
Internet Acceptable Usage Policy
Sharman Lichtenstein

Organizations are becoming aware of the need to control employee usage of the Internet while at the same time gaining maximum benefit from Internet connection. One means by which this aim may be achieved is the Internet acceptable usage policy. This article examines the development, structure, content and management of an organization's Internet acceptable usage policy. Important issues highlighted by the article include the influences of organizational and national culture, privacy, employee rights, freedoms, responsibilities, duties, accountability, and other human issues, in Internet acceptable usage policy.

Introduction

The rapid adoption and diffusion of Internet technology into the workplace has introduced serious new organizational security concerns. The Internet's many vulnerabilities have been well exploited by hackers, competitors, disgruntled employees and ex-employees, resulting in damage, disruption and an atmosphere of uncertainty. Organizations have been employing the Internet for information sharing and management, research, communication and collaboration, and access to applications. Many employees connected to the Internet for such purposes have been unwittingly contributing to their organization's information security problems by making dangerous assumptions about Internet security or by harnessing the power and availability of the Internet resource for undesirable purposes such as nonbusiness usage.

As a response to this recently observed organizational Internet security problem, companies have begun developing Internet security programs, comprising measures which address organizational Internet risks and other security concerns. It is now well accepted that information security is as much a human problem as a technological one (Wood, 1995). Policies, procedures, standards and other management instructions are therefore of special importance in that they aim to control the human factor. The Internet acceptable usage policy is thus a key element in an organization's Internet security program, its purpose being "to direct staff in the use of Internet services so use will be acceptable to the public and the (organization)" (Heard, 1996). The policy contains guidelines for employees indicating those Internet usages which are acceptable as well as those which are unacceptable, thereby attempting to control employee behaviours and actions which contribute to the incidence and severity of Internet risks.

Computer Audit Update, December 1996. © 1996, Elsevier Science Ltd.

Internet risks for organizations

A complete set of the Internet risks to which an organization is exposed through Internet usage is shown by the model in Figure 1. The model has been compiled via a study of previous findings (for example, Cheswick et al., 1994; NIST, 1994a, 1996; Cohen, 1995; Cooper, 1995; Starlings, 1995; FNC, 1995a).

Figure 1: Internet risks for an organization

The central circle denotes an organization with Internet connection. The outer ring labelled 'Other Internet Participants' denotes other members of the Internet community with whom the organization communicates via the Internet. The two-way arrows portray Internet risks which can emanate from within the organization and affect other Internet participants, or which can emanate from other Internet participants and affect the organization. Each arrow represents a different type of Internet risk, as briefly described below.


Accidental erroneous business transactions

Organizations or employees may accidentally issue transactions incorrectly, for example, by sending a transaction to the wrong application at another organization.

Low quality data

The quality of data being exchanged via the Internet is questionable, in that it may be inaccurate, untimely, inconsistent, or merely opinion rather than fact (Mathieu et al., 1995). Organizations or employees may accidentally issue transactions which contain incorrect data (for example, by inclusion of an inaccurate data field). Another manifestation of the problem is that initially correct information, in the form of business transaction data or communications, may become altered in transit, either deliberately, by an attacker positioned in the communication path (eavesdropping, also known as sniffing or snooping, is the passive form of the same interception and by itself only discloses the data), or accidentally (Mathieu et al., 1995). Outdated (i.e. untimely) information may remain on old Web sites. Conflicting versions of data may exist, for example, two versions of a database. Subjective opinion, rather than fact, may be transmitted by organizations or individuals, via postings.

Non-business activities

Employees may be using the Internet for a variety of nonbusiness activities, including surfing the Internet, Internet relay chatting, downloading games and images, personal use of E-mail, personal use of other tools (for example, videoconferencing), netphones and newsgroups.

Accidental/deliberate disclosure

Employees may be incautious in their use of the Internet when communicating possibly confidential business matters. An example of accidental disclosure is the inclusion of confidential information within E-mail, a Web site, or another posting mechanism.

Deliberate disclosure may occur. For example, a rival firm's employees may attempt to view useful information within another firm's systems, without authorization, with the aim of gaining a competitive advantage.

Junk E-mail

Organizations or employees may send unwanted E-mail to one another, representing an infringement of privacy rights. Spamming of individuals or sites may occur, this being the sending of excess flame mail, sometimes referred to as mail-bombing, indicative of a decline in civility between Internet participants (Highland, 1996).

