Green Book Draft 4.0
Draft 4.0, October 18, 1993

Table of Contents

Preface 1
Summary of Requirements for Action 3
Acknowledgement 7
1. Introduction 10
2. Scope 11
3. General issues 13
3.1. Globalisation of the economy 14
3.2. Internal Market 14
3.3. Human Rights and the Protection of Communications 15
3.4. Social Acceptance 16
3.5. Human Rights and the Safety 17
3.6. Confidence in Communication 18
3.7. Management of Openness and Protection 19
3.8. Common Concerns of Commercial and National Security 21
3.9. Security and Law Enforcement 22
3.10. Economics of the Security 23
3.11. Social Recognition of Information Crime 24
3.12. Human Factors 26
3.13. Safety Critical Environments 26
3.14. Embedding Systems 27
4. Demand Related Issues 29
4.1. Requirements for Enterprises and Individuals 30
4.1.1. Agreement on Security Requirements for Enterprises 30
4.1.2. Security Administration 32
4.1.3. Security Objectives for Enterprises 33
4.1.4. Exploiting Innovation 34
4.1.5. Sectoral Specifics 35
4.1.6. Security Domains 36
4.1.7. Security Labelling 37
4.1.8. Administration of Access to Security Related Data 38
4.1.9. Security Requirements for Individual Users 38
4.2. Requirements for Security Functions 40
4.2.1. Access Control 40
4.2.2. Requirements for Electronic Cash 42
4.2.3. Requirements for Security Services 42
4.2.4. Digital Signature 46
4.2.4.1. The Individual Right to Signature 46
4.2.4.2. Consistency of Legal Principles for Digital Signatures 47
4.2.4.3. Universal Acceptance of Digital Signatures 48
4.2.5. Privacy enhancement 49
4.2.5.1. Perception of Requirements for Privacy Enhancement 49
4.2.5.2. The Case for the Provision of Public Confidentiality Services 51
4.2.6. Use of Names 53
4.2.7. Security of Electronically Stored Information 55
4.3. Requirements for the Safety of Communication Systems 56
4.4. Requirements for Evaluations 57
4.4.1. Trustworthiness of Communication 57
4.4.2. Motivation to Acquire Evaluated Solutions 59
4.4.3. Consistency of Procurement Practices 59
4.5. Requirements for Security and Safety Methodologies 60
4.5.1. Risk Analysis and Management 61
4.5.2. Metrics for Loss Assessment 62
4.5.3. Technology Assessment 63
4.5.4. Analysis of Audit Trails 63
4.5.5. Safety Specific Methodologies 64
4.6. Requirements for Audits 65
4.7. Information Valuation 66
5. Supply Related Issues 67
5.1. Supply Related Issues 67
5.1.1. Security Services 67
5.1.2. Signature Schemes 71
5.1.3. Confidentiality Schemes 72
5.2. Supply Related Issues - Security Management 73
5.2.1. Role of Trusted Third Parties (TTPs) 73
5.2.2. Key Usage 76
5.2.3. Key Management Service 77
5.2.4. Distributed-Secret Escrow Systems 78
5.2.5. Management Services for Names 79
5.2.6. The Management of TTPs 80
5.2.6.1. Operating Principles of TTPs 80
5.2.6.2. Interworking of TTPs 81
5.2.6.3. Interworking of Autonomous Confidentiality Services 82
5.2.6.4. Accreditation 83
5.3. Supply Related Issues - Evaluation of Trusted Solutions 84
5.3.1. Evaluation of Products, Systems, Services and Applications 85
5.3.2. International Harmonisation 85
5.3.3. Vendor Declarations 87
5.3.4. Self-evaluation 87
5.3.5. Evaluation of Applications 88
5.3.6. Evaluation of Communication Services 89
5.3.7. Trusted Network Management 90
5.3.8. Evaluation of Methods and Tools 91
5.3.9. Physical and Procedural Issues 92
5.3.10. Modifications to Evaluated Products 92
5.3.11. Performance Reporting for Trusted Products 94
5.3.12. Rationalisation of Evaluations 94
5.4. Maintenance of Safety and Assurance 95
5.5. Technological Change 96
6. Rights, Responsibilities and Liabilities 99
6.1. Legal Framework 99
6.2. Data held in Electronic Form 100
6.3. Environment 104
6.4. Interaction and Relationships between Private Parties 106
6.5. Harm 106
6.6. Eliminating 107
6.7. Legal Restrictions affecting Technical Solutions 108
6.8. Limitations to Liability 109
6.8.1. Recommendations for Liability Limiting Measures 109
6.8.2. Information Security Audit 110
6.9. Procedural 111
6.10. Insurance 112
7. Spectrum of Measures to provide Information Security 113
7.1. Policy Framework 113
7.2. Agreements 114
7.3. Regulation 114
7.4. Accreditation 114
7.4.1. Accreditation of Services 114
7.4.2. Accreditation of TTPs 115
7.5. Products and Services 115
7.6. Common Practices 115
7.7. Awareness 117
7.8. Specifications 117
7.9. Standards 117
7.10. Technology 118
8. Cross Impact Analysis 121
Annex: Recalling the Action Lines 140
Action line I - Development of a strategic framework for the security of information systems 140
Action line II - Identification of user and service provider requirements for the security of information systems 141
Action line III - Solutions for immediate and interim needs of users, suppliers and service providers 141
Action line IV - Development of specifications, standardisation, evaluation and certification in respect of the security of information systems 143
Action line V - Technological and operational developments in the security of information systems 144
Action line VI - Provision of security of information systems 145
Appendix A: References 147
Appendix B: Abbreviations 148
Appendix C: Index 148

Preface

The Council adopted in May 1992 a Decision in the field of the security of information systems[1] comprising the development of overall strategies for the security of information systems (action plan) and the setting up of a Senior Officials Group (SOG-IS) to advise the Commission on action to be undertaken. The Decision has as its objective the development of overall strategies aiming to provide users and producers of electronically stored, processed or transmitted information with appropriate protection of information systems against accidental or deliberate threats. The scope of the Decision foresees the following lines of action:

I. Development of a strategic framework for the security of information systems
II. Identification of user and service provider requirements for the security of information systems
III. Solutions for immediate and interim needs of users, suppliers and service providers
IV. Development of specifications, standardisation, evaluation, and certification in respect of the security of information systems
V. Technological and operational developments in the security of information systems
VI. Provision of security of information systems

The Decision is implemented by the Commission, in close association with related actions in Member States and in conjunction with related Community research and development actions.

As a step towards the formulation of the "Action Plan" identified in the Council Decision, and in accordance with the opinion of SOG-IS[2], a Green Book on the Security of Information Systems is being prepared which addresses, in accordance with the Annex of the Decision:
- an overall view of the requirements for action in summary form
- the issues involved
- the spectrum of measures that result from an analysis of the issues.

The present document sets out the background to the development of a consistent approach to Information Security in Europe, taking into account common interests with other countries. The intention of the Commission Services in preparing the present document is to encourage a better understanding with the sector actors in the Community on Information Security issues and to develop a consensus on the requirements to be considered. It therefore does not necessarily represent the views of the Commission Services, or of the Senior Officials Group for Information Security, on the subject, but rather provides a basis for reflection and concertation with sector actors and Member States. The Green Book represents an intermediate step towards the formulation of the Action Plan foreseen in the Council Decision.
Its purpose is to state the main issues related to the security of information systems in their context. A deliberate effort has been made to present the subject matter in as objective a fashion as possible. By progressively widening the consultation in the preparation of the document, the aim is to obtain a representative and balanced view of the issues and of the nature and implications of the options for action one may wish to consider. In its presentation the document intentionally avoids voicing an opinion on the framework or organisation which might be adopted to address a given issue or requirement. Such recommendations are to be included in the Action Plan.

Note on Draft 4.0

The preparation of the document comprises four successive phases, each including iterative steps:
Phase I: Preparation of an Outline and Collection of material
Phase II: Drafting
Phase III: Informal Consultation
Phase IV: Formal Consultation

In its present form the document represents an intermediate step towards Phase IV of the preparation of the Green Book.

Summary of Requirements for Action

1. Introduction

Rationale

The trustworthiness and protection of information is essential for the functioning of a modern society. Information Security threats are growing with the diversification and multiplication of communication services and the use of electronic information by business, administrations and the individual. In the last decade the Community has been working progressively towards the creation of the Internal Market and has led a policy of liberalisation and harmonisation in the field of communications services. When the INFOSEC Decision was adopted it was recognised that the threat to information security would need a collective effort at the European level, and it set as its objective the formulation of an Action Plan to complement the national actions in a well understood spirit of subsidiarity as far as national and internal security was concerned.
The purpose of this section of the document is to set out the critical factors for future developments and the action required to ensure trustworthy information services and applications in Europe and in its relations with other parts of the world. It formulates options for future policy and identifies those which promise to best meet the needs of the EC in the context of international developments and trends.

2. Proposed Positions and Actions

Based on the results of the enquiry that resulted in the Green Book, needs for action on an EC scale have been identified. These require a concerted approach within Europe and, where possible, internationally. The following proposed positions and actions are derived from the results of the work so far.

General Position

Democratic societies engaged in the global economy need to provide for adequate levels of information security. With the growing diversity of services and applications of telematics, the security of information systems will need to evolve with the growing demand and reduce the risks of the threats to security and safety, while avoiding obstruction of innovation or of economic and social developments.

A. Trust Services

Proposed Positions

In the emerging information society traditional techniques of securing information, such as signatures, envelopes, registration, sealing, depositing and special delivery, need to be matched by electronic equivalents. The protection of the user, service provider, operator and the collectivity should be preserved, and the balance between freedom and responsibility should not be changed in an uncontrolled manner. Service offerings need to cater for the needs for seamless information security for business, the general public, video and multimedia communications and teleworking, in the non-classified domain. The working of the Community Institutions and the EC-wide operation of public administrations of the Member States can be expected to rely on a combination of these services, as appropriate.
The definition of information crime and the rules governing the use of electronic evidence in civil and criminal court proceedings need to be harmonised within the EC in order to address cases involving trans-European services and applications. In the absence of such harmonisation, safe havens for illegal activities can form to the detriment of the EC. As the economy becomes global, and the interrelationship among the different actors tighter, the accepted practices and rules under which these actors operate need to be well defined and transparent, implying a coherent codification of essential practices and relations. As Europe formulates and implements policies depending on, or affecting, information security, overall consistency demands greater attention. Specifically this relates to the new policies under the Maastricht Treaty, Internal Market, Competition and Telecom policies, and to specific actions such as Open Network Provision (ONP Directives) and Trans-European Networks (TENs).

Proposed Actions

- to provide for the setting up of trust services. Trust services include digital signature, non-repudiation, claim of origin, claim of ownership in negotiable documents, fair exchange of values, untraceability, and time stamping.
- to provide for the establishment of Europe-wide confidentiality services for non-classified information.
These could include the following classes:
> minimum IS assurance to be maintained by all service providers (level of present letter mail and telephony under national privacy legislation)
> enhanced IS assurance for private and professional use (level of registered mail or courier delivery, as needed for normal business transactions such as ordering and billing)
> professional IS assurance as needed for recognised categories of commercially (or otherwise) sensitive information
- to establish, accredit and audit a network of Trusted Third Parties for the administration of the service provisions, such as name assignment, key management, certification and directories
- to formulate a common EC-wide legal and regulatory framework for the alignment of national conditions to meet the needs of the Internal Market and international developments in information security
- to establish the liability principles for information providers, intermediaries and value added service providers
- to put in place arbitration mechanisms to resolve liability conflicts
- to establish the common principles for legislation covering communication crime and for electronic evidence
- to develop generic codes of practice for the handling of non-classified information, including rules for security labelling
- to develop sector-specific codes of practice and baseline controls.

B. International Developments

Proposed Position

In view of the rapidly evolving international communication and security scene, the security needs of European organisations and individuals must be safeguarded and the competitiveness of European industry maintained. The creation of barriers to trade and services based on the control over security mechanisms and digital signature schemes needs to be avoided. In case acceptable international solutions cannot be found, a European option should be considered.
Proposed Actions

- to work towards international solutions for information security requiring global assurance
- to strengthen the support for international standardisation
- to formulate common positions swiftly with respect to international developments, as they arise
- to consider a European option offering confidentiality and digital signature services internationally.

C. Technical Harmonisation

Proposed Positions

Vendors and service providers need to innovate to survive commercially. They have a vital interest in ensuring that their products are adequately secure and safe. Electronic products, systems, services and applications must operate to generally recognised levels of trust. A differentiated approach to the evaluation of trusted solutions is needed which includes vendor declaration, self-evaluation or formal evaluation. The choice among these mechanisms will depend on the costs and delays involved in formal certification processes, the level of assurance required and national constraints. The international character of service and product supply requires the establishment of mutual recognition of testing, validation, auditing and liability assessment. Safety, security and quality have many commonalities; these must be exploited to reduce cost and delays in evaluations.

Proposed Actions

- to establish an international scheme for evaluation, certification and mutual recognition that provides for once-only security, safety and quality evaluations for applications, services, systems and products
- to establish the principles for an incident reporting obligation for evaluated solutions, and for the dissemination of such reports
- to establish principles for incident containment
- to establish a scheme for service provider and vendor self-evaluations and declarations
- to specify Community-wide quality criteria for the safety of systems, incl.
methodologies for the assessment of threats, vulnerabilities, and hazards for safety critical systems
- to establish rules for the assurance of embedded systems.

Acknowledgement

The present document is the result of numerous contributions received from experts working in the framework of IBAG, SRI, the Security Investigations and SOG-IS members (over 150 contributions received). To develop the thinking on specific groups of issues, the SOG-IS Advisory Group, reinforced by other experts, was consulted and contributed to the development of the document. In a spirit of openness, qualified contributions were accepted from all parties ready to contribute and to discuss their input in the context of an international workshop that served to consolidate the views into a coherent presentation. While the experts acted in a personal capacity, their affiliation is included in the list below as an indication of the range of experience which was drawn upon. The contributions and active involvement in the preparation of this document of the following personalities are gratefully acknowledged:

C. Amery, Zergo Consultants Ltd. (UK)
K. Ansttz, BIFOA (D)
Mr. Auer, Siemens Nixdorf (D)
G. Axelsson, Swedish Agency for Administrative Development (S)
E. Barreto, CEC DGIII/B
M. Baum, Independent Monitoring (USA)
T. Benjamin, Defence Research Agency (UK)
E. Bible, Cameron, Markby and Hewitt (B)
D. Birch, Hyperion (UK)
J. Birenbaum, France Telecom (F)
J. Blackwell, CEC DGXIII/C
C. Blatchford, Panacea Ltd (UK)
R.E. Bloomfield, ADELARD (UK)
A. Brignone, Protexarms (F)
S. Brummel, Akin, Gump, Strauss, Hauer, Feld & Dassesse (B)
A.J. Butcher, MOD - Royal Air Force (UK)
L. Cabirol, SCSSI (F)
R. Cadwallader, ENACT Ltd. (UK)
P. Carriot, F Telecom (F)
S. Castell, CASTELL (UK)
E. Cauvin, Agence pour la protection des programmes (F)
D. Cerny, Bundesministerium des Innern (D)
B.J. Chorley, NPL (UK)
J. Christensen, CEC DGXIII/C
C. Clark, IBAG (UK)
R. Clark, University of Dublin (Ireland)
B. Collins, PCSL Consulting (UK)
J-F. Cornet, ECOLORG (F)
C.J. Coumou, Coseco International BV (NL)
J.M. Court, Institute of Chartered Accountants (UK)
H. Daniel, BSI (D)
P. Daniel, GEC Marconi Secure Systems Ltd. (UK)
J. De Decker, IBM (B)
D. De Geest, ESN (B)
Mr. de Kervasdoue, CAP SESA (F)
A. de la Torre Prados, Ministerio de Industria (E)
E.R. de Lange, Ministry of Transport, Public Works and Water Management (NL)
P. de Lauzanne, GSIT (F)
B. De Schutter, Free University of Brussels (B)
M. De Soete, Philips I.T.S. (B)
T. de Vries, KPMG Management Consultants (NL)
D. De Winter, Siemens Nixdorf AG (D)
P. Dellios, Ministry of Transports and Communications (GR)
Y. Deswarte, LAAS-CNRS & INRIA (F)
G. Dietzel, CEC DGXIII/C
R. Dunkel, IBM Europe (F)
D. Duthil, Agence pour la protection des programmes (F)
G. Eisen, IABG (D)
G. Endersz, Telia Research AB (S)
R.A. English, Communications Security Establishment (UK)
A. Eriksen, Ministry of Justice (N)
P. Fagan, Secure Information Systems Ltd. (UK)
Mr. Fravezzi, Ministry of Defence (B)
A. Fujioka, NTT Laboratories (Japan)
P. Furberg, c/o Swedish Agency for Administrative Development (S)
S. Gaskill, Dibb Lupton Broomhead (UK)
M. Gasparinetti, CEC Consumer Policy Service
H. Gebhardt, CEC DGXIII/A
S. Geyres, VERILOG (F)
L. Glanert, Deutsche Telecom (D)
A. Hallan (L)
R. Hanouz, CEPME (F)
N.G.L. Harding, Health Systems Co-ordination (UK)
G. Hardy, Touche Ross & Co. (UK)
N. Harwood, BT (UK)
P. Haufman, SPRI (S)
S. Herda, GMD (D)
V. Heyvaert, Akin, Gump, Strauss, Hauer, Feld & Dassesse (B)
N. Higham (UK)
G. Hoberg, BELGACOM (B)
P. Hoving, TeleTrust (S)
E. Humphreys, XiSEC (UK)
D. Hurley, OECD
F. Iribarne Navarro (E)
K. Iversen, Norwegian Centre for Medical Informatics (N)
E. Jahren, Ministry of Government Administration (N)
C. Jansen, Philips Crypto B.V. (NL)
M. Jones, DTI (UK)
M. Kemna, CEPIS Task Force (NL)
M. King, CESG (UK)
H.M. Kluepfel, Bellcore (USA)
P. Knopf, Swiss Mission to the E.C. (B)
T. Knowles, DMR Group Ltd. (UK)
M. Kopecky, SNCF (F)
S. Kowalski, Stockholm University (S)
H. Kurth, IABG (D)
S. Kurzban, PACE
P. Landrock, Cryptomathic A/S (DK)
J. Lang, Perihelion Software Ltd. (UK)
C. Laske, Free University of Brussels (B)
Y. Le Roux, Digital Equipment (F)
J. Leach, Zergo Consultants Ltd. (UK)
A. Legait, SYSECA (F)
O. Leiberich (D)
E. Lemmens, Programmation de la Politique Scientifique (B)
W. London, Cameron, Markby and Hewitt (UK)
W. Madsen, Computer Sciences Corporation (USA)
S. Mathews, PCSL Consulting (UK)
R.A.J. Middleton, British Computer Society (UK)
M. Miloikovitch, Thomson-CSF (F)
S. Mohammed, European Parliament
R. Moses, Information Systems Ltd. (UK)
P. Müller, Bull Ingénierie (F)
M. Nasrullah, Ministry of Transport, Public Works & Water Management (NL)
S.-I. Nilsson, ECITC (B)
J. Norman, SGS-Thomson Microelectronics (F)
M. Ohlin, Swedish Defence Material Administration (S)
T. Osvald, CEN (B)
K.W. Ott, Ott Technology Software sprl (B)
A. Parondo, ISDEFE (E)
A. Patel, Teltec (IRL)
L. Pauwels, Belgacom (B)
A. Peralta, Univ. Politecnica de Cataluna (E)
H. Peuckert, Siemens AG (D)
C. Pfleeger, Trusted Information Systems (UK) Ltd. (UK)
F. Piau, Pari Mutuel Urbain (F)
E. Pimentel Saraiva, Banco Totta & Acores (P)
D. Pinkas, Bull (F)
R. Pizer, Certification Body, UK ITSEC Scheme (UK)
D. Poelmans, EDS B nv (B)
R.I. Polis, Groupe de Management Genève (CH)
K. Presttun, Alcatel (F)
G.R. Price, Glynwed Group Services Ltd. (UK)
M. Purser, Baltimore Technologies Ltd. (IRL)
G. Rabe, Technischer Überwachungs-Verein Nord e.V. (D)
K. Rannenberg, Universitaet Freiburg (D)
R. Rehorst, Telecommunications and Post Department (NL)
K. Rihaczek, DuD (D)
E. Roback, Computer Systems Laboratory (USA)
G. Roelofsen, PTT NL (NL)
T. Roraas, Norwegian Telecommunication Regulatory Authority (N)
C. Rossi, FTI (I)
R.A. Rueppel, R3 Security Engineering AG (CH)
G. Ruggiu, Bertin (F)
G. Rumi, ETNOTEAM SpA (Italy)
M. Salmon, Thomson CSF (F)
E.H. Schäfer, Deutsche Telecom (D)
I. Schaumüller-Bichl, Genesis GmbH (A)
T. Schoeller, BSI (D)
G. Shuringa, Radobank (NL)
H. Siebert, IBM Deutschland (D)
F. Simoes, European Parliament
R. Slegtenhorst, Organisation and Technology Research NV (B)
S. Smith, EDS B (B)
J. Sneep, COSSO (NL)
H. Strack, EISS (D)
W. Suchun, FUNDP (B)
M. Tuset (E)
R. Urry, Digital Equipment Corp. (B)
I. Uttridge, Logica Defence & Civil Government Ltd. (UK)
P. van Dijken, Shell International Petroleum (NL)
P.W.J. van Dok, Cooperative Centrale Raiffeisen-Boerenleenbank B.A. (NL)
H. van Dorp, Bazis Foundation (NL)
W. van Gils, Intercai (NL)
M. van Lith, KPMG EDP Auditors (NL)
N. van Zuuren, Prodata Systems (B)
A. Veller, Cullen International (B)
A. Verrijn-Stuart, Leiden University (NL)
L. Voorham, CEC Security Office
H. Weerd, Coopers & Lybrand (NL)
W. Whitehurst, IBM Corporation (USA)
K. Wiessing, The Dutch Government Centre for Information Security (NL)
G. Williams, ACT/BIS Information Systems Ltd. (UK)
D. Willis, DTI (UK)
S. Winkelmann, Hochschule für Technik u. Wirtschaft (D)
H. Wirth, Auswärtiges Amt (D)

1. Introduction

Rationale

Individual, corporate and national wealth expresses itself increasingly in the form of information. The growth and performance of an estimated 2/3 of the economy relies on manufacturing or services heavily dependent on information technology, telecommunications and broadcasting, and therefore depends critically on the accuracy, security and trustworthiness of information. This is of as great importance and interest for individuals as for commerce, industry and public administrations. Correspondingly, the protection of information in all its aspects, here referred to as Information Security[3], has become a central policy issue and a major concern world-wide. The Council Decision of March 31, 1992[4] in the field of security of information systems recognises this situation and calls for the development of strategies to enable the free movement of information within the single market while ensuring the security of the use of information systems throughout the Community.
A consistent approach at European level could help to promote the interoperability of systems, lower existing barriers and avoid the formation of new ones between the individual Member States and with other countries[5]. Therefore, there is an urgent need to address requirements and options for action in the field of security of information systems at national, Community and international level, in close collaboration with sector actors and national governments. Any action must take into account both national and international commercial, legal and technical developments. The key issue is to provide effective and practical security for information held in electronic form to general users, the business community and administrations without compromising the interests of the public at large. Since information security is involved in the protection not just of property and people, but even of society itself, Member States regard it as a topic which, like defence, touches on national sovereignty.

2. Scope

Security is a pervasive subject that arises whenever information is being used in private, business and public life. The scope of the subject and a clear distinction between its different dimensions need to be kept in mind throughout. The diagram below provides a statement of the scope in an aggregate form.

Structure of the document

The core of the document describes issues and the resulting requirements for action. It was felt necessary to state the problems clearly and concisely before attempting to define solutions. In this sense, the document, in its present form, represents a rather comprehensive analysis of the problems, without being a work programme. The requirements for action are stated in a general form, without implying any particular organisational responsibility. These issues are grouped under the following headings:
General issues. Here some of the basic issues relating to the security of information systems are described. These place security into a fast evolving world economy and state issues like rights and obligations, human rights, openness and protection.

Demand related issues. Issues under this section are concerned with requirements, security objectives, Codes of Practice, and the needs for digital signature and privacy enhanced communications.

Supply related issues. Under this heading, issues are identified which arise when meeting the demand for security; they include security services, Trusted Third Parties, evaluation and R&D.

Rights, responsibilities and liabilities issues. Under this heading issues relating to the consequences of security breaches are dealt with. These include civil law and insurance.

The measures one can consider for addressing the issues identified are aggregated in a separate section. This presentation is used to accentuate the profile of issues which can be addressed by the same kind of measures. The diagram below depicts this structure.

3. General issues

3.1. Globalisation of the economy and mobility

Issue

The internationalisation, diversification, pluralisation and popularisation of the use of communications and information systems.

Discussion

The unprecedented increase in mobility and the provision of global communications has resulted in manufacturing, trade and leisure activities extending world-wide. Distributed manufacturing, publishing, and financial operations form the backbone of the modern economic system. Travelling and communications for business or pleasure are commonplace. This is being supported, and sometimes driven, by a spectacular development in the field of communications and by the proliferation of affordable and easy to use information systems. In the last decade the cost-performance of long-distance transmission has improved by 5 orders of magnitude.
This change is providing the basis for a rapid diversification of world-wide services customised to provide access to a full range of information services and utilities wherever and whenever required. Terrestrial, satellite and mobile networks provide the physical infrastructure, and an unrestrained number of service applications provide the customised applications. The nature and scope of provision of Information Security in this new world of open, multi-service and multi-media communications, with a multitude of alternatives for routing, management and access, has profoundly changed the requirements and options for Information Security (IS). Flexibility of access and openness of the network and the service environment have to be balanced against the requirement of accountability of the user and the service provider and the protection of possible third parties involved. Associated with this is a new network of responsibilities and liabilities.

Requirements

- revision of the scope and approach to information security to reflect the new conditions, challenges and requirements brought about by globalisation
- adaptation of the respective policies and regulations
- clearly defined conventions on the expectations, responsibilities, duties and liabilities related to levels of security, harm, and good practices.

3.2. Internal Market (four freedoms)

Issue

Alignment of the national conditions relating to Information Security with the requirements of the functioning of the Internal Market.

Discussion

The Internal Market, as adopted in the Single Act, provides for the "four freedoms" within the Community, i.e. free movement of goods, capital, services and people. The legislation of Member States provides for the internal needs for information security; however, the requirements in the case of trans-European communications remain to be addressed.
Inconsistent or incomplete provisions for information security and safety represent a technical obstacle to the working of the Internal Market. The measures taken to establish confidence in systems should not adversely affect the flow of goods and services. Standardisation, certification, mutual recognition and administrative procedures should provide for the unobstructed working of the Internal Market. This requires standards that are valid but not overly restrictive on technological solutions, and certification regimes that recognise the international aspects of many of the markets (e.g. in avionics, motor vehicles), the costs of certification, and the likely acceptance by the market of any certification regimes put in place. Beyond the technical aspects, the administration of information security needs to reflect the realities of the needs of the Internal Market. Services are to be increasingly provided on the principle of one-stop and pay-per-use. Information security, as an integral part of services, needs to be provided in a seamless manner throughout the Community and to support EC actors in their business world-wide. Related are the issues of liability and insurance. The impact of the different states' legal systems and the associated liability issues needs to be understood.

Requirements

- adaptation of the existing provisions with respect to their conformance to the Internal Market policy of the EC, implying the removal of existing internal barriers and the avoidance of the formation of new technical barriers due to divergent application of security and safety rules, regulations and legislation
- provision to business and the public of solutions available throughout the Community, and preferably at the international level, respecting the one-stop and pay-per-use principles
- consistent deployment of standards and certification where critical for the working of the Internal Market
- certification and standards that reflect the needs of the different market segments.

3.3. Human Rights and the Protection of Communications

Issue

To reconcile the human right to privacy and the obligations of law enforcement to protect public order.

Discussion

Privacy and the protection of private information is considered one of the fundamental human rights of individuals and is protected to varying degrees in Member States. The European Convention on Human Rights states: "Everyone has the right to respect for his private and family life, his home and his correspondence." Individuals have the legitimate expectation that this right is respected and that solutions are made available to them that ensure the safeguarding of this right. This applies to conversation in the home and, to a lesser degree, when telecommunications is being used. However, prevailing national solutions do not, at present, provide for trans-European services and communications, and this lack can be exploited, inter alia, by organised crime. With the rapid growth and diversification of communication services the rights and duties of individuals and law enforcement are being reviewed and redefined, e.g. FBI-supported legislation and the US government's proposal to provide US business and citizens with cryptographic devices including explicit provision for intercept by law enforcement agencies. As the safety and security of the individual provided by the process of law and order is also related to human rights, reconciling these objectives represents a delicate political issue. The diagram below gives an overview of international, Community and national responsibilities for different application categories.

Requirements

Common approach defining rights, responsibilities and duties of individuals, business and the authorities.

3.4. Social Acceptance of Identification and Authentication Methods

Issue

To reconcile the human right to privacy and protection with the use of identification and authentication methods for access control, authentication and accountability.
Discussion
The use of biometric methods and smart cards is technically feasible and becoming more economically feasible as an identification and access control technique. Biometric methods rely on a system of machine recognition of a set of personal characteristics to verify the identity of an authorised user in order to allow access to some physical environment. Such personal characteristics include hand-written signatures, fingerprints, voice prints, machine phrenology, lip prints, response of the skeleton to a physical stimulus, hand geometry and retinal patterns. Many other personal characteristics and recognition techniques are being investigated by researchers. Some of these affect the human right to privacy more than others, and some are socially unacceptable.

As an example, the retinal blood-vessel pattern of a human eye (retinal vasculature) is highly characteristic of the individual. A typical system might work as follows. The individual is required to look into an optical device and, through a process of optical adjustment, fixate on a crosswire, whereby the recognition machine will locate the fovea of the individual and, scanning with a low-intensity infra-red beam, detect the nodes and branches of the retinal pattern falling within the scanned area. The measured pattern is compared with the stored pattern of the individual and access is granted or denied depending on the result of the comparison. This method of machine recognition may or may not be considered socially acceptable, on the grounds of hygiene, because of the type of information being stored about the individual (a record may be built up which reveals other information relating to a person's health condition), or because of the general problem of protection of medically relevant information.

There are systems under trial for the recognition of human profiles, eg the human face. Again these systems may not in general be socially acceptable, and the issue of privacy and human rights may come into play. The use of voice-prints has been introduced in Australia and does not require the consent of the persons concerned. It is used to scan calls for individuals.

In addition to biometric controls, the role of smart cards containing megabytes of personal data may potentially represent an issue. Even a magnetic stripe on a passport or national identity card may contain around 200 characters of information. Security and privacy controls should reflect national conventions and practices. Smart identity cards and national identification numbers may serve as conduits to greater amounts of personal data contained in databases. Member States treat such technology differently. As identity cards and passports transition to machine-readable embedded chips and magnetic/optical stripes respectively, privacy and security controls must be incorporated to prevent abuse of the personal data therein.

Progress in bio-technology raises new questions as to the definition of privacy, the rights of the individual over information relating to his person and the assurances required for its use. Information relating to genetic defects is of obvious sensitivity and implies corresponding measures for protection. Work may need to be undertaken to set out a clear distinction between things that are biometric and things that are medical. At the present time there is low confidence among the general public in the honesty of commerce or government in the field of bio-technology.

Requirements
- Clarification of the ownership of biometric data and privacy of biometric data
- issues related to the use of biometric data
- agreed classification of biometric data and conditions requiring secure handling of such data
- definition of the rights and responsibilities of individuals, business users, corporations and administrations using biometric techniques.

3.5. Human Rights and the Safety of Systems

Issue
To reconcile the human right to expect the supply of goods and services that are not life threatening with the vendors' commercial need to supply goods and services that exploit information systems in safety-critical functions.

Discussion
Safety-critical systems differ from security-critical ones in that if they fail, death or serious injury to people may result. The law treats the liability of suppliers in this situation differently from that where information is lost or property damaged: suppliers are held strictly liable. Codes of practice for the development of safety-critical systems exist in order to reduce the chance of failure, and design techniques are invoked to analyse all possible hazards. Nevertheless risks remain. At a Community level, harmonisation of such codes of practice and design techniques would enable citizens to rely on a consistent level of safety in any Member State, and it would reduce the costs of development of codes of practice and design techniques in each country. Community-wide procurement would be facilitated, as would the development of safety-critical systems by Community-wide consortia.

Requirements
- Community-wide standard for design practices and codes of conduct
- harmonised legal environment for vendors and users of safety-critical systems.

3.6. Confidence in Communication Systems and Confidence in Services

Issue
To establish confidence in communication services and systems for all the parties involved (users, public, service providers etc.). This includes confidence in the general ability of the technology as well as confidence in specific solutions and the way they are managed.

Discussion
Confidence in the security and safety of communication services and systems is a basic requirement if regulators are to discharge their duties, if service providers and vendors are to be able to operate in the communication market, and if consumers and users are to benefit from the technologies.
In considering confidence we need not only to address it from an idealised objective viewpoint but also to take into account the behaviour of users, their perception of risks and its volatility. It might only take one incident to undermine user confidence, with substantial financial and political repercussions, eg reluctance to use air travel, rejection of certain makes of cars. Confidence is therefore a key notion. It is achieved through the integration of disparate sources of evidence: from the process used to develop the system, from properties of the system as revealed by analysis and testing, and from experience with the particular system and other similar ones. The confidence in a service or system should be rigorously and scientifically based: the confidence should not be misplaced. There is a need to understand this integration of evidence and engineering judgement and to develop procedures and techniques for it.

An important contributor to confidence is experience with the system under consideration and similar systems. While many suspect that software and design errors are important factors undermining confidence in systems, this is normally supported by anecdotes rather than by statistically significant evidence. There is a need to establish what dependability is being achieved in practice, the relative importance of different parts of the computer systems, and how dependable computer systems compare with other components in the wider system. Mechanisms should be put in place for feeding this data back to the development of systems and for providing early warning of problems before these develop into incidents. Ideally, the experience with systems should be related back to the techniques and procedures used to develop them. There is also the issue of how confidence in a service or system can be expressed and communicated.

While independent, diverse viewpoints are undoubtedly important in the verification and validation of systems and in motivating vendors and service providers, the issue of whether these practices need to be codified into formal requirements for third-party evaluation and certification needs careful consideration and evaluation of the costs, risks and benefits. The alternatives of self-evaluation, vendor declarations and of using other mechanisms such as liability and the insurance market may be more appropriate.

Linked to the concept of confidence is the need to anticipate whether a system could potentially meet the requirements and to prevent the development of unassurable systems. It may be possible to develop simple rules (eg the notion of claim limits used in parts of the nuclear industry to disallow claims of reliability greater than 10^-5 failures per demand for a single system) that, while not restricting innovation unduly, delimit what is assurable.

Requirements
- Real-time indication for the user of the trustworthiness of a service or system
- feedback mechanisms for security and safety related incidents involving communications
- independent assessment of the levels of trustworthiness being achieved
- investigation of the reasons why the security and safety of systems are compromised
- understanding of the relative importance of the different system components and the components of the wider system and usage context
- methods/frameworks for evidence reporting
- role (costs, benefits) of certification in providing confidence and communicating this in the market place
- establishment of agreed claim limits to establish assurability.

3.7. Management of Openness and Protection

Issue
Openness and protection are partially contradictory user requirements, which need to be reconciled depending on the specific circumstances. The user must be able to define the security controls based on need, consistent with national, international and regulatory constraints.
These controls need to be managed in a way that provides protection in an open environment and does not unduly impede the functioning of the service or usage.

Discussion
In considering management, one must introduce the concept of a user of an Information System, and the role that they perform in using that system. At any time the user of an Information System will be performing a role, which could be one of: system owner, administrator, auditor, investigator, data provider, or user. It is quite possible for the requirements of these roles to be logically in conflict with each other. Openness of access may be in conflict with protection from general availability. There may also be national, international or regulatory constraints which impose role requirements beyond those needed to satisfy the operational use of the Information System.

An open environment must be provided with controls that are capable of providing protection without technical limitations. A single, isolated computer may be effectively protected, as far as confidentiality is concerned, against threats from outside by physical separation and human administration. This does not apply in the context of telematics. Telecommunications and telematics applications are increasingly being designed for maximum openness and inter-operability, since the utility of ITT&B-based services and applications depends largely on the possibility of users world-wide being able to freely inter-operate over communication links. Major international efforts are underway to establish standards permitting this, in particular through Open System Interconnection (OSI), Open Distributed Processing (ODP) and Open Network Provision (ONP). The acceptance and use of telematics services depends on meeting the justifiable interests of all parties: in particular, being able to choose trade-offs between "openness" and "protection". In recognition of this, increasing attention is being given to the provision of Information Security Services and Techniques.

The comparison with the way this dilemma is traditionally addressed leads to some observations which also apply when information is handled electronically. These include, for example:
- The User/Originator requires the freedom to decide over the degree of openness/protection depending on his appreciation of the requirement or the applicable rules of conduct for the given activity.
- Profiles exist setting out the needs of both openness and protection that need to be supported. A single-level profile will not support the requirements of all the users involved, and there may need to be mechanisms which allow for negotiation between profiles to determine temporarily agreed common profiles.
- Infrastructure, services, applications and organisation have to be adapted to provide the openness/protection.
- To the role holders, both the visibility and the transparency of the degree of openness/protection are crucial.
- Accountability for the application of appropriate levels of openness/protection requires objective records, which are themselves protected.

The management of the openness and the protection of Information Systems requires the definition of security domains. These correspond to the security policies which are in force for the Information Systems in use, as modified by the constraints of the role holders. It should be remembered that computers which are not directly under human supervision may form part of the security domains involved.

The development of a generic framework for the management of open and protected communications in a user/business oriented environment must include:

1. Reinforcement of the options to define security domains
Terminal users, servers and other computer-based resources link into business processes to provide information domains which require corresponding security domains. Such facilities must not only promote the correct degree of openness, but must also provide filters against unauthorised access. This needs to be possible not only at one site, eg on LAN-based applications, but also via MANs and other communication links. The definition and management of such security domains needs to be possible either from within the user group or provided by a trusted third party. Virtual Private Networks have some of the features, but these would also need to be available in the context of public network based applications.

2. User interface for the management of openness/protection
Normal usage requires the ability to communicate either with specific correspondents, a select group, an open group or indiscriminately, the choice being determined by the nature of the information, its function and the applicable rules. The user interface needs to cater for this, as well as the underlying services and applications.

3. Objective records and procedures for the accounting of open/protected transactions
Processes must be available that provide non-refutable evidence of the origin of, and delivery of, information to all involved partners.

Requirements
Generic framework for the management of open and protected communications in a user/business oriented environment:
- definition of agreed security domains
- user interface for the management of openness/protection
- objective records and procedures for the accounting of open/protected transactions

3.8. Common Concerns of Commercial and National Security

Issue
Information Security is a common concern of business, administrations, citizens, law enforcement and defence.

Discussion
Though not to the same degree, commercial and personal information security shares many aspects with defence and other classified governmental affairs. This provides an opportunity for commercial and personal applications to build on experience and expertise from the defence and classified government area.
The reverse is also true. As commercial security advances and becomes available on a large scale, governments and defence organisations may wish to take into account this body of experience. In addition, governments themselves are, of course, in need of adequate protection of their non-classified information and will wish to make use of public services of this kind.

Requirements
- Common requirements of business, citizens and authorities to adequately protect commercial and personal information and its communication.

3.9. Security and Law Enforcement on an International Scale

Issue
Crime is exploiting weak information security to further its ends. Strong information privacy may also be used to escape investigation by law enforcement.

Discussion
Crime, and here organised crime and terrorism in particular, relies on weak information security to prepare and execute its operations. As quite powerful means for information security have been published and are freely available, their increased use in protecting such operations is perceived as a growing problem. Public authorities have in the past used legal and regulatory powers to restrict the use and dissemination of related technologies. With the growing availability of computing power and open networks, this approach is getting less effective, as organised crime, contrary to the legitimate user, feels free to use products that are not authorised. The overall result is that business is seriously constrained in meeting its security requirements, particularly in international communications and in its relations with other organisations. If business requires the legal and regulatory powers to relinquish total control over these security-related technologies, business has a duty of care to manage and control their use for its commercial and business purposes, including the policing and auditing of management environments.
Correspondingly, authorities maintaining control carry the responsibility for the potential damage to business, individuals and the economy at large.

Privacy and security are impacted by the growth in interconnected law enforcement/criminal information systems. There is an increasing availability of criminal and law enforcement information from a variety of national databases (eg the United Kingdom's Police National Computer 2 (PNC2), Germany's INPOL, France's fichier des personnes recherchées (FPR), the United States' National Crime Information Centre (NCIC), Canada's Canadian Police Information Centre (CPIC) and Australia's Law Enforcement Access Network (LEAN)) and international databases (eg the Schengen Information System, INTERPOL's X.400 distributed database network and the EUROPOL/Trevi Information System). Incorrect information can lead to false arrests and a general denial of civil liberties. Non-vetted information can result in individuals being arrested and/or investigated for spurious and non-criminal reasons such as political, trade unionist and religious activities.

Requirements
- Effective, internationally agreed, economic, ethical and usable solutions to meet business, administration and personal needs
- mechanisms for authorised interception for law enforcement
- reporting of incidents and crimes adjusted to the conditions of the Internal Market
- equipment, software and an infrastructure of trusted third parties.

3.10. Economics of the Security of Information Systems

Issue
The use of information security impacts on costs, performance and availability. It may also be used to achieve a competitive advantage.

Discussion
The cost of security is an integral part of the cost of ownership of an information system, ie without security the user's system is at risk. The cost of protection against breaches of security needs to be commensurate with the costs (both direct and indirect) that may be incurred from a breach in security.
A security breach may have short-term (and perhaps localised) implications such as loss of sales and revenue, or fraud or theft. It may also have longer-term (and wider) impacts on business communities through loss of confidence and consequential loss of business. The costs of detection, resistance and recovery can be both tangible and high, and although there are techniques available to quantify risks, there are no generally applicable methods for estimating the potential costs arising, for example, from denial of service or loss of integrity. The provision of security measures may also make systems harder to use and may constrain overall performance. However, where the security risk is high enough to cause an unacceptable level of compromise, leading to considerable commercial and financial loss, then security measures must be given high priority commensurate with the nature and value of the business in question. If information security is too expensive, clumsy, not effective in the context of actual usage or not available in time, its use is avoided and high risks are taken until something drastic happens. The issue for information security is therefore not only to be effective but also to address other requirements which impact the acceptability and application of information security. In particular, countermeasures may have to be put in place that meet specific regulatory or legislative requirements, with associated mandatory assurance needs.

To a business, securing information can be thought of as being like an insurance policy: the cost of protection must be balanced against the likely consequences of the perceived threat occurring. This cost is made up of a number of elements, including:
- the life-cycle costs of implementing the countermeasures in relation to the likely and worst-case impact on business performance
- liability of management for incidents and the relationship with customer confidence
- legal costs.
An important experience from the past two years shows that, in commercial applications, the aspects of cost and ease of use are critical for the introduction of information security. For this reason a number of enterprises, including many Governments, are looking to procure Commercial Off The Shelf (COTS) security products to meet their needs, rather than developing bespoke systems.

The unit cost of security is affected by market volume. Market volume is unlikely to be achieved without commoditisation of security products to the point where they are part of the IT infrastructure rather than a separate cost factor (on cars, ABS was expensive until it became generally fitted). High volume and commoditisation can be achieved by:
- the provision of a common architecture and security building blocks which can be used across the widest possible community so that low prices can be achieved
- development of world-wide standards for secure systems
- raising awareness of security risks in order to stimulate demand
- common or mutually recognised security evaluations world-wide
- vendor self-certification, with appropriate liabilities
- agreed protection levels with corresponding sets of protection measures (to focus products onto common needs). Current work on baseline controls could provide a basis for an agreed minimum protection level. Other protection levels may be needed for more sensitive or critical information
- it may be that separate security evaluation criteria and methods need to be developed to allow low-price, low-assurance assessments to be carried out.

Requirements
- IS-to-cost techniques for business and private users
- incorporation of good information security design practice in the development of products and services
- definition of information security as a business and marketing factor
- identification of acceptance levels for insurers, regulators and the commercial courts
- specification of duties and responsibilities of parties to the use of information systems and their security requirements
- security architecture and "building blocks" specifications and standards, with a view to minimising the cost of providing commonly needed levels of security.

3.11. Social Recognition of Information Crime

Issue
Negligence, ignorance and recklessness are some of the causes of many security breaches and create the opportunity for information crimes.

Discussion
Information security breaches, like failures to observe safety rules, can in many instances be attributed to a lack of care or ignorance. This is compounded by the fact that the loss of immaterial goods, for example information, is not considered as serious as the loss of material goods. This is due in part to the fact that electronically stored information can be reproduced at close to zero cost without the loss of the original. Stealing information is therefore often considered a gain for the thief without a loss to the owner. It is perceived by many to be a game rather than a real problem, because people are unable to relate the electronic world to the real one. This has the double effect of inciting negligence by the owner of the information and little concern for the illegal acquisition of information.
Because of the widely practised back-up of information resources, this applies even to the intentional or accidental destruction of information.

There is much work in establishing and reinforcing "ethical principles" as applied to specific actions of information ownership, creation, dissemination, etc. These need to be related to sector actors, their control perspective and the assets over which they exercise either explicit or implicit authority. This needs to be related to codes of practice and conduct, legislation and regulation to establish the extent to which protection is dependent upon a formal or informal control environment or can rely on the enhancement of ethical and professional standards.

Changes to traditional programming techniques have made it possible for non-IT professionals to deliver programming and systems analysis methods. In many smaller enterprises such work would often be done by non-IT professionals. Two examples of computer crime illustrate the diversity of situations which may arise:

Example 1
In a German company (belonging to the "Association for Security") a programmer, unsatisfied with his salary, caused damage by means of a specific computer program. This program modified the data of a database by randomly controlled write operations. The program was intricately hidden among other program parts. Within two years the database became more and more defective and damaged. The costs of the damage and of reconstructing the database were about 500 000 ECU.

Example 2
In an office of the German Government a huge computer system, comprising various storage means and terminals, was installed. Suddenly the computer execution times and the response times became much longer than expected. After a difficult investigation it turned out that a programmer, who had founded together with his wife a shop for sending out photo equipment, had done his complete accounting, mailing, etc. for his shop on the computer in a hidden area.
He had camouflaged or suppressed the logging of this program. He caused damage of about 100 000 ECU.

Requirements
- Education and training on the information security requirements and concepts needed to operate in a secure manner in the Information Age
- clarification of "Info-Ethics" for the professional and individual user in its relationship to information security
- clarification of responsibilities of the sector actors in general and in their relations with each other, with particular reference to open and distributed applications.

3.12. Human Factors

Issue
Human interference with information systems constitutes the biggest risk factor to security and the most difficult to address.

Discussion
The largest potential threat to IT systems arises from the people involved in them, be they designers, programmers, operators or users. More security breaches are caused by human error, often by well-intentioned people, than by any other cause. Apart from providing fool-proof systems and services, there is thus a need for organisations to give due consideration to the non-technical techniques which they should consider to meet this threat. Such techniques could come under the heading of personnel policies and forced users: positive vetting, removal on notice, monitoring changes in life style, avoidance of collusion, job organisation, contracts of employment, etc., and the role of good supervision. Allied to this is the need to emphasise that controls in a system must not only relate to the technical mechanisms but to the system overall, including the clerical and manual workforce. And, of course, they must relate to the overall objectives of the organisation. "Security is an attitude of mind, practice and discipline."

Requirements
- Adjustment of personnel management practices and organisational procedures to reduce vulnerability to the actions of staff and other people
- greater use of non-technical management controls.

3.13. Safety Critical Environments

Issue
Protection of information in safety critical environments.

Discussion
Safety and security have a common technological basis, but differ in their objectives. In complex systems there is in many cases a duality of objectives. Safe systems need also to be secure. The reverse is not necessarily the case. Safety is defined in terms of hazards and risk. A hazard is a set of conditions (a state) that can lead to an accident, given certain environmental conditions. The analysis of the safety environment involves identifying the hazards within a safety critical environment and then either verifying that hazardous states cannot be reached or that the risk is acceptable. Risk is defined as a function of the probability of a hazard occurring, the probability that the hazard will lead to an accident, and the worst potential loss associated with such an accident. Risk can be diminished by reducing any or all of these factors, and there are environmental-safety techniques that focus on each.

There is an increase in the use of information systems within various areas of application which are considered as part of a safety critical environment, for example in the area of healthcare (eg medical databases), air traffic control, transportation of hazardous and dangerous goods, industrial processes, etc. The increased reliance on electronic information in these various areas of application, specifically related to the control and management of safety, has resulted in an increased need for the protection of the information system supplying such information. Therefore the protection of information systems used in safety critical environments is a factor to be addressed when considering hazards and associated risks in such environments. Consideration needs to be given to the common requirements of security and safety, common methods for analysing the threats, vulnerabilities and hazards, and the role of security evaluation for safety-critical systems.
Requirements
- Common approach to the handling of security and safety critical requirements
- Methodologies for threat, vulnerability and hazard analysis for the protection of information systems used in safety-critical environments
- Methodologies for the design, development and procurement of safety critical systems, covering project management, development environment, auditing of process, configuration management and change control
- Common approach to security evaluation of information systems in safety-critical environments
- Common approach to information systems recovery in safety critical environments.

3.14. Embedding Systems
Embedded systems security

Issue
There is a marked trend to embed information systems in other products. This raises particular security and safety issues.

Discussion
Increasing use of computers and information processing is occurring in a manner that incorporates computers and information processing into other products to make those products more usable, flexible, etc. These embedded systems, which are usually hidden from the user, depend upon the accuracy of the programs they contain and of their information inputs and outputs to preserve the usefulness of the products in which they are placed. Failure of the processor or corruption of the programs or information contained may cause failure or destruction of the device, or a hazard to the user. Embedded systems are already being used in automobiles for controlling ignition, carburettor and braking systems, in television sets and VCRs, in microwave ovens, and so on. As embedded systems proliferate they create the potential for physical hazard to users beyond simple loss of the functionality of the devices in which they are embedded. The potential will also exist that such embedded systems could constitute a hazard to the well-being of bystanders or property. Security hazards can be introduced quite unintentionally.
For reasons of flexibility, suppliers of communication systems are moving towards firmware that can be installed in the field. They may thereby overlook the fact that such a facility may create an undefined platform. IEEE standard 1149.1 calls for standard test access ports and also foresees the possibility of remote diagnosis. It is therefore possible to extract data flowing between the components on a printed circuit board. To some extent, liability laws will cover product failures which cause damage to users. However, there may need to be some added means of ensuring the reliability of embedded systems and the integrity of the systems as they leave the factory.

Requirements
- Methods of testing that enable standards of reliability to be ensured, including tests to destruction where appropriate
- Approach for the certification of safe products
- Definition of requirements for fail-safe system architectures and implementations
- Anti-tampering and protection specifications and standards
- Quality label that indicates the quality level of the embedded system
- Awareness among designers of the potential impact of innovation on the validity of test technology.

4. Demand Related Issues

4.1. Requirements for Enterprises and Individuals

4.1.1. Agreement on Security Requirements for Enterprises

Issue
Identification of real-world security requirements and objectives for business and administration. The derivation of security requirements from business requirements is complex and not well understood.

Discussion
The protection of information systems must include all relevant aspects. Consideration must be given to requirements from the viewpoint of the enterprise, taking into account the corporate and organisational plans, goals and strategies of the business or administration. Requirements at this level can then be translated into "Security Objectives": why the security functionality is required as it applies to the operation of the business or administration environment.
There are two elements to this:
- identifying business requirements which have a security dimension
- relating that security dimension to security objectives.
These security objectives then need to be supported by a definition of the security functionality and related services necessary to support the user or business. The security model has not included legal, accounting or regulatory requirements, which may be imposed upon enterprises rather than forming an integral part of the enterprise requirements. Given the complexity and diversity of user and enterprise requirements for such protection, it is necessary to classify the requirements in some structured way consistent with real-world business and operational environments. The protection of information systems needs to consider the enterprise requirements of the business. These requirements not only include functionality that is owned by the enterprise but must include inter-enterprise requirements as well. It must consider the functionality and assurance of IT building blocks, end-user applications, integration enablers (such as electronic mail), operating systems, communication services and protocols, and basic hardware and software platforms. The balance of functionality (what it does) and assurance (how well it does it), both generic and application specific, will determine the extent to which electronic information systems are accepted as an integral part of both the public and corporate IT infrastructure underpinning business actions. The prime requirement for any secure system must be a set of architectural principles that can be effectively translated into an overall design framework. Secure systems must be created at different grades of assurance from a set of policies, standards and procedures. Specific security requirements relating to open systems will come from a threat assessment and risk analysis, which will form part of the overall system security policy process.
The cost of security is an integral part of the cost of ownership of an IT system, namely that without security the user's system is at risk. The cost of protection against breaches of security needs to be commensurate with the costs (both direct and indirect) that may be incurred from a breach of security. A security breach may have short-term (and perhaps localised) implications such as loss of sales and revenue, or fraud. It may also have longer-term (and wider) impacts on business communities through loss of confidence and consequential loss of business. The cost of detection, resistance and recovery can be tangible and high, and although there are techniques available to quantify risks, there are no generally applicable methods for estimating the potential costs arising, for example, from denial of service or loss of integrity. The provision of security measures may also make a system harder to use and may constrain overall performance. However, where the security risk is high enough to cause an unacceptable level of compromise, leading to considerable commercial and financial loss, then security measures must be given high priority commensurate with the nature and value of the business in question. Sectoral requirements vary widely, as do requirements by size of enterprise within a sector. Sectoral requirements may be varied by regulation, bilateral international agreements, general trading agreements or conventions. Increased demand for electronic trading from all kinds of businesses, in both the public and private sectors, will place requirements for security on the communal service infrastructure that provides the capability for such business activities. The regulatory and legal environment within which such service organisations work will become a factor for economic growth in the community, and the security of service provision an element of such services.
Requirements
- Taxonomy and directory of user requirements and security objectives derived from experience with practical applications.

4.1.2. Security Administration

Issue
Security administration operates within the overall management. It should not compromise its mission.

Discussion
Security administration is an indispensable function for the normal working of any organisation and falls within the "control" aspect of management's activities. The function's objectives will be to ensure the existence and maintenance of security of:
- hardware, firmware, software
- personnel
- communications and networks
- physical environment.
It will also be concerned with disaster recovery and contingency planning; compliance with legislation such as data protection and privacy laws; and maintaining auditability. Corporate governance issues are now starting to require directors of listed companies in the UK to state publicly whether they consider that their companies' system of internal control has been working, and this specifically includes information security considerations. Security administration represents a non-negligible cost factor in an enterprise. It may also unduly restrict personnel in doing their job. Therefore, security administration and management needs must be reconciled. Personnel in the security administration function need not only to have adequate awareness, information and training in order to recognise threats and vulnerabilities and to be aware of appropriate counter-measures, but also to understand the enterprise's mission. Management is responsible for reviewing audit reports and taking corrective action where necessary. Audit is responsible for ensuring that security technology has been implemented in accordance with the organisation's security policy. Specific items to be considered under this area also include control over safety critical and process control information, and security logs and the need for real-time alarms to detect intruders, where appropriate.
It is important to be realistic about controls and not overlook simple matters such as the possibility of passwords being sold.

Requirements
- Guidelines for the establishment of a security administration function
- Recommendation on moving towards commonality of laws on data privacy and protection, particularly relating to individuals
- Means to provide increased awareness and relevant education and training
- Guidelines for consideration of balanced security, taking account of the level of risk in different areas (physical, personnel, hardware, software, data, etc).

4.1.3. Security Objectives for Enterprises

Issue
Definition of security objectives for enterprises.

Discussion
A security objective is a description of what security the enterprise is trying to achieve, eg why this security control or function is wanted. It is a mission statement of the user or enterprise which describes why an aspect of security is needed. It is a user or business target or purpose to which security is being addressed. For example, consider the subject of data integrity and the objective "Prevent unauthorised modification to data". This security objective has the associated objective "Appropriate mechanisms should exist to preserve the integrity of data". This may relate, for example, to data held on a medical database, on a company financial database, in an airline reservation system or in a geographic information system. The organisation of security within enterprises, in terms of business control structures or, in the case of some user environments (eg legal, accounting, audit etc.), functions (eg IT, human resources, insurance), needs to be integrated with a set of security policies and standards (both public and in-house), and made compliant with laws and regulations (eg computer crime manual), guidelines, codes of practice, etc. The process of producing a security policy may require the use of a set of security methodologies, tools and evaluation criteria.
For example, risk analysis methods, baseline controls, and evaluation criteria (eg ITSEC, Federal Criteria etc.). Security objectives thus encompass a set of objectives (and possibly sub-objectives) and a set of related issues that reflect specific points of concern, problems and questions relative to business requirements, controls and applications. The diagram below shows the relationship between security objectives, security organisation and security methodologies. Laws apply to the user environment directly. Their presence generates some of the security objectives. Standards may be both mandatory and discretionary, and may incorporate methodologies. The final box covers security methods and techniques.

Requirements
- Standard techniques for drawing up security policies for typical situations
- Methods and techniques for agreeing levels of security and security objectives.

4.1.4. Exploiting Security and Innovation

Issue
To establish how service providers and vendors could exploit the benefits of innovation without compromising security and safety.

Discussion
Vendors and service providers need to innovate to survive commercially. They have a strong vested interest in ensuring that their products are adequately secure and safe. Businesses by their very nature need to take risks to survive, and this commercial imperative for a risk-taking culture has to be reconciled with the needs of an inherently risk-averse security and safety culture in a way that is effective yet does not stifle innovation. There are many aspects to innovation. On the one hand there are innovations which change the technology that is being used to implement systems (eg from electrical or electronic to programmable). Other innovations concern the domains of application (new forms of command and control, remote diagnosis and maintenance, ultra-critical applications), and others concern the technology itself.
This can be either in the technologies deployed (eg new forms of fault tolerance, different types of open systems) or in the technologies used to develop systems (eg code generation, novel testing regimes, formal methods, neural nets). These innovations are likely to continue the trend for greater integration and internationalisation of systems, a convergence of dependability, safety and security problems, and a blurring of the distinction between hardware and software. Systems are likely to be more open than in the past, to be the result of evolution, and to make great use of components already deployed in other applications. The safety and security concerns will change as a system evolves, and changes in the environment of a system (eg organisational changes, removal of other systems ensuring safety) can cause a system to evolve into a higher level of criticality. There is a need for the measures taken to provide confidence in systems to cope with these innovations, and for businesses to have predictable certification or regulatory costs where these are relevant. This has a number of implications for the regulatory and certification regimes and poses challenges to the standards-making process. Innovation can bring with it new hazards. There is a need to identify these and either remove them via redesign, provide measures to tolerate them or, at worst, measures to mitigate their consequences.

Requirements
- Assessment methods for the impacts of changes on systems
- Procedural and regulatory framework that addresses the convergence of safety and security, etc (implications for standards)
- Methods for identifying early on where innovations are likely to be unacceptable from a safety perspective or will result in such economic penalties that they are not viable commercially.

4.1.5. Sectoral Specifics

Issue
Beyond the normal requirements common to different business sectors and user environments there may also be additional requirements and priorities specific to the operational nature and commercial mission of a particular business. These specific requirements can normally be expressed in terms of codes of practice and baseline controls.

Discussion
Legal and regulatory provisions can be supported by Codes of Practice in an attempt to achieve due care and diligence. There are those of general application and those that are industry specific. A general Code of Practice may be achieved by the establishment of a security management handbook, perhaps based upon the approach taken for achieving a quality code of practice (ISO 9000). The application of information security is a prerequisite for the successful conduct of business for particular sectors, especially when these sectors are highly interactive. The traditionally prominent among them are:
- Finance
- Trade
- Medical
- Telecommunications
- Manufacturing industry
- Process industry
- Administrations.
There may be other market-led requirements that will result in a different security-based segmentation.

Requirements
- Consolidation and development of a set of Codes of Practice and baseline controls addressing specific business sector requirements.

4.1.6. Security Domains

Issue
Openness and protection.

Discussion
In practice, the level of information security is dynamically adapted to a given situation. This leads to the concept of Dynamic IS Management and the need to be able to define domains in which information security is applied homogeneously. Domains are user groupings sharing some of their functions and support. For some activities they operate as virtually closed user groups, but have the possibility to interwork with other domains as long as certain minimum requirements ensure no loss of trust or a transparent downgrading. The notion of a security domain is therefore important for two reasons.
Namely:
- it can be used to describe how security is managed and administered, and
- it can be used as a building block in modelling security-relevant activities that involve elements under distinct security authorities.
Examples of domain activities are:
- accesses to elements (eg a database for network management)
- a communications link
- operations relating to a specific management function
- non-repudiation operations involving a notary.
The organisation of security within enterprises, in terms of business control structures or, in the case of some user environments (eg legal, accounting, audit etc.), functions (eg IT, human resources, insurance), needs to be supported by a set of security policies, standards (both public and in-house), laws and regulations (eg computer crime manual), guidelines, codes of practice, etc. The security policy defines what is meant by security within the domain, the rules by which security may be obtained to the satisfaction of the security authority, and the activities to which it applies. The security policy may also define which rules apply in relations with other security domains in general, and in relations with particular other security domains. The management of inter-domain openness and protection may differ depending on similarities in purpose, and agreements will be needed to achieve appropriate levels of assurance. Mechanisms by which TTPs achieve efficient, coherent management of policies, procedures and controls between domains need development.

Requirements
- Mechanisms for management of policies, procedures and controls between domains for TTPs
- Generation of guidelines for domain creation, management and control
- Development of a common framework for domain interworking
- Agreement on management, TTPs, accreditation, auditing and relations with law enforcement agencies.

4.1.7. Security Labelling

Issue
Transfer of information among domains requires agreement on the expression of the sensitivity of information, ie the syntax and semantics of the associated information labels, and on the procedures and mechanisms for handling labelled information.

Discussion
The basis for the trustworthiness of a domain and the trust between domains is the assurance that the processes that are used to manipulate information behave in a way that corresponds to the protection requirements of the information in terms of confidentiality and possession, integrity and authenticity, and availability and utility. Labels are a method for expressing the sensitivity of information. They can be based on different scales, such as the value of the information or the impact of a security breach affecting it. The need for comprehensive labels has become acute because of the increasing degree to which organisations interoperate electronically. This has led to increased reliance on technical measures to achieve adequate security. It is quite feasible for trusted systems to switch technical measures on or off automatically, provided that the label adequately expresses the security requirement associated with a piece of information. Labels could then be used to make decisions on information routing, transmission enveloping, requirements for confirmation and so on. However, decisions on information routing etc. cannot be made without user labelling, that is, some indicator of the categories of information which can be allowed into end systems or to users. Organisations have to agree on the range of options that meet any particular security requirement. Part of the solution to the handling of labelled information lies in the development of Codes of Practice specifying procedures and mechanisms. There is also a need for accreditation and audit of communicating partners.
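The automated label-driven decisions described above (routing, enveloping, confirmation), as an added example that is not part of the Green Book. The label syntax "LEVEL:cat1,cat2", the level scale and the domain data are all constructed assumptions; a real scheme would come from the inter-domain agreement the text calls for.

```python
"""Added example: label-based handling decisions for information crossing
a domain boundary.  An information label and a destination's user label
(clearance) share one syntax, "LEVEL:cat1,cat2".  Routing is permitted only
when the clearance dominates the information label; the label alone selects
the transmission envelope and whether confirmation of receipt is required.
Malformed or unknown labels fail closed.  All names/levels are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Ordered sensitivity scale (constructed for illustration).
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str]

    def dominates(self, other: "Label") -> bool:
        """Lattice test: level at least as high and a superset of categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def parse_label(text: str) -> Optional[Label]:
    """Parse 'LEVEL:cat1,cat2'; return None on any defect so callers fail closed."""
    level, _, cats = text.strip().partition(":")
    level = level.strip().upper()
    if level not in LEVELS:
        return None
    categories = frozenset(c.strip().upper() for c in cats.split(",") if c.strip())
    return Label(level, categories)


def envelope_for(label: Label) -> str:
    """Transmission enveloping chosen purely from the information label."""
    if LEVELS[label.level] >= LEVELS["CONFIDENTIAL"] or label.categories:
        return "encrypted+signed"
    if label.level == "INTERNAL":
        return "signed"
    return "clear"


def routing_decision(info_label_text: str, clearance_text: str) -> dict:
    """Decide whether an item may be routed to a destination, and how."""
    info = parse_label(info_label_text)
    clearance = parse_label(clearance_text)
    if info is None or clearance is None:
        return {"allowed": False, "reason": "unparseable label; failing closed"}
    if not clearance.dominates(info):
        return {"allowed": False,
                "reason": f"clearance {clearance_text} does not dominate {info_label_text}"}
    return {"allowed": True,
            "envelope": envelope_for(info),
            "confirm_receipt": LEVELS[info.level] >= LEVELS["CONFIDENTIAL"]}


if __name__ == "__main__":
    # Constructed sample: a medical record offered to three end systems.
    for dest in ("CONFIDENTIAL:MEDICAL", "CONFIDENTIAL:FINANCE", "SECRET:MEDICAL,FINANCE"):
        print(dest, routing_decision("CONFIDENTIAL:MEDICAL", dest))
```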
The introduction of independent third parties avoids the pairwise interactions that would otherwise be necessary to establish trust.

Requirements
- Guidelines for security labelling
- Standard on how to express labels and on the meanings of a basic set of security labels
- Codes of Practice and accreditation methods for domains claiming to support standard labels, and their mutual recognition.

4.1.8. Administration of Access to Security Related Data

Issue
Support of functions for the administration of security related data.

Discussion
Management of rights is an administrative function available to both security administrators and resource owners. While management functions reserved to security administrators can be rather sophisticated, functions available to resource owners have to be kept simple and easy to use. The management of rights can be separated into security information related to users (eg privileges, keys and/or passwords) and security information related to resources (eg access control lists, labels, keys). Management functions need to be performed from the place where the administrator or resource owner is sitting and apply to a number of remote resources. It is therefore important that the management of access rights is done in a secure fashion (eg using appropriate security protocols).

Requirements
- Easy-to-use tools for access right management and key management
- Secure solutions for remote administration
- Awareness of control issues concerning security related data, and the implications of non-action.

4.1.9. Security Requirements for Individual Users

Issue
Individuals and small companies have "enterprise requirements" but often have little opportunity to choose appropriate security protection when dealing with large organisations (eg equipment and software suppliers, service suppliers, banks).
Discussion
The individual user, in their role as a private citizen or as a member of a liberal profession (eg a lawyer or medical doctor), has a natural interest, and sometimes a legal requirement, to protect some of their information. Unlike the enterprise, the individual user will not normally go through a systematic process of establishing goals, defining security objectives, etc., unless they are subject to professional standards of conduct. The individual normally has at their disposal a PC (or small network of PCs) and some communication links, eg telephone, fax, e-mail. Physical security is often likely to be weak. Most liberal professions work under some code of practice or conduct. These codes are of a general nature and do not normally specify particular security arrangements. The common and specific requirements of individual users, with regard to the protection of their computer installation (physical and electronic), the protection of their data (against accidental and deliberate loss) and the protection of their communications (eg signed communications, privacy-enhanced communications), must be established. The individual user also has an interest that the totality of processing of any matters relating to the user is correct and confidential to the extent required.

Requirements
- User profiles identifying standard types of users together with typical requirements.

4.2. Requirements for Security Functions

4.2.1. Access Control

Issue
Access control procedures for many systems need to be standardised and well managed to meet their objectives.

Discussion
Computer systems and services impose control procedures on persons (or other systems) attempting to access them directly or over local or wide-area networks. These access control procedures apply to "connections"; that is, they determine whether or not a connection, association or session is allowed to be established.
These control procedures have often been primitive and relatively insecure, as the occurrence of "hacking" demonstrates. The requirement for secure access control is not confined to access to host computers by persons at terminals. Reciprocal (mutual) access control is often needed between two (or sometimes more) systems. Access control can apply across general telecommunication networks, determining (for example) who may call whom by telephone, or who may receive which programme on a cable TV network. In addition to applying to end-to-end (trans-network) communications, access control also applies to users and (even more importantly) operators accessing the network, and to access by human users to terminal devices. Although the importance of access control is widely recognised, the practical application of security techniques in solving the problem is more limited. This is for a variety of reasons including technical complexity, lack of agreed standards and lack of user acceptability. Secure access control relies on a mixture of:
- identification mechanisms (authentic naming), identifying the remote person or system
- authorisation mechanisms, determining the authority of the remote person or system to carry out different types of actions
- random (unpredictable) components, affording protection against the re-use of once-valid access control messages under invalid circumstances (replay)
- cryptographic techniques to protect the above from modification, copying, etc.
Without some analysis of access control scenarios, followed by some outline standardisation work, users and systems are going to find themselves having to implement and use (depending on their current application) a range of incompatible techniques, which in turn rely on only partially interoperable infrastructures (such as naming and identification authorities, certification authorities, key management systems, directory services, etc.).
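One way to combine the four ingredients just listed in a single connection decision, as an added example that is not part of the Green Book: a server-issued nonce is the unpredictable component, an HMAC binds name, requested action and nonce, and authorisation is checked only after identification succeeds. The shared secrets, names and rights table are constructed assumptions, and HMAC-SHA256 stands in for the unspecified "cryptographic techniques".

```python
"""Added example: a challenge-response access control exchange with
identification (authentic name), authorisation (rights table), a random
component (server nonce, consumed once) and a cryptographic binding (HMAC).
Keys, names and rights below are constructed for illustration."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Identification and authorisation data held by the server (constructed).
KEYS: Dict[str, bytes] = {"alice@lab.example": b"key-alice", "bob@lab.example": b"key-bob"}
RIGHTS: Dict[str, set] = {"alice@lab.example": {"read", "write"}, "bob@lab.example": {"read"}}


def mac(key: bytes, name: str, action: str, nonce: str) -> str:
    """Bind name, requested action and nonce so none can be altered or reused."""
    return hmac.new(key, "|".join((name, action, nonce)).encode(), hashlib.sha256).hexdigest()


def client_request(name: str, action: str, nonce: str) -> Dict[str, str]:
    """Message sent by the requester; a real client holds only its own key."""
    return {"name": name, "action": action, "nonce": nonce,
            "mac": mac(KEYS[name], name, action, nonce)}


class AccessServer:
    def __init__(self) -> None:
        self._outstanding: set = set()   # nonces issued and not yet consumed

    def challenge(self) -> str:
        """Random component: a fresh nonce the requester must echo back."""
        nonce = secrets.token_hex(16)
        self._outstanding.add(nonce)
        return nonce

    def decide(self, msg: Dict[str, str]) -> Tuple[bool, str]:
        """Allow or refuse the connection; the reason is for the audit trail."""
        key = KEYS.get(msg.get("name", ""))
        if key is None:
            return False, "unknown name"
        nonce = msg.get("nonce", "")
        if nonce not in self._outstanding:
            return False, "nonce not outstanding: replay or forgery"
        expected = mac(key, msg["name"], msg.get("action", ""), nonce)
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            return False, "message altered or wrong key"
        self._outstanding.discard(nonce)   # consumed once: a replay now fails above
        if msg["action"] not in RIGHTS.get(msg["name"], set()):
            return False, "name authenticated but not authorised for action"
        return True, "connection allowed"


def run_scenario() -> List[bool]:
    """Constructed exchange: a valid request, its replay, a tampered request
    and an authenticated but unauthorised one."""
    server = AccessServer()
    good = client_request("alice@lab.example", "write", server.challenge())
    outcomes = [server.decide(good)[0]]            # True
    outcomes.append(server.decide(good)[0])        # False: nonce already consumed
    tampered = dict(client_request("bob@lab.example", "read", server.challenge()),
                    action="write")                # action changed after the MAC was made
    outcomes.append(server.decide(tampered)[0])    # False: MAC no longer matches
    outcomes.append(server.decide(
        client_request("bob@lab.example", "write", server.challenge()))[0])  # False
    return outcomes


if __name__ == "__main__":
    print(run_scenario())
```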
Access control very often involves only two parties: one making the access and one granting or denying it. In some environments this is, however, inadequate, as some intermediaries make the access not on their own behalf but on behalf of someone else. This applies in a number of cases, in particular for distributed applications or transaction processing. For example, in a distributed service the requester addresses its request to the nearest server able to fulfil the service, and the request then has to be forwarded so that it can be honoured by the appropriate server within the service. This problem is called delegation. From the server's point of view different policies may apply: it may be interested only in the privileges of the initial requester, or in the privileges of all the intermediaries as well. The access control decision may then be based on the properties of the initial requester only or on all of the entities involved. In addition, restrictions on what intermediaries are or are not allowed to do may be specified by the initial requester. There is a need for widely accepted solutions to the most common access control scenarios.

Requirements
- Grouping of access control scenarios and schemes based on levels of commonality
- Techniques, products, specifications and standards addressing access control, matched to the scenarios identified
- Parameters common to most or all of the above techniques, products, specifications and standards, and the feasibility of establishing common formats for them
- Identification of the key features for coherence in the supporting infrastructure
- Basic access control mechanisms for pilot implementation
- Development of delegation scenarios
- Identification of techniques, products, specifications and standards addressing delegation, and their association with the identified scenarios.

4.2.2. Requirements for Electronic Cash

Issue
A general purpose system is needed for providing electronic cash.
Discussion
The securing of electronic cash shares some problems with negotiable documents, and may also need additional properties such as privacy (untraceability) and divisibility. Large-scale solutions already exist for paying small amounts of money in special situations, such as special cards for telephones and travel. Other systems exist for large amounts of money: prepayment and credit cards. Between these two, there is a need for a system to make general purpose payments for relatively small amounts of money. This means that the system must have low transaction costs, and will thus be able to compete with existing special cards. The system should ideally include the following properties:
- unlimited transferability (from one user to another)
- divisibility into any sub-amount required
- independence from on-line TTP services
- privacy / untraceability
- security and uniqueness, ie it cannot be forged or copied.
It should give users complete control over the amount transferred in each transaction, and allow them to know the amount remaining. It should be relatively easy to refill the device with electronic money, possibly via unsecured network services.

Requirements
- Agreement on the concepts underlying electronic cash
- International standards.

4.2.3. Requirements for Security Services

Issue
Various security services have been identified. Agreement on their requirements must be established.

Discussion
A variety of security services has been identified. Although several of these are used in practice on a limited scale, their general requirements have not yet been agreed and their availability to the general user is not yet established. Some of the more important services are described below.

Non-Repudiation Services
Non-repudiation of origin (respectively receipt) means that a particular user, called the originator (respectively the receiver), cannot repudiate (ie deny) having signed (respectively received) a particular electronic document.
It does not prove who actually created the document. We have exactly the same problem with paper documents: the fact that someone puts his signature on a hand-written transcript of music does not mean he is the composer. Non-repudiation services are precisely the services which in electronic communication can cover all the legal functions of a hand-written signature, but in a much more secure way. The main difference is that the digital signature which supports non-repudiation provides a logical connection to the message.

Claim of Origin
Copyright is a very important security service in the electronic handling of a document. The major problem with enforcing copyright of, say, a software program is that, of two different versions, it is difficult to decide which one is the original. This problem is of course not restricted to electronic documents. In fact, one runs into exactly the same kind of problems as in the paper world. The service required here is "claim of origin". This is the counterpart to non-repudiation in the sense that the point is to allow the creator to prove who created the document, as opposed to non-repudiation of origin, which allows everybody to prove that someone has signed a particular document (which typically commits him to something). The difference is that with non-repudiation services the receiver is able to prove something, whereas claim of origin pertains to the transmitter.

Claim of Ownership
Some conventional physical documents, such as the bill of lading and the bill of exchange, must be negotiable. Possession of the document must give title to anybody who can present it. The electronic equivalent is also needed. The goal to achieve here is that an electronic document can at any particular time be proved to be the (temporary) property of a particular user.
With ordinary paper documents, the problem is solved by giving the original of a document certain physical attributes that are difficult to reproduce. With this precaution it makes sense to speak of the original of a document, and to define the owner simply as the person holding the original. Negotiable documents require that their physical uniqueness be protected against duplication; it must be easy to distinguish a copy from its original. This is the case with hand-signed paper documents: a hand-written signature cannot be copied in such a way that the copy is indistinguishable from the original. Although a digital signature does protect the integrity of the signed electronic document, it can easily be copied, so that the original cannot be distinguished from its copies. This impedes the use of electronic communication, eg in maritime trade. The sender of a cargo produces a unique document, the bill of lading, hands a copy to the shipper and sends the protected original to the receiver. The receiver may trade the original and its title, or keep it. Whoever presents the original to the shipper will be handed the cargo. The shortcoming of the paper bill of lading is that it takes time to transport it, particularly as it is a piece of value and must be well protected. Therefore an electronic substitute should be found that protects the uniqueness of the original document and that can be transacted over communication systems. The technique should support recovery after equipment or communication failure.

Besides issuing negotiable documents there are other ways of securing correct title to property. Instead of a person proving his claim by presenting a token, the claim may be addressed to a distinct person, who is then expected to prove his identity. This is the case with the freight bill, which is another way of delivering a cargo to the authentic receiver.
However, the freight bill cannot be traded as effectively as the bill of lading.

The provision of electronic negotiable documents must include:
- document uniqueness, ie a document should exist in only one single valid copy (and can therefore not be sold more than once by an owner)
- document authenticity, ie it should not be possible to alter a document, and it should be possible to identify the origin of a document
- transferability, ie it should be possible to transfer the document through communication networks
- fail-safe storage and communication, ie recovery after failure should be possible both while a document is stored and while it is transferred between parties.

One should expect that, unless proper electronic documents become available, the use of paper for negotiable documents will continue, at the expense of effectiveness and with more paper. Transactions of negotiable documents are often part of a larger business transaction, eg the seller of a document receives a payment, or negotiable documents are exchanged between the parties. When such transactions take place over a telecommunication network, there may be a need for a service giving fair exchange of values, ie a service that can guarantee that either the whole exchange is performed or no exchange is performed at all. Such a service would secure against fraud during the exchange of values.

Fair Exchange of Values

When negotiable trade documents change hands, they are often handed over in exchange for something else, for example another negotiable document, some form of payment, or simply some piece of information that may be of sufficient value to the receiver. The party who gives a document away may of course be concerned about the possibility that he may not receive in exchange the object or the information he was supposed to. If the parties meet physically and exchange ordinary documents, this concern may not be very serious; an attempt at abuse is likely to be detected early enough to prevent a successful fraud.
In the world of (interactive) EDI, however, the problem can be more serious. Efficient communication is possible over great distances with parties with whom there may be little or no existing business relationship. Such parties may well be found worthy of less trust than those with whom physical meetings can be arranged.

Untraceability

As electronic registration and transportation of data become more common, there are an increasing number of scenarios where individuals face new threats to their privacy. Since many types of personal data can easily be traced to particular individuals, the fact that the data are electronically stored introduces the possibility that someone could efficiently collect comprehensive dossiers on individuals, even without this becoming known to the users themselves. In its most general form, anonymity or untraceability is a service with the goal of preventing such personal data from being traced and collected. The issue is therefore to allow accesses, calls or transactions to be performed without revealing the identity of the user.

In some cases anonymity of the user is required, or identification of the user is unnecessary. Examples where anonymity is required concern electronic cash or electronic shopping, where it relates to the privacy of the user. Practical cases are road toll systems and mobile phone billing without revealing the location history of the user. An example where identification of the user by the target system is unnecessary is a service which is open to thousands of users but where subscription to the service is managed not by the service itself but by another company: the service manager is only interested in the fact that charges can be paid when the service is used. Who is using the service is not relevant. In some cases the user would also like to know that the service manager is not able to trace back the user. Another category where anonymity is required is non-traceable calls.
Reporting of fraud or corruption will only happen if the call (either phone or e-mail) is not traceable to the caller. There is a need for mechanisms able to fulfil these needs. However, these kinds of techniques should not be used when there is at the same time a requirement for auditability. For cases where both requirements exist there can be solutions where tracing an event can only be achieved by co-operation between different auditors.

Time-Stamping

In electronic communications, a digital equivalent is required for the date and time stamp of the paper world. Such a time stamp must be issued by an organisation that is trusted. If time stamps are simply attached internally by the sender or receiver of a message, then, in case of litigation, it will be difficult to establish whether these were erroneous or have been forged. In direct communications both parties may agree on a mutual time reference, but in store-and-forward type communications time stamping by a third party is particularly important. Depending on sectoral differences, different granularities of time stamps may be needed. Some sectors may be content with the date, some need the nearest second.

Requirements
- scenarios for the use of electronic security services
- user specifications for electronic security services
- establishment of international application rules that can operate under the different legal frameworks and that ensure international communicability
- identification of different scenarios where it is appropriate for the public interest to mask or hide the identity of the end user, taking into account the balance between full anonymity and audit.

4.2.4. Digital Signature

4.2.4.1. The Individual Right to Signature

Issue

Individuals have the right to sign any information.

Discussion

As with hand-written signatures, anybody is entitled to use a digital signature. Therefore the distribution of keys for the purpose of signature must be non-discriminatory and non-restrictive.
Separate from the signature is the question of entitlement, ie whether a certain person is empowered to sign a certain element of information, document or transaction. Signature verification is therefore a two-step process: formal verification of the signature, and verification of the entitlement of the sender. This process is depicted below. It is assumed in this simple model that the sender adds his certificate (name plus his public key) to the signed document. The formal verification then establishes that a person with a certain name has correctly applied his signature and that the document has not been modified in transfer. Verification of entitlement checks that the named person has the legal power to sign the particular document. Note that, as a consequence, the powers given to a person should not be included in the attributes of the certificate, otherwise any change in these powers would invalidate the certificate. The situation may be further complicated by the fact that several signatures may be required for certain documents, eg husband and wife plus notary, or two company directors.

Requirements

Clarification of the right to signature and the attached entitlement.

4.2.4.2. Consistency of Legal Principles for Digital Signatures

Issue

The legal functions have to be clearly identified for the authority of digital signatures before a code of practice can be developed and introduced.

Discussion

In legal practice, security and functional requirements for hand-written signatures differ widely. In some cases a hand-written signature only indicates that the signer has concluded his train of thought or his expression of will; under the given circumstances its authenticity may be obvious and need not be provable. In other cases, for evidence, the signature must be provably authentic. In yet other cases authenticity requirements may demand attestation, or even ask for more than one person's signature or for public notification.
The spectrum of legal requirements can be matched by the spectrum of technical realisations, which may differ with respect to security provisions just as widely as legal requirements do. Yet the signing process must be transparent to the signer. For this reason it must follow standardised rules; specific man-machine interfaces must be familiar to the signer, ie they must follow a standardised layout principle. For ease of transition (in judicial thinking) from hand-written to digital signatures, the traditional functional requirements for hand-written signatures should be met by the technical implementation of digital signatures as closely as possible.

A particular problem is the validity period of a digital signature. One must distinguish the validity period of the signature itself from the validity period of the entitlement. The validity period of the digital signature itself may have to be limited for technical reasons. These reasons include:
- Insufficient key length. One may discover that some years from now, new progress in mathematics and technology makes it plausible that keys of the originally chosen limited length can be broken. (For instance, several European banks have introduced remote banking with RSA keys of length 512 bits. One cannot guarantee that this will be safe in 10 years, or even less, from now.)
- Poor key generation. One cannot be sure that programs of the desired quality level will be used by all key management centres. Hence users of those key management centres may find that their keys are breakable, and they have to cancel their certificates.
- Weak protection of the workstation. The secret key of a user may be compromised accidentally or through negligence. It may also be possible to capture the password of a user through a Trojan horse on his PC and subsequently gain access to the secret key. (Fraudulent users may even claim this happened, and give away their key on purpose, in order to dispute that a certain signature originated from them.)
Taking the necessary precautions, and taking a differentiated approach to the validity period of signatures, most digital signatures would then fall inside the scope of applicability of hand-written signatures.

The entitlement attached to a signature normally changes much faster. The authority given to a person should therefore not be included in the attributes of the certificate, otherwise any change in entitlement would invalidate the certificate.

However, in all the work that has been carried out so far, no solution is offered to the following problem: if messages have been signed with a key and need to be kept for a number of years, and that key is denounced by the user as being compromised, how can the value of the already calculated signature be left intact? One possibility might be to use a TTP for time stamping, but further study of this problem seems in order. An example may illustrate the point. If a user A signs a message in 1993 which has legal consequences for user B until 2003, and A then cancels his certificate in 1995, claiming that his key has been compromised, he will probably claim that the signed document from 1993 was falsified in 1995 by B, who could have bought a copy of A's secret key. However, if B upon receipt in 1993 had gone to a TTP and had the signature of A time stamped and signed by the TTP, or even registered, he can prove that A did in fact produce the said signature back in 1993. For some sectors and/or applications the granularity of the time stamping will be critical. It is conceivable that trusted time down to one-second accuracy will be needed.
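The following is an added illustration and is not part of the Green Book: it models, in Python, the two-step verification of 4.2.4.1 (formal verification of the signature against a certificate that carries only name and public key, then an entitlement check against a register kept outside the certificate), the third-party time stamp of 4.2.3, and the 1993/1995 revocation scenario above, in which a TTP-signed time stamp dated before the revocation lets B's copy of A's signature stand. Textbook RSA over small constructed primes stands in for a real signature scheme and is for illustration only; the names A and B, the document type names, the dates and the functions are all assumptions of the example.

```python
"""Two-step signature verification with a TTP time stamp (added example)."""
import hashlib
from datetime import date

E = 65537  # public exponent


def make_keypair(p, q):
    """Toy textbook RSA key pair from two constructed primes (illustration only)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return {"n": n, "e": E}, {"n": n, "d": d}


def _digest(data, n):
    # Hash the document and reduce into the key's modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data):
    return pow(_digest(data, private_key["n"]), private_key["d"], private_key["n"])


def verify(public_key, data, signature):
    return pow(signature, public_key["e"], public_key["n"]) == _digest(data, public_key["n"])


def make_certificate(name, public_key):
    # Name plus public key only: entitlement is deliberately NOT an attribute here.
    return {"name": name, "public_key": public_key}


def _token_data(document, signature, when):
    return document + signature.to_bytes(16, "big") + when.isoformat().encode()


def ttp_timestamp(ttp_private, document, signature, when):
    # The TTP signs (document, signature, date), so the date is not self-asserted.
    return {"date": when, "ttp_signature": sign(ttp_private, _token_data(document, signature, when))}


def check_document(document, signature, certificate, doc_type, entitlements,
                   revocations, ttp_public=None, timestamp=None):
    """Return (accepted, reason): formal verification, revocation/time stamp, entitlement."""
    if not verify(certificate["public_key"], document, signature):
        return False, "formal verification failed"
    revoked_on = revocations.get(certificate["name"])
    if revoked_on is not None:
        if timestamp is None:
            return False, "key revoked and no trusted time stamp: signing date cannot be established"
        if not verify(ttp_public, _token_data(document, signature, timestamp["date"]), timestamp["ttp_signature"]):
            return False, "time stamp token invalid"
        if timestamp["date"] >= revoked_on:
            return False, "time stamp not earlier than revocation"
    if doc_type not in entitlements.get(certificate["name"], set()):
        return False, "signer not entitled to sign this document type"
    return True, "accepted"


def run_scenario():
    """Constructed scenario following the 1993/1995 example: returns a dict of (accepted, reason)."""
    a_pub, a_priv = make_keypair(1000000007, 998244353)       # constructed primes for user A
    ttp_pub, ttp_priv = make_keypair(2147483647, 1000000009)  # constructed primes for the TTP
    cert_a = make_certificate("A", a_pub)
    entitlements = {"A": {"purchase order"}}                  # register held outside the certificate
    document = b"A undertakes to pay B until 2003 (constructed sample)"
    sig = sign(a_priv, document)
    stamp = ttp_timestamp(ttp_priv, document, sig, date(1993, 10, 18))  # B obtains this on receipt
    revocations = {"A": date(1995, 1, 1)}                     # A cancels his certificate in 1995
    return {
        "before_revocation": check_document(document, sig, cert_a, "purchase order", entitlements, {}),
        "after_revocation_no_stamp": check_document(document, sig, cert_a, "purchase order", entitlements, revocations),
        "after_revocation_with_stamp": check_document(document, sig, cert_a, "purchase order", entitlements,
                                                      revocations, ttp_pub, stamp),
        "not_entitled": check_document(document, sig, cert_a, "bill of lading", entitlements, {}),
        "tampered": check_document(document + b"!", sig, cert_a, "purchase order", entitlements, {}),
    }


if __name__ == "__main__":
    for case, (ok, why) in run_scenario().items():
        print(f"{case}: {ok} ({why})")
```

Keeping the entitlement register separate from the certificate is what lets "A" lose the power to sign bills of lading without the certificate being reissued, and the stamp only helps if it is itself signed by the TTP: a date merely written into the document by A or B would be exactly the self-attached time stamp that the text says cannot be relied upon in litigation.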
Requirements
- EC-wide/international agreement on the legal functions of signatures
- clarification of the conditions of acceptance of the authority of a digital signature, eg for legally binding purposes, ie as a substitute for hand-written original signatures
- recommendation for the implementation of a public digital signature scheme for use by business, administrations and the general public
- legislative rules and, where appropriate, liabilities, for keys, certificates and TTPs, to cover revocation of any or all of the entities involved in the chain of proof needed in the signature technique.

4.2.4.3. Universal Acceptance of Digital Signatures

Issue

For digital signatures to become a full alternative to hand-written signatures, universal acceptance is required.

Discussion

All functions of the hand-written signature should also apply to digital signatures. Where legal functions are carried out by digital signature, consensus with the legal profession is essential.

Requirements
- development, together with the legal profession, of recommendations for the practical use of digital signatures as a full equivalent to hand-written signatures in legal transactions
- demonstration, through pilot projects, that digital signatures can be used as equivalent to hand-written signatures
- inclusion of the use of digital signatures in the curriculum of relevant educational institutes (eg engineering, law and business schools).

4.2.5. Privacy Enhancement

4.2.5.1. Perception of Requirements for Privacy Enhancement

Issue

Confidentiality is, at times, essential for the good functioning of administrations, business and human relations.

Discussion

Business users of telecommunications and information systems cannot obtain the full business benefit without confidentiality services being available. There is a clear need for confidentiality services in the exchange of information in business as well as in private use.
Today the exchange of sensitive information requiring confidentiality is often done in non-electronic form, because for electronic transmission confidentiality is either not available or its use is not permitted. With the increasing demand for fast exchange of all kinds of data, the demand for confidentiality will become pressing. It is already present in some applications, such as medical information systems. Most business and private users of communication systems are aware of the conflict between their confidentiality requirements and national security issues, which require the possibility of intercepting communications in a way regulated by national laws. They accept the national authorities' ability to perform such interception provided there are adequate safeguards to prevent unauthorised interception, even by government employees.

Expectations of confidentiality of electronic message services cannot currently be met in the absence of international standards or internationally accepted methods. Uptake of these services by commercial users to support business processes will therefore have a natural limit, ie to those messages that one would usually write on a postcard. Examples of commercially sensitive information include pricing and bidding strategies, mergers and take-overs, or, from a privacy point of view, the transmission of personnel and medical data.

User needs for confidentiality

In analogy with the confidentiality offered by existing physical mail and archiving services (ie envelopes, registration, courier services, etc.), there is a need for confidentiality in the electronic interchange and storage of data. This is even more so because electronic data in its usual form, where only channel coding and formatting act as the "envelope", can be copied or disclosed much more easily than its physical counterpart.
At present certain unclassified but sensitive information on physical media such as paper, microfilm or photographs, belonging to business enterprises or medical centres, is protected against unauthorised disclosure by physical and procedural methods. Today the trend is towards more electronic communication and storage of data, and hence there is a need for appropriate confidentiality services, in an agreed or standardised form, to be readily available to all users of electronic information systems.

Service provision

The extent to which confidentiality services are provided for a specific business or citizen could depend on a system of licences or certificates. A particular business might qualify for a confidentiality licence depending on its internal procedures and activities. A general (minimum) level of confidentiality could be provided to all users. It should be possible for certain user groups or businesses to use confidentiality services other than the standard ones provided (eg proprietary ones). There are strong indications of emerging "bottom up" solutions for these needs (eg the Pretty Good Privacy offering on the Internet, beginning of 1993). Other initiatives (eg the announcement of the "Clipper Chip", 16 April 1993) illustrate the growing awareness of governments of the needs of their citizens for confidentiality services.

Awareness

In general, users of electronic data processing systems are not aware of the threats involved in using those systems. Only after they have noticed (the consequences of) an unwanted or unauthorised disclosure of their information will they start to think of the inherent vulnerability of the system they are using. In view of this, one should try to create more security awareness. Users, service providers, operators and authorities should achieve a certain minimum level of awareness of the issues involved in using confidentiality services before embarking on their use.
Granularity (meeting differentiated needs)

Confidentiality services at different granularities and for different types of telecommunication services are needed. Based on his risk analysis the user can then decide which level of confidentiality he needs, and use the service which provides this required level. Some users may want a range of services of different assurance levels (by analogy with courier services, registered mail and ordinary mail). Some users may want visibility of assurances to different extents.

Impact of loss of information and impact of theft of information

By their nature, actual risks and impacts of disclosure are hard to quantify. But the absence of a baseline of protection of confidentiality will undoubtedly have a negative impact on commercial (and other) usage of international electronic communications in a wide range of business processes.

Actors and roles

Individuals may have a number of roles in more than one organisation; these need defining or clarifying. Their "role" as a private citizen is an important case. The organisations that act as custodians of roles need to be classified also. These are essential ingredients for domain management.

Mutual confidence and TTPs

Users need mechanisms to ensure that they get assurance of compliance with agreed rules of procedure from their trading partners, or other private citizens, with whom they are interacting using confidentiality services. TTPs are one mechanism for achieving this, but other lower assurance, lower cost solutions may also need to be considered.
Requirements
- frameworks and architectures which are accepted by business users as well as by the national security agencies and the service providers
- standards for services and service provision
- compatibility of confidentiality services with existing communication standards and practices where possible
- verification of the practicability of proposed solutions through suitable pilot projects
- model contracts for confidentiality services
- improvement of the awareness of sector actors of the potential losses due to the absence of confidentiality services.

4.2.5.2. The Case for the Provision of Public Confidentiality Services

Issue

The provision of public confidentiality services has to reconcile the needs of the business sector and the general public with the obligation of public authorities to provide adequate protection while at the same time maintaining their capability to fight organised crime, maintain public order and national security. A well developed public confidentiality service would provide for these obligations in a transparent manner.

Discussion

Business operates increasingly in an international and open environment. Communications take place via private and public networks. Modern network management techniques use alternative routing depending on traffic conditions. This implies that the physical communication is under the control of a variety of intermediaries working under different regulatory and legal conditions for data protection and privacy, and therefore one must consider the network as inherently vulnerable. This means that end-to-end protection is required. This applies also to the general public using international public telephone networks. It is a fact that business and the general public have been addressing their needs with public domain solutions (published algorithms and freely available software).
However, this approach is awkward and its utility therefore limited, since, for example, there is no public directory and the user has to manage the keys himself. A public solution open to all users requiring electronic signature and confidentiality would remove the need for ad hoc solutions. It would also provide a transparent solution to the need for legally authorised intercepts. If a public confidentiality scheme is offered, organised crime could also subscribe to such a scheme, but as it would include provisions for legal intercept it would hardly be attractive. One would expect that such users would continue to find their own solutions, as will the classified domain. An open and public service offering a credible level of confidentiality would therefore provide for the honest user, while not worsening the situation with respect to public order or national security.

The combination of international communication and national security regulations requires a common framework for confidentiality services which interoperate within all Community Member States as well as with countries outside the Community which may establish their own confidentiality services. This requires either an overlay approach or gateways which link the different national or regional services. These gateways are only required where multinational agreements for co-operation on national security concerns are not yet established; in this case the gateways may provide at least an interim solution. In order to fulfil its function and eliminate the need for "home-made" solutions, the public confidentiality service must be open to world-wide use and provide its service in a non-discriminatory way.

Confidentiality services should ensure that:
- users are protected and obtain assurance against unauthorised interception and disclosure
- the confidentiality service is of high (technical, procedural) quality and evaluated as such by all Member States
- authorised disclosure of the protected user information (undoing the confidentiality service) is possible under certain well-defined circumstances, eg by secret sharing.

With this approach, the details (description) of the confidentiality mechanisms do not need to be published or disclosed to the public in general. While use must be largely unrestricted, the systems, sub-systems or equipment for the independent implementation of the aforementioned confidentiality services can be made subject to export controls, eg export is possible if:
- the users comply with the rules of the exporting nation (end-user declaration) with respect to the disclosure mechanism
- multinational business users from EC countries with "central" organisations
- other countries, on a bilateral agreement, liaise with the EC if they comply with the rules.

Export restrictions are, inter alia, based on the concern that cryptography may be used by hostile governments or other organisations for the concealment of subversive information. The same concern does not apply to the use of cryptography for integrity and authenticity enhancing services. There are technical solutions to provide integrity only; integrity plus signature; and integrity, signature and confidentiality. Confidentiality enhancement is de facto only meaningful in communications where the two other functions are also provided.

The problem remains that organised crime and hostile governments are not restrained from adopting public domain solutions or from developing home-made mechanisms. Furthermore, they are able to exploit legitimate users of systems and solutions to their own ends by use of traditional criminal mechanisms of bribery, blackmail or threats to personal safety. Legislation could discourage unauthorised use, but cannot be expected to prevent it, particularly in the case of organised crime. Restrictive legislation impacts the law-abiding user much more strongly than others.
Choice versus interoperability

Users and service providers may feel the need to choose solutions to achieve the assurance levels they require. But interoperability will dictate that only a limited set of possible choices is available, and the costs of service provision will also focus the debate onto efficient solutions.

Advice and instruction versus prohibition

This may vary from country to country; however, certain minimum rules will need to be adhered to between parties offering interworking public schemes, covering not only usage but also the systems, sub-systems or equipment for the independent implementation of such confidentiality services. The confidentiality that users enjoy will depend upon the robustness of the service that is offered. This in turn will depend upon the robustness of the available architectures against perceived threats: key theft, masquerade, deliberate denial of service and inadequate disaster recovery are examples of threats to which the vulnerability may differ between alternative architectures. Mechanisms are needed that provide a defined way to pass from one domain to another. This will require collective or multilateral agreements for interoperation.

Requirements
- architecture that minimises service vulnerability
- framework for the provision of trans-domain confidentiality services
- guidelines for pan-European confidentiality service providers (including accountability)
- model contract for relationships between service providers across national boundaries
- assurance criteria for service providers and operators
- accreditation process for mutual recognition.

4.2.6. Use of Names and Certification of Credentials

Iss