
Information & Management 26 (1994) 143-153

North-Holland

Research

A framework for information security evaluation

R. von Solms and H. van de Haar, Port Elizabeth Technikon, Port Elizabeth, South Africa

S.H. von Solms, Rand Afrikaans University, Johannesburg, South Africa

W.J. Caelli, Queensland University of Technology, Brisbane, Australia

Information Security Management consists of various facets, such as Information Security Policy, Risk Analysis, Risk Management, Contingency Planning and Disaster Recovery; these are all interrelated in some way, often causing uncertainty and confusion among top management. This paper proposes a model for Information Security Management, called an Information Security Management Model (ISM2), which puts all the various facets in context. The model consists of five different levels, defined on a security axis. ISM2 introduces the idea of international security criteria or international security standards. The rationale behind these is to enable information security evaluation according to internationally accepted criteria. Due to the lack of internationally recognized and/or accepted information security standards and criteria, this model cannot be implemented in its totality at this time. A restricted form is implemented, forming an information security evaluation tool. This tool can be used for information security management with great success within an organization.

Keywords: Information security; Computer security; Information security management; Security and protection

Correspondence to: R. von Solms, Port Elizabeth Technikon, Private Bag X6011, Port Elizabeth 6000, South Africa

1. Introduction

Different definitions for information security management (ISM) appear in the literature, each stressing a different aspect. One of these is stated in [2] as:

“The goal of ISM is to lessen either the probability that something undesirable will happen (or the frequency with which it is known to be happening) or the severity of the consequences when it does happen, or both.”

This definition is very wide, but does indirectly include a number of aspects relevant to information security, like policy documents, risk analysis and risk management, contingency planning, and disaster recovery.

Rossouw von Solms is Head of Department of Information Technology at the Port Elizabeth Technikon in Port Elizabeth, South Africa. He is currently the secretary of Working Group 11.1 of the International Federation of Information Processing (IFIP) that deals with Information Security Management.

S.H. von Solms holds a PhD in Computer Science, and is Head of the Department of Computer Science at the Rand Afrikaans University in Johannesburg, South Africa. He is the South African representative on Technical Committee 11 (TC 11) of the International Federation for Information Processing (IFIP), and is also the Chairman of Working Group 11.1 of TC 11. He has published many papers on Information Security, and is presently supervising about 15 post-graduate projects in Information Security. He is a consultant in Information Security to several large corporations, especially in the financial industry.

Helen van de Haar has been developing information systems for over 20 years. In 1989 she joined the Port Elizabeth Technikon in South Africa and is currently a Senior Lecturer in the Department of Information Technology. Helen’s interest in Information Security started with research towards a Masters Diploma which she received (Cum Laude) in 1992. She is also currently involved in the development of software for Information Security Management.

0378-7206/94/$07.00 © 1994 - Elsevier Science B.V. All rights reserved

SSDI 0378-7206(93)E0045-6

Fig. 1. The security axis. [Figure: a vertical security axis showing (Current OSE) t1 at position A and, after adding countermeasures, (Current OSE) t2 at the higher position B.]

This paper describes a five-levelled model for ISM, the ISM Model (ISM2); this directly represents the security aspects. ISM is then defined in terms of the model. The new definition basically agrees with the goal, but addresses ISM from another angle. The model consists of 5 different security levels, ordered on a security axis.

William J. Caelli has been an active member of the Australian Computer Society (A.C.S.) since its inception and was made a Fellow of the Society in 1981. He is a well known commentator on the computer industry and on data security and has published numerous papers on technical topics as well as on the social and economic implications of the technology. His first book “The Microcomputer Revolution” was published by the A.C.S. in 1979. He is the Chairman of and Australian representative on IFIP (International Federation for Information Processing) Technical Committee 11 (Security and Protection in Information Processing Systems). In 1992 he received the International Federation for Information Processing (IFIP) Silver Core Award in recognition of his contribution to the field of computer and telecommunications security. He also serves on the Standards Association of Australia’s committee on E.F.T.S. security standards and has lectured widely to national and international groups on information systems security. Professor Caelli’s research interests lie in computer architecture for “broad-grain” parallel systems and their use in large scale message switches as well as in object oriented languages and programming systems in addition to his work in computer and network security. In September 1986 Professor Caelli was honoured with an Australian Information Technology Award (A.I.T.A.) for Achievement in the Information Technology Industry.

2. Security in the operational and the operational security environments

For any enterprise, the Operational Environment (OE) may be defined as the total set of information services needed and responsible for storing, producing, and distributing information throughout the enterprise. This includes all hardware and software. It is of course vital for any enterprise to protect its OE as well as possible. To this end, certain counter measures, or control measures, are introduced to protect it. The Operational Security Environment (OSE) is defined as the OE supplemented by all the installed counter measures. Information Security Management (ISM) can thus be viewed as an effort to create an optimal OSE in an enterprise. The problem is, of course, when is an OSE optimal? The answer to this question is precisely the purpose of this paper.

2.1. The information security management model (ISM2)

The ISM2 consists of five different OSE’s arranged in a particular hierarchy. These are:

- The Ideal OSE
- The Baseline OSE
- The Accepted OSE
- The Current OSE and
- The Survival OSE

Each of these takes a specific position on a so-called security axis, and Information Security Management is defined as the process of managing these five OSE’s “in step”. All of these, except the Ideal OSE, are dynamic and will move higher or lower depending on circumstances in the enterprise.

2.1.1. The current OSE

Any OSE will change as a result of new information services and/or new counter measures. At any specific point in time, say t1, the collection of all information services, together with all the counter measures installed, will be called the Current OSE at time t1. Obviously the Current OSE is dynamic in nature. Thus by introducing more (effective) counter measures, the information services will be more secure, and the Current OSE will be raised on the security axis. The security axis indicates increasing protection, as shown in an upwards direction in Figure 1.

(Current OSE) t1 represents the Current OSE at time t1, etc. By introducing more (and more effective) counter measures, the Current OSE is raised from position A on the security axis to position B. The Current OSE is usually determined by a risk analysis exercise.

2.1.2. The ideal OSE

The Ideal OSE represents the ideal situation in the enterprise. It constitutes such an effective set of counter measures that no risk will be able to upset the information services; i.e., the Ideal OSE represents a situation of complete protection. This ideal situation is defined by management in their information security policy. It should be apparent that such an Ideal OSE can never be achieved, because no service can be completely protected. For example, people can subvert the system even if the automation were perfect. Therefore the Ideal OSE appears as the top of the security axis, as represented by Figure 2. The Ideal OSE is therefore the position to “strive for”.

2.1.3. The prescribed OSE

The Prescribed OSE represents a required set of counter measures, as defined by interested external parties. For example, insurance companies may prescribe certain counter measures in order for them to agree to insure a specific enterprise or to reduce the cost of the policy; an adequate company police force available at all times is an example. Business partners may also require certain security measures for the enterprise in order to do business with it; e.g., when using EDI. The Prescribed OSE is therefore much more “attainable” than the Ideal, and therefore is likely to be high on the security axis, usually above the Current, but below the Ideal.

Fig. 2. The Ideal, Prescribed and Current OSE. [Figure: the security axis with, from top to bottom, the Ideal OSE, the Prescribed OSE and the Current OSE.]

Fig. 3. The full set of OSE’s. [Figure: the security axis with, from top to bottom, the Ideal OSE, Prescribed OSE, Baseline OSE, Current OSE and Survival OSE.]

2.1.4. The baseline OSE

Although an enterprise may be confronted by an externally defined Prescribed OSE, the management of the enterprise may, for certain reasons, decide to accept a lower (or higher) OSE than Prescribed. For example, for financial reasons, management may decide to carry some “self insurance” and not install all the counter measures requested by their insurance company. The OSE purposely defined as enough by the management of the enterprise is called the Baseline OSE, and may be higher or lower than the Prescribed OSE. The Baseline OSE is therefore determined by a specifically considered decision by management on what resources will be committed to security. The Baseline OSE is represented in Figure 3.

2.1.5. The survival OSE

In any enterprise, some information services are more important than others. Some may be of vital importance and any disruption to them may be termed a disaster. The primary aim of the enterprise may therefore be to restore critical services as quickly as possible in the event of any disaster. These information services, identified as absolutely critical to the enterprise, together with the counter-measures to restore them or keep them going, constitute the Survival OSE. Thus the Survival OSE appears low on the security axis. If any mishap takes place the location of the Current OSE will fall on the security axis. If the Current OSE drops below the Survival OSE, a disaster is likely to occur. The Survival OSE is described in a contingency plan and must be supported by a disaster recovery plan.

Fig. 4. The ISM2. [Figure: the security axis with the Ideal, Prescribed, Baseline, Current and Survival OSE; risk management is shown acting in the region between the Baseline and Current OSE, and disaster recovery at the Survival OSE.]

Fig. 5. The extended ISM2. [Figure: the security axis with the Current OSE shown within its categories; only the axis label and caption are legible.]

2.2. The complete information security management model (ISM2) and its extension

The complete ISM2 is depicted in Figure 4. Risk management attempts to get the Current OSE as close as possible to the Baseline OSE.

Fig. 6. The full extended ISM2. [Figure: the Ideal, Prescribed, Baseline, Current and Survival OSE shown separately on the security axis for each of the physical, logical and personnel categories.]

In any enterprise, the information services and assets can be divided into different categories:

- physical
- logical
- personnel, etc.

In the ISM2, the Current OSE could therefore be shown within its context as in Figure 5. However, this implies that the Current OSE has equal protection in each of these three categories, which of course is not true. The categories can also be subdivided into subcategories; e.g., the logical category may consist of:

- Mainframe services (assets)
- PC services (assets)
- Network services (assets)

The subcategories are also unlikely to have the same security protection, resulting in the breakdown of Figure 6. Using this model, an information security manager can individually manage the different services in the enterprise, and for every subservice, precisely define the actual situation.

3. Scaling the security axis

Any measurement is relative, in the sense that something can only be measured if it is compared to something else. Therefore, the prime or overall aspect of a specific Current OSE is that it is “rather high” or “rather low” on the security axis. This is, of course, very inexact and unsatisfactory. To address the problem, the security axis is scaled; it is divided into, say, five security levels, with each again subdivided into five sublevels. This, of course, provides a much better framework for evaluation in the ISM2. Much more objective and specific evaluation and management is now possible. The positions of OSE’s in Figure 6 are hypothetical, but through a process of information security evaluation, exact positions can be determined.

In terms of this ISM2, information security management can be defined as:

ISM is the process of determining, controlling and maintaining the five different OSE levels of the ISM2.

4. Information security evaluation

4.1. Requirements to implement an information security evaluation tool

The benefits of a model like the Information Security Management Model are legion. To implement the model the following is required:

- a set of information security categories;
- a set of criteria to evaluate against and
- a means of evaluating information security against the criteria.

4.1.1. Information security categories

Information security is a very exhaustive area. It needs to be broken down into smaller chunks or categories to make it more manageable. Many authors have subdivided information security into categories and sub-categories and most of them differ quite drastically.

4.1.2. Information security criteria or conditions

An information security evaluation can take on one of two forms:

1. an evaluation conducted to determine whether a certain security condition has been met, or
2. an evaluation through a process of comparison of security criteria implemented against a predefined set of criteria or standards.

Currently, very few international standards or criteria exist. TCSEC and ITSEC [6,7] are criteria used to evaluate operating system security. Similar criteria are in the process of being formulated for database and network security evaluation. If a set of international information security criteria existed to describe each level of security for each information security category in the model, it would be possible to describe the Survival OSE, the Baseline OSE and the Prescribed OSE in terms of these criteria. This set of criteria would also make it possible to evaluate the Current OSE in terms of the criteria, and to compare it with other OSEs like the Baseline OSE, or the Prescribed OSE, to identify the “difference” in security between the two levels. An international set of information security criteria would also make it possible for one organization to compare its information security level with that of another. The set of security criteria could be known and recognised anywhere in the world. An insurance broker could then dictate a certain level of security to a client, and if this is not obtained, the premium could be increased, for example.

4.1.3. The evaluation

Information security evaluation can mean:

1. an evaluation process to determine whether or not a condition of security was met or,
2. the comparison of the current security controls in place against some complete set of security criteria.

The current security controls in place will evaluate to a specific level of security on the information security graph, depending on how well the complete set of criteria is met.

International security criteria are at this point in time ill-defined. For this reason the Information Security Management Model cannot yet be implemented. Also, for the same reason, no information security self-evaluation tool, known to the authors, exists currently.

4.2. Different types of evaluation

The two different types of information security evaluation involve either evaluation for a condition or evaluation through comparison.

4.2.1. Evaluation for a condition

TCSEC as well as ITSEC have identified various levels or classes of security for an operating system environment. TCSEC has defined four levels of protection with subclasses: D, C1, C2, B1, B2, B3 and A1. Each of these classes represents a certain condition, e.g.:

- D - minimal protection
- C1 - discretionary security protection
- C2 - controlled access protection
- B1 - labelled security protection
- B2 - structured protection
- B3 - security domains
- A1 - verified design

These conditions can be met in various ways through different techniques and counter measures. Some body must certify that the associated conditions have been met. If a certain product has been certified as a B2 system, everybody knows what protection is associated with that specific product. The drawback of this technique of evaluation is that an international certifying body needs to be established, and the process can be very time consuming and expensive. Obviously the ideal solution to information security evaluation would be a technique of self evaluation, which can only be possible if the security condition being measured is very clearly defined, and very specific guidelines are written on how the evaluation should be executed. The whole idea of self evaluation seems unobtainable at this stage, partly because of the lack of international standards.

4.2.2. Evaluation through comparison

An alternative to showing that a given condition has been met is to make an evaluation using a comparison against predefined criteria. This is only possible if an internationally accepted set can be identified. If it can, then information security evaluation can take the form of a comparison against this set of criteria. Self evaluation may then even become a possibility. Because the set used in the evaluation would be internationally specified, an information security measurement level would be the same to everybody. It would then be possible for one party to dictate a specific level of security protection to another, because there is a common means of expressing protection. The nature of the criteria is another problem. The only possibility at this stage is to use information security countermeasures as the criteria. The evaluation would then take the nature of comparing installed countermeasures against a complete set as criteria. The degree of match can then be converted to a percentage or a value between 0 and 5, as suggested in the Information Security Management Model, described earlier. This type of evaluation can also be used on an international basis, because everybody will compare against the same set of countermeasures or criteria. This will also make self evaluation a definite possibility. Two immediate problems come to mind: firstly, countermeasures may be installed, but they may be managed or operated ineffectively; secondly, during a process of self evaluation, prejudice may affect the accuracy.

Of the two possible evaluation techniques, only the latter one seems possible at this time.

4.3. Information security evaluation limitations

The requirements to establish an information security evaluation tool are:

- a set of categories;
- a set of criteria to evaluate against and
- a metric against which to perform the evaluation process.

4.3.1. The problem of international evaluation standards

No internationally accepted subdivision of information security exists currently. The information security evaluation tool will have to define categories which can be used during the evaluation process. Different information security evaluation tools may define different subdivisions for information security and may thus use different categories. Further, no internationally recognised and accepted set of information security criteria or standards or conditions exists for use in the evaluation process. Various tools may thus be compared against a different set of criteria. Until these two problems have been solved, an international standard in information security evaluation cannot be established. Different tools will use different criteria and different categories will be defined. Results from these tools can thus not be compared and accepted as an international level of information security protection.

4.3.2. Internal security evaluation

The fact that international information security evaluation cannot yet be performed does not mean that information security evaluation should not be made. Information security evaluation can be used internally by the information security officer and as a management reporting tool.

5. An information security evaluation tool

Many risk analysis and management tools are commercially available. CRAMM [8], and many others, include a risk analysis component to identify and analyze risks, as well as a risk management component that suggests which countermeasures should be installed. The logical way to develop an information security management tool is to integrate the tool with an existing risk analysis and management tool, because most of the data needed for an information security evaluation are captured by a risk analysis exercise; this means either making the tool part of an existing risk analysis and management package or using the data captured during a risk analysis exercise in an add-on evaluation system. Most risk analysis packages make use of some subdivision of information security that can be used as the categories in the Information Security Management Model. Further, most of the risk analysis packages that include a risk management component contain an extensive set of information security countermeasures.

During a risk analysis exercise, data is captured on all assets, threats and vulnerabilities. Based on the vulnerabilities, some sort of security requirement is calculated for the various groups of assets. The security requirements are then used to suggest a set of countermeasures from the countermeasure file, based on the security needed. It should be possible to trace each of the security requirement values back to a security category. The Baseline OSE, as defined in the Information Security Management Model, is nothing but the security needs for the organization. Because the countermeasures are linked in some way to the security requirement, a security requirement value, for each category, can be calculated for the countermeasures already installed. This security requirement, based on the currently installed countermeasures, reflects the current level of security protection of the organization and can thus be used as the Current OSE within the model. All countermeasures trace back to one or more of the categories. The complete set of countermeasures, from the countermeasure file, tracing back to a category, may in theory represent a level of complete protection in that category. The Ideal OSE, which is an obtainable goal, may be represented by that complete set of countermeasures. It would thus be possible to determine the Ideal OSE, Baseline OSE as well as the Current OSE fairly easily, using any of the risk analysis and management packages available. Using only these three OSE’s of the Information Security Management Model will be a great aid to management.

6. An implemented tool based on CRAMM

CRAMM is a well known risk analysis and management tool developed by CCTA [8], [9]. Many governments have already accepted CRAMM as an official methodology of risk analysis and management.


6.1. The CRAMMEX categories

CRAMM divides information security into six security aspects, viz. hardware and software; communications; procedural; physical; personnel and environmental. These security aspects will form the various security categories within which CRAMMEX, a tool based on CRAMM developed by the authors, operates.

6.2. The criteria in CRAMMEX

CRAMM has an extensive file of countermeasures. Each of these countermeasures is linked to one or more of the security aspect categories. The set of countermeasures is used as the evaluation criteria in CRAMMEX.

6.3. The evaluation in CRAMMEX

During a CRAMM review, an extensive amount of information security relevant data is recorded. Data is stored for all the relevant groups that need protection. The potential threats that threaten the organization as well as the vulnerability of the asset groups to the identified threats are also recorded during the review. Based on this, a security requirement is calculated and stored for each of the asset groups. These security requirements are then used to identify a set of countermeasures that should provide adequate protection for each asset group, based on the security requirement. Each of these countermeasures can then be traced back to one or more security aspect categories.

The complete set of countermeasures for each security aspect (category) can be taken as the ultimate or ideal protection for the category and will be represented as a level 5 protection in the evaluation graph. This will form the Ideal OSE in the evaluation graph and is represented in Figure 7. The security requirement, based on the subset of countermeasures recommended by CRAMM for each security aspect, can now be presented as a fraction of the Ideal OSE (ultimate protection) and assigned a value between 0 and 5. This will form the Prescribed OSE in the model. A hypothetical example is represented in Figure 7.

After the set of countermeasures has been proposed, those that have been implemented already are identified and removed from the list. By manipulating the data based on these countermeasures, the current level of security protection for each security aspect can be calculated. These installed countermeasures normally form a subset of the set of proposed countermeasures and form the Current OSE in the evaluation model. Similarly, those countermeasures marked by management for implementation can be used to form the Baseline OSE. Because the level of protection, between 0 and 5, is totally based on the specific security situation and vulnerabilities within the organization reviewed, it cannot be compared to that in another organization with a different situation and vulnerabilities. The Prescribed OSE represents the level of information security as represented by CRAMM. The Baseline OSE represents the level of information security protection as accepted by management. The Current OSE is a representation of the current level of information security within the organization.

Fig. 7. The Ideal, Prescribed, Baseline and Current OSE’s in CRAMMEX. [Figure: bar chart of the protection level (0 to 5) for each category HW/SW, Comms, Proced., Physical, Personnel and Environ.; legible legend entries: Ideal, Prescribed.]

Fig. 8. Warning levels for hardware and software. [Figure: bar chart for the same six categories, with the Baseline OSE divided into the warning levels Neglectable, Acceptable, Dangerous, Critical and Disastrous; legend: Ideal, Prescribed, Baseline.]

The major benefit of CRAMMEX is that it will make the results of a CRAMM review more interpretable and management friendly. The Baseline OSE, for each category, is divided into five equal portions. Each of these has a certain warning level associated with it. The Current OSE will obviously end up in one of these portions, depending on the percentage that the Current OSE is of the Baseline OSE.

The warning levels are:

- 0%-20% Disastrous
- 21%-40% Critical
- 41%-60% Dangerous
- 61%-80% Acceptable
- 81%-100% Neglectable

It can clearly be seen that the Current OSE of the Hardware and Software category is at a dangerous level. Similar danger levels are calculated for each of the categories. These danger levels can be used as some sort of a Prescribed OSE. An insurance broker may not expect the client to have all the countermeasures installed, but may prescribe that at least the acceptable warning level must be in place. This can only work if the CRAMM review is done in a totally objective way. One of these warning levels will be associated with each of the categories. This will enable management to interpret the information security situation even better.
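As an added example (not code from the paper, from CRAMM or from CRAMMEX), the following Python sketch carries the comparison-based evaluation of sections 4.2.2 and 6.3 and the warning-level scheme above through to numbers: the complete countermeasure file for a category is the Ideal OSE (level 5); the recommended, installed and management-approved subsets are expressed as fractions of it on the 0 to 5 axis; and the Current OSE is then placed in one of the five warning bands according to its percentage of the Baseline OSE. The function names, the `CategoryReview` structure, the rule for a Baseline that requires nothing, the capping of a Current OSE above its Baseline, and the sample countermeasure identifiers (hw1, c1, ...) are all assumptions constructed for this example.

```python
"""Constructed CRAMMEX-style evaluation: countermeasure sets -> 0-5 OSE levels -> warning levels.

Added example; names and sample data are assumptions, not CRAMM's or CRAMMEX's own.
"""
from dataclasses import dataclass

# Warning levels from the paper: the Current OSE as a percentage of the Baseline OSE.
# Each entry is (upper bound in percent, label); the bands are 0-20, 21-40, ..., 81-100.
WARNING_LEVELS = [
    (20, "Disastrous"),
    (40, "Critical"),
    (60, "Dangerous"),
    (80, "Acceptable"),
    (100, "Neglectable"),
]


@dataclass(frozen=True)
class CategoryReview:
    """Countermeasure sets recorded for one security aspect (category) during a review."""
    name: str
    complete: frozenset     # every countermeasure in the file for this category -> Ideal OSE
    recommended: frozenset  # subset the risk analysis recommends -> Prescribed OSE
    installed: frozenset    # already in place -> Current OSE
    marked: frozenset       # marked by management for implementation; Baseline = installed + marked


def level(subset, complete):
    """Express a countermeasure subset as a value between 0 and 5 (fraction of the Ideal OSE).

    Countermeasures that are not in the category's file are ignored, so a stray
    identifier can never push a level above 5.
    """
    if not complete:
        raise ValueError("a category with no countermeasures cannot be evaluated")
    return 5.0 * len(subset & complete) / len(complete)


def warning_level(current, baseline):
    """Classify the Current OSE as a percentage of the Baseline OSE.

    Assumption: a Baseline that requires nothing is reported as Neglectable, and a
    Current OSE above its Baseline is capped at 100%.
    """
    if baseline == 0:
        return 100.0, "Neglectable"
    pct = min(100.0, 100.0 * current / baseline)
    for upper, label in WARNING_LEVELS:
        if pct <= upper:
            return pct, label
    raise AssertionError("unreachable: pct is capped at 100")


def evaluate(review):
    """Return the four OSE levels and the warning level for one category."""
    current = level(review.installed, review.complete)
    baseline = level(review.installed | review.marked, review.complete)
    pct, label = warning_level(current, baseline)
    return {
        "ideal": level(review.complete, review.complete),  # always 5.0 by construction
        "prescribed": level(review.recommended, review.complete),
        "baseline": baseline,
        "current": current,
        "percent_of_baseline": round(pct, 1),
        "warning": label,
    }


def bar(value, width=10):
    """Text rendering of a 0-5 level, in the spirit of the evaluation graph (Figure 7)."""
    filled = round(value / 5.0 * width)
    return "[" + "#" * filled + "." * (width - filled) + "]"


def report(reviews):
    """Evaluate every category and return {category name: evaluation dict}."""
    return {r.name: evaluate(r) for r in reviews}


# Constructed sample data (not from a real CRAMM review); identifiers are placeholders.
SAMPLE_REVIEWS = [
    CategoryReview(
        name="HW/SW",
        complete=frozenset(f"hw{i}" for i in range(1, 11)),    # 10 countermeasures on file
        recommended=frozenset(f"hw{i}" for i in range(1, 9)),  # 8 of the 10 recommended
        installed=frozenset(["hw1", "hw2", "hw3", "hw4"]),     # 4 already in place
        marked=frozenset(["hw5", "hw6", "hw7", "hw8"]),        # management commits to 4 more
    ),
    CategoryReview(
        name="Comms",
        complete=frozenset(f"c{i}" for i in range(1, 7)),
        recommended=frozenset(["c1", "c2", "c3", "c4", "c5"]),
        installed=frozenset(["c1", "c2", "c3", "c4", "c5", "c9"]),  # c9 is not on file: ignored
        marked=frozenset(),
    ),
]

if __name__ == "__main__":
    for name, r in report(SAMPLE_REVIEWS).items():
        print(f"{name:6s} ideal {bar(r['ideal'])} prescribed {bar(r['prescribed'])} "
              f"baseline {bar(r['baseline'])} current {bar(r['current'])} "
              f"-> {r['percent_of_baseline']}% of baseline: {r['warning']}")
```

Running the block prints one text-bar line per category. In the HW/SW sample, 4 of the 8 countermeasures management has committed to are installed, so the Current OSE is 50% of the Baseline and falls in the Dangerous band, which is the situation the text describes for the hardware and software category; the Comms sample has everything it needs installed and reports Neglectable. Because every level is a fraction of the organization's own countermeasure file, the numbers are only comparable within one review, exactly as the paper cautions.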

7. Conclusion

The effective control of information security management is made easier if risk analysis and management tools are used. Top management, responsible for the well-being of the organization, is only interested in the current status of information security in their organization. They want to determine if their information service assets are adequately protected or not. If not, where is the greatest need for additional protection and to what extent? The Information Security Management Model can definitely be implemented in a restricted way, using the data captured during a security review. CRAMMEX is an add-on package that will make the results much more management friendly. Graphs and the use of warning levels will give top management a concise, clear picture of their information security status.

Bibliography

[1] Caelli, W.J., “Trusted Systems”, Computer Control Quarterly, Vol 9, No 2, 1991.

[2] Moulton, R., “A Strategic Framework for Information Security Management”, Proceedings of the 14th Computer Security Conference, October 1991, Washington D.C.

[3] Saari, J., “Top Management Challenge - From Quantitative Guesses to Prudent Baseline of Security”, Managing Director, International Baseline Security Oy, P.O. Box 66, 02171 Espoo, Finland.

[4] Von Solms et al., “Information Security Management; A framework for effective management involvement”, Information Age, Volume 12, no 4, Oct 1990. 217-222.

[5] Von Solms et al., “An Information Security Management Model”, IFIP WG 11.1 Workshop, Carlton Hotel, Singapore, 1992. 6-22.

[6] Trusted Computer Systems Evaluation Criteria (TCSEC), U.S. Dept of Defence, 5200.28 STD, Dec. 1985.

[7] Information Technology Security Evaluation Criteria (ITSEC), Harmonised Criteria of France - Germany - Netherlands - U.K., Internal Ministry, Bonn, May 1990.

[8] “An Overview of CRAMM”, Central Computer and Telecommunications Agency, Touche Ross, January 1991.

[9] “Computer Security Risk Assessment”, The CRAMM Method, Touche Ross.