Inaccurate advertising

An organization or employee may 'advertise' within E-mail, Web sites, or other posting mechanisms, in such a way as to appear to represent an official view. The content of this information may be inaccurate, in an organizational context.

Hacking

An employee may gain unauthorized access to an organization's systems or data either out of curiosity or for a more harmful reason, and may subsequently cause damage. The well-known risk of impersonation is included in this risk type, two pertinent examples being the forging of electronic mail ("E-mail is usually easy to forge, being the electronic equivalent to a postcard written in pencil") and the existence of undependable Internet identifications (NIST, 1996).

Internet-transferred threats

Other Internet participants may act as a source or conduit for harmful threats to attack an organization. For example, a flaw in an Internet component may be exploited in order to transfer threats from outside into the organization.


Pirated media

An employee may download software or data in breach of copyright or licensing laws.

Corrupted or erroneous software

An employee may download software containing bugs, or malicious software such as viruses and trojan horse programs. Web browsers are particularly dangerous, in their provision of access to untrustworthy systems and in their invocation of unproven applications.

Both deliberate and accidental types of risks have been included in the model, although the difference between deliberate and accidental is often extremely difficult to determine. For example, Vanbokkelen (1990) remarked that "Security is subjective; one site might view as idle curiosity what another would view as a hostile probe". Losses which may be incurred by organizations due to occurrences of the risks described include the existence of corrupted, erroneous or pirated software on the organization's systems, erroneous data, misinformation, loss of privacy, damaged employee reputations, and monetary or credit damage (NIST, 1996).

It should be noted that although not all of the Internet risks represented in the model emanate from an organization's employees, each risk may affect an employee in some way. Employees should be made aware of the complete set of risks, consequent losses and recommended remedies, through appropriate channels such as security policies and security education. In particular, it is imperative that risks which are influenced by employee behaviours and actions be addressed by an organization's Internet acceptable usage policy.

Internet acceptable usage policy

Although organizational security policies have been extensively researched in recent years (for example, IETF, 1991; Pethia et al., 1991; Wamman, 1992; NIST, 1994b; Olnes, 1994; Abrams et al., 1995a, 1995b; FNC, 1995b; Olson et al., 1995; Wood, 1995), only limited research has been carried out into defining the structure and content of Internet acceptable usage policies (for example, Heard, 1996; Lichtenstein, 1996a). One view of the positioning of the Internet acceptable usage policy within an organization is described in Lichtenstein (1996a). An organization mounts a corporate security program containing many elements, one element being an Internet security program which contains an Internet security policy (as well as other elements). This policy contains the Internet acceptable usage policy (as well as other subpolicies, such as an Internet information protection policy).

An indicator of possible content for an Internet acceptable usage policy can be obtained from the guidelines produced by The Internet Security Committee of British Columbia, reported in Heard (1996). These guidelines recommend that an Internet acceptable usage policy contain subpolicies which advocate high employee ethical standards, business-only usage, adherence to copyright and licensing laws, and nondisclosure of confidential information. Acceptable business usages cited are business communications, professional development communications, and pre-approved postings unless disclaimers are attached. Unacceptable business usages cited include non-business related postings, interference or disruptions to other Internet participants, distribution of malicious, rude, obscene or harassing material, and personal financial gain. The policy should also define roles and responsibilities for different individuals and groups in the organization, as well as the consequences of employee non-compliance.

It can be seen that the acceptable and unacceptable usage policies which are typically included within an Internet acceptable usage policy control employee behaviours and actions which contribute to the risks represented in the Internet risks model described earlier. Any process for developing the policy must therefore incorporate an assessment of these Internet risks, as well as an evaluation of the human issues which may arise in attempted control of Internet related employee behaviours and actions.

Figure 2: Framework for developing an organization's Internet acceptable usage policy

Development of Internet acceptable usage policy

A typical strategy for the engineering of information security in an organization comprises four phases (Abrams et al., 1995b):

- a requirements definition phase, culminating in a Corporate Information Security Policy containing layers of policies and procedures;
- a design phase, resulting in a set of security mechanisms which implement the requirements;
- an integration phase, which results in the coordinated security system being put in place;
- a certification or accreditation phase, which results in a certificate of accreditation being produced, if relevant.

