Management: Physical security is a component of the comprehensive protection strategy, particularly for tangible aggregated data resources (such as hardware, software, and media). It complements the organization's network and system security by physically protecting the equipment and media on which the logical system and network security controls are instantiated.
Information Technology: Information technology security is the range of technical mechanisms that the organization deploys to enable and enforce policy, standards, and procedures. Technical practices and mechanisms are applied to counter known and anticipated threats and vulnerabilities to aggregated data, software, systems, and networks. In addition to threat avoidance, resistance, detection, and recovery, technology also supports security controls such as least privilege/separation of duties, access control (including role-based access control), firewalls including use of policy-segregated networks, change and patch management, aggregated database server configuration control, encryption, redundancy, adequate implementation of aggregated data profiles (including separating sensitive from non-sensitive data), etc.
The security of aggregated data is governed by the information security strategy and plans, and spans physical, logical, and operational domains. The physical domain includes the networks and the directly connected systems. The logical domain includes the ways in which users access and authenticate to system and network resources related to aggregated data. This domain is typically governed by an information security department and by the immediate department where the systems reside. The operational domain, somewhat more fragmented, considers how and where certain mission-related functions are performed, ultimately by the owners and users of aggregated data.
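The controls listed above for separating sensitive from non-sensitive data and enforcing least privilege by role can be shown on a small schema. The Python/SQLite program below is an added example written for this edit, not code from the paper. The table, view, and role names (customer_profile, customer_sensitive, v_customer_counts, v_customer_sensitive_masked, analyst, fraud_ops) and the sample records are invented. SQLite has no GRANT statement, so the per-role allow-list is enforced in the accessor; on a server database the same split maps onto GRANT SELECT on the views to database roles.

```python
"""Separating sensitive from non-sensitive aggregated data and enforcing
least privilege by role.

Added example, not from the US-CERT paper. Table, view, role names and
sample records are invented for the illustration. sqlite3 has no GRANT,
so the role check is done in the accessor; on a server database the
same shape maps onto GRANT SELECT on each view to the matching role.
"""
import sqlite3

# Constructed sample records. Profile fields are non-sensitive; the
# national-ID and card fields are sensitive and live in their own table.
PROFILES = [(1, "Pittsburgh", "PA"), (2, "Austin", "TX"), (3, "Boston", "MA")]
SENSITIVE = [(1, "123-45-6789", "4111111111111111"),
             (2, "987-65-4321", "5500000000000004"),
             (3, "555-55-5555", "340000000000009")]

# Role -> objects it may read. 'analyst' gets profiles and aggregate counts
# only; 'fraud_ops' may also read the masked view. No role reaches the raw
# sensitive table through this accessor.
ROLE_GRANTS = {
    "analyst": {"customer_profile", "v_customer_counts"},
    "fraud_ops": {"customer_profile", "v_customer_counts",
                  "v_customer_sensitive_masked"},
}


def build_db() -> sqlite3.Connection:
    """Create the split schema in memory and load the constructed records."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customer_profile (
            id INTEGER PRIMARY KEY, city TEXT, state TEXT);
        CREATE TABLE customer_sensitive (
            id INTEGER PRIMARY KEY REFERENCES customer_profile(id),
            national_id TEXT, card_number TEXT);
        -- Aggregate view: counts per state, no row-level data at all.
        CREATE VIEW v_customer_counts AS
            SELECT state, COUNT(*) AS customers
            FROM customer_profile GROUP BY state;
        -- Masked view: last four digits only, so a match can be confirmed
        -- without the full set of identifiers ever leaving the server.
        CREATE VIEW v_customer_sensitive_masked AS
            SELECT id,
                   '***-**-' || substr(national_id, -4) AS national_id,
                   '************' || substr(card_number, -4) AS card_last4
            FROM customer_sensitive;
    """)
    conn.executemany("INSERT INTO customer_profile VALUES (?,?,?)", PROFILES)
    conn.executemany("INSERT INTO customer_sensitive VALUES (?,?,?)", SENSITIVE)
    return conn


class AccessDenied(PermissionError):
    pass


def read(conn: sqlite3.Connection, role: str, obj: str) -> list[tuple]:
    """Least-privilege accessor: the object name is checked against the role's
    grant set before any SQL is built, and only a fixed SELECT * is issued,
    so a caller cannot reach an unlisted table by naming it."""
    if obj not in ROLE_GRANTS.get(role, set()):
        raise AccessDenied(f"role {role!r} may not read {obj!r}")
    # obj has been validated against a closed allow-list, so interpolating
    # it here is safe; never do this with an unvalidated identifier.
    return conn.execute(f"SELECT * FROM {obj}").fetchall()


def demo() -> dict:
    """Exercise the allowed reads and three denials a reviewer would check."""
    conn = build_db()
    out = {"counts": read(conn, "analyst", "v_customer_counts"),
           "masked": read(conn, "fraud_ops", "v_customer_sensitive_masked")}
    for role, obj in (("analyst", "v_customer_sensitive_masked"),
                      ("fraud_ops", "customer_sensitive"),
                      ("intern", "customer_profile")):
        try:
            read(conn, role, obj)
            out[f"{role}:{obj}"] = "allowed"
        except AccessDenied:
            out[f"{role}:{obj}"] = "denied"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two things carry over to a production database: the sensitive half of the profile sits in a separate table (or schema, or server) so that a compromise of the analytics path does not expose the full identifiers, and the aggregate view is the only object most roles ever need, which is the point of the data-profile separation the paragraph calls for.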
Audit and Monitoring: Monitoring and auditing inspect and examine the degree to which the organization's policies are being implemented and followed. Monitoring activities are the means by which the organization systematically checks its security posture for weaknesses and vulnerabilities and initiates appropriate responses where necessary. This includes observing system and network events, configurations, and processes under routine operation for suspicious or unauthorized events related to aggregated data security. The practices and technologies supporting monitoring require the expected or normal state of the system and network environment to be known and defined for aggregated data in processing, storage, and transmission. Where monitoring is the more continuous activity integrated into the organization's routine system administration and management, auditing inspects the security safeguards and controls to determine whether they comply with regulatory and legal requirements, policies, and standards.
Vulnerability Management: Vulnerability management determines the state of technical and operational weaknesses in the technical infrastructure where aggregated data resides, and how to appropriately mitigate the weaknesses. Vulnerability assessment is a proactive or preventive monitoring activity in which systems and networks are examined for known technical flaws or weaknesses. Results of a vulnerability assessment are analyzed, prioritized, and reported, with actions tracked to completion.
Aggregated data is one form of information and benefits from the same organizational, process, technical, and human security controls that are well known and practiced in information security. Problems and issues unique to aggregated data and its inherent characteristics have been described in Section 3. Risks and impacts to electronic information have been summarized in Section 4 and interpreted for some of the unique challenges that come with owning, using, and serving as custodians for aggregated data. The principles and practices briefly described in Section 5 apply to most types of information and information systems. This paper suggests using such principles and practices, as part of an organization-wide security strategy, to adequately protect aggregated data. By doing so, organizations are more likely to be able to demonstrate that they are exercising due diligence through following commonly accepted good practice.
Appendix A

The principles described in Section 5 are derived from several credible and reputable organizations and the sources listed in Table 1.

Table 1: Sources of Enterprise Security Principles

Organization                                              References
American Chemistry Council                                [ACC99, ACC03]
Business Software Alliance                                [BSA03]
Corporate Governance Task Force                           [CGTF04]
Corporate Information Security Working Group              [CISWG04a, CISWG04b]
Information Systems Security Association                  [ISSA04]
Information Technology Governance Institute               [ITGI01, ITGI04]
Institute of Internal Auditors                            [IIA01]
International Organization for Standardization (ISO)      [ISO00a, ISO05]
National Association of Corporate Directors               [NACD01]
National Institute of Standards and Technology            [NIST96, NIST04]
Organisation for Economic Co-operation and Development    [OECD02]
Software Engineering Institute                            [CMMI03]
[ACC99] American Chemistry Council. Responsible Care Guiding Principles, 1999. http://www.americanchemistry.com/.
[ACC03] American Chemistry Council. Responsible Care Security Code of Management Practices, 2003. http://www.americanchemistry.com/.
[BSA03] Business Software Alliance. Information Security Governance: Toward a Framework for Action. October 2003. http://www.bsa.org/resources/loader.cfm?url=/commonspot/security/getfile.cfm&pageid=5841&hitboxdone=yes.
[CGTF04] Corporate Governance Task Force. Information Security Governance: A Call to Action. National Cyber Security Partnership, April 2004. http://www.cyberpartnership.org.
[CISWG04a] Corporate Information Security Working Group. Adam H. Putnam, Chairman, Subcommittee on Technology, Information Policy, Intergovernmental Relations & the Census, Government Reform Committee, U.S. House of Representatives. Report of the Best Practices Subgroup. March 3, 2004. http://reform.house.gov/TIPRC/News/DocumentSingle.aspx?DocumentID=3030.
[CISWG04b] Corporate Information Security Working Group. Adam H. Putnam, Chairman, Subcommittee on Technology, Information Policy, Intergovernmental Relations & the Census, Government Reform Committee, U.S. House of Representatives. Report of the Best Practices and Metrics Teams. November 17, 2004, updated January 10, 2005. http://www.educause.edu/LibraryDetailPage/666&ID=CSD3661.
[ISSA04] Information Systems Security Association. Generally Accepted Information Security Principles v3.0. http://www.issa.org/gaisp/gaisp.html (2005).
[ITGI01] Information Technology Governance Institute. Information Security Governance: Guidance for Boards of Directors and Executive Management. Information Systems Audit and Control Foundation, 2001. http://www.itpi.org.
[ITGI04] Information Technology Governance Institute. COBIT Security Baseline: An Information Security Survival Kit. ITGI, 2004. Individual checklists are available at http://www.itgi.org.
[IIA01] The Institute of Internal Auditors et al. Information Security Governance: What Directors Need to Know. IIA, 2001. http://www.theiia.org/iia/index.cfm?doc_id=3061.
[ISO00a] International Organization for Standardization. ISO 9000:2000 Quality Management Systems: Fundamentals and Vocabulary, Second Edition, 2000-12-15. ISO 9000:2000(E), 2000.
[ISO05] International Organization for Standardization. ISO/IEC 17799, Information Technology: Security Techniques: Code of Practice for Information Security Management, Second Edition. ISO/IEC 17799:2005(E), June 2005.
[NACD01] National Association of Corporate Directors. Risk Oversight: Board Lessons from Turbulent Times. Director's Monthly Newsletter 27, 1. NACD, January 2003.
[NIST96] Swanson, Marianne & Guttman, Barbara. Generally Accepted Principles and Practices for Securing Information Technology Systems (NIST Special Publication 800-14). National Institute of Standards and Technology, September 1996. http://csrc.nist.gov/publications/nistpubs/.
[NIST04] Stoneburner, Gary, et al. Engineering Principles for Information Technology Security (A Baseline for Achieving Security), Revision A. NIST Special Publication 800-27 Rev A, National Institute of Standards and Technology, June 2004. http://csrc.nist.gov/publications/nistpubs/.
[OECD02] Organisation for Economic Co-operation and Development. OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security. OECD, 2002. http://www.oecd.org/document/42/0,2340,en_2649_34255_15582250_1_1_1_1,00.html.
[CMMI03] Capability Maturity Model Integration. Carnegie Mellon University, Software Engineering Institute. http://www.sei.cmu.edu/cmmi/cmmi.html.