INFORMATION SECURITY TECHNOLOGY AND DATA INSURANCE (ISYS)



Duration of the project: Feb 2001 - Dec 2003
Home page of the project: <www.kurt.hu>
Co-ordinator: KÜRT Computer Rendszerház Rt., Budapest
Home page: <http://www.kurt.hu>
Address: H-1112 Budapest, Péterhegyi út 98.
Phone: (36-1) 228-5410
Project leader: KÜRTI Sándor dr. <sandor.kurti@kurt.hu>
Team leader: REMZSŐ Tibor dr. <tibor.remzso@kurt.hu>
Deputy project/team leader: PAPP Attila <attila.papp@kurt.hu>

Consortium member(s):
Computer and Automation Research Institute, Hungarian Academy of Sciences (MTA SZTAKI), Budapest
Home page: <http://www.sztaki.hu>
Team leader: BENCZÚR András dr. <andras.benczur@sztaki.hu>

Department of Mathematics and Computing, University of Veszprém, Veszprém
Home page: <http://www.szt.vein.hu>
Team leader: GYŐRI István dr. <gyori@almos.vein.hu>

Keywords: information security; data recovery; statistical analysis; insurance technology; data insurance; cryptography

1. Introduction

The primary aim of the project is to lay the foundation of an information technology risk management and data insurance system. As value assessment in data insurance differs greatly from the valuation of other kinds of property, an objective methodology for determining the value of information technology assets is a vitally important research area. The Information Security Technology (ISyS) to be created by this project shall provide the basis for a homogeneous, simple and organized IT infrastructure, upon which we can start planning the introduction of procedures that can guarantee a higher level of IT infrastructure security in the future.

Based on its vast experience in data recovery, KÜRT has gathered a large amount of information about information technology catastrophes and the causes of data loss. This reservoir of knowledge had not been scientifically analyzed before this project. In cooperation with the Computer and Automation Research Institute (MTA SZTAKI) and the Department of Mathematics and Computing at the University of Veszprém, we intend to determine those factors which constitute an information technology threat for companies or organizations.

Research & Development Division, Ministry of Education, Hungary <http://www.om.hu/nkfp>

2. Main objectives of the project

IT protection now concentrates on two basic functions:
- prevention of information loss, and
- prevention of information theft.

The creation of secure IT systems requires substantial investment of both money and manpower, logically preceded by risk assessment. Today's situation, however, is that a large number of organizations do not even have a set of security regulations, a security strategy or a security manual. If the management of an organization can distinguish between safe and unsafe, and can assign a required degree of security to its business procedures, then IT security experts can create a protection system which controls the technical gateways and shuts the door on intruders.

IT and Security Objectives

According to the above, the strategic aim of the consortium's IT development program is to lay the foundation of IT utilization that is far more efficient than it is today, enhancing progress in some important areas:
- ensuring the quality and security of IT activities, so that the systems' quality and security requirements are met in a harmonized fashion;
- securing the IT system components and their connections;
- documented regulation of IT security systems;
- a definition of the range and priorities of systems, files and data intended for protection;
- minimizing material damage in case of data loss;
- minimizing damage resulting from human error or negligence;
- creation and applicability analysis of mathematical solutions connected with IT security;
- creation of the theoretical basis of data insurance activity;
- analysis of the target areas and applicability of data insurance activity;
- feasibility of risk management in the IT infrastructure of business organizations;
- analysis of Hungarian IT infrastructure and IT literacy compared to EU requirements; assessment of deviations and deficiencies; promotion of the conditions necessary for the country's accession to the EU;
- preparation of the country for joining the EU, and contribution to the IT elements of legal harmonization.

ISyS

The organic parts of ISyS are the following:
- Framework
- Data protection module
- Data security module
- IT system procedures
- IT organizational procedures
- Audit preparation
- Emergency plan

Data insurance

KÜRT possesses a large amount of information (almost 10 thousand case histories) related to IT catastrophes, emergencies and data losses, and this treasury of information is as yet scientifically unexplored. The projected Information Security Technology (ISyS) will create the fundamentals of a homogeneous, simple and organized IT infrastructure. However, due to the rapid progress of information technology and the limited resources available, we have to recognize that providing a complete and final solution for every conceivable risk and problem is next to impossible. There may always be unexpected problems, and new solutions can bring about the emergence of new risks and problems.

In our research aiming at the creation of company IT security, we intend to follow and study the trends of international attack cases, because whatever happens in the outside world can also happen in Hungary. During our research, we will attempt to assess the number and direction of potential attacks.

For insurance risk assessment, we will engage specialists with expertise in cryptographic systems. Relying on the theoretical and practical cryptography expertise of our researchers, our target is to explore the available literature and standards in order to incorporate this expertise into our security technology directives and requirements, and also, in case of damage, to provide adequate means for finding the causes and detecting insurance fraud attempts.

On the above mathematical basis, within our research and development activity, we intend to examine primarily the practical applicability of mathematical methods (statistics, probability, game theory, risk analysis) suitable for modeling the simple handling and analysis of large quantities of data, decision making based on insufficient information, and forecasting future processes on the basis of current information, with a view to the practical utilization of these techniques in industry.
Data insurance is a brand new concept in the insurance business, and it is very hard, if not impossible, to grasp, mainly because value definition differs from the value definition of other kinds of property. An important field of research shall be to examine how computer data can become an object of insurance in mass proportions, like automobiles. The intent of this consortium is to engage in this research project, making use of the vast experience available in information technology, data recovery and mathematics. An insurance methodology that can be used simply, coherently and with the necessary automation can only be created on two conditions: on the one hand, it must guarantee adequate compensation for the client in case of damage, and on the other hand, insurance companies must be able to make a reasonable profit on this kind of service.

The objective of this research and development project is to increase data security, to reduce the risk of data loss and unauthorized data access, and to outline the foundations of an IT insurance system which should provide a high quality risk management service for its clients.

Both in the field of ISyS and in data insurance, the factors threatening the individual system components must be identified, the probability of their occurrence and the estimated damage must be defined in advance, the effects of the elements on each other have to be assessed, and an overall risk value has to be defined for the entire system. These values must not be a matter of intuitive guesswork; to get exact figures, a number of complex mathematical tools and methods must be applied. These tools are available at the Mathematics and Computing Department of the University of Veszprém, and also at the research base of MTA SZTAKI.

The system to be realized by this project presents a number of theoretical problems in various fields of mathematics: mathematical statistics, risk analysis, database theory, combinatorics, image recognition and cryptography. The range of phenomena commonly known as data loss also presents a number of questions we want to answer in our research, such as:
- Statistical examination of the damage process (the total sum of damages up to a given moment, as a function of time and chance). The data loss cases from KÜRT's data recovery experience can provide the causes (virus, operating system malfunction, human error, etc.) needed to prepare such statistics.
- The distribution of (physical and intellectual) damages converted into financial terms. It must be determined which of the distribution patterns described in the insurance mathematics literature (Pareto, lognormal, etc.) can be fitted to the available data.
- The above models and results will provide a foundation for defining net insurance premiums according to various theoretical principles, e.g. the expected value principle, the positive distribution principle, the average value principle, etc.
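The damage-process statistics and premium principles listed above, together with the data cleansing and pattern exploration steps described in the next paragraph, carried through as an added worked example. This is not code from the ISyS project and uses no KÜRT data: the case-history records, the observation period, the loading parameters and every function name are constructed assumptions for illustration. The block cleans a small table of data-loss records, counts cases per cause, fits lognormal and Pareto severity distributions by maximum likelihood, and prices the yearly aggregate loss under the expected value principle and, as a second illustration added here, a standard deviation loading (the "positive distribution" and "average value" principles named in the text are not implemented). With these constructed amounts the Pareto fit comes out with alpha below 1, which is the caveat a practitioner wants to see: a heavy-tailed severity fit may have no finite mean, and then no expected-value premium exists for it.

```python
"""Frequency-severity pricing of data-loss risk from a constructed case-history
table. Added example, not ISyS project code; all inputs are assumptions."""
import math
from collections import Counter

# Constructed case histories: (cause, damage in EUR). Two records are deliberately
# dirty (missing and negative amount) and one cause label is spelled inconsistently.
RAW_CASES = [
    ("virus", 1200.0), ("virus", 3400.0), ("os_malfunction", 800.0),
    ("human_error", 2500.0), ("human_error", 14200.0), ("hardware", 5000.0),
    ("virus", None), ("hardware", -50.0), ("HUMAN ERROR", 900.0),
]
OBSERVATION_YEARS = 3.5   # assumed exposure period over which the cases were collected


def clean_cases(raw):
    """Data cleansing: normalise cause labels, drop records with unusable amounts."""
    cleaned = []
    for cause, amount in raw:
        if amount is None or amount <= 0:
            continue
        cleaned.append((cause.strip().lower().replace(" ", "_"), float(amount)))
    return cleaned


def frequency_by_cause(cases):
    """Empirical case counts per cause: the simplest 'pattern' over the cleaned data."""
    return dict(Counter(cause for cause, _ in cases))


def fit_lognormal(amounts):
    """MLE for a lognormal severity: mu and sigma of ln(X), plus the implied E[X]."""
    logs = [math.log(x) for x in amounts]
    mu = sum(logs) / len(logs)
    var = sum((l - mu) ** 2 for l in logs) / len(logs)
    return {"mu": mu, "sigma": math.sqrt(var), "mean": math.exp(mu + var / 2)}


def fit_pareto(amounts):
    """MLE for a Pareto type I severity with x_min = smallest observed loss.
    The mean alpha*x_min/(alpha-1) exists only for alpha > 1; otherwise it is
    infinite and expected-value pricing on this fit is meaningless."""
    x_min = min(amounts)
    denom = sum(math.log(x / x_min) for x in amounts)
    if denom == 0:
        raise ValueError("all losses equal; Pareto shape is undefined")
    alpha = len(amounts) / denom
    mean = alpha * x_min / (alpha - 1) if alpha > 1 else math.inf
    return {"x_min": x_min, "alpha": alpha, "mean": mean}


def net_premiums(cases, years, theta=0.10, beta=0.25):
    """Compound-Poisson aggregate yearly loss S: E[S] = lambda*E[X],
    Var[S] = lambda*E[X^2]. Priced under the expected value principle
    (1+theta)*E[S] and a standard deviation loading E[S] + beta*sqrt(Var[S]).
    theta and beta are assumed loading factors."""
    amounts = [a for _, a in cases]
    lam = len(amounts) / years                        # claims per year
    ex = sum(amounts) / len(amounts)                  # empirical E[X]
    ex2 = sum(a * a for a in amounts) / len(amounts)  # empirical E[X^2]
    es, var_s = lam * ex, lam * ex2
    return {
        "lambda": lam,
        "expected_loss": es,
        "expected_value_principle": (1 + theta) * es,
        "standard_deviation_principle": es + beta * math.sqrt(var_s),
    }


if __name__ == "__main__":
    cases = clean_cases(RAW_CASES)
    amounts = [a for _, a in cases]
    print("cases per cause:", frequency_by_cause(cases))
    print("lognormal fit:", fit_lognormal(amounts))
    print("pareto fit:", fit_pareto(amounts))
    print("net premiums:", net_premiums(cases, OBSERVATION_YEARS))
```

Run the file directly to print the cleaned frequency table, both severity fits and the premiums. On the constructed data the empirical mean loss is 4000 EUR at 2 claims per year, so the expected yearly loss is 8000 EUR and the expected-value premium with a 10% loading is 8800 EUR; the lognormal fit implies a finite mean near 3900 EUR, while the Pareto fit returns an infinite mean, so whichever distribution is chosen for the real case histories has to be checked for a finite mean before any of the listed premium principles is applied.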
By studying public statistics of data file valuation, credibility theory can also be utilized for assessing net premiums.

Completing this project will inevitably require tools from the area of data mining. The study and processing of KÜRT's data bank of damage cases and of other relevant public data collections leads to such tasks. Information extraction, characteristic of such activity, starts with data cleansing: the handling of noisy, faulty or defective data. The next step is data integration and data selection, to precisely define the range of data used for analysis and to convert the data into a unified form independent of the source. The next move can then be the exploration of the regularities (patterns, association rules, etc.) within the data. The results of the statistical analysis can also be utilized on a shorter time span, within risk management. Based on the analysis and the connected research, KÜRT's ISyS technology can be improved by a new component which provides a finer and more exact risk assessment.

3. Utilization, expected economic results, direct and indirect effects of the project

The whole world seems to be entangled in a network of information technology. Real life events and visions concerning Internet opportunities are the driving force behind the quality improvement of IT devices. The concept of IT quality shall bring about a new product: information technology insurance. Traditional industries have gone through the same line of progress.

The insurance technology in its current form primarily offers value-for-money, optimized security solutions for large, multinational organizations. In 2004, we intend to launch a subset of the whole technology, IT Protection Shield (ITPS). IT Protection Shield is simpler than ISyS, providing efficient and cost-effective planning, modeling, execution and regulation procedures for small and medium-sized enterprises. Generally speaking, data insurance is a sound investment for a company or organization if eliminating the risks discovered in its system would cost a lot more than the damage in case of data loss.

Future target groups of data insurance services can be found on both sides of the business sphere. Data insurance as a product shall undoubtedly be offered by insurance companies. Data insurance as a service will presumably spread among such clients as:
- Internet service providers;
- content providers;
- banks and other financial institutions;
- companies, organizations and institutions which store large quantities of electronic data considered valuable for business or personal rights reasons;
- companies and organizations which utilize massive IT support in business and production processes;
- companies and organizations which utilize valuable business-to-business or business-to-consumer techniques;
- companies and organizations which utilize valuable business-to-administration or consumer-to-administration techniques;
- government organizations, in which IT security and IT insurance measures should be mandatory in the near future.

4. European Dimensions

In December 1999, the European Commission announced the eEurope initiative for harvesting the fruits of available digital technologies and creating an overall Information Society in Europe. The European Council's decision at Feira in June 2000 states that the action plan adopted there has to be executed by the end of 2002. This action plan puts extra emphasis on network security and the fight against network crime. The European Commission will initiate, among other things, the establishment of police units against international computer crime in countries where such units have not been set up, and will support training courses and programs. On the technology level, the Commission will support research and development in the field of exploring methods for risk and vulnerability elimination, and the dissemination of the pertaining know-how.

The realization of this project may result in Hungary joining and playing a prominent role in this initiative. Besides direct domestic utilization, this project can also help Hungary to attain an appropriate position in European IT security research and development, a position befitting the country's reputation and intellectual capacity.