The Corporate Information Security Policy is of critical importance to an organization's information security program. It contains the complete information security requirements for the organization, in the form of layers of policies representing progressively more refined and progressively more rule-like policies, addressing different audiences and different aspects of information security. The creation of appropriate policies involves many choices and decisions, from high-level decisions concerning organizational objectives down to lower-level decisions regarding hardware. The Internet security policy is a subpolicy of the Corporate Information Security Policy, and the Internet acceptable usage policy is a subpolicy of the Internet security policy. The Internet acceptable usage policy should be determined during the requirements definition phase.

Various approaches to the development of different types of security policies have been described (for example, Olnes, 1994). A framework for the development of an Internet acceptable usage policy is shown in Figure 2, and described below.

The approach used is top-down hierarchical development of the policy. Initially, a risk assessment process is carried out in order to determine and prioritize significant information security risks for the organization, as recommended by Wood (1995). The Internet risks model presented in Figure 1 helps to identify the organizational Internet risks; these are then added to the existing information security data. The accumulated security data is then input into the risk assessment process and analysed, to determine a prioritized set of significant risks. These prioritized risks are considered, together with a study of the relevant holistic information security issues, by various policy making processes. An initial policy making process produces the Corporate Information Security Policy. High-level policies from the corporate document are refined by further policy making processes to create lower-level policies. Internet-related policies are refined to create the Internet security policy and the Internet acceptable usage policy.

Holistic issues in Internet acceptable usage policy

A popular interpretation of holism is the study of the broad, all-encompassing picture, rather than separate considerations of individual components. Many researchers have advocated holistic perspectives for information security (for example, Hartmann, 1995; Olson et al., 1995; Yngstrom, 1995; Lichtenstein, 1996a, 1996b). Olson et al. (1995) suggest that an organization's information security policies should take into account the organization's information security philosophy, national policy, international standards, political issues, relevant organizational policies, implementation platform limitations, and ethical, legal and privacy issues. The Internet acceptable usage policy development approach which has been described in this article considers these holistic issues. Yngstrom (1995) classifies holistic information security issues as legal, managerial, administrative and operational, technical, and human issues.

Legal issues

An organization needs to be aware of relevant laws and standards prior to setting policy. Legal issues to be addressed by the policy include the need for employees to adhere to state, national and international laws pertaining to copyright and licensing, theft and terrorism, privacy, trademark and trade secrets, evidence law, jurisdictional issues, and the publication and accessibility of offensive material. An extensive treatment of legal issues in cyberspace may be found in Cavazos et al. (1994). Employees will need guidance as to those operations which are legal or illegal to perform on the Internet, within the Internet acceptable usage policy.

Managerial issues

Management commitment

Management commitment to the policy is a primary managerial requirement, expressed within the Internet acceptable usage policy as a clarification of management expectations for employee behaviours and actions.

Internet security program

A comprehensive Internet security program must be compiled to provide appropriate support for the Internet acceptable usage policy. This program must itself be part of a comprehensive organizational information security program. The Internet security program should include risk assessment, policy determination, readily available and accessible written policies, monitoring, and an Internet security awareness program.

Internet security awareness program

Internet security awareness programs should include not only provision of the written Internet acceptable usage policy, but also Internet security awareness sessions, Internet security training sessions, presentations, videos, guest speakers, panels and newsletters (NIST, 1994a; 1996). At awareness and training sessions, acceptable usage policy can be clarified. For example, terms such as "reasonable and prudent precautions" should be explained (Branstad et al., 1995). Educational information disseminated should include plentiful examples of acceptable and unacceptable Internet usages, cautionary messages about downloading unapproved software, protectionary configuration advice and remedies based on risk loss control or mitigation. Employees should be educated about possible losses to the system, to themselves, or to other Internet participants, incurred through either accidental misuse or deliberate abuse. Employees may refuse to accept accountability for their actions without adequate Internet security awareness programs in place.

Policy integration

Support should be provided by other, complementary information security policies such as an Internet information protection policy (Lichtenstein, 1996b), as well as by standards, guidelines and procedures (for example, procedures for the development of individual, employee Web pages). The Internet acceptable usage policy should also be integrated with other organizational policies, such as the organization's Code of Conduct, in order to ensure consistency between policies.

