Security and Compliance Management

Risk management and compliance management are important for information security. Risk management involves identifying threats, measuring risks, analyzing risks, and selecting strategies like avoiding, reducing, transferring, or accepting risks. Compliance management ensures an organization follows relevant laws, regulations, and policies. It is integrated with governance and risk management as part of an overall Governance, Risk, and Compliance (GRC) framework. Information security management aims to protect data authenticity, integrity, confidentiality, availability, and authorization through techniques like encryption, digital signatures, and identity verification.

Uploaded by Jane Gonzaga

CHAPTER 6

SECURITY AND COMPLIANCE MANAGEMENT

Objectives:
Describe the basic elements of risk management
Explain what compliance management is

FOUNDATIONS OF RISK MANAGEMENT


THREATS OF ICT SYSTEMS
ICT systems and the information stored in them can be attacked by
software viruses, hackers or espionage. People (the organization's own
employees as well as external people) can damage ICT systems and destroy or
damage the information stored in these systems.

DEFINITION OF RISK
A risk is the extent of loss which may happen if a threat occurs.

MEASUREMENT OF RISKS
Single risk
The standard approach is that the risk value is expressed as the
product of the probability of occurrence and the expected amount of loss.
The amount of loss is a random variable, so it is more precise to define the
risk value as the expectation value of the random variable "amount of loss"
under its probability distribution.
Risk portfolio
A very naive way to value the total volume of risks of a management
object (e.g. a whole organization, a portfolio of specific objects or a
specific E-Commerce system) is to count the identified risks. Many people
consider such an approach too simple, but it is much better to work with a
very simple list and to discuss the risk situation than to ignore the risks.

RISK ANALYSIS

A risk analysis according to ISO/IEC 27001 (ISO = International
Organization for Standardization, IEC = International Electrotechnical
Commission) has to run through the following steps:
1. Inventory of information assets
2. Determination of protection requirements
3. Identification and assignments of threats (e.g. supported by the BSI
threats catalogue)
4. Identification and assignment of weaknesses
5. Determination of potential extent of loss
6. Determination of probabilities of loss occurring
7. Determination of risks
8. Decision on acceptance of risk
9. Selection of safeguards
10. Documentation of residual risks
11. Documented approval of management

BASIC RISK MANAGEMENT STRATEGIES

We see a lot of threats which could lead to damage or destruction
of ICT systems, and management has to deal with them. Though the variety of
threats and corresponding risks is extremely large, there are only four
basic risk management strategies:
1. Avoidance of threats, which means that you are able to completely
eliminate the threat to your management object. Normally you will
not be able to completely avoid a threat.
2. Reduction of threats, which means that you lower the risk resulting
from that threat. In most cases you will be able to reduce the
potential amount of loss. Whether you can change the probability
of occurrence can only be answered if the specific situation is known.
3. Transfer of risks to a third party, e.g. an insurer. This means that
the third party will take over and pay the amount of loss if the risk
occurs. You will have to pay a fee for that.
4. Acceptance of threats, which is selected when you do not have
any chance to change the situation.
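A worked example, added here and not part of the handout, that computes the risk value of a single threat as the expectation over a constructed loss distribution (the "more correct" definition from the measurement section), applies each of the four strategies above to it, and shows the naive portfolio count beside the summed risk value. The figures, the deductible and fee options and all function names are this example's own assumptions.

```python
"""Risk value as an expectation over a loss distribution, and the effect of the
four basic risk management strategies on that value.  Added example with
constructed figures; it is not taken from the handout."""

# Constructed scenario: one threat occurs with probability 0.2 per year.  The
# amount of loss, given that it occurs, is a random variable given as a list of
# (amount in EUR, conditional probability) pairs.
P_OCCURRENCE = 0.2
LOSS_DISTRIBUTION = [(10_000, 0.5), (50_000, 0.3), (200_000, 0.2)]

def expected_loss(distribution):
    """Expectation value of the random variable 'amount of loss'."""
    if abs(sum(p for _, p in distribution) - 1.0) > 1e-9:
        raise ValueError("conditional probabilities must sum to 1")
    return sum(amount * p for amount, p in distribution)

def risk_value(p_occurrence, distribution):
    """Standard formula: probability of occurrence times expected amount of loss."""
    return p_occurrence * expected_loss(distribution)

def apply_strategy(strategy, p_occurrence, distribution, **opts):
    """Return (residual risk value, fixed yearly cost) for one of the four
    strategies.  The option names are this example's own, not handout terms."""
    if strategy == "avoid":      # threat eliminated: probability of occurrence is 0
        return 0.0, opts.get("cost", 0.0)
    if strategy == "reduce":     # safeguard lowers the loss and/or the probability
        reduced = [(amount * opts.get("loss_factor", 1.0), p) for amount, p in distribution]
        return risk_value(opts.get("p_occurrence", p_occurrence), reduced), opts.get("cost", 0.0)
    if strategy == "transfer":   # insurer pays everything above the deductible, for a fee
        retained = [(min(amount, opts.get("deductible", 0.0)), p) for amount, p in distribution]
        return risk_value(p_occurrence, retained), opts.get("fee", 0.0)
    if strategy == "accept":     # nothing changes: the full risk value stays with us
        return risk_value(p_occurrence, distribution), 0.0
    raise ValueError(f"unknown strategy {strategy!r}")

def total_cost(strategy, **opts):
    """Residual risk value plus fixed cost: the figure to compare strategies on."""
    residual, fixed = apply_strategy(strategy, P_OCCURRENCE, LOSS_DISTRIBUTION, **opts)
    return residual + fixed

def portfolio(risks):
    """Naive measure (number of identified risks) next to the summed risk value."""
    return len(risks), sum(risk_value(p, dist) for p, dist in risks)

if __name__ == "__main__":
    print("risk value:", risk_value(P_OCCURRENCE, LOSS_DISTRIBUTION))
    for name, opts in [("avoid", {"cost": 9_000}), ("reduce", {"loss_factor": 0.5, "cost": 2_000}),
                       ("transfer", {"deductible": 20_000, "fee": 4_000}), ("accept", {})]:
        print(f"{name:9s} total yearly cost: {total_cost(name, **opts):,.0f} EUR")
```

With these constructed numbers the expected yearly loss is 12 000 EUR, and transfer (7 000 EUR incl. fee) beats reduction (8 000), avoidance (9 000) and acceptance (12 000); change the figures and the ranking changes, which is the point of valuing rather than counting risks.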

COMPLIANCE MANAGEMENT
In general, compliance means conforming to a rule, such as
specification, policy, standard or law. Regulatory compliance describes the
goal that organizations aspire to achieve in their efforts to ensure that they
are aware of and take steps to comply with the relevant laws and
regulations.

INTEGRATION INTO GRC MANAGEMENT
Governance, Risk and Compliance (GRC) are three pillars that work
together for the purpose of assuring that an organization meets its
objectives.
Governance is the combination of processes established and
executed by the board of directors that are reflected in the organization's
structure and in how it is managed and led towards achieving given
objectives.
Risk management is predicting and managing risks that could
hinder the organization from achieving its objectives.
Compliance with the company's policies and procedures, laws and
regulations, together with strong and efficient governance, is considered
to be a key factor in an organization's success.

INFORMATION SECURITY MANAGEMENT (ISM)


PROTECTION GOALS
With respect to information there are several common protection
goals:
1. Authenticity: Realness/credibility of an object/subject, which is
verifiable
2. Integrity: Data cannot be manipulated unnoticed and without proper
authorization
3. Confidentiality: Information retrieval not possible without proper
authorization
4. Availability: Authenticated and authorized subjects will not be
restricted in their rights without proper authorization
5. Obligation: A transaction is binding if the executing subject is not able
to disclaim the transaction afterwards
6. Authorization: Power and right to conduct an activity.

THE ISM PROCESS


The information security management process has four major
steps, which are listed below:
1. Initialize
2. Analyze and develop
3. Plan and implement
4. Operation and monitoring

DATA ENCRYPTION
Steganography
The objective is to hide the existence of a message. Specific
applications of this technology are the transfer of messages and digital
watermarking. Examples of steganographic methods are special terms and
phrases in text documents, invisible (sympathetic) ink, or hiding information
in image files by setting single pixels.
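As an added illustration of the last method (not code from the handout), the following embeds a message into the least significant bit of single pixel values of a constructed grey-scale image and reads it back; the pixel data, the length-prefix framing and the function names are assumptions of this example.

```python
"""Hiding a message in an image by setting single pixels: the message bits
replace the least significant bit of successive pixel values.  Added example;
the cover 'image' is a constructed list of 8-bit grey values, not a real file."""

def embed(pixels, message: bytes):
    """Return a copy of the cover pixels carrying the message in their LSBs.
    A 4-byte big-endian length prefix tells the extractor where to stop."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for this message")
    stego = list(pixels)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit   # clear the lowest bit, then set it
    return stego

def extract(pixels):
    """Read the LSBs back: first the length prefix, then that many bytes."""
    def read_bytes(start, count):
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (pixels[start + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)

def max_pixel_change(cover, stego):
    """How far any pixel moved: at most 1 grey level, which the eye cannot see."""
    return max(abs(a - b) for a, b in zip(cover, stego))

if __name__ == "__main__":
    cover = [(x * 37) % 256 for x in range(512)]   # constructed 512-pixel cover
    stego = embed(cover, b"watermark 2016")
    print(extract(stego), "max change:", max_pixel_change(cover, stego))
```

The image looks unchanged because no pixel moves by more than one grey level, which is exactly why such hiding is only found by inspecting the LSB plane statistically rather than by eye.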
Symmetric encryption
The communication protocol runs as follows: A and B define a
common secret key. Then A encrypts the message and sends the
message to B. B receives and decrypts the message by applying the same
key.

Asymmetric encryption

The communication protocol runs as follows: A and B each generate a
pair of keys consisting of a public key and a private key.
Both public keys are published and accessible to any third party. If now A
wants to send a message to B, A encrypts the message with the public key
of B and sends it to B. B receives the message from A and
decrypts it with his private key.

Hash function
Hash functions are considered to be one step towards an electronic
signature. Using a specific algorithm, a hash function generates a
document-specific hash value, a large number assigned to
the actual document. If the document is modified later on, it gets a
different hash value.

Electronic signature
There are some requirements for an electronic signature, which of course
have their origin in traditional signatures. First, it has to prove the
identity of the signer beyond doubt. The signature shall be applied once only
and be valid only in connection with the original document. The signed
document must not be changed afterwards; any change must be visible. The
signature must not be rejectable; the signer must not be able to deny that
he has signed the document.
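The asymmetric exchange, the hash value and the hash-and-sign steps described above, carried through with textbook RSA on tiny primes as an added example (not from the handout or any real library): B's public key encrypts, B's private key decrypts, and A signs the hash of a document so that any later change makes verification fail. The key sizes are far too small for real use, and the party, document and function names are this example's own.

```python
"""Textbook RSA on tiny numbers, walking through the handout's asymmetric
encryption, hash function and electronic signature steps.  Added example,
not from the handout; the primes are deliberately small and insecure."""
import hashlib
from math import gcd

def generate_keypair(p, q, e):
    """Each party runs this once and gets (public key, private key)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)                 # private exponent (Python 3.8+)
    return (n, e), (n, d)

def encrypt(public_key, m: int) -> int:
    """A encrypts with B's public key; only B's private key can undo this."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message integer must be smaller than n")
    return pow(m, e, n)

def decrypt(private_key, c: int) -> int:
    """B applies his private key to recover the message."""
    n, d = private_key
    return pow(c, d, n)

def hash_value(document: bytes, n: int) -> int:
    """Document-specific hash value (SHA-256), reduced mod n to fit the toy key."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n

def sign(private_key, document: bytes) -> int:
    """The signer applies the private key to the hash value, not to the document."""
    n, d = private_key
    return pow(hash_value(document, n), d, n)

def verify(public_key, document: bytes, signature: int) -> bool:
    """Public-key check that signature and document belong together; any
    later change to the document yields another hash and fails this test."""
    n, e = public_key
    return pow(signature, e, n) == hash_value(document, n)

if __name__ == "__main__":
    b_pub, b_priv = generate_keypair(61, 53, e=17)      # B's key pair
    a_pub, a_priv = generate_keypair(101, 103, e=7)     # A's key pair
    c = encrypt(b_pub, 42)
    print("A -> B ciphertext:", c, "-> decrypted by B:", decrypt(b_priv, c))
    doc = b"order 1234: 10 units"
    sig = sign(a_priv, doc)
    print("valid:", verify(a_pub, doc, sig), "tampered:", verify(a_pub, doc + b"0", sig))
```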

Public Key Infrastructure (PKI)

A PKI is built and operated for the secure generation, distribution,
certification, storage/archiving and deletion of (encryption) keys. The
most important term is the certificate. This is a digital confirmation that a
public signature key is assigned to a specific person or organization.

SMART CARDS

A smart card, chip card, or integrated circuit card (ICC) is any
pocket-sized card with embedded integrated circuits. Usually smart cards
are made of plastic. The application focus is the proof of identity. Smart
cards can provide identification, authentication, data storage and
application processing. They may provide strong security authentication for
single sign-on (SSO) within large organizations.

SET (Secure Electronic Transaction)

SET is a credit card based online payment system developed by Visa
and Microsoft, supported by MasterCard, IBM, Netscape and CyberCash.
The first official version was launched in May 1997. SET aims at
enabling secure electronic payment. It is an expensive system and
has low acceptance in the markets.

RELEVANT LAWS
In Germany there are several other laws relevant for E-Commerce:
1. Telecommunications Act (Telekommunikationsgesetz, TKG)
2. Telemedia Act (Telemediengesetz, TMG)
3. Data privacy laws (on federal and state level)
4. Signature law (with a Signature Act, a Signature Policy and a
Signature By-Law)
5. Administrative procedures laws (e.g. Notification Reform Act,
Formal Requirements Adjustment Act, Justice Communications
Act)
6. Antitrust and public procurement laws (with contracting rules
and a law against restraints on competition)

DOMAIN RIGHT

Domains are assigned via ICANN (Internet Corporation for Assigned
Names and Numbers) and its subsidiaries.
The domain .eu was started in 2005. In the beginning it was only
available to owners of registered trademarks. The assignment follows the
first-come, first-served principle. Strong formal procedures have been
established.

LIABILITY FOR DISTURBANCE

A disrupter is a person or organization involved in causing
damage (see BGB § 1004; BGB = German Civil Code). His specific
contribution is not relevant. Accountability is assumed even if you let a
third party cause damage although you would have been able to prevent it.
This accountability applies even if you are not aware of the illegal
activity.

CRIMINAL LAW
Under German criminal law (StGB § 9) an action is deemed to have been
committed where the actor carried it out, where he intended to carry it out,
where the result of his action occurred, or where he expected it to occur.

RIGHTS OF EMPLOYEES
If private use is permitted, then the employer is considered to be
a professional telecommunication services provider. He is no longer
allowed to check mails because the privacy of correspondence, posts and
telecommunications takes precedence over the employer's right to check the
activities of his employees. Therefore the explicit prohibition of private
use of any system of the organization is strongly recommended.

For further discussion please refer to the link provided: Security and Compliance Management
[Link]
For further discussion please refer to the link provided: Threats of ICT Systems
[Link]
For further discussion please refer to the link provided: Basic Risk Management Strategies
[Link]

Reference Books:
Introduction to E-Commerce
(Combining Business and Information Technology)
By: Martin Kutz, 1st Edition 2016

Internet Marketing
(2011, The Internet Marketing Academy and Ventus Publishing ApS)

