ON INFORMATION SECURITY GUIDELINES FOR SMALL/MEDIUM ENTERPRISES

David Chapman, Leon Smalov

Abstract

The adoption rate of Internet-based technologies by United Kingdom (UK) Small and Medium Enterprises (SMEs) is regularly surveyed by the Department of Trade and Industry (DTI). Over several decades information security has evolved from early work such as the Bell-LaPadula (BLP) model toward widely disseminated Information Security Guidelines containing comprehensive and detailed advice. The overwhelming volume and level of detail provided often fail to address the information security requirements of SMEs. SMEs typically fail to implement effective Internet strategies due to lack of information security awareness, lack of technical skills and inadequate financial resources. Awareness of information security issues among SMEs is poor. The European Union-supported ISA-EUNET Consortium has developed a set of best practices to support SMEs. We present a sample mapping of the Computer Security Expert Assist Team (CSEAT) Information Security Review Areas onto the Alliance for Electronic Business (AEB) web security guidelines as an example of a possible roadmap approach for SMEs to gain information security awareness.



Paper Citation


in Harvard Style

Chapman D. and Smalov L. (2004). ON INFORMATION SECURITY GUIDELINES FOR SMALL/MEDIUM ENTERPRISES. In Proceedings of the Sixth International Conference on Enterprise Information Systems - Volume 3: ICEIS, ISBN 972-8865-00-7, pages 3-9. DOI: 10.5220/0002593700030009


in Bibtex Style

@conference{iceis04,
author={David Chapman and Leon Smalov},
title={ON INFORMATION SECURITY GUIDELINES FOR SMALL/MEDIUM ENTERPRISES},
booktitle={Proceedings of the Sixth International Conference on Enterprise Information Systems - Volume 3: ICEIS},
year={2004},
pages={3-9},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002593700030009},
isbn={972-8865-00-7},
}


in EndNote Style

TY - CONF
JO - Proceedings of the Sixth International Conference on Enterprise Information Systems - Volume 3: ICEIS
TI - ON INFORMATION SECURITY GUIDELINES FOR SMALL/MEDIUM ENTERPRISES
SN - 972-8865-00-7
AU - Chapman D.
AU - Smalov L.
PY - 2004
SP - 3
EP - 9
DO - 10.5220/0002593700030009