Administrative and operational issues

Administrative and operational tasks need to be considered and defined. For example, procedures for applying, monitoring and auditing the security policies are required (Branstad et al., 1995).

Technical issues

Technical mechanisms must be determined, acquired, installed and monitored, in order to implement the security requirements specified in the policy. Procedures must be specified for ensuring that appropriate mechanisms (for example, firewalls) are selected, installed, and monitored.

Human issues

The human influence in all spheres of information security is well known. Addressing the human factor is of the utmost importance, it having oft been stated that the long-term success of the Internet or any future global information infrastructure depends on the successful handling of human factors. Many human issues are of concern to an organization's employees in the development of Internet acceptable usage policy.

Individual information security requirements

Kohl (1995) noted the following major information security requirements for individual users:

- informational self-determination: the need for individuals to be in control of access to personal data about themselves;
- non-repudiation: the inability of an individual to deny having performed an operation;
- reproducibility: the credibility and consistency of actions and reactions in a system;
- design potential: the ability to design one's own information security measures.

Employees expect organizational security policies to instil confidence in the above aspects of an organization's information security environment, as well as catering for the following employee humanistic concerns.

National and organizational culture

Internet business collaboration is enabled by open E-mail, groupware, discussion groups, address and phone look-up, audio and video services, plus network-transparent calendaring and scheduling. Nance et al. (1995) highlighted the need for organizations to understand the different national and organizational cultures with whom they are collaborating technologically. These cultural differences impact heavily on individual ethical behaviour and the effectiveness of the collaboration.

Cultures may differ in their acceptance of the authority behind a policy (Condon et al., 1985). Some cultures obey laws and policies quite readily, while others require active enforcement and sanctions as added inducements. Cultural issues gain significance whenever interaction between people of different cultures takes place. "Language barriers, nonverbal communication, overscrutinization, socialization and intimacy, and interpersonal synchrony" were all identified by Nance et al. (1995) as problematic issues in global, computer-mediated communication, leading to possible misinterpretation and error. Despite difficulties which may be encountered in attempting to provide comprehensive and effective solutions to multicultural problems within an Internet acceptable usage policy, some guidance is advisable.

Etiquette

Many attempts have been made to standardise general user etiquette (netiquette) for Internet use (Highland, 1996). An organization may wish to vary netiquette to suit their culture, with variations being documented within the Internet acceptable usage policy.

Rights and freedoms

Employee rights and freedoms should be recognized within the Internet acceptable usage policy. An employee's right to privacy is especially important within the context of global exposure, and an assurance of employee privacy rights is considered essential to the future success of global information infrastructures. Privacy may be defined as "the ability of an individual to control information about oneself, and communications to which the individual is a party", with current privacy concerns revolving around personal information, transactions and communications (NIIAC, 1995). For example, employees may not desire personal information about themselves to be published and made available on the Internet via Web pages or other means.

An anticipated, substantial increase in technology-enabled cross-border flows of personal data in European communities, in order to enable internal market operation (EC, 1995), is also expected to take place globally. Consequently, there should be guidance provided through the Internet acceptable usage policy regarding acceptable communication and accessibility of any such personal data. It should be noted that this personal data may not only relate to employees, but may concern other individuals (for example, the organization's clients).

Sophisticated security services which support the privacy of Internet operations may be desired by employees, for example, unobservability, anonymity, unlinkability and pseudonymity (Rannenberg, 1994). If these services are provided, the employee should be duly informed within the policy. The services are defined as:

- Unobservability: a user may use a resource or service without other users, especially third parties, being able to observe that the resource or service is being used.
- Non-repudiation: a subject cannot deny accountability with respect to a particular operation.
- Anonymity: a user may use a resource or service without disclosing identity.
- Unlinkability: a user may make multiple uses of resources or services without others being able to link these uses together.
- Pseudonymity: a user may use a resource or service without disclosing identity, but can still be held accountable for that use.

Employees will not only demand their rights but also their freedoms in the workplace, as illustrated by the traditionally accepted personal usage of the office telephone. In many organizations, employees may feel unduly restricted and may strongly protest if totally prohibited from personal usage of the Internet. Employees may feel that they should be free to send personal E-mail, surf the Internet, download games and images, subscribe to listservers, and so forth. Cultural patterns will influence the amount and types of freedom which employees expect.

