

THE COMPUTER LAW AND SECURITY REPORT 5 CLSR

COMPSEC 85

The Second National Computer Security Conference, organised by Elsevier International Bulletins (EIB), was recently held at the Anugraha Centre, near Windsor. Twenty-six papers were presented over a two-day period to 165 attendees, which included 25 overseas visitors from such far-flung countries as Egypt and Nigeria.

The first National Conference, held at Nottingham last year, was a joint promotion with the National Computer Centre (NCC), who are running their own event in Bristol in early 1986. In order to provide interactive presentations, this first EIB conference was based upon keynote speakers and workshops, including ones presented by manufacturers like ICL, British Telecom and Ozier, Perry and Associates (OPA) of San Francisco.

Will Ozier, General Manager of OPA, presented Risk Assessment Methodologies. This paper was unique in that, as well as overviewing the history of risk management and the current mainframe and micro-based products, Ozier described OPA's new product, the Bayesian Decision Support System (BDSS), which will be available in the US next Spring. BDSS is an IBM PC quantitative risk management tool that effectively addresses the uncertainty of risk through Bayesian statistical methods. This enables the selection and application of safeguards by producing a graphic evaluation of their effectiveness in reducing risk.
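The report does not describe how BDSS actually models risk, so the following is an added illustration (not OPA's code or method) of the general idea it names: a Gamma-Poisson Bayesian update of the annual incident rate, an expected annual loss that carries the uncertainty of that rate, and a ranking of candidate safeguards by net benefit. All figures, safeguard names and the prior are constructed for the example.

```python
import random
from dataclasses import dataclass

@dataclass
class Safeguard:
    name: str
    annual_cost: float      # running cost of the control per year (GBP)
    rate_reduction: float   # fraction of incidents the control prevents, 0..1

def update_rate(prior_shape, prior_rate, incidents, years):
    """Gamma-Poisson conjugate update of the annual incident rate.
    Prior Gamma(shape, rate); after observing `incidents` in `years`
    the posterior is Gamma(shape + incidents, rate + years)."""
    return prior_shape + incidents, prior_rate + years

def expected_annual_loss(shape, rate, loss_per_incident):
    """Posterior-mean incident rate (shape/rate) times loss per incident."""
    return shape / rate * loss_per_incident

def loss_percentile(shape, rate, loss_per_incident, p, n=20000, seed=1):
    """Monte Carlo p-th percentile of annual loss, carrying the posterior
    uncertainty in the rate rather than a single point estimate."""
    rng = random.Random(seed)
    draws = sorted(rng.gammavariate(shape, 1.0 / rate) * loss_per_incident
                   for _ in range(n))
    return draws[int(p * (n - 1))]

def rank_safeguards(shape, rate, loss_per_incident, safeguards):
    """Net annual benefit of each safeguard: loss avoided minus its cost,
    best first. A negative net benefit means the control costs more than
    the risk it removes."""
    base = expected_annual_loss(shape, rate, loss_per_incident)
    ranked = []
    for s in safeguards:
        avoided = base * s.rate_reduction
        ranked.append((s.name, round(avoided - s.annual_cost, 2)))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked

# Constructed sample input: prior belief of 0.5 incidents/year (Gamma(2, 4)),
# then 3 incidents observed over 2 years; each costs about 60,000 GBP.
POST_SHAPE, POST_RATE = update_rate(2, 4, incidents=3, years=2)
LOSS_PER_INCIDENT = 60_000.0
SAFEGUARDS = [
    Safeguard("dial-back modems", 8_000, 0.6),
    Safeguard("link encryption units", 20_000, 0.9),
    Safeguard("staff vetting", 3_000, 0.2),
]
```

Calling `rank_safeguards(POST_SHAPE, POST_RATE, LOSS_PER_INCIDENT, SAFEGUARDS)` orders the constructed controls by net benefit, and `loss_percentile(..., 0.9)` gives a pessimistic annual loss that a point estimate would hide.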

Keynote speakers included:

* Encryption and Authentication - Donald W. Davies
* Telecommunications and Dial-up Security - Dr. David Everett.

Donald Davies, formerly Data Security Specialist at the National Physical Laboratory, Teddington, discussed the Data Encryption Standard (DES). First published in 1978, and now showing its age, the DES will be a standard for banking but not a general commercial standard. However, DES requires re-certification in the US by the National Bureau of Standards/National Security Agency (NSA) in 1988. (The NSA, based in Fort Meade (MD) USA, provides advice and assistance in the hardware implementation of a DES-based system.) Davies also discussed public key cryptography but stressed that thought is now required regarding a DES replacement. In his paper Dr. Everett emphasised that while encryption ensured the detection of an active attack against a data communication line, good security management, especially in the area of user authentication, must be utilised to protect the environment containing the encryption keys.

British Telecom, in a Workshop session, also discussed Cryptography, with an emphasis on standards and equipment, some of which was over-priced for the move to provide secure networks in the commercial sectors. Market research had pointed towards a maximum cost of about £200 per unit. This new market would also require modular, user-friendly devices which could be integrated within an open interconnection of secure communications.

The Conference covered all areas including Office Automation, Security, Software Protection and Piracy, Audit Software and the Data Protection Act. However, according to Tony Powell, General Manager of EIB, the most popular sessions, as marked by the attendees' critique forms, were (not in any order):

* Computer Hacking by Martin Samocink.
* Electromagnetic Production from Visual Display Units by Wim Van Eck.
* Personnel Aspects of Computer Security by Sheelagh Keddie.

I enjoyed the event and I recommend that the week commencing October 27th, 1986 is cleared in your diary for the Third Annual Conference, which will again be held in the London area.

Alan Reed

CONTINGENCY PLANNING

Contingency planning is a company problem that requires dedicated resources. Brian Pinder, a Consultant at Datashield (the IBM hot-start standby unit of Datasolve Ltd.), examines the project cycle involved in the creation of a contingency plan for a company with a turnover in excess of £70 million. The company is a subsidiary of a major U.S. entertainment and leisure group with a product base of approximately 12,000 items and a dealer base of 6,000. The first computer, a small Honeywell, was installed in 1969 running a batch sales order processing system with limited stock control, stock accounting and sales statistics. By 1975 the Honeywell had undergone a number of upgrades and an IBM 370/125 had been installed to support the first on-line order entry system.

Between 1975 and mid 1984, continuous development and expansion of the on-line systems had required the all too familiar growth in CPU power, disk storage capacity and communications networks. By the end of 1984 an IBM 3083-B was in place supporting over 200 terminals and printers in 10 sites, including a manufacturing and distribution centre in Europe.

BASIC PLAN

During 1969-1978, contingency planning was limited to storing master file backups in a fire safe in the machine room with weekly backup offsite, initially at the head office some 5 miles away, and latterly at a bank. In 1979 a contract was signed which provided for the use of a fixed cold site facility. This was changed in 1981 to a mobile cold site which was to be
