Running Head: SECURITY AWARENESS
Final Project Security Awareness
Terri Y. Hudson
Southern New Hampshire University – IT 552
December 20, 2016
Agency-wide Security Awareness Program Proposal
Introduction
For the organization to comply with the current PCI DSS requirement 12.6, a security awareness program must be in place. The CISO of the organization has an immediate requirement to create an agency-wide security awareness program. As a first step toward implementing the program, the organization conducted a security gap analysis, which is one component of a security awareness program, and the analysis produced ten security findings. As part of establishing the program, I will submit this awareness program proposal.
Objective
This SOW (Statement of Work) is being prepared on behalf of the senior information officer. He has requested the creation of an agency-wide security awareness program and has handed over the security gap analysis that was completed before this process. The main aim of this document is therefore to define a security awareness program that addresses the ten key security findings. The document also includes a risk assessment of the current security awareness practices and processes. With this document, the organization will have a well-organized maintenance plan, which is important for establishing and maintaining an information security awareness program (United States, 2000).
Background
The mission of the organization is to provide efficient IT services with the best security program in place, with the aim of protecting the organization's assets.
1. Technical Infrastructure
The organization is engaged in a short-term effort to modernize its information-processing infrastructure. These efforts have included software enhancements, installation of firewalls, and high-end network systems for improved communication. The senior information officer is responsible for overseeing the modernization effort. He has recently completed a security awareness program and the deployment of the organization's LAN (Local Area Network). The hardware in use consists of Cisco products.
2. Computing Environment
The organization's desktop computers run Windows 2007/98 and 95. The servers are Pentium-based with over 1 GB of RAM. The current NOS (network operating system) is Windows-based.
3. Security Posture of the Organization
The organization has a basic network structure with only one router, which also acts as the firewall. It has several workstations and the switches that connect them. In addition, the organization has installed Kaspersky antivirus on its desktop machines with the aim of reducing external threats. The data server is secured with Kaspersky antivirus. For physical security, the server rooms and network closets have locks, and the network cabinet is always locked. The organization is worried about its current security plan because of hackers, spammers and cybercrime, and the plan has not proved to have the best controls after the recent security gap analysis was conducted.
Security Gap Findings
From the findings, one of the organization's largest risks is not weakness in the IT infrastructure but the actions and reactions of its employees. This has occurred through disclosure of sensitive information by workers and through social engineering attacks. After the gap analysis report, the organization found that confidential customer data and some of the IT assets were at risk. From the gap analysis findings it is evident that the risk of losing confidential customer information was very high, while the risks to information technology assets were classified as moderate. The top ten security findings were: the internet, which has become one of the greatest avenues for hackers; data breaches; ransomware; browser plug-ins; viruses; worms; spyware; key loggers; rogue security software; and pharming. Lastly, some organizational factors are contributing to the poor health of the IT assets, for example poor planning by the organization's CEO for the best IT personnel, poor identification of the organization's critical assets, wrong mapping of the existing cyber security capabilities across the organization (needed to identify organizational risks), poor assessment of the organization's security maturity level, and poor identification of potential cyber security threats (Roper, 2006).
Best Practices in the Organizational Security Program
Assemble the security awareness team. The team will be mandated to ensure the development, maintenance and delivery of security awareness. The recommendation is for the team to be well staffed. In addition, all employees ought to be trained on the ten security gap findings. The security awareness program ought to have reference materials such as ISO 27002:2013, which outlines the code of practice for information security controls, the NIST (National Institute of Standards and Technology) publications, and COBIT 5 (Desman, 2002).
Tasks
Some of the roles to be performed include producing a general description of the organization's security posture and a risk analysis, drafting the organization's security deliverables, and outlining the responsibilities of each and every member of the organization in ensuring the security of organizational assets.
Personnel
It is highly recommended that security training include how social engineering happens and what its consequences are for the organization's IT assets. One of the ways hackers use social engineering is to acquire users' credentials. The program should tailor this awareness to reflect the types of attacks the organization is encountering and what it may encounter in the long run. Since one of the findings from the security gap analysis concerns the confidentiality of customers' data, it is highly recommended that the different ways of safeguarding customers' information be covered at a basic level for all personnel, for example protecting data in both electronic and non-electronic form. Other topics that need to be included in the awareness program are the organization's security awareness policy, the impact of unauthorized access, and awareness of the CHD security requirements (Gardner, 2014).
Conclusion
This SOW document has highlighted the objective of the SOW. The document has addressed four critical elements that must be covered in the security program: the security posture of the organization, the major findings from the security gap analysis, the human factors that undermine the security of the organization's IT assets, and the organizational factors that contribute to the organization's poor security health. Lastly, I have included what needs to be done in the security awareness program.
Introduction
Information security involves keeping corporate records secure. Policies are used to address the need to protect data from unauthorized access, disclosure, loss, interference and corruption, and they apply to information in both physical and electronic formats. A security policy is a well-documented strategy whose purpose is to protect, and maintain access to, a network and its resources. Adequate security in an organization is the responsibility of management. In this era of high risk of data threats, almost all organizations have taken the initiative to implement security policies. This paper addresses ten available security policies and their importance: access control policies, addressing remote access, encryption and hashing, auditing network accounts, configuration change management, segregation of duties, mandatory vacation, information breaches, media protection, and social engineering (Bowden, February 18, 2003).
1. Access Control Policies
Access control concentrates on determining the authorized activities of legitimate users, mediating every attempt by a user to access a resource in the system. In several systems, full access is granted upon successful verification of the user, although many systems need more complex control. In addition to the verification method, such as a password, access control is concerned with how authorizations are designed. In some scenarios, authorization might reflect the organization's structure, while in others it might rely on the sensitivity level of a range of documents and the clearance level of the user accessing those documents.
Organizations considering an access control system implementation should look at three abstractions: access control policies, mechanisms and models. Access control policies are high-level requirements that state how access is managed, who has the authority to access information, and under what circumstances. For example, policies might apply to resource use within or across units of an organization, or might be based on need-to-know, authority, competence, conflict-of-interest, or obligation factors. At a high level, access control policies are enforced through a mechanism that translates a user's request, typically in terms of the structure that a system provides (NIST, May 6, 2015).
2. Addressing Remote Access
The purpose of this policy is to describe the rules and requirements for connecting to the company's network from any host. These rules and requirements are designed to minimize the potential exposure of the company to damages that may result from unauthorized use of company resources. Damages include loss of sensitive or confidential company data or intellectual property, damage to critical internal company systems, damage to public image, and fines or other financial liabilities incurred as a result of those losses.
The remote access policy applies to all company staff, contractors, vendors and agents using a company-owned or personally-owned workstation or computer to connect to the company's network. It applies to remote access connections used to carry out work on behalf of the company, including reading or sending email and viewing intranet web resources. The remote access policy covers any and all technical implementations of remote access used to connect to the company's networks. It is the responsibility of company staff, contractors, vendors and agents with remote access privileges to the company's corporate network to ensure that their remote access connection is given the same consideration as the user's on-site connection to the company (SANS Institute, 2014).
3. Encryption and Hashing (to Control Data Flow)
The main goal of encryption is to transform data so as to keep it secret from others, in order to control data flow; for example, sending somebody a secret letter that only they will be able to read, or securely sending a password over the internet. Instead of concentrating on usability, the objective is to make sure the data cannot be consumed by anybody other than the intended recipient. Encryption changes data into a different form in such a way that only a particular person can undo the transformation. It uses a key, which is kept secret, in combination with the plaintext and the algorithm to carry out the encryption; the ciphertext, the key and the algorithm are needed to recover the plaintext.
Hashing plays the role of guaranteeing integrity, that is, making it so that if something is changed one will be able to know it. To be precise, hashing takes arbitrary input and produces a fixed-length string. It is used in combination with authentication to give strong proof that a particular message has not been changed. This is achieved by taking a specific input, hashing it, and then signing the hash with the sender's private key. Upon receiving the message, the recipient verifies the signature on the hash with the sender's public key, then hashes the message itself and compares the result to the hash the sender signed. If they match, the message is unchanged and was sent by the right person (Miessler, 1999-2016).
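The hash-then-sign exchange described above, as an added example in Go that is not part of the paper or the cited article. It uses ECDSA P-256 over a SHA-256 digest from the Go standard library; the sample message and the tampering and impersonation cases are constructed to show why the recipient's check fails.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedMessage is what the sender transmits: the message itself and the
// signature over its SHA-256 digest. The digest is not sent; the recipient
// recomputes it from the message it actually received.
type SignedMessage struct {
	Message   []byte
	Signature []byte
}

// NewSenderKey generates an ECDSA P-256 key pair for the sender. In practice
// the public half is distributed to recipients ahead of time.
func NewSenderKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign hashes the message and signs the digest with the sender's private key
// (the "hash it, then sign the hash" step).
func Sign(priv *ecdsa.PrivateKey, msg []byte) (SignedMessage, error) {
	digest := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return SignedMessage{}, err
	}
	return SignedMessage{Message: append([]byte(nil), msg...), Signature: sig}, nil
}

// Verify re-hashes the received message and checks the signature over that
// digest against the sender's public key. If the message was altered in
// transit the recomputed digest differs, so the signature no longer matches;
// if someone else signed it, the signature was made under a different key.
func Verify(pub *ecdsa.PublicKey, sm SignedMessage) bool {
	digest := sha256.Sum256(sm.Message)
	return ecdsa.VerifyASN1(pub, digest[:], sm.Signature)
}

func main() {
	sender, err := NewSenderKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample message (not from the paper).
	msg := []byte("Security awareness training: 20 December 2016")
	sm, err := Sign(sender, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine message verifies:", Verify(&sender.PublicKey, sm))

	// Tampering in transit: same signature, altered message.
	tampered := sm
	tampered.Message = []byte("Security awareness training: 21 December 2016")
	fmt.Println("tampered message verifies:", Verify(&sender.PublicKey, tampered))

	// Impersonation: a different key signs the original message.
	impostor, _ := NewSenderKey()
	forged, _ := Sign(impostor, msg)
	fmt.Println("forged signature verifies:", Verify(&sender.PublicKey, forged))
}
```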
4. Auditing Network Accounts
Network auditing is the collective set of measures carried out to collect, analyze and study data about a network with the aim of guaranteeing its health in line with the requirements of the organization or the network. Primarily, network auditing offers insight into how effective network practices and controls are, that is, their compliance with internal and external network policies and regulations. Auditing network accounts entails checking which user accounts and groups exist on every machine, which shares are accessible, and to whom.
Many auditing tools focus on the basic user account information that needs to be included in the audit. These main properties and settings are a good place to begin the audit and normally consist of the following: Workstations, LogonScript, the last time the password was set, whether a password is required, whether the password expires, when the password expires, whether the account is disabled, and the last logon time. Since attacks are possible through a user account that has one or several inaccurate or insecure settings, it makes sense to concentrate on user account properties during the audit (Melber, August 4, 2005).
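An added example, not from the paper or the cited article, that turns the account properties listed above into audit checks in Go. The Account record, the sample accounts and the thresholds (90-day maximum password age, 60-day idle window) are constructed assumptions; a real audit would populate the records from the directory or local SAM.

```go
package main

import (
	"fmt"
	"time"
)

// Account holds the user-account properties the audit examines. The field
// set follows the properties listed above; the record layout itself is
// constructed for this example, not taken from any directory product.
type Account struct {
	Name             string
	Workstations     []string  // workstations the account may log on from; empty means unrestricted
	LogonScript      string
	PasswordLastSet  time.Time
	PasswordRequired bool
	PasswordExpires  bool
	Disabled         bool
	LastLogon        time.Time // zero value means the account has never logged on
}

// Finding is one audit observation about one account.
type Finding struct {
	Account string
	Issue   string
}

// AuditPolicy holds the thresholds the audit applies (constructed values).
type AuditPolicy struct {
	MaxPasswordAge time.Duration // passwords older than this are flagged
	StaleAfter     time.Duration // enabled accounts idle longer than this are flagged
}

// AuditAccounts applies the policy to every account and returns the findings.
// Disabled accounts are skipped for the staleness checks (they cannot log on)
// but are still checked for password settings, since a re-enabled account
// inherits them unchanged.
func AuditAccounts(accts []Account, now time.Time, p AuditPolicy) []Finding {
	var out []Finding
	add := func(a Account, issue string) { out = append(out, Finding{Account: a.Name, Issue: issue}) }
	for _, a := range accts {
		if !a.PasswordRequired {
			add(a, "password not required")
		}
		if !a.PasswordExpires {
			add(a, "password never expires")
		}
		if age := now.Sub(a.PasswordLastSet); age > p.MaxPasswordAge {
			add(a, fmt.Sprintf("password last set %d days ago", int(age.Hours()/24)))
		}
		if len(a.Workstations) == 0 {
			add(a, "logon not restricted to specific workstations")
		}
		if a.Disabled {
			continue
		}
		if a.LastLogon.IsZero() {
			add(a, "enabled account has never logged on")
		} else if idle := now.Sub(a.LastLogon); idle > p.StaleAfter {
			add(a, fmt.Sprintf("enabled account idle for %d days", int(idle.Hours()/24)))
		}
	}
	return out
}

// SampleAccounts returns constructed records relative to the audit date.
func SampleAccounts(now time.Time) []Account {
	day := 24 * time.Hour
	return []Account{
		{Name: "jdoe", Workstations: []string{"WS01"}, LogonScript: "login.bat",
			PasswordLastSet: now.Add(-30 * day), PasswordRequired: true, PasswordExpires: true,
			LastLogon: now.Add(-1 * day)},
		{Name: "svc_backup", PasswordLastSet: now.Add(-400 * day), PasswordRequired: true,
			PasswordExpires: false, LastLogon: now.Add(-2 * day)},
		{Name: "temp_contractor", Workstations: []string{"WS07"}, PasswordLastSet: now.Add(-200 * day),
			PasswordRequired: false, PasswordExpires: true, LastLogon: now.Add(-120 * day)},
		{Name: "old_admin", Workstations: []string{"WS02"}, PasswordLastSet: now.Add(-500 * day),
			PasswordRequired: true, PasswordExpires: true, Disabled: true},
	}
}

func main() {
	now := time.Date(2016, 12, 20, 0, 0, 0, 0, time.UTC) // constructed audit date
	policy := AuditPolicy{MaxPasswordAge: 90 * 24 * time.Hour, StaleAfter: 60 * 24 * time.Hour}
	for _, f := range AuditAccounts(SampleAccounts(now), now, policy) {
		fmt.Printf("%-16s %s\n", f.Account, f.Issue)
	}
}
```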
5. Configuration Change Management (to Reduce Unintentional Threats)
Organizations have minimal visibility into the effectiveness of their change management controls over their IT infrastructure. When there is no effective management and monitoring of change controls, the consequences can be distressing. First, reduced availability of key corporate, customer and financial systems can occur if unauthorized changes or software updates are performed, even if their nature is non-malicious. These operations can impact main functionality, or at times bring down whole systems. As systems must later be taken offline to remediate a security problem or simply roll back the unauthorized change, this can result in dramatic revenue loss, as capital expenditures rise to resolve the problems and clients are unable to access revenue-producing systems (Constellation Software Engineering, 2015).
6. Segregation of Duties
The segregation of duties security policy manages conflicts of interest, the appearance of conflicts of interest, and fraud. This policy is important because it ensures the separation of various functions and defines authority and accountability over transactions. It is essential to effective internal control; it minimizes the danger of erroneous as well as inappropriate actions. The policy limits the amount of power held by one person and creates a boundary to prevent fraud that might be committed by a single individual. Fraud can still occur when there is collusion. To be sure that all segregation of duties problems have been identified, one first needs to develop an information flow diagram for each function in each part of the organization.
Responsible administrators should consider the principle of segregation of duties when planning and defining job roles. They must use processes and control procedures that, to the degree practicable, segregate duties among employees and that include effective oversight of operations and transactions. Where it is not possible to separate these functions, for instance with a small number of staff, more reliance must be placed on administrative oversight (Iowa State University, 1995-2016).
7. Mandatory Vacation (to Mitigate Intentional Threats)
A mandatory vacation policy helps to detect when staff are engaged in malicious activity such as embezzlement or fraud. For an embezzlement scheme of any considerable size to succeed, a staff member would need to be constantly available to manipulate records and respond to inquiries. Conversely, if a staff member is required to be absent for a minimum of five consecutive workdays, the possibility of any illegal activity flourishing is minimized, because another person will have to respond to the queries during the staff member's absence.
This policy is not restricted to financial institutions. Numerous organizations need similar policies for administrators. For instance, an administrator might be the only individual required to carry out sensitive actions such as reviewing logs. A malicious administrator may overlook or cover up some actions revealed in the logs, but a mandatory vacation policy would require somebody else to carry out these activities and so raise the likelihood of discovery (Darril, 2015).
8. Personally Identifiable Information Breaches
Personally identifiable information (PII) means any data that could possibly identify a particular person. Any information that can be used to distinguish one individual from another, or that can be used to de-anonymize anonymous data, can be considered PII. PII can be grouped into two categories: sensitive and non-sensitive. Sensitive PII is information which, when exposed, could cause harm to the person whose privacy has been breached.
Therefore, sensitive PII should be encrypted both in transit and at rest. Examples of such information are biometric information, personally identifiable financial information (PIFI), medical information, and unique identifiers such as passport or Social Security numbers. Non-sensitive PII is information that can be sent in unencrypted form without causing any harm to the person. It can also be gathered with ease from public records, corporate directories and phonebooks (Rouse, January, 2014).
9. Information Breaches
The purpose of an information breach procedure is to offer general guidance to the employees who manage IT resources in an organization, so as to facilitate quick and effective recovery from security events; to react in an orderly manner to events and perform all required steps to properly handle an event; to minimize or prevent disruption of critical computing services; and to reduce theft or loss of sensitive or mission-critical information. The IT security breach notification procedure also applies to breaches involving all of the organization's Health Insurance Portability and Accountability Act (HIPAA) obligations and all of the organization's business associates covered under HIPAA. The Health Information Technology for Economic and Clinical Health (HITECH) Act and its implementing regulations strengthen the privacy and security provisions of HIPAA.
10. Media Protection and Social Engineering
The information security media protection policy establishes the enterprise media protection policy for managing risks arising from media access, media transport, media storage and media protection, through the establishment of an effective media protection program. The media protection program helps an organization implement security best practices relating to enterprise media use, storage and clearing.
Social engineering is the act of manipulating people into giving up confidential information. The kind of information the criminals are after may vary, but when individuals are targeted the criminals are usually attempting to trick them into giving up their passwords or bank information, or into granting access to their computer so that malicious software can be installed secretly, giving the criminals access to the user's passwords and bank information as well as control over the personal computer. Security comes down to knowing whom and what to trust: knowing when and when not to take an individual at their word, when to trust that the person one is communicating with is actually who one thinks they are, when to trust a website, when to trust the person on the phone, and when providing information is or is not a good idea (Criddle, n.d.).
Introduction
Purpose
Continuous monitoring is one of the six steps in the Risk Management Framework described in NIST Special Publication 800-137. The purpose of a continuous monitoring program is to determine whether the complete set of planned, required and deployed security controls within an information system, or inherited by the system, continue to be effective over time in light of the inevitable changes that occur. Continuous monitoring is an essential activity in assessing the security impact on an information system resulting from planned and unplanned changes to the firmware, the software, or the environment of operation (Whitman & Mattord, 11 May 2016).
Overall security posture
To see any organizations' security pose, group significant discoveries were classes of
digital security that is affected: security knowledge, application, information, business
accomplices and outsourcing, and risk insight. These subjects serve as an extraordinary
beginning stage for critical talks encompassing an association's security hone, with basic security
address including: What is association's greatest security concern and is its security spends and
ability legitimately apportioned to address that hazard? There's no specific business needs,
business hazard, most important resources, and so on. Security pose that doesn't attach
specifically to an organization goal can lead security vanity appeal, however, doesn't offer a
genuine assessment of where an association stands (Alexander, Finch, Sutton, & Taylor, 18 Jun.
2013).
Human factors
Human factors adversely influence the security climate; specifically, human qualities and behavior influence information security and ultimately the related risks. Applying force field analysis helps in understanding the driving and restraining forces behind human issues and in treating these forces as goals and obstacles of information security. The analysis will show the human factors while trying to understand the current Information Security Management System situation of an organization and its change toward the ideal situation. It will provide measures for investment in the factors that fulfil the goals of the ISMS, since the organization is vulnerable to both unintentional and intentional security threats.
Proposal
Establishing and maintaining a secure computing environment is increasingly difficult as networks become more interconnected and data flows ever more freely. In the business world, connectivity is no longer optional, and the possible risks of connectivity do not outweigh the benefits. Consequently, it is imperative to enable networks to support security services that provide adequate protection to companies that conduct business in a relatively open environment (Solms & Solms, 26 Nov. 2008). To provide adequate protection of network resources, the procedures and technologies that one deploys need to ensure three things:
Confidentiality: Providing confidentiality of data ensures that only authorized users can view sensitive information.
Integrity: Providing integrity of data ensures that only authorized users can change sensitive information and provides a way to detect whether data has been tampered with during transmission; this may also guarantee the authenticity of data.
Availability of systems and data: System and data availability provides uninterrupted access by authorized users to important computing resources and data.
The unintentional risk that the organization is likely to face is that an authorized user may delete sensitive data by mistake or accidentally. The data may also be corrupted or deleted because of technical failure of hardware, failure of some program running on the computer, sudden breakdown of the electrical supply, or viruses. The solutions implemented for unintentional threats are: data backups will be taken frequently, and the backup can be used to recover deleted data; and the latest antivirus software will be used to scan all data coming into the computer (Sutton, 26 Nov. 2014).
Under intentional threats, an unauthorized (or authorized) user may delete sensitive data on purpose. The user may be an angry employee of the organization or some other unauthorized individual. In general, hackers can delete sensitive data. A hacker can break the security of a computer system to delete or change data, gaining access to the data through the computer network using software, devices or other techniques.
The solution for intentional threats:
Only authorized staff who have rights to access the data should be permitted to delete or modify it, and only after following a well-defined process. Proper password protection should be used. A log file should also be maintained to monitor all the activities performed on the data and files. Authorized users should change their passwords periodically. A strong encryption algorithm should be used so that valuable data is encrypted before its storage or transmission over a network; in the event that anybody (an unauthorized individual) gains access to the data, he will most likely be unable to understand it. Computers and all backup storage devices should be placed in locked rooms, and only authorized users should have access to these resources (Solms & Solms, 26 Nov. 2008).
Work Settings
When people feel that they cannot be themselves at work, they will not engage fully as part of the team or in their assigned work. Organizational leaders will play an important role in setting the tone for the move towards increased diversity and inclusion in an organization. An educational approach can dispel many of the fears that people have when it comes to addressing diversity. Employees need to understand that diversity and inclusion are best supported in an open working environment where mistakes can be used for learning, not for embarrassing or shaming people.
Work Planning and Control
Maintenance work management is the core of maintenance management. It is where the competence of managers, planners and specialists is demonstrated, and where the success and cost-effectiveness of a maintenance management system are determined. An effective work planning and control system will identify and approve all the maintenance work to be done (both strategic and non-strategic), match it with the required resources through proper planning, schedule when it will be done, allocate the tasks to skilled people, and ensure that it is done effectively and safely. Finally, the work details and costs will be captured for reporting and analysis purposes (Alexander, Finch, Sutton, & Taylor, 18 Jun. 2013).
Communication Plan
A corporate security awareness program aims to make all employees understand and appreciate not only the value of the company's information security assets but also the consequences if these assets are compromised. In principle, the process is clear and simple.
Messaging procedures
Interpersonal Communication
One of the most important, if not the most important, forms of communication a manager will engage in every day is interpersonal communication. The benefits of interpersonal communication skills are:
Detailed information: When handling a complex issue, email falls short. There is a lot of back and forth that can result in misunderstandings and incomplete exchanges that lead to mistakes. It is better to get up from your desk, talk face to face, and clear up the details.
Significant tasks: When working on major projects, direct communication can avoid problems and emphasize key points. For instance, during conversations additional issues may arise, which can be addressed directly. You finish the discussion confident that you have a grip on the new information.
Better understanding: Face-to-face communication allows you to observe body language and how somebody reacts emotionally to your ideas. Since much of communication is nonverbal, one will gain a fuller understanding of colleagues' perspective and point of view, something you cannot get from a computer screen or cell phone.
Persuading Stakeholders
The most important step will be to identify and understand the stakeholders' level of interest; this allows one to enlist them as part of the effort. Using interpersonal communication skills will increase the chances of success of the security initiative. For all of the above reasons, identifying stakeholders and responding to their concerns makes it much more likely that the initiative will have both the stakeholder support it needs and the appropriate focus to be effective (Sutton, 26 Nov. 2014). Interpersonal communication techniques will also make room for a question and answer session, since it is a one-on-one style of communication, making it easy to clarify further and to demonstrate to the stakeholder the benefit of investing in the proposed technology.
Conclusion
The blend of preventive and detective monitoring controls is essential in building a successful continuous monitoring program. The successful implementation of a continuous monitoring program will require regular commitment through leadership support, authorizing official authorization, and system owner responsibility. A well-designed and well-implemented continuous monitoring program can enhance the quality of an organization's information security program by providing management with current, meaningful information on the security posture of their IT assets (Alexander, Finch, Sutton, & Taylor, 18 Jun. 2013).
References
United States. (2000). Summary statement of work. Washington: National Commission on Air Quality.
Desman, M. B. (2002). Building an information security awareness program. Boca Raton: Auerbach Publications.
Gardner, B., & Thomas, V. (2014). Building an information security awareness program: Defending against social engineering and technical threats. Waltham, Massachusetts: Syngress.
Roper, C. A., Grau, J. J., & Fischer, L. F. (2006). Security education, awareness, and training: From theory to practice. Burlington, MA: Elsevier Butterworth-Heinemann.
Bowden, J. S. (February 18, 2003). Security Policy: What it is and Why – The Basics. SANS Institute InfoSec Reading Room. Retrieved from https://www.sans.org/reading-room/whitepapers/policyissues/security-policy-basics-488
Constellation Software Engineering. (2015). Minimize Risk and Downtime With Change Management Controls. CSE. Retrieved from https://www.cse-corp.com/cybersecurity-change-management/
Criddle, L. (n.d.). What is Social Engineering? WEBROOT. Retrieved from https://www.webroot.com/ie/en/home/resources/tips/online-shopping-banking/secure-what-is-social-engineering
Darril. (2015). Mandatory Vacations. Get Certified Get Ahead. Retrieved from http://blogs.getcertifiedgetahead.com/mandatory-vacations/
Iowa State University. (1995-2016). Segregation of Duties. Retrieved from http://www.policy.iastate.edu/policy/duties
Melber, D. (August 4, 2005). Auditing User Accounts. Windows Security. Retrieved from http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Auditing-user-accounts.html
Miessler, D. (1999-2016). Encoding vs. Encryption vs. Hashing vs. Obfuscation. Retrieved from https://danielmiessler.com/study/encoding-encryption-hashing-obfuscation/#gs.0kQuJwE
NIST. (May 6, 2015). Access Control Policy and Implementation Guides. Computer Security Division Security Resource Center. National Institute of Standards and Technology. Retrieved from http://csrc.nist.gov/projects/ac-policy-igs/index.html
Rouse, M. (January, 2014). Personally Identifiable Information (PII). TechTarget. Retrieved from http://searchfinancialsecurity.techtarget.com/definition/personally-identifiable-information
SANS Institute. (2014). Remote Access Policy. Consensus Policy Resource Community. SANS. Retrieved from https://www.sans.org/security-resources/policies/network-security/pdf/remote-access-policy
Agarwal, R., & Prasad, J. (1998). A conceptual and operational definition of personal innovativeness in the domain of Information Technology. Information Systems Research, Vol. 9, no. 2: 204-215.
Bandura, A. (1989). Social cognitive theory. In R. Vasta (Ed.), Annals of child development, Vol. 6. Six theories of child development (pp. 1-60). Greenwich, CT: JAI Press.
Garson, B. (2005). Work addiction in the age of information technology: An analysis. IIMB Management Review, Vol. 15: 21.
McCue, K. (2008). A comparison of employee benefits data from the MEPS-IC and form 5500. Working Papers 08-32, Center for Economic Studies, U.S. Census Bureau.
Murray, B. (1991). Running corporate and national security awareness programmes. Proceedings of the IFIP TC11 Seventh International Conference on IS security: 203-207.