Responsibilities, duties and accountability

Specific policies must clarify business and nonbusiness usages of the Internet. Employees may need to perform selected business activities requiring Internet usage for the purpose of information sharing and management, research, communication and collaboration, or access to applications. Examples of valid business usages of the Internet are:

- electronic commerce transactions;
- exchanging mail with clients and other third parties;
- participation in technical news groups;
- monitoring of dynamic business information (for example, stock market data).

It is becoming increasingly difficult to define a usage as personal or business, as communication and collaboration may involve personal exchanges as a cultural expectation (see earlier discussion on culture). Acceptable and unacceptable usage policies will thus need to be interpreted by employees and authorities in the context of the organization's culture.

Employees may be held accountable for various Internet activities and for residual system conditions after an Internet misuse or abuse. Policies which clarify employee accountability are extremely difficult to formulate. For example, data exchanged by employees over the Internet may be of poor quality, yet current legal and ethical guidelines for determining liability and accountability for the quality of Internet information are inadequate (Mathieu et al., 1995). In such conditions, how can policies place the blame for poor data quality with the employee? Employees will also need to be assured that adequate services which support true accountability are in place, namely authentication and non-repudiation. As noted earlier, employees may refuse to be held accountable for their actions without adequate policy awareness measures. The following definitions explain what is being requested by employees.

- Accountability: the responsibilities and accountability of all parties involved should be made explicit. The system should provide a comprehensive, secure history of security-related actions, to enable employee accountability.
- Authentication: each employee should be identified and verified by the system.
- Non-repudiation (from Kohl, 1995): an employee should be unable to deny having performed an operation.

Non-compliance

Employees will wish to know their level of culpability with respect to breaching policy. Sanctions for breaching policy should be clearly defined and should be acceptable to employees. In order to achieve acceptance, suitable warnings, reprimands, and other punitive measures need to be developed by negotiation with representative employees. Exceptions to policy should always be possible, and the path of action for approval of such exceptions clarified within the policy.

Conclusion

With the growing Internet security threat to organizations combined with increasing employee expectations in Internet usage, an organization's Internet acceptable usage policy must be recognized as a vital, organizational information security measure. This article has provided insight into its role, structure, content, development and management, as well as highlighting some important, humanistic considerations. It has been clearly shown that a recognition of the views and needs of employees is crucial to the effectiveness of the policy.

Organizational Internet security measures, however, cannot on their own guarantee organizational Internet security. The cooperation of other Internet participants and a secure external Internet infrastructure are essential co-requirements. Continued changes, in the form of improved Internet technology, developing laws and standards, and changing social norms, will necessitate regular re-examination and revision of a company's Internet acceptable usage policy. An organization must place someone in charge of Internet acceptable usage policy interpretation, capable of evaluating an employee's behaviour and actions in the face of the constantly changing, increasingly vulnerable, Internet business environment.

Ms Sharman Lichtenstein is a senior lecturer in the Department of Information Systems at Monash University, Melbourne, Australia.

References Abrams, M.D. and Bailey, D. (1995a) “Ab- straction and Refinement of Layered Se- curity Policy” in M.D. Abrams, S. Jajodia and H.J. PodelI (eds); Information Security - an Integrated Collection of Essays, IEEE Computer Society Press, Los AIamitos, California.

Abrams, M.D., Podell, H.J. and Gambel, D.W. (1995b) "Security Engineering", in M.D. Abrams, S. Jajodia and H.J. Podell (eds), Information Security: An Integrated Collection of Essays, IEEE Computer Society Press, Los Alamitos, California.

Branstad, D., Oldehoff, A., Aiken, R. and others (1995) Security Policy for Use of the National Research and Education Network, in FNC (1995b), Appendix 4.

Cavazos, E.A. and Morin, G. (1994) Cyberspace and the Law: Your Rights and Duties in the On-line World, MIT Press.

Cheswick, W. and Bellovin, S. (1994) Firewalls and Internet Security, Addison-Wesley Publishing Company, Massachusetts, USA.

Cohen, F.B. (1995) Protection and Security on the Information Superhighway, John Wiley & Sons, Inc.

Condon, J.C. and Yousef, F. (1985) An Introduction to Intercultural Communication, Macmillan.

Cooper, F.J. (1995) Implementing Internet Security, New Riders Publishing.

Doddrell, G.R. (1995) "Information security and the Internet", Information Management & Computer Security, Vol. 3 No. 4.

EC (1995) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal of the European Communities, 23 November 1995, No. L 281.

FNC (Federal Networking Council) (1995a) Federal Internet Security Framework for Action (Draft), Federal Networking Council, Security Working Group.

FNC (Federal Networking Council) (1995b) Federal Internet Security Plan (FISP), Federal Networking Council, Security Working Group.

Hartmann, A. (1995) "Comprehensive Information Technology Security: A New Approach to Respond Ethical and Social Issues Surrounding Information Security in the 21st Century", in Information Security: the Next Decade, IFIP/Sec '95, Proc. of the IFIP TC11 Eleventh International Conference on Information Security (Eloff, J.H.P. and von Solms, S.H., eds.), Chapman and Hall.

Heard, F.T. (1996) "Internet Security Policies and Internet Appropriate Use Policies", Proceedings of EDPAC 96 Conference, Perth, Australia.

Highland, H.H. (1996) "Random Bits and Bytes", Computers & Security, Vol. 15 No. 1.

IETF (1991) Site Security Handbook (Holbrook, P. and Reynolds, J., eds.), IETF RFC 1244.

Kohl, U. (1995) "From Social Requirements to Technical Solutions: Bridging the Gap with User-Oriented Data Security", in Information Security: the Next Decade, IFIP/Sec '95, Proc. of the IFIP TC11 Eleventh International Conference on Information Security (Eloff, J.H.P. and von Solms, S.H., eds.), Chapman and Hall.

Lichtenstein, S. (1996a) Information Security Principles: a Holistic View, Working Paper 3/96, Department of Information Systems, Monash University, Melbourne.

Lichtenstein, S. (1996b) Engineering an Internet Security Policy: a Holistic and Organizational Approach, Working Paper 9/96, Department of Information Systems, Monash University, Melbourne.

Mathieu, R.G. and Woodard, R.L. (1995) "Data integrity and the Internet: implications for management", Information Management & Computer Security, Vol. 3 No.

Nance, K.L. and Strohmaier, M. (1995) "Ethical Information Security in a Cross-Cultural Environment", in Information Security: the Next Decade, IFIP/Sec '95, Proc. of the IFIP TC11 Eleventh International Conference on Information Security (Eloff, J.H.P. and von Solms, S.H., eds.), Chapman and Hall.

NIIAC (1995) Commentary on the Privacy and Related Security Principles, Mega Project III of the National Information Infrastructure Advisory Council.

NIST (1994a) Reducing the Risks of Internet Connection and Use, Computer Systems Laboratory Bulletin.

NIST (1994b) Computer Security Policy, Computer Systems Laboratory Bulletin.

NIST (1996) The World Wide Web: Managing Security Risks, Computer Systems Laboratory Bulletin.

Olnes, J. (1994) "Development of security policies", Computers & Security, Vol. 13 No. 8.

Olson, I.M. and Abrams, M.D. (1995) "Information Security Policy", in Information Security: An Integrated Collection of Essays (Abrams, M.D., Jajodia, S. and Podell, H.J., eds.), IEEE Computer Society Press, Los Alamitos, California.

Pethia, R., Crocker, S. and Fraser, B. (1991) Guidelines for the Secure Operation of the Internet, IETF RFC 1281.

Rannenberg, K. (1994) "Recent Development in Information Technology Security Evaluation: The Need for Evaluation Criteria for Multilateral Security", in Proc. Security and Control of Information Technology in Society (Sizer, R., Yngstrom, L., Kaspersen, H. and Fischer-Hubner, S., eds.), IFIP Transactions A-43, Elsevier Science B.V. (North-Holland).

Stallings, W. (1995) Internet Security Handbook, IDG Books Worldwide, Inc.

VanBokkelen, J. (1990) The Internet Oral Tradition, IETF RFC 1173.

Warman, A.R. (1992) "Organizational Computer Security Policies: the Reality", European Journal of Information Systems, Vol. 1 No. 5.

Wood, C. C. (1995) “Writing InfoSec Policies”, Computers & Security, Vol. 14.

Yngstrom, L. (1995) "A Holistic Approach to IT Security", in Information Security: the Next Decade, IFIP/Sec '95, Proc. of the IFIP TC11 Eleventh International Conference on Information Security (Eloff, J.H.P. and von Solms, S.H., eds.), Chapman and Hall.