The European Journal for the Informatics Professional http://www.upgrade-cepis.org Vol. IV, No. 6, December 2003 IT Contingency Planning & Business Continuity

IT Contingency Planning & Business Continuity



UPGRADE is the European Journal for the Informatics Professional, published bimonthly at <http://www.upgrade-cepis.org/>

Publisher

UPGRADE is published on behalf of CEPIS (Council of European Professional Informatics Societies, <http://www.cepis.org/>) by NOVÁTICA <http://www.ati.es/novatica/>, journal of the Spanish CEPIS society ATI (Asociación de Técnicos de Informática, <http://www.ati.es/>). UPGRADE is also published in Spanish (full issue printed, some articles online) by NOVÁTICA, and in Italian (abstracts and some articles online) by the Italian CEPIS society ALSI <http://www.alsi.it> and the Italian IT portal Tecnoteca <http://www.tecnoteca.it/>. UPGRADE was created in October 2000 by CEPIS and was first published by NOVÁTICA and INFORMATIK/INFORMATIQUE, bimonthly journal of SVI/FSI (Swiss Federation of Professional Informatics Societies, <http://www.svifsi.ch/>).

Editorial Team

Chief Editor: Rafael Fernández Calvo, Spain, <[email protected]>
Associate Editors: François Louis Nicolet, Switzerland, <[email protected]>; Roberto Carniel, Italy, <[email protected]>

Editorial Board

Prof. Wolffried Stucky, CEPIS Past President; Fernando Piera Gómez and Rafael Fernández Calvo, ATI (Spain); François Louis Nicolet, SI (Switzerland); Roberto Carniel, ALSI – Tecnoteca (Italy)

English Editors:

Mike Andersson, Richard Butchart, David Cash, Arthur Cook, Tracey Darch, Laura Davies, Nick Dunn, Rodney Fennemore, Hilary Green, Roger Harris, Michael Hird, Jim Holder, Alasdair MacLeod, Pat Moody, Adam David Moss, Phil Parkin, Brian Robson.

Cover page designed by Antonio Crespo Foix, © ATI 2003

Layout: Pascale Schürmann

E-mail addresses for editorial correspondence: <[email protected]>, <[email protected]> or <[email protected]>

E-mail address for advertising correspondence: <[email protected]>

Upgrade Newslist available at <http://www.upgrade-cepis.org/pages/editinfo.html#newslist>

Copyright

© NOVÀTICA 2003. All rights reserved. Abstracting is permitted with credit to the source. For copying, reprint, or republication permission, write to the editors.

The opinions expressed by the authors are their exclusive responsibility.

ISSN 1684-5285

Vol. IV, No. 6, December 2003

2 Editorial: UPGRADE, the European Informatics Journal of CEPIS

– Jouko Ruissalo, President of CEPIS

The recently appointed President of CEPIS describes the latest achievements of UPGRADE, reaffirms the commitment of CEPIS to UPGRADE, and transmits all the readers his best wishes for a fruitful 2004.

Joint issue with NOVÁTICA *

3 Presentation: IT Contingency Plans: More than Technology

– Roberto Moya-Quiles and Stefano Zanero

The guest editors present the issue, explaining what Information Technologies Contingency Plans are and mean, looking not only into their technologic aspects but also into the business continuity and regulatory ones, since computer and network infrastructures are becoming increasingly important for the normal operation of organizations and for the development of our Information Societies as a whole.

6 Empirical Study of the Evolution of Computer Security and Auditing in Spanish Companies

– Francisco-José Martínez-López, Paula Luna-Huertas, Francisco J. Martínez-López, and Luis Martínez-López

The authors offer us the fruits of their research into medium size and large enterprises, which although it was conducted in Spain is to a large extent equally applicable to other countries.

12 Information Systems Auditing of Business Continuity Plans

– Agatino Grillo

With particular reference to the financial sector, the author describes how Continuity Plans are not only a corporate requirement in as much as service continuity is vital to business, but are also gradually becoming a legal requirement.

17 Business Continuity Controls in ISO 17799 and COBIT

– José-Fernando Carvajal-Vión and Miguel García-Menéndez

This article includes a detailed comparison between the two most important standards in the world for controlling business continuity from the ICT perspective.

24 Implementation of a Contingency Plan Audit

– Marina Touriño-Troitiño

The author advocates the need for ICT contingency plans to be audited as well, given the important role they play in guaranteeing business continuity.

26 Public Initiatives in Europe and the USA to Protect against Contingencies in Information Infrastructures

– Miguel García-Ménendez and José-Fernando Carvajal-Vión

This article shows the importance that public institutions give to the uninterrupted working of their information infrastructures which are key to the economic and social life of developed countries by describing US and European government plans in this regard.

30 Business Continuity and IT Contingency Planning in the Mobile Telephony Industry

– Miguel-Andrés Santisteban-García

This article reviews Business Continuity Plans in the mobile operator industry, where the rapid growth of the telecommunication industry has meant that non-customer focused processes, in particular network protection and availability, have been often neglected.

32 ICT Contingency Plans and Regulatory Legislation of e-Commerce and Data Protection – Paloma Llaneza-González

The author explains that any ICT Contingency Plan must take into consideration applicable legal and regulatory requirements, and analyses Spanish regulations in the fields of e-Commerce and Data Protection, which are very similar to those of other EU countries, all of them being based on the same European Directives.

39 Information Technologies and Privacy Protection in Europe

– David D’Agostini and Antonio Piva

The authors give their assessment of European Directive 95/46/EC on Protection of Personal Data, with special emphasis on spamming, a phenomenon which poses an ever increasing threat to the correct functioning of the Internet.

42 Legal Analysis of a Case of Cross-border Cyber-crime

– Nadina Foggetti

Based on a practical case, in this article the author reveals in a detailed way how the divergence of legislations governing system and network intrusions open up legal loopholes for technological criminals.

52 The European Network and Information Security Agency (ENISA) – Boosting Security and Confidence

– Erkki Liikanen

The author, member of the European Commission, responsible for Enterprise and the Information Society, closes the issue proclaiming that security and continuity of ICT resources must be preserved because they are vital for the progress of our Information Society, and explains the role that ENISA will play in this respect.

* This monograph will be also published in Spanish (full issue printed; summary, abstracts and some articles online) by NOVÁTICA, journal of the Spanish CEPIS society ATI (Asociación de Técnicos de Informática) at <http://www.ati.es/novatica/>, and in Italian (online edition only, containing summary abstracts and some articles) by the Italian CEPIS society ALSI and the Italian IT portal Tecnoteca at <http://www.tecnoteca.it>.

IT Contingency Planning & Business Continuity

Guest Editors: Roberto Moya-Quiles and Stefano Zanero

Next issue (January 2004): “Wireless Networks”


Editorial

UPGRADE, the European Informatics Journal of CEPIS

As most of our readers will already know, this digital journal is an initiative of CEPIS (Council of European Professional Societies, <http://www.cepis.org>), an organisation founded in 1989, bringing together 36 professional informatics societies throughout 32 European countries, and representing more than 200,000 ICT professionals.

UPGRADE was created in October 2000 as a result of a decision on the part of CEPIS to complement the existing publications of its member societies with a European-wide journal providing a valuable source of updated knowledge via articles written by recognised experts.

Three years on, UPGRADE has made some very significant steps forward and, while it is still far from realizing all of its potential, our journal can already boast some outstanding achievements. I will especially highlight three facts:

1. By the end of the current year, nearly 650,000 articles in PDF from the 19 issues published so far will have been accessed. The journal has been visited most from European countries, with Italy being the most frequent visitor, though other continents have also been significantly represented.

2. According to the info provided by the US company SEVENtwentyfour Inc., specialised in Internet rankings, and also according to data collected from our own research, the UPGRADE site is amongst the top ones listed by some of the main search engines when searching for the significant string “european informatics journal”. More specifically, UPGRADE is ranked as number 1 in Google, Lycos and All the Web, number 2 in MSN Search and Hotbot, number 4 in Yahoo, and number 5 in AOL.

3. The UPGRADE Newslist, a non-automated, non-commercial list the purpose of which is to distribute relevant news about our digital journal such as publication of new issues, calls for papers, etc., has reached almost 1,000 subscribers since its creation in February 2003.

As we bring this year to a close, as president of CEPIS appointed at the Council meeting held in Budapest last November I would like to reaffirm the commitment of CEPIS (and especially its new Executive Committee) to UPGRADE, in order to ensure the journal’s continuing progress.

Thanks also go to our multinational Editorial Team for all their hard work; to the Spanish CEPIS society ATI (Asociación de Técnicos de Informática) and its journal NOVÁTICA for providing the means and infrastructure for the operation of UPGRADE; to the English language editors who ensure idiomatic correctness in a multilingual environment; and to a large number of authors and guest editors for their generosity in sharing their knowledge and expertise with the tens of thousands of annual visitors to our website <http://www.upgrade-cepis.org>.

Last but not least, special thanks must also go to my predecessor, Prof. Wolffried Stucky, during whose tenure UPGRADE was born as a result of his vision and efforts.

Finally, let me wish all the readers of UPGRADE a fruitful 2004.

Jouko Ruissalo

President of CEPIS <[email protected]>

CEPIS, Council of European Professional Informatics Societies, is a non-profit organisation seeking to improve and promote high standards among informatics professionals in recognition of the impact that informatics has on employment, business and society.

CEPIS unites 36 professional informatics societies over 32 European countries, representing more than 200.000 ICT professionals.



Presentation

IT Contingency Plans: More than Technology

Roberto Moya-Quiles and Stefano Zanero

1 Introduction

IT Contingency Plans have become one of the common concerns of all organisations, especially those of a certain size – medium to large – which, like practically every organisation these days, base their business processes on information systems and technologies. The scope of these plans, which in the past were often erroneously considered as being the sole responsibility of the operations section of Data Processing Centres (largely due to the negligence or ignorance of the management of the enterprises) has undergone a major evolution and they are now an integral part of Business Recovery Plans and Business Continuity Plans.

Nevertheless, the basic conceptual aims of Contingency Plans have remained unchanged over the years: assessment of specific risks, response time to a wide range of incidents, tolerance to data loss and to the time service is degraded, reliability of processes with regard to transaction and information integrity in the event of interruptions or incidents, synchronization and backup of data, cost of implementing and maintaining the plan, etc. SLA (Service Level Agreement) contracts with Backup Services, and Service Continuity using outsourced technology and communications suppliers are also becoming increasingly more important.

However, the many and far-reaching changes in available technologies have been shaping these plans and making them harder to implement, due to the need to take into account a huge and ever growing number of details for each particular application configuration and architecture. Furthermore, regulations at a number of different levels are adding their requirements to these plans. There are not only Directives and Regulations, but also sectorial rules, the most important of which come from the financial sector, such as the Bank for International Settlements in Basle (<http://www.bis.org/>) and the US Federal Reserve, or the Fed as it is popularly known, (<http://www.federalreserve.gov/>).

2 Three Scenarios

We can break down the kind of situations currently emerging into at least three typical scenarios:

1. In the first scenario, data processing centres make their backup copies in duplicate and keep one of the copies in a purpose built outsourced centre at an appropriately secure site. The most important obligation of the contract (Service Level Agreement) signed with the Alternative Centre service provider is basically that of restoring the copies stored in the purpose built outsourced centre and restarting services when required. This scenario is typical of centres dealing mostly with batch processes.

2. A second scenario consists of adding permanent communication to the alternative centre via lines (VLANs, Internet, ISDN, etc.), thereby keeping the most critical databases up to date and enabling a faster response for services involving communication, as tends to be reflected in the contract.

3. Finally, the third scenario could be the use of multiplatform disk technology with direct connection by optical fibre between the two centres, something which is not always possible as limitations imposed by distance may mean that the backup centre faces similar risks to the one it is backing up, for example natural disasters. This scenario is the one which is best suited to responding to serious incidents in major operational centres with front-end web services.


Roberto Moya-Quiles is a Doctor of Physical Sciences, specialising in Computational Science, and is also a graduate in Computer Science and a CISA (Certified Information Systems Auditor) auditor. He has 34 years’ experience in a variety of managerial roles in the field of Information Systems (IT management, consulting, training, security and control, auditing, and computer applications, etc.) in major computer manufacturing and software companies as well as energy supply enterprises. He takes part as a speaker in seminars and participates in forums related to the Information Technology Security in private institutions and in public universities. He is on the Sub-Committee of ISO/IEC SC 27 (Security Techniques for Information Technology) and coordinates the IT Security Interest Group (GISI, <http://www.ati.es/gt/security/>) of the Spanish CEPIS society ATI (Asociación de Técnicos de Informática). <[email protected]>

Stefano Zanero has a MSc in Computer Engineering, and graduated “cum laude” from the Politecnico of Milano school of engineering, with a BSc thesis on the development of an Intrusion Detection System based on unsupervised learning algorithms. He is currently a Ph.D. student in the Dipartimento di Elettronica e Informazione of the same university. Among his current research interests, besides Intrusion Detection Systems, are the performances of security systems and the behaviour engineering techniques. He is a member of the IEEE (Institute of Electrical and Electronics Engineers) and the ACM (Association for Computing Machinery). He is Information Security Analyst for IDG Corporation, and as such participated in national and international conferences. He is the author of the weekly “Security Manager's Journal” on Computer World Italy, and has been recently awarded a journalism award. In addition, he has experience as network and information security consultant. <[email protected]>


The subject we are dealing with in this issue contains a long list of references, which has doubtless grown as a result of the fateful events of September 11, 2001 (as a search by Google or Altavista will confirm), as has the bibliography related to both draft plans, and the resulting plans themselves. The main sources are computer manufacturers and specialist consultancy firms. At this juncture we should perhaps mention the Spanish MAGERIT methodology which provides a model for drawing up a Recovery Plan (available at <http://www.csi.map.es/csi/pg5m20.htm>).

In order to draw up a plan and put it in place, the choice of which solution to implement depends unquestionably on the services available (both in terms of processes and communications) at each geographical location, since although we may live in a global world, clearly services are not the same all over the world, neither in terms of availability, quality, nor price. The great many small details that need to be taken into account, some apparently trivial (such as where to keep the keys to the cupboard where the safety copies are kept, changing the passwords on a real production machine after it has been tested, and so on and so forth) together with others which are not so simple (such as nominating the people authorised to give the order to put the plan into action or test it), should lead us to the conclusion that testing is an absolute necessity, however much it costs.

With regard to the frequency of testing, the standard answer is “once a year is not enough and twice is too much”, but in any event, it is advisable to carry out a test whenever alterations are made either to the configuration of the architecture or to the applications themselves. Our long experience in this field has shown us that one of the advantages of having an annual test of the plan is that it becomes incorporated naturally into the culture of an organization’s staff. User area managers and software developers alike take major contingencies and the testing itself into consideration when working on their designs.

As professionals working in this ‘trade’ know only too well, changes invariably tend to suffer from teething troubles, so there is a natural reluctance to make more than a bare minimum of changes to the day to day operational procedures, especially in the case of the alternative centres.

Finally we should bear in mind that no test can be a 100% faithful replica of the real situation since it is simply not feasible to carry out a TOTAL test, given the major disruption such a test would cause the organization. For this reason, so as not to harm real services, only certain applications and places are chosen, times outside the normal working day are used, segments of network are isolated by changing DNS addresses, etc. Testing, therefore, could be said to have an asymptotic nature, in that it is a necessary requirement but there is never quite enough of it.

3 The Content of this Monograph

Bearing in mind all the above we asked several European experts on the matter (Spanish and Italian) to let us have their points of view, covering a limited but significant cross section of some of the most interesting aspects of the subject, including the legal aspect.

In their article “Empirical Study of the Evolution of Computer Security and Auditing in Spanish Companies”, Francisco-José Martínez-López, Paula Luna-Huertas, Francisco J. Martínez-López and Luis Martínez-López offer us the fruits of their research into medium size and large enterprises, which although it was conducted in Spain is to a large extent equally applicable to other countries.

Agatino Grillo contributes with his article “Information Systems Auditing of Business Continuity Plan” in which, with particular reference to the financial sector, he describes how these plans are not only a corporate requirement in as much as service continuity is vital to business, but are also gradually becoming a legal requirement.

The detailed comparison between the two most important standards in the world for controlling business continuity from the ICT perspective is the aim of the article “Business Continuity Controls in ISO 17799 and COBIT” by José-Fernando Carvajal-Vión and Miguel García-Menéndez.

“Implementation of a Contingency Plan Audit” is the title of Marina Touriño-Troitiño’s contribution in which she advocates the need for ICT contingency plans to be audited as well, given the important role they play in guaranteeing business continuity.

The article “Public Initiatives in Europe and the USA to Protect against Contingencies in Information Infrastructures”, again by Miguel García-Menéndez and José-Fernando Carvajal-Vión, shows the importance that public institutions give to the uninterrupted working of their information infrastructures which are key to the economic and social life of developed countries by describing US and European government plans in this regard.

“Business Continuity and IT Contingency Planning in the Mobile Telephony Industry”, by Miguel-Andrés Santisteban-García, reviews Business Continuity Plans in the mobile operator industry, where the rapid growth of the telecommunication industry has meant that non-customer focused processes, in particular network protection and availability, have been often neglected.

Paloma Llaneza-González’s article “ICT Contingency Plans and Regulatory Legislation of e-Commerce and Data Protection” is based on the fact that any ICT contingency plan must take into consideration applicable legal and regulatory requirements, and analyses Spanish standards which are very similar to those of other EU countries, all of them being based on the same European Directives.

In “Information Technologies and Privacy Protection in Europe”, David D'Agostini and Antonio Piva give us their assessment of European Directive 95/46/EC on Protection of Personal Data, with special emphasis on spamming, a phenomenon which poses an ever increasing threat to the correct functioning of the Internet.


“Legal Analysis of a Case of Cross-border Cyber-crime” by Nadina Foggetti, in which, analysing a practical case, she reveals in full detail how the divergence of legislations governing system and network intrusions opens up legal loopholes for technological criminals.

The monograph finishes with an article written by Erkki Liikanen, member of the European Commission, responsible for Enterprise and the Information Society; in “The European Network and Information Security Agency (ENISA) – Boosting Security and Confidence” he proclaims that security and continuity of ICT resources must be preserved because they are vital for the progress of our Information Society.

And we would like to finish this presentation by thanking allthe authors for their collaboration in the hope that their work,and the work of the editors of UPGRADE and NOVÁTICA,will be of interest and use to readers of both journals.


Empirical Study of the Evolution of Computer Security and Auditing in Spanish Companies

Francisco-José Martínez-López, Paula Luna-Huertas, Francisco J. Martínez-López, and Luis Martínez-López

In this paper we present a series of statistics with which we aim to obtain a better understanding of the real situation of Spanish companies in regard to such matters as Security and IT Auditing, in the hope that this data will serve as a useful reference for future work in greater depth on these issues. The main purpose of this work is to obtain statistically significant data to work with, since there have been few studies capable of supporting our empirical data. We conducted our research in two periods of time, 1992 and 2002, in order to see how the analysed variables had evolved. A total of 851 companies collaborated, broken down into different groups.

Keywords: Information Systems, IT Audit, IT Security, Enterprise, Evolution, Statistics.

1 Introduction: Research into Security and IT Audit

Security and IT Audit are factors that are becoming more and more important in an environment where dependence on computers and telematics is increasing, to the extent that we feel it would be more appropriate to call the subject “security and auditing of info-communications”.

The subject has, in fact, already seen a number of name changes, from Electronic Data Processing Audit (EDPA), focused on the physical media, to the one which is perhaps the most appropriate for our Information Age, Security and Audit of Information Systems (SAIS). The most important and pioneering association was founded in 1969 as the EDP Auditors Association (EDPAA) but later its name evolved into its current one; the Information Systems Audit and Control Association (ISACA, <http://www.isaca.org/>).

The importance of this issue has given rise to an abundance of business and IT literature, though neither the academic nor the business world has yet paid it the same degree of attention as it has to other more developed matters such as Information Systems (IS) or other factors related to business computerisation.

Francisco-José Martínez-López is a full professor of the Universidad de Huelva, Spain, lecturing in Information Technologies, IT and Information Systems, in the Faculty of Business Sciences. He is a graduate and Doctor in Economic and Business Sciences (with a doctoral prize). He has lectured at several institutions at a master and doctorate level, and has lectured on 30 doctoral courses in various Spanish and American universities. He has been the director and chief researcher for a number of national and international scientific projects and has authored more than a hundred scientific papers. He is a member of the Spanish CEPIS society ATI (Asociación de Técnicos de Informática). <[email protected]>

Paula Luna-Huertas lectures in Information Systems at the Universidad de Sevilla, Spain. She holds a doctorate in Economic and Business Sciences. She has been guest lecturer and researcher at several universities (Lyon II, France; Vladivostok, Russia; Santa Fé (Argentina); etc.). Director of the ICT research group of the company GITICE. She has taken part in several business research projects at a domestic and European level. She has also worked in a consultancy and training capacity for a number of national and multinational companies. She is a member of the Spanish CEPIS society ATI (Asociación de Técnicos de Informática). <[email protected]>

Francisco J. Martínez-López is an assistant lecturer in marketing at the Universidad de Granada, Spain. He was awarded his DEA (Diplôme d'Etudes Approfondies) in marketing in 2001. He is currently writing his doctoral thesis in marketing at the Universidad de Granada. Among his main areas of interest are consumer behaviour on the Internet, consumer behaviour modelling and market research. He has also collaborated as a technical advisor on market research projects and he has authored chapters of books and contributions to international conferences organised by the Academy of Marketing Science, and the International Association for Fuzzy-Set Management and Economy. <[email protected]>

Luis Martínez-López is a Doctor in Computer Science from the Universidad de Granada, Spain, and is a university lecturer in the Computer Science Department at the Universidad de Jaén, Spain. His current lines of research include linguistic preference modelling, fuzzy decision making, decision support systems, electronic commerce and computer aided learning. He has published in Soft Computing, Fuzzy Sets and Systems, IEEE Transactions on Systems, Man and Cybernetics. Part B: Cybernetics, International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems, IEEE Transactions on Fuzzy Systems and Information Sciences. <[email protected]>

As can be seen in Table 1, in the early 80s such literature accounted for an important percentage of all research into IS around the world, though as time went by the subject lost popularity, and its weighting dropped as low as 1% in some years. However it is now once again gaining in importance, due to the auditing of telematic systems and recent major security problems, especially Internet related ones, although by 2002 it had still only climbed back to 2.66%.

Judging by the above results, the subject of Security and IT Audit has aroused some scientific interest, albeit a little late, but it still requires a greater number of empirical academic works, since at the moment these are few and far between, use biased samples, and rarely yield statistically significant data. This is what prompted us to carry out our own research, the results of which we present in this article.

2 Research Methodology

In order to analyse the situation of Information Systems & Technologies in Spanish companies, we conducted a study into different groups of companies (see Tables 2 and 3 for further information on technical specifications). The first group (SEG92-E and SEG-E) comprises Spanish enterprises with an annual turnover of over a million Euros (SEG92-E = 134; SEG-E = 395). The second group (SEG-G = 91) is made up of large Spanish companies which either have high turnovers or are ranked in the top five of their respective sectors. A random sample was thus obtained from a list of 1,000 firms generated by combining those of higher turnover with the top five from each of the 66 economic sectors in the classification provided by the database from the Spanish market research firm Fomento de la Producción, <http://www.fomenweb.com/>. This allowed us to collect data from companies leading in their respective sectors but not usually included in lists of major companies. If we had focused exclusively on the top 1,000 by turnover, the sample obtained would have been mainly made up of companies belonging to just a limited number of sectors such as energy or communications.

The third group of companies [1] (SEG-F) is made up of 44 financial institutions registered with the Bank of Spain, one fifth of the total number. This kind of enterprise was not analysed in the 1992 study.

A fourth group of companies which was primarily used to test and validate the questionnaires and to fine tune the qualitative variables, was eventually used as a control group [2]. They are actually all companies operating within the Spanish province of Huelva (SEG92-H = 92; SEG-H = 87).

3 Results Analysis

3.1 Analysis of the Evolution of Target Variables between 1992 and 2002 [3]

The results from the 1992 study show us the relative importance given to computer security and they would appear to indicate that contingency plans or written guidelines were practically non-existent in all but some of the larger companies.


[1] We wanted to include this type of enterprise in our study as they are not usually included in lists of companies.

2. This category is not used as it was in the fieldwork. This kind ofcompany was primarily used as a control group to test the ques-tionnaires. However, as they were mainly small firms, they havemade it easier to analyse the effect of the size of companies onsecurity and computer audits.


| Year | Security and IT Audit (1) | Information Systems (2) | (1) / (2) | Information Systems in title or abstract (3) | (1) / (3) |
|---|---|---|---|---|---|
| 1980 | 29 | 540 | 5.37% | 326 | 8.90% |
| 1981 | 32 | 275 | 11.64% | 477 | 6.71% |
| 1982 | 40 | 475 | 8.42% | 608 | 6.58% |
| 1983 | 43 | 566 | 7.60% | 700 | 6.14% |
| 1984 | 55 | 894 | 6.15% | 1027 | 5.36% |
| 1985 | 52 | 1034 | 5.03% | 1343 | 3.87% |
| 1986 | 59 | 1109 | 5.32% | 1558 | 3.79% |
| 1987 | 46 | 1100 | 4.18% | 1629 | 2.82% |
| 1988 | 49 | 1503 | 3.26% | 1750 | 2.80% |
| 1989 | 11 | 1607 | 0.68% | 1665 | 0.66% |
| 1990 | 14 | 1818 | 0.77% | 1770 | 0.79% |
| 1991 | 26 | 1831 | 1.42% | 2642 | 0.98% |
| 1992 | 24 | 2054 | 1.17% | 4774 | 0.50% |
| 1993 | 45 | 2269 | 1.98% | 5851 | 0.77% |
| 1994 | 27 | 1910 | 1.41% | 6299 | 0.43% |
| 1995 | 30 | 2406 | 1.25% | 7167 | 0.42% |
| 1996 | 24 | 2297 | 1.04% | 8462 | 0.28% |
| 1997 | 33 | 2400 | 1.38% | 8974 | 0.37% |
| 1998 | 22 | 1577 | 1.40% | 6942 | 0.32% |
| 1999 | 13 | 1765 | 0.74% | 8118 | 0.16% |
| 2000 | 23 | 777 | 2.96% | 5212 | 0.44% |
| 2001 | 28 | 856 | 3.27% | 4282 | 0.65% |
| 2002 | 15 | 564 | 2.66% | 3791 | 0.40% |
| Total | 740 | 31627 | 2.34% | 85367 | 0.87% |

Table 1: Articles on Security and IT Audit and Information Systems in the ABI/INFORM Database. (Source: own compilation.)

| Group | SEG92-E | SEG92-H |
|---|---|---|
| Universe | Spanish companies | Control group, made up of smaller locally based companies |
| Target population | Spanish companies with an annual turnover of more than a million Euros | – |
| Sampling error | +/– 0.1 | +/– 0.1 |
| Confidence level | 95.5% | 95.5% |
| Hypothesis of parameters | P = Q = 0.5 | P = Q = 0.5 |
| Sample size | 134 | 100 |
| Sampling procedure | Random sampling | Random sampling |
| Survey method | Questionnaire by mail, telephone, fax, or personal interview | Questionnaire by mail, telephone, fax, or personal interview |

Table 2: Technical Specifications of the 1992 Study. (Source: own compilation.)

IT Contingency Planning & Business Continuity

8 UPGRADE Vol. IV, No. 6, December 2003 © Novática

The scenario with regard to IT Audit was similar to that of computer security, with just 26.12% of the companies having schemes in place (see Table 4). Where IT Audit did take place it was performed once a year by consultants brought in from outside, either people connected with the auditing of accounts or external IT auditors. The results from the control group, comprising less developed companies in terms of their adoption of computer technologies, show that IT Audit is conducted by slightly less than 10% of all those that have computerised their IS.

A decade later, in 2002, as we can see there has been a change in both quantitative – numbers of firms – and qualitative – implementation of contingency plans – terms. This is due to the presence of a series of factors which are causing companies to change the way they design, develop and use their IS. They may adopt an integrated approach and do everything internally, within the company itself, or they may decide to outsource part or all of those functions to outside specialists, a policy which places the IT function at the very eye of the outsourcing storm which is currently affecting organisations at practically every level. Among the issues affected are IT Audit, computer security, privacy, compatibility and outsourcing policies: in our article we focus on the first two.

3.2 Analysis of Computer Security (2002)

As we have commented previously, one of the main concerns of companies today with regard to their computer systems is how to guarantee the security of the various day to day processes on which their organizations are increasingly more dependent. This is doubtless one of the greatest challenges faced by IS professionals.

The importance of computer security can be clearly seen in Figure 1, which shows how companies consider it a ‘very important’ or ‘essential’ issue.

Most companies (93.52%) give this issue an importance which varies from average to vital, there being relatively few companies that ignore this problem or consider it to be of little or no importance.

The same situation can be found for the largest companies, where more than a third (35.16%) consider this matter as vital for survival. Furthermore, there were no cases in which the importance of this problem was considered to be none, and just 1.10% of this group considered it to have not much importance.

However, it is the financial institutions which believe this issue to be the most pressing, as nearly half of them rate it as vital, and none of them thinks of it as something with not much importance or whose importance is none.

Finally, with regard to the companies belonging to the control group, this problem is viewed with less concern: 11.49% understand it to be something of not much importance and 3.45% think that its relevance is none. However, it should be noted that a third of the firms in this group give it a lot of importance, and 12.64% consider its solution to be vital.

Therefore, concern about computer security is ever more deeply rooted in organisational culture, since matters such as solutions for computer viruses or continuity of IS are issues that companies whose business processes depend on the use of Information and Communication Technologies (ICT) are facing every day. In fact this is so important that it has given rise to a new economic sector made up of a considerable number of businesses that depend on this activity⁴.

3. This comparative analysis focused on the companies from which data was taken in both periods; that is to say, groups of ordinary and locally focused companies (SEG-E and SEG-H).

| Group | SEG-E | SEG-G | SEG-F | SEG-H |
|---|---|---|---|---|
| Universe | Spanish companies | Large Spanish companies | Spanish financial institutions | Control group, made up of smaller locally based companies |
| Target population | Spanish companies with an annual turnover of more than a million Euros | Spanish companies in the top five of their respective economic sectors, completed with those with the highest turnover | Financial institutions registered with the Bank of Spain | – |
| Sampling error | +/– 0.05 | +/– 0.01 | As the total number of institutions is not large, 1 out of 5 were sampled | +/– 0.1 |
| Confidence level | 95.5% | 95.5% | – | 95.5% |
| Hypothesis of parameters | P = Q = 0.5 | P = Q = 0.5 | – | P = Q = 0.5 |
| Sample size | 395 | 91 | 44 | 87 |
| Sampling procedure | Random sampling | Random sampling | Systematic sampling | Random sampling |
| Survey method | Questionnaire by mail, telephone, fax, or personal interview | Questionnaire by mail, telephone, fax, or personal interview | Questionnaire by mail, telephone, fax, or personal interview | Questionnaire by mail, telephone, fax, or personal interview |

Table 3: Additional Technical Specifications of the 2002 Study. (Source: own compilation.)

| Questions | SEG92-E |
|---|---|
| Do you perform IT audits? | 26.12% (35/134) |
| How often? | |
| • Annually | 74.36% |
| • Not periodically | 7.69% |
| • Biannually | 12.82% |
| • More than once a year | 5.13% |
| Who performs them? | |
| • Members of the company | 37.04% |
| • Consultants connected with the auditing of accounts | 40.74% |
| • External IT auditors | 22.22% |

Table 4: IT Audit (SEG92-E). (Source: own compilation.)

We were therefore interested to see whether the concern shown by companies with regard to this variable had prompted them to take specific action in the matter of computer security. In Figure 2 we can see that virtually all the companies have set up guidelines for computer security. Taking the companies by groups, 81.80% of the companies in group SEG-E, and almost all the large firms (SEG-G) and financial institutions (SEG-F) have chosen to adopt security measures of this type. In the group made up of smaller-sized firms, which, as we mentioned, showed little concern for these matters, 56.30% are now aware of this problem and have established appropriate security measures.

Given the importance of this issue, we do not believe it is enough merely to establish security guidelines: these rules should be drawn up explicitly in writing in the form of a contingency plan, something that has in fact already been done by nearly half the companies that had guidelines in place in the 2002 study. This percentage rises with regard to large companies and financial institutions, which have drawn up contingency plans in 79.12% and 84.09% of the cases respectively.

4. One particularly significant case is that of businesses focused on offering solutions for computer viruses. This sector is increasingly important and generates more than 5 billion Euros a year.

Figure 1: Comparative Analysis of the Importance Given to Computer Security. (Bar chart titled "Importance of computer security"; categories Vital, A lot, Average, Not much, None; series SEG-E, SEG-G, SEG-F, SEG-H; y-axis 0% to 60%.)

Figure 2: Extent of Explicit Establishment of Computer Security Guidelines and Contingency Plans. (Bar chart, y-axis 0% to 100%; values shown in the chart:)

| | SEG-E | SEG-G | SEG-F | SEG-H |
|---|---|---|---|---|
| Security guidelines | 81.80% | 98.90% | 95.50% | 56.30% |
| Contingency plans | 45.06% | 79.12% | 84.09% | 16.09% |


Nevertheless, contingency plans are still relatively uncommon among the small local organizations based in the Huelva region (16.09%).

3.3 Descriptive Analysis of IT Audit (2002)

The increasing dependence on ICTs and automated links between companies’ IS has created a need for managers to know whether their systems will work as they are expected to, hence the need for IT Audits.

Results show that, with regard to the implementation of IT Audit, the size of the company is very important. 29.87% of the SEG-E type of Spanish companies have put IT audits in place, while around three quarters of the large companies and financial institutions (SEG-G and SEG-F) already have them in place (see Figure 3). Finally, as has been the norm in our study, the small firms group (SEG-H) have adopted IT Audit to a much lesser extent – slightly more than 10% of the group have taken the plunge.

We were also interested to know who, if anyone, performs IT audits. If we look at Table 5 we can see that audits are mainly performed by the companies themselves, with the exception of financial institutions, where 54.94% of firms carrying out this activity make use of external IT auditors.

4 Conclusions

As we said in the first part of this paper, our main aim was to obtain and analyse quantitative data to reveal the real situation of Spanish enterprises with regard to computer security and auditing, in order to provide a basis for more in-depth studies into these issues.

Nevertheless, we have been able to draw some conclusions from the data we have gathered, as they give us an important insight into the extent to which computer security and auditing have been adopted in Spain. The results indicate that the challenge has been taken up and met by the larger companies, but needs to be paid more attention by small and medium-sized firms.

Computer security is thus one of the major concerns facing corporations with regard to IS and one of the most important challenges that organizations have to address on a day to day basis. This is evidenced by the fact that a large percentage of the companies in our study considered the solution to this potential problem to be of great importance or vital, while the number of companies giving it little or no importance was insignificant. More revealing still is the fact that it is the group of financial institutions who attach the greatest importance to this issue, as can be seen by the number of them who rate it as vital. As a result, four out of five companies in the SEG-E group, virtually all large firms and financial institutions, not to mention half of the small companies, had drawn up computer security guidelines. Given the importance of this issue, it is not enough just to set up security guidelines; companies need to draw up contingency plans. This has already been done by almost half the companies in the SEG-E group, almost all the large firms and financial institutions, and a sixth of the small companies that have adopted guidelines.

The size of the company also plays an important role in the decision to introduce IT Audit procedures. Our results show that most large companies and financial institutions carry out this activity, while, for the other group of companies under study, only around a third of them adopt such procedures, and in the group of local small companies the figure is as low as 10%. With regard to who is responsible for performing audits, it would seem that they are mainly the responsibility of the companies themselves, except in the case of financial institutions, who tend to outsource it to external IT auditors. However, if we look at the evolution of IT Audit over time (considering only SEG-E type enterprises and small companies, for which data series were available for both years) we can see that the extent to which IT Audit has been introduced by either category of company has been almost insignificant. More attention therefore needs to be paid to this activity, both from the viewpoint of businesses (users) and of computer organizations (supply).

Figure 3: Extent of Adoption of IT Audit. (Bar chart, y-axis 0% to 80%; values shown: SEG-E 29.87%, SEG-G 76.92%, SEG-F 77.27%, SEG-H 13.79%.)

| Type of IT Audit | SEG-E | SEG-G | SEG-F | SEG-H |
|---|---|---|---|---|
| IT auditors linked to the auditing of accounts | 16.37% | 25.71% | 17.65% | 9.09% |
| Internal IT auditors belonging to the company | 43.97% | 40.00% | 29.41% | 54.55% |
| External IT auditors | 39.66% | 34.29% | 52.94% | 36.36% |

Table 5: Personnel Who Perform IT Audits. (Source: own compilation.)

In conclusion, companies are already aware of the importance of this issue, but have not yet done everything in their power to address it.

Translation by Steve Turpin


Information Systems Auditing of Business Continuity Plans

Agatino Grillo

Business Continuity Planning (BCP) is a process to be governed by top management. BCP audit is a fundamental element of the IT governance process; it represents an independent assessment of IT for stakeholders, business partners and regulatory authorities. BCP audits are compulsory for financial institutions. In order to ensure a structured and auditable approach, a recognised BCP methodology should be adopted. This contribution introduces IS Auditing and explains the BCP approach based on the COBIT model, a general IT Governance framework developed by ISACA (Information Systems Audit and Control Association), with a special mention of the initiatives of important banking institutions in this regard.

Keywords: Business Continuity Planning (BCP), COBIT, IS Auditing, ISACA, IT Governance

1 Information Systems Auditing

Information Systems Auditing (ISA) analyses the corporate Information Technologies (IT) assets in order to measure the existing degree of control and to identify the potentially critical areas and risks. The analysis also defines the way to assure the desired control level. The activities include IT control evaluation at both system and application level; the former includes the Business Continuity Plan (BCP) of the firm.

ISA should be used to review BCPs because such plans are necessary to business and required by a growing number of regulatory requirements.

Enterprises such as financial institutions or government and public infrastructure agencies must face new and stringent regulations about business continuity planning. In Italy, for example, a new Personal Data Protection Code will enter into force on 1 January 2004 and it requires a high level of protection for business continuity and disaster recovery too¹.

In the following pages, BCP requirements for financial institutions will be explained and a BCP audit approach will be proposed.

2 BCP and Financial Institutions

In Italy the Banca d'Italia², in line with the guidelines laid down at international level following the events of 11 September 2001, has launched a series of initiatives aimed at verifying the ability of the Italian financial system to cope with disasters and to improve the operational security of the leading financial intermediaries and payment system infrastructure.

On the one hand the Banca d'Italia, in collaboration with ABI (Italian Banking Association), has required intermediaries found to have shortcomings to make the necessary adjustments over a reasonable time period. On the other hand it has released a consultation document indicating the minimum requirements that all intermediaries should satisfy and the higher standards to be met by those of systemic significance³.

In July 2003, the European System of Central Banks (ESCB)⁴ and the Committee of European Securities Regulators (CESR)⁵ published a document entitled “Standards for securities clearing and settlement systems in the European Union”, which aims to increase the safety, soundness and efficiency of securities clearing and settlement systems in the European Union.

1. The Code consolidates all the various legal provisions so far regulating personal data protection in Italy; note that the safeguards afforded to all the entities involved have been enhanced further, in accordance with the policy followed ever since the 1996 Italian Data Protection Act (no. 675/1996) was promulgated. Finally, the Code transposes EC Directive 2002/58 into Italian law. For example, regarding business continuity the Code says: “Processing personal data by electronic means shall only be allowed if the minimum security measures are adopted to ensure (…) safekeeping backup copies and restoring data and system availability”. Note that additional measures must be applied to the processing of sensitive or judicial data to ensure data availability.

2. Banca d'Italia is the Italian supervisory authority of banks and the Italian member of the European System of Central Banks (ESCB).

3. Banca d'Italia, “Ordinary general meeting of shareholders”, May 2003, available at <http://www.bancaditalia.it/pubblicazioni/ricec/relann/rel02/rel02en/rel02_abr_anrep.pdf>.

4. The European System of Central Banks (ESCB) is composed of the European Central Bank (ECB) and the national central banks (NCBs) of all 15 EU Member States. “Eurosystem” is the term used to refer to the ECB and the NCBs of the Member States which have adopted the euro.

Agatino Grillo (CISA, CISSP) is responsible for the e-security practice at Euros Consulting. Previously, he worked at Ernst & Young and Arthur Andersen as an IS auditor and IT Security consultant. He has more than 10 years of experience as an IT/IS consultant and IS auditor. He is a lecturer in e-business and security subjects at several national business conferences and business school seminars. He has published several articles and white papers about IS Auditing and IT Security; they are available at <http://www.agatinogrillo.it>. <[email protected]>

The document contains many recommendations about BCP for financial institutions. For example: business continuity plans and backup facilities should be established to ensure, with a reasonable degree of certainty, timely business resumption with a high level of integrity and sufficient capacity; business continuity and disaster recovery arrangements should be tested on a regular basis and after major modifications to the system; adequate crisis management structures and contact lists (both at local and cross-border level) should be available in order to deal efficiently and promptly with operational failure that may have local or cross-border systemic consequences.

Finally, in July 2003 the Basel Committee⁶ of the Bank of International Settlements published its principles for electronic banking; principle number 13 declares “Banks should have effective capacity, business continuity and contingency planning processes to help ensure the availability of e-banking systems and services”⁷; the Committee underlines that banks should also ensure that periodic independent internal and/or external audits are conducted about business continuity and contingency planning.

3 A Structured and Auditable Approach

Business Continuity Management is therefore a critical component of any financial organisation. New legislation, shareholder expectations and investor requirements demand a solid business continuity plan as part of the global business process.

In order to ensure a structured and auditable approach, a recognised BCP methodology should be adopted. Nowadays there is a significant number of standards related to BCM: the most important have been developed by the Disaster Recovery International Institute (DRII), the Business Continuity Institute (BCI), the National Institute of Standards and Technology (NIST), and the Information Systems Audit and Control Association (ISACA)⁸.

All these organizations agree on the following ‘minimal’ set of best practices when developing and implementing a business continuity management process:

• A BCP budget should be formalized and approved by senior management,
• Formal disaster declaration authorities, which will be responsible for implementing the continuity strategies in the event of a disaster or business interruption, should be identified,
• The organization should implement an incident management system or process for stabilizing, monitoring and recovering from a disaster or business interruption,
• The plan should be reviewed periodically and benchmarked against industry regulations and other organizations' processes.

In the following, ISACA’s BCP audit approach will be explained; it is based on the COBIT model, a general IT Governance framework developed by ISACA.

4 ISACA

The Information Systems Audit and Control Association (ISACA) started in 1967 in the USA and today has more than 28,000 associates in IS auditing and IT Security related positions.

ISACA publishes IS auditing standards, a technical journal in the information control field (the Information Systems Control Journal) and hosts a series of international conferences focusing on both technical and managerial topics pertinent to the IS assurance, control, security and IT governance professions.

ISACA has local chapters in more than 60 countries worldwide; in Italy there are two chapters: Milan and Rome.

Last but not least, ISACA manages two professional certifications: the Certified Information Systems Auditor (CISA) and the Certified Information Security Manager (CISM).

5 COBIT

Control Objectives for Information and related Technology (COBIT), now in its 3rd edition, is a framework developed by ISACA that helps organizations balance their risks vs. returns in an IT environment and ensure alignment of business needs with overall IT processes.

The COBIT mission is to research, develop, publicise and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors.

5. CESR is an independent Committee regrouping senior representatives from national public authorities competent in the field of securities; the Italian member of CESR is “Commissione Nazionale per le Società e la Borsa” (CONSOB).

6. The Basel Committee, established by the central-bank Governors of the Group of Ten countries at the end of 1974, formulates broad supervisory standards and guidelines and recommends statements of best practice for financial institutions.

7. “Risk management principles for electronic banking”, Basel Committee Publications No. 98, July 2003, available at <http://www.bis.org/publ/bcbs98.pdf>.

8. A complete review and comparison of these BCP approaches is available in: Business Continuity Management Standards – A Side-by-side Comparison by Brian Zawada and Jared Schwartz in Information Systems Control Journal, Volume 2, 2003.


Figure 1: COBIT Framework.


Most of the components of COBIT are available in an open standard format, for complimentary download by the public.

COBIT is a business orientated framework that identifies 34 information technology processes, grouped in 4 domains, and is supported by 318 detailed control objectives (see Figure 1). Each one of the 34 processes references IT resources, and the quality, fiduciary and security requirements for information.

Further, the COBIT Management Guidelines are generic and action orientated for the purpose of addressing the following types of management concerns:

1. Performance measurement – What are the indicators of good performance?
2. IT control profiling – What is important? What are the critical success factors for control?
3. Awareness – What are the risks of not achieving our objectives?
4. Benchmarking – What do others do? How do we measure and compare?

The COBIT family of products is shown in Figure 2.

6 Maturity Models

For each of the 34 COBIT IT processes, there is an incremental measurement scale based on a rating of 0 through 5. The scale is associated with generic qualitative maturity model descriptions ranging from “Non Existent” to “Optimised”, derived from the “Capability Maturity Models®” of the Software Engineering Institute – SEI⁹.

Figure 2: COBIT Family of Products. (Diagram; components shown: Executive Summary; Framework with High-Level Control Objectives; Implementation Tool Set, comprising Executive Overview, Case Studies, FAQs, PowerPoint Presentations, Implementation Guide, Management Awareness Diagnostics and IT Control Diagnostics; Management Guidelines, comprising Maturity Models, Critical Success Factors, Key Goal Indicators and Key Performance Indicators; Detailed Control Objectives; Audit Guidelines.)

Figure 3: COBIT Maturity Models.

Whatever the model, the scales should not be too granular, as that would render the system difficult to use and suggest a precision that is not justifiable.

In contrast, one should concentrate on maturity levels based on a set of conditions that can be unambiguously met (see Figure 3).

Against levels developed for each of COBIT's 34 IT processes, management can map:

• The current status of the organisation – where the organisation is today;
• The current status of (best-in-class in) the industry – the comparison;
• The current status of international standard guidelines – additional comparison;
• The organisation's strategy for improvement – where the organisation wants to be.

The high-level control objectives of COBIT are shown in Table 1.

9. The US Software Engineering Institute (SEI) is a federally funded research and development centre sponsored by the U.S. Department of Defense.

| Domain | Code | High-level control objective |
|---|---|---|
| Planning & Organisation | PO1 | Define a strategic IT plan |
| | PO2 | Define the information architecture |
| | PO3 | Determine technological direction |
| | PO4 | Define the IT organisation and relationships |
| | PO5 | Manage the IT investment |
| | PO6 | Communicate management aims and direction |
| | PO7 | Manage human resources |
| | PO8 | Ensure compliance with external requirements |
| | PO9 | Assess risks |
| | PO10 | Manage projects |
| | PO11 | Manage quality |
| Acquisition & Implementation | AI1 | Identify automated solutions |
| | AI2 | Acquire and maintain application software |
| | AI3 | Acquire and maintain technology infrastructure |
| | AI4 | Develop and maintain procedures |
| | AI5 | Install and accredit systems |
| | AI6 | Manage changes |
| Delivery & Support | DS1 | Define and manage service levels |
| | DS2 | Manage third-party services |
| | DS3 | Manage performance and capacity |
| | DS4 | Ensure continuous service |
| | DS5 | Ensure systems security |
| | DS6 | Identify and allocate costs |
| | DS7 | Educate and train users |
| | DS8 | Assist and advise customers |
| | DS9 | Manage the configuration |
| | DS10 | Manage problems and incidents |
| | DS11 | Manage data |
| | DS12 | Manage facilities |
| | DS13 | Manage operations |
| Monitoring | M1 | Monitor the processes |
| | M2 | Assess internal control adequacy |
| | M3 | Obtain independent assurance |
| | M4 | Provide for independent audit |

Table 1: COBIT High-Level Control Objectives.

1. IT Continuity Framework

2. IT Continuity Plan Strategy and Philosophy

3. IT Continuity Plan Contents

4. Minimising IT Continuity Requirements

5. Maintaining the IT Continuity Plan

6. Testing the IT Continuity Plan

7. IT Continuity Plan Training

8. IT Continuity Plan Distribution

9. User Department Alternative Processing Back-up Procedures

10. Critical IT Resources

11. Back-up Site and Hardware

12. Off-site Back-up Storage

13. Wrap-up Procedures

Table 2: BCP Specific Controls.


One of the high-level control objectives is focused on BCP; it is “DS4 Ensure Continuous Service.” DS4's objective is the control over the IT process ensuring continuous service, to make sure IT services are available as required and to ensure a minimum business impact in the event of a major disruption.

DS4 is enabled by having an operational and tested IT continuity plan which is in line with the overall business continuity plan and its related business requirements; the continuity plan should take into consideration:

• Criticality classification,
• Alternative procedures,
• Back-up and recovery,
• Systematic and regular testing and training,
• Monitoring and escalation processes,
• Internal and external organisational responsibilities,
• Business continuity activation, fallback and resumption plans,
• Risk management activities,
• Assessment of single points of failure,
• Problem management,
• Monitoring.

Finally, objective DS4 is “translated” into the 13 specific controls for the BCP shown in Table 2.

The first two items, for example, should be evaluated regarding the following:

1. IT Continuity Framework: information services function management is to create a continuity framework which defines the roles, responsibilities, the risk-based approach/methodology to be adopted, and the rules and structures to document the plan as well as the approval procedures.

2. IT Continuity Plan and Philosophy: management should ensure that the information technology continuity plan is in line with the overall business continuity plan to ensure consistency. Furthermore, the information technology continuity plan should take account of the information technology long- and medium-range plans to ensure consistency. The disaster recovery/contingency plan should minimize the effect of disruptions.

The complete directory of specific controls is available in the “Control Objective” document of COBIT¹⁰.

7 Conclusions

Business Continuity Planning (BCP) is a process to be governed by top management. This is important because an organisation needs first to define its planning objectives for business continuity. BCP audit is also a fundamental element of the IT governance process; it represents an independent assessment of IT for stakeholders, business partners and regulatory authorities.

Links• Italian Data Protection Commission:

<http://www.garanteprivacy.it/garante/navig/jsp/index.jsp>. • Italy’s New Personal Data Protection Code:

<http://www.garanteprivacy.it/garante/doc.jsp?ID=311113>.• Banca d'Italia: <http://www.bancaditalia.it>.• ABI – Italian Banking Association: <http://www.abi.it>. • ESCB – The European System of Central Banks:

<http://www.ecb.int/about/escb.htm>. • CESR – Committee of European Securities Regulators:

<http://www.europefesco.org/v2/default.asp>. • CONSOB – Commissione Nazionale per le Società e la Borsa:

<http://www.consob.it>. • The Basel Committee on Banking Supervision:

<http://www.bis.org/bcbs/aboutbcbs.htm>. • BCI – The Business Continuity Institute: <http://www.thebci.org/>. • DRII – Disaster Recovery International Institute:

<http://www.drii.org/>.• DRJ –Disaster Recovery Journal: <http://www.drj.com>.• ISACA – Information Systems Audit and Control Association:

<http://www.isaca.org>. • NIST – National Institute of Standards and Technology:

<http://www.nist.gov/>.• ISACA Milan chapter: <http://www.aiea.it>.• ISACA Rome chapter: <http://www.isacaroma.it>.• SEI – Software Engineering Institute: <http://www.sei.cmu.edu>.

Bibliography

Ken Doughty. Business Continuity: A Business Survival Strategy. Information Systems Control Journal, Volume 1, 2002.

Yusufali F. Musaji. Disaster Recovery and Business Continuity Planning: Testing an Organization's Plans. Information Systems Control Journal, Volume 1, 2002.

Brian Zawada and Jared Schwartz. Business Continuity Management Standards – A Side-by-side Comparison. Information Systems Control Journal, Volume 2, 2003.

10. <https://www.isaca.org/TemplateRedirect.cfm?Template=/MembersOnly.cfm&ContentFileID=1398>, for registered users only.


IT Contingency Planning & Business Continuity

© Novática UPGRADE Vol. IV, No. 6, December 2003 17

Business Continuity Controls in ISO 17799 and COBIT

José-Fernando Carvajal-Vión and Miguel García-Menéndez

In this article the sets of controls included in the two major codes of practice on Information Technology Security worldwide, that are needed to lay the foundations for the security policies that business continuity requires, are described and compared. In fact, Section eleven of the Code of Practice for Information Security Management, the ISO/IEC standard 17799, deals with aspects related to business continuity; similarly, the COBIT framework (Control Objectives for Information and related Technology) for Information Systems (IS) Auditing sets out what an organization needs to bear in mind in order to achieve its business goals.

Keywords: Audit, CISA, COBIT, Contingency, Control Objectives, Disaster, Good Practices, Information Systems, ISO 17799, Security.

Introduction

Survival is one of the primary objectives of living beings. In a way a company, like a candle flame, could be compared to a living being if we apply, with a certain degree of artistic licence, the definition for living organisms that we learned at school: it is born, it grows, it reproduces and it dies. Looking at it in a simplistic way, reproduction can be seen as the transmission of the information we have. Death would then be the loss or lack of control over that information, which hopefully we have managed to transmit to those who will follow in our steps.

Nowadays, we understand that the success and 'survivability' of organizations depends to a great extent on the effective administration of their information and, of course, on the Information Technology (IT) systems that support it: valuable assets that are important to safeguard and preserve.

We can achieve this safeguard by establishing the necessary objectives and control mechanisms for the information systems within our organization to allow us to preserve the most valuable aspects of our information: integrity, confidentiality and availability.

In order to implement a continuity plan it is necessary to establish a set of controls; this means that either we have to obtain them from the intrinsic knowledge we have of our business or we must adopt them from some existing standard or best practices in the industry sector. These controls must be endowed with the following properties [1]:
1. Valuable: that is, they are of genuine use to our business in accordance with good practices recognised in our industry.
2. Complete: they cover all the necessary areas.
3. Auditable: they can be defined and evaluated as to their compliance, effectiveness and efficiency.

Control sets of this kind can be found in the ISO/IEC 17799 [2] standard and in COBIT, Control Objectives for Information and related Technology [3]. By control and control objective we understand the following definitions provided by COBIT:

• Control: "The policies, procedures, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected."

• Control Objective: "A statement of the desired result or purpose to be achieved by implementing control procedures within a particular IT activity."

José-Fernando Carvajal-Vión has a BSc degree in Biology, specializing in biochemistry, from the Universidad Autónoma de Madrid, Spain. He has taken postgraduate courses in Information Systems at the Universidad Carlos III de Madrid as part of his doctoral thesis in the field of computer immune systems. He has more than fourteen years' experience in information systems technologies, mainly in the energy sector, and is a Certified Information Systems Auditor (CISA) by ISACA (Information Systems Audit and Control Association), of which he has been a member since 2000. He is currently responsible for Information Systems Security at the company Soluziona. He is also a member of the Spanish Asociación de Técnicos de Informática (ATI) and of the Information Systems Auditors Association (ASIA), in both of which he participates actively in their respective Security Interest Groups. <[email protected]>

Miguel García-Menéndez has a BSc degree in Computer Science from the Universidad de Oviedo (Gijón campus), Spain. From 1994 to 2000 he was head of the Software Engineering and Systems Dept. in the industrial process control firm Ensilectric, and in March 2000 he joined Schlumberger, where he currently works as an Information Security Management advisor, mainly serving organisations in the public sector. He is also a Certified Information Systems Auditor (CISA) and is a member of ISACA (Information Systems Audit and Control Association) and ASIA (Asociación de Auditores y Auditoría y Control de Sistemas y Tecnologías de la Información y las Comunicaciones), a Spanish association of Information Systems Auditors in which he acts as a member of the Security and Audit Standards Commission. <[email protected]>

Both sets of controls are auditable by means of their own audit procedures, are complete, or at least tend towards completeness, and are also good practices that can be certified. In the worst of cases, if disaster should strike, they allow us to demonstrate that our work was done with due diligence and that any damage was not the result of deficient processes and/or a lack of security.

It should be stressed that neither set of controls refers only to business upsets classed as a Disaster Plan (Disaster Recovery) but rather they refer in a broader sense to multiple Continuity Plans (Business Continuity) which together make up a Disaster Plan [4]. For both it is necessary to establish a business continuity management process by which, depending on the magnitude of the event, we will activate different courses of action in our Disaster Plan.

For both standards the first thing we need to do is understand and evaluate business risks from the organization's point of view.

ISO/IEC 17799 Standard

The standard consists of 12 sections (including objectives and definitions), each of which has up to four levels of controls. There are 36 control objectives at the second level and a combined total of 127 at the third and fourth levels. Section eleven of this standard establishes as an objective "to counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters". To achieve this goal it focuses on the establishment of a set of controls with the following objectives:
1. To implement a business continuity management process.
2. Risk / impact analysis.
3. Documentation and implementation of continuity plans.
4. To establish a single continuity framework assigning responsibilities; how, where and when.
5. Maintenance, testing and reappraisal of the plans.

The standard stresses the importance of developing a plan for the maintenance and recovery of business operations, though at no time does it mention "servers". Thinking about servers as if they were business processes shows the lack of co-ordination and collaboration there is between the people in charge of information systems and the people responsible for the critical business processes involved.

COBIT

COBIT (Control Objectives for Information and related Technology) is a reference framework used as a basis for establishing a method of internal control over matters of a company's information technology and information systems. COBIT is based on the control objectives set out by the Information Systems Audit and Control Foundation (ISACF) and has been drawn up and developed using international technical, professional, regulatory and industry-specific standards as a basis. As in the case of the ISO standard, the resulting control objectives are considered to be "good or best practices", i.e. they are agreed on by experts, applicable and generally accepted for the information systems of any company. Both COBIT and ISO 17799 tend to be pragmatic and to meet the needs of businesses, while being independent of the technological platform used by the organization.

The COBIT structure is based on the premise that, in order to provide the information necessary for an organization to achieve its business objectives, its IT resources must be managed by means of a set of naturally grouped processes. COBIT is a three-level hierarchy (domains, processes, and activities or tasks), with 4 domains in the uppermost level (Planning and Organization, PO; Acquisition and Implementation, AI; Delivery and Support, DS; and Monitoring, M). There are 34 control objectives in the middle (process) level and 318 detailed control objectives in the lowest (task) level. It also provides an Audit Guideline for each of these 34 high-level control objectives, so that the organisation's existing IT processes can be reviewed against the recommended detailed control objectives to provide management assurance and/or advice for improvement.

COBIT is designed to be used not only by 'users' and 'auditors' but also, and more importantly, as a general 'checklist' for business process owners. In business nowadays, more and more responsibility is delegated to business process owners for every aspect of the business process. In particular, this includes the provision of suitable controls and tools to help business process owners fulfil their responsibilities.

Control Objectives for Business Continuity

Table 1, shown at the end of this article segmented into several pieces due to its large size, maps the controls of the ISO/IEC 17799 standard to the corresponding COBIT control objectives. Whereas the standard specifies its continuity controls mainly in section eleven, COBIT spreads them across all its domains due to its marked business orientation. This is especially true of the control objectives for the risk evaluation (PO9) and business continuity assurance (DS4) processes, which belong to the Planning and Organization and Delivery and Support domains respectively.

Conclusions

COBIT undoubtedly provides more control objectives (both organisational and technical), more widely applicable to the information systems of an organisation, than those provided by the ISO 17799 standard, which leans more to the technical side of things, although it is also imbued with a certain business-oriented pragmatism.

As we see it, the control objectives specified by COBIT are closer to the organization, whereas the equivalent ISO controls are closer to the operational implementation of those objectives. We should consider both of them when designing and developing our company's continuity policy, in which some factors, such as organization size, budget, materials and, of course, the risks we are facing, will determine how rigidly and to what degree we implement these internal controls for our IT systems. These controls are also applicable to the newly emerging concept of 'survivability' [5][6][7][8].

Finally, we would like to say that the task of implementing the two sets of controls in a business continuity plan is one to be performed jointly by IT management and technicians on the one hand, and business process owners on the other, and not by just one of them independently. The selection and implementation of controls must, therefore, be made by general consensus using any available risk evaluation methodology which enables business impact to be determined. Unfortunately, many organizations ignore or bypass this point, creating a gulf between information owners and managers, made worse by the lack of any risk evaluation methodology able to minimise it. Business continuity must be an integral part of a company's security policy and be kept up to date so as to be useful and effective.

References

[1] Philip L. Campbell. Survivability via Control Objectives. Position Paper for the 3rd IEEE Information Survivability Workshop (ISW-2000). <http://www.cert.org/research/isw/isw2000/papers/24.pdf>.

[2] Information technology. Code of practice for information security management. International Standard ISO/IEC 17799:2000.

[3] ISACA. COBIT: Control Objectives for Information and related Technology. <http://www.isaca.org/cobit.htm>.

[4] Shon Harris. CISSP All-in-One Certification Exam Guide. McGraw-Hill Ryerson/Osborne, 2002.

[5] John C. Knight and Kevin J. Sullivan. Towards a Definition of Survivability. <http://www.citeseer.nj.nec.com/knight00towards.html>.

[6] Survivability: A New Technical and Business Perspective on Security. Proceedings of the 1999 New Security Paradigms Workshop. Association for Computing Machinery, New York, 1999. <http://www.cert.org/archive/pdf/busperspec.pdf>.

[7] Julia H. Allen and Carol A. Sledge. Information Survivability: Required Shifts in Perspective. <http://www.cert.org/archive/pdf/CrossTalk_Shifts_7-02.pdf>.

[8] Survivability – A New Security Paradigm. <http://www.cert.org/archive/pdf/surviv-paradigm.pdf>.

Table 1: ISO/IEC 17799 vs. COBIT (parts 1 to 3 of 8: control 11.1.1).

A.11.1 Aspects of business continuity management

Control objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.

ISO 17799 control 11.1.1: Business continuity management process.
• To assess and understand risks and their impact on the business.
• To establish an appropriate insurance policy.
• To formulate and document a continuity strategy appropriate to the business.
• To formulate and document continuity plans aligned with business strategy.
• To test and update plans.
• To incorporate continuity management in business processes and organization structures and assign responsibilities for it.

Mapped COBIT control objectives:
• PO9.1 Business Risk Assessment.
• PO9.6 Risk Acceptance.
• DS4.1 IT Continuity Framework.
• DS4.2 IT Continuity Plan Strategy and Philosophy.
• DS4.3 IT Continuity Plan Contents.
• DS4.5 Maintaining the IT Continuity Plan.
• DS4.6 Testing the IT Continuity Plan.
• DS4.7 IT Continuity Plan Training.
• DS4.1 IT Continuity Framework.
• DS4.2 IT Continuity Plan Strategy and Philosophy.

COBIT control objective text:

• PO9.1 Business Risk Assessment. Management should establish a systematic risk assessment framework that incorporates a regular assessment of the relevant information risks to the achievement of the business objectives. The process should provide for risk assessments updated regularly, both at the global level and at the level of specific systems.

• PO9.6 Risk Acceptance. The risk assessment approach should ensure the formal acceptance of the residual risk, depending on risk identification and measurement, organisational policy, uncertainty incorporated in the risk assessment approach itself and the cost-effectiveness of implementing safeguards and controls. The residual risk should be offset with adequate insurance coverage, contractually negotiated liabilities and self-insurance.

• DS4.1 IT Continuity Framework. IT management, in co-operation with business process owners, should establish a continuity framework which defines the roles, responsibilities and the risk-based approach/methodology to be adopted, and the rules and structures to document the continuity plan as well as the approval procedures.

• DS4.2 IT Continuity Plan Strategy and Philosophy. Management should ensure that the IT continuity plan is in line with the overall business continuity plan to ensure consistency. Furthermore, the IT continuity plan should take into account the IT long- and short-range plans to ensure consistency.

• DS4.3 IT Continuity Plan Contents. IT management should ensure that a written plan is developed containing the following:
  • Guidelines on how to use the continuity plan.
  • Emergency procedures to ensure the safety of all affected staff members.
  • Response procedures meant to bring the business back to the state it was in before the incident or disaster.
  • Recovery procedures meant to bring the business back to the state it was in before the incident or disaster.
  • Procedures to safeguard and reconstruct the home site.
  • Co-ordination procedures with public authorities.
  • Communication procedures with stakeholders: employees, key customers, critical suppliers, stockholders and management.
  • Critical information on continuity teams, affected staff, customers, suppliers, public authorities and media.

• DS4.5 Maintaining the IT Continuity Plan. IT management should provide for change control procedures in order to ensure that the continuity plan is up to date and reflects actual business requirements. This requires continuity plan maintenance procedures aligned with change management and human resources procedures.

• DS4.6 Testing the IT Continuity Plan. To have an effective continuity plan, management needs to assess its adequacy on a regular basis or upon major changes to the business or IT infrastructure; this requires careful preparation, documentation, reporting of test results and, according to the results, implementing an action plan.

• DS4.7 IT Continuity Plan Training. The disaster continuity methodology should ensure that all concerned parties receive regular training sessions regarding the procedures to be followed in case of an incident or disaster.


Table 1: ISO/IEC 17799 vs. COBIT (parts 4 and 5 of 8: controls 11.1.2 and 11.1.3).

A.11.1 Aspects of business continuity management (continued)

ISO 17799 control 11.1.2: Business continuity and impact analysis.
• To identify events and threats to business processes and the assets requiring protection.
• Risk assessment.
• To develop a strategic plan based on risk assessment results.

Mapped COBIT control objectives:
• PO9.4 Risk Measurement.
• PO9.1 Business Risk Assessment.
• PO9.2 Risk Assessment Approach.
• PO9.5 Risk Action Plan.

COBIT control objective text:

• PO9.4 Risk Measurement. The risk assessment approach should ensure that the analysis of risk identification information results in a quantitative and/or qualitative measurement of the risk to which the examined area is exposed. The risk acceptance capacity of the organisation should also be assessed.

• PO9.1 Business Risk Assessment (aforementioned).

• PO9.2 Risk Assessment Approach. Management should establish a general risk assessment approach that defines the scope and boundaries, the methodology to be adopted for risk assessments, the responsibilities and the required skills. Management should lead the identification of the risk mitigation solution and be involved in identifying vulnerabilities. Security specialists should lead threat identification and IT specialists should drive the control selection. A structured method and skilled risk assessors should ensure the quality of the risk assessments.

• PO9.5 Risk Action Plan. The risk assessment approach should provide for the definition of a risk action plan to ensure that cost-effective controls and security measures mitigate exposure to risks on a continuing basis. The risk action plan should identify the risk strategy in terms of risk avoidance, mitigation or acceptance.

ISO 17799 control 11.1.3: Drawing up and implementing continuity plans.
• To identify emergency procedures and people in charge.
• To implement emergency procedures for recovery and restoration.
• To document procedures and processes.
• Training adapted to personnel.
• Test and plan updates.
• Plans must be centred on business objectives. Planning involves not only the underlying IT infrastructure but also all necessary services and resources, including non-computer personnel, other resources and contracts, whether or not in support of the IT infrastructure.

Mapped COBIT control objectives:
• DS4.1 IT Continuity Framework.
• DS4.3 IT Continuity Plan Contents.
• PO7.4 Personnel Training.
• PO7.3 Roles and Responsibilities.
• DS4.5 Maintaining the IT Continuity Plan.
• DS4.6 Testing the IT Continuity Plan.
• DS4.7 IT Continuity Plan Training.
• DS4.2 IT Continuity Plan Strategy and Philosophy.

COBIT control objective text:

• DS4.1 IT Continuity Framework (aforementioned).

• DS4.3 IT Continuity Plan Contents (aforementioned).

• PO7.3 Roles and Responsibilities. Management should clearly define roles and responsibilities for personnel, including the requirement to adhere to management policies and procedures, the code of ethics and professional practices. The terms and conditions of employment should stress the employee's responsibility for information security and internal control.

• PO7.4 Personnel Training. Management should ensure that employees are provided with orientation upon hiring and with on-going training to maintain their knowledge, skills, abilities and security awareness to the level required to perform effectively. Education and training programmes conducted to effectively raise the technical and management skill levels of personnel should be reviewed regularly.

• DS4.5 Maintaining the IT Continuity Plan (aforementioned).

• DS4.6 Testing the IT Continuity Plan (aforementioned).

• DS4.7 IT Continuity Plan Training (aforementioned).

• DS4.2 IT Continuity Plan Strategy and Philosophy (aforementioned).


Table 1: ISO/IEC 17799 vs. COBIT (parts 6 and 7 of 8: control 11.1.4).

A.11.1 Aspects of business continuity management (continued)

ISO 17799 control 11.1.4: Business continuity planning framework.
• A single framework will be set up for business continuity plans to assure that these plans are consistent and to identify priorities for testing and maintenance.
• Activation conditions, emergency and recovery procedures, and backup procedures for the alternative centre.
• Maintaining and testing the plan.
• Staff awareness and training activities and responsibilities of personnel within the plan framework.
• Required resources and backup and supply contracts and agreements.

Mapped COBIT control objectives:
• DS4.1 IT Continuity Framework.
• DS4.2 IT Continuity Plan Strategy and Philosophy.
• DS4.3 IT Continuity Plan Contents.
• DS4.5 Maintaining the IT Continuity Plan.
• DS4.7 IT Continuity Plan Training.
• DS4.6 Testing the IT Continuity Plan, DS4.7 IT Continuity Plan Training.
• PO7.4 Personnel Training.
• PO7.3 Roles and Responsibilities.
• DS4.8 IT Continuity Plan Distribution.
• DS4.4 Minimising IT Continuity Requirements.
• DS4.10 Critical IT Resources.
• DS4.11 Back-up Site and Hardware.
• DS4.12 Off-site Back-up Storage.

COBIT control objective text:

• DS4.1 IT Continuity Framework, DS4.2 IT Continuity Plan Strategy and Philosophy, DS4.3 IT Continuity Plan Contents, DS4.5 Maintaining the IT Continuity Plan, DS4.6 Testing the IT Continuity Plan, DS4.7 IT Continuity Plan Training, PO7.4 Personnel Training and PO7.3 Roles and Responsibilities (aforementioned).

• DS4.8 IT Continuity Plan Distribution. Given the sensitive nature of information in the continuity plan, the latter should be distributed only to authorised personnel and should be safeguarded against unauthorised disclosure. Consequently, sections of the plan need to be distributed on a need-to-know basis.

• DS4.4 Minimising IT Continuity Requirements. IT management should establish procedures and guidelines for minimising the continuity requirements with regard to personnel, facilities, hardware, software, equipment, forms, supplies and furniture.

• DS4.10 Critical IT Resources. The continuity plan should identify the critical application programmes, third-party services, operating systems, personnel and supplies, data files and time frames needed for recovery after a disaster occurs. Critical data and operations should be identified, documented, prioritised and approved by the business process owners, in co-operation with IT management.

• DS4.11 Back-up Site and Hardware. Management should ensure that the continuity methodology incorporates an identification of alternatives regarding the back-up site and hardware as well as a final alternative selection. If applicable, a formal contract for these types of services should be concluded.

• DS4.12 Off-site Back-up Storage. Off-site storage of critical back-up media, documentation and other IT resources should be established to support recovery and business continuity plans. Business process owners and IT function personnel should be involved in determining what back-up resources need to be stored off-site. The off-site storage facility should be environmentally appropriate to the media and other resources stored and should have a level of security commensurate with that needed to protect the back-up resources from unauthorised access, theft or damage. IT management should ensure that off-site arrangements are periodically assessed, at least annually, for content, environmental protection and security.

Table 1: ISO/IEC 17799 vs. COBIT (part 8 of 8: control 11.1.5).

A.11.1 Aspects of business continuity management (continued)

ISO 17799 control 11.1.5: Testing, maintaining and re-assessing business continuity plans.
• Business continuity plans will be tested regularly to ensure they are effective and up to date. Different parts or components of the plan can be tested separately using various techniques to ensure that they work.

Mapped COBIT control objectives:
• PO1.7 Monitoring and Evaluating of IT Plans.
• DS4.5 Maintaining the IT Continuity Plan.
• DS4.6 Testing the IT Continuity Plan.
• DS4.7 IT Continuity Plan Training.
• DS4.13 Wrap-up Procedures.

COBIT control objective text:

• PO1.7 Monitoring and Evaluating of IT Plans. Management should establish processes to capture and report feedback from business process owners and users regarding the quality and usefulness of long- and short-range plans. The feedback obtained should be evaluated and considered in future IT planning.

• DS4.5 Maintaining the IT Continuity Plan (aforementioned).

• DS4.6 Testing the IT Continuity Plan (aforementioned).

• DS4.7 IT Continuity Plan Training (aforementioned).

• DS4.13 Wrap-up Procedures. On successful resumption of the IT function after a disaster, IT management should establish procedures for assessing the adequacy of the plan and update the plan accordingly.


Implementation of a Contingency Plan Audit

Marina Touriño-Troitiño

The auditing of systems and information technologies involves, among other activities, the assessment of aContingency Plan as a specific auditable area. However, we need to bear in mind that, according to ISACA(Information Systems Audit and Control Association) standards, business contingency and continuity issuesshould be addressed in several more areas. It is also important to distinguish between the ‘good managementpractices’ for information systems and technologies required of the managers of any enterprise, and the‘good practices’ applicable to the performance of an audit on those practices.

Keywords: Auditing Standards, Contingency Plan, Continuity Plan, IS/ICT Auditing, Testing.

1 Information Systems Auditing Standards

The performance of an audit requires Information Systems/Information and Communications Technology (IS/ICT) auditors to apply a methodology regardless of whatever ‘good practices’ may be adopted by the enterprise to be audited. These practices could be an adaptation of the ones set out in COBIT (Control Objectives for Information and related Technology, <http://www.isaca.org/cobit.htm>) or any other voluntary standard on the market. COBIT is the work of the ISACA (IS Standards, Guidelines and Procedures for Auditing and Control Professionals, <http://www.isaca.org/>), ISACF (Information Systems Audit & Control Foundation) and their IT Governance Institute (<http://www.itgi.org/>).

It should be remembered that the COBIT document is not expressly intended for auditing but rather for IS/ICT management, even though it includes audit guidelines and makes timely references to auditing fundamentals1. These audit guidelines included in COBIT can be thought of as a kind of vade-mecum of auditing programmes (planning, type of testing) to apply for each control objective. But it is the scope and objective of a particular audit, the assessment of risks, and the size of the enterprise to be audited which will ultimately determine the planning and type of testing an experienced IS/ICT auditor will opt for.

The basic methodology to be applied by IS auditors can be found in the auditing standards published by ISACA. CISA (Certified Information Systems Auditor) certified auditors are obliged to abide by and apply these standards, which are reviewed periodically by the community of IS/ICT auditors.

Table 1 shows the table of contents for the May 2003 version of these standards.

We should not think of the assessment and review of Contingency Plans only in terms of a specific audit of this matter. Given that all IS/ICT activities are interrelated, service continuity issues should be borne in mind in the reviews listed in Table 2, which gives a summary of some of the mentions made of Continuity Plans in the ISACA standards.

2 Continuity Plan Review

Taking all the above as a reference framework, it can be seen that reviews performed by auditors need to include aspects related to the continuity of the service provided to the organization by internal or external IS/ICT. Regardless of the specific audit of the IS/ICT Contingency Plan, an IS auditor’s review of the organizational and managerial aspects of IS/ICT must necessarily include an assessment of the enterprise’s risk analysis and whether this analysis takes adequate account of service continuity issues, such as the classification of critical systems, business needs, and the dependencies of its IS/ICT.

Contingency planning for IS/ICT sometimes tends to neglect the necessary interfaces with user areas (training, definition of needs and an action plan to respond to the many different ways an automated service can be interrupted, etc.). This is, therefore, an aspect which IS auditors should take into account in their planning, especially when auditing automated business processes.

The growing tendency to outsource a wide range of IT services should also prompt IS auditors to address continuity issues related to: development and maintenance of external software, communications, Internet services, network maintenance, operations and processes, technological structure and compatibility, intrusion, etc. When each item is verified there should also be a follow up of any incidents that may have occurred.

1. Knowledge Gathering, Adequacy Evaluation, Compliance Assessment, and Risk Substantiation.


Marina Touriño-Troitiño is a Certified Information Systems Auditor by ISACA (Information Systems Audit & Control Association). She has more than 25 years’ experience as an IS auditor (external and internal auditing in major international corporations) and she also lectures on this subject. She is a member of ISACA, and of the Spanish associations ASIA (Asociación de Auditores y Auditoría y Control de Sistemas y Tecnologías de la Información y las Comunicaciones) and ATI (Asociación de Técnicos de Informática). <[email protected]>


When testing, IS/ICT auditors should consider not only the major aspects of Contingency Planning (legal requirements, backup copies, alternative sites, planning document or manual, etc.), but also the finer details:

• Detailed review of current contracts which may affect service continuity.

• Controls for new system implementation.

• Software change management.

• Verification of backup cycles.

• Verification of periodic testing (a plan which is not tested at least once a year with the involvement of all affected parties may be a fascinating exercise but is of no practical use).

• Identification of past recoveries, regardless of their importance or scale.

• Backup of key functions for users and technical staff, among other tests.
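Two of the checks above, verification of backup cycles and verification that the plan is exercised at least yearly with all affected parties present, can be run over exported evidence rather than taken on trust. The following Python script is an added example and is not code from the article or from ISACA: the job history, the exercise records and the policy values (a daily backup cycle, a 365-day test interval, the set of required parties) are constructed assumptions that an auditor would replace with the enterprise's own.

```python
"""Audit checks for backup cycles and contingency-plan test frequency.

Added example, not code from the article.  BACKUP_LOG and PLAN_TESTS are
constructed sample data; the policy values (a daily backup cycle, a plan
exercise at least every 365 days, the set of parties that must take part)
are assumptions an auditor would replace with the enterprise's own.
"""
from datetime import date

# Constructed sample: one backup job per line, as exported from a backup
# server's job history.  Fields: system, run date, result, restore tested?
BACKUP_LOG = """\
billing,2003-05-01,OK,yes
billing,2003-05-02,OK,no
billing,2003-05-03,FAILED,no
billing,2003-05-06,OK,no
mediation,2003-05-01,OK,no
mediation,2003-05-02,OK,no
mediation,2003-05-03,OK,no
mediation,2003-05-04,OK,no
mediation,2003-05-05,OK,no
mediation,2003-05-06,OK,no
"""

# Constructed sample: dated plan exercises and the parties who took part.
PLAN_TESTS = [
    {"date": date(2002, 3, 15),
     "participants": {"IT operations", "business owners", "users"}},
    {"date": date(2003, 4, 20), "participants": {"IT operations"}},
]

# Assumed policy: every affected party must be present for an exercise to count.
REQUIRED_PARTIES = {"IT operations", "business owners", "users"}


def parse_backup_log(text):
    """Turn the job history into a list of dicts with typed fields."""
    runs = []
    for line in text.strip().splitlines():
        system, day, status, tested = line.split(",")
        runs.append({"system": system, "date": date.fromisoformat(day),
                     "ok": status == "OK", "restore_tested": tested == "yes"})
    return runs


def audit_backup_cycles(runs, cycle_days=1, as_of=date(2003, 5, 6)):
    """Per system: gaps between successful runs longer than the cycle,
    failed runs, whether any restore was ever proven, and staleness."""
    by_system = {}
    for r in runs:
        by_system.setdefault(r["system"], []).append(r)
    findings = {}
    for system, sys_runs in by_system.items():
        good = sorted(r["date"] for r in sys_runs if r["ok"])
        gaps = [(a, b) for a, b in zip(good, good[1:])
                if (b - a).days > cycle_days]
        findings[system] = {
            "missed_cycles": gaps,
            "failed_runs": sum(1 for r in sys_runs if not r["ok"]),
            # A backup that has never been restored is an untested assumption.
            "restore_proven": any(r["restore_tested"] for r in sys_runs),
            "stale": not good or (as_of - good[-1]).days > cycle_days,
        }
    return findings


def audit_plan_testing(tests, as_of=date(2003, 12, 1), max_age_days=365):
    """Has the plan been exercised within the period, and with all parties?"""
    recent = [t for t in tests if (as_of - t["date"]).days <= max_age_days]
    latest = max(recent, key=lambda t: t["date"]) if recent else None
    present = latest["participants"] if latest else set()
    return {
        "tested_within_period": latest is not None,
        "all_parties_involved": latest is not None and REQUIRED_PARTIES <= present,
        "missing_parties": REQUIRED_PARTIES - present,
    }


if __name__ == "__main__":
    for system, f in audit_backup_cycles(parse_backup_log(BACKUP_LOG)).items():
        print(system, f)
    print(audit_plan_testing(PLAN_TESTS))
```

On the constructed data the billing system shows a gap between 2 and 6 May and one failed run, the mediation platform has never had a restore proven, and the only exercise within the year involved IT operations alone, which is exactly the "fascinating exercise of no practical use" the text warns about.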

3 Conclusions

IS auditors, who as part of their functions are required to issue an opinion on IS/ICT reliability, should also take into account and include in their planning any aspects which may affect the continuity of automated services. As with any other IS audit, this planning should be performed in compliance with “generally accepted standards for the performance of an IS audit”.

The auditor should not ‘demand’ compliance with any particular set of standards but rather should perform tests to demonstrate whether the practices adopted by an enterprise entail any risk of IS/ICT services being interrupted. These practices should be analysed in terms of system criticality, business objectives and the size and complexity of the enterprise’s technological structure.

In addition to reliably identifying existing risks, the best added value an IS auditor can offer to an enterprise’s management is to give appropriate and practical recommendations on how to address these risks.


ISACA IS Auditing Standards

010 Audit Charter

020 Independence

030 Professional Ethics and Standards

040 Competence

050 Planning

060 Performance of Audit Work2

070 Reporting

080 Follow-Up Activities

IS Auditing Procedures

1 IS Risk Assessment

2 Digital Signatures

3 Intrusion Detection

4 Malicious Logic

5 Control Risk Self-assessment

6 Firewalls

Table 1: Auditing Standards Published by ISACA (May 2003 version).

Subject | Description | Guideline

Third party services (outsourcing) | “The protection of systems and information assets through backup recovery, Contingency Planning and redundancy” | 050.010.040 Effect of third parties on an organization’s IT controls

Review of contracts | “The protection of systems and information assets through backup recovery, Contingency Planning and redundancy.” |

Review of management applications | “General IT controls be the subject of a separate review, which would include such things as: physical controls, system level security, network management, data backup and Contingency Planning. Depending on the control objectives of the review, the IS Auditor may not need to review general controls” | 060.020.020 Application systems review

Internet banking | Business continuity and Contingency Planning risks should be evaluated. | 060.020.092 Internet Banking

Firewalls | Disaster recovery and business Continuity Plan procedures should be reviewed. | 6 – Firewalls

Table 2: Mentions of Continuity Plans in the Auditing Standards Published by ISACA (May 2003 version).

2. The Performance of Audit Work guideline (060) deals with the following points:

010 Supervision
    010 Enterprise Resource Planning (ERP) Systems
020 Evidence
    010 Audit Documentation
    020 Application Systems Review
    030 Audit Evidence Requirement
    040 Audit Sampling
    050 IT Governance
    060 Effect of Pervasive IS Controls
    070 Use of Computer Assisted Audit Techniques (CAATs)
    080 Using the Work of Other Auditors and Experts
    090 Business-to-consumer E-commerce
    091 System Development Life Cycle (SDLC)
    092 Internet Banking


Public Initiatives in Europe and the USA to Protect against Contingencies in Information Infrastructures

Miguel García-Menéndez and José-Fernando Carvajal-Vión

Today, the protection of an organisation’s information assets and related technology is without a doubt fundamental to its business objectives. In the case of government and other public bodies, for which the adoption of an appropriate protection strategy also guarantees citizens a better service, this is of particular importance. In February 2003, the US Federal Government and the EU Commission took a major step forward, by each releasing an initiative aimed at ensuring the security of interdependent networks and information technology infrastructures: The National Strategy to Secure Cyberspace and the proposal for a European Network and Information Security Agency (ENISA), respectively.

Keywords: Contingency, Cyberspace, Information Security Agency, Information Systems, Information Technology, Networks, NISA, Security, Strategy, Ten Point Plan.

1 Introduction

Today the protection of an organisation’s information assets and related technology is fundamental to its business objectives. In the case of government and other public bodies, for which the adoption of an appropriate protection strategy also guarantees citizens a better service, this is of particular importance.

The efforts we have been seeing in recent years towards providing organisations with a standardized and common reference framework in the field of information systems security received a vital shot in the arm as a consequence of the fateful events which rocked the world at the start of the new millennium. In February 2003, barely one and a half years after that tragic 11 September 2001, the US Federal Government and EU Commission took a major step forward. They each released an initiative aimed at guaranteeing the security of interdependent networks and information technology infrastructures: “The National Strategy to Secure Cyberspace” and the proposal for a European Network and Information Security Agency (ENISA), respectively.

Leaving aside the obvious differences between both initiatives in matters of patriotic orientation and scope, it is clear that these initiatives stem from governments’ greater awareness of the fact that today they are more dependent on technology and information resources [1] and, consequently, they are more vulnerable to the threats those resources are exposed to.

2 Securing Cyberspace

The United States Federal Government, as part of its Homeland security policy1, has designed a “National Strategy to Secure Cyberspace” [2], providing a reference framework for the improvement of nationwide electronic security.

This cyberspace protection initiative – complemented by another, the “National Strategy for the Physical Protection of Critical Infrastructures and Key Assets” [3] – is to serve as a guideline for federal agencies involved in electronic security, although state and local governments, industry and citizens also have an important part to play. In order to achieve this goal, the strategy focuses on three key objectives:

• To prevent computer attacks on the nation’s critical infrastructures.

• To reduce the level of exposure to such attacks.

• To minimize impact and recovery time in the event of such attacks occurring.

Miguel García-Menéndez has a BSc degree in Computer Science from the Universidad de Oviedo (Gijón campus), Spain. From 1994 to 2000 he was head of the Software Engineering and Systems Dept. in the industrial processes control firm Ensilectric and in March 2000 he joined Schlumberger, where he currently works as an Information Security Management advisor, mainly serving organisations in the public sector. He is also a Certified Information Systems Auditor (CISA) and is a member of ISACA (Information Systems Audit and Control Association) and ASIA (Asociación de Auditores y Auditoría y Control de Sistemas y Tecnologías de la Información y las Comunicaciones), a Spanish Association of Information Systems Auditors in which he acts as a member of the Security and Audit Standards Commission. <[email protected]>

José-Fernando Carvajal-Vión has a BSc degree in Biology, specializing in Biochemistry, from the Universidad Autónoma de Madrid, Spain. He has taken post graduate courses in Information Systems at the Universidad Carlos III de Madrid as part of his doctoral thesis in the field of computer immune systems. He has more than fourteen years’ experience in information systems technologies, mainly in the energy sector, and is a Certified Information Systems Auditor (CISA) by the ISACA (Information Systems Audit and Control Association), of which he has been a member since 2000. He is also a member of the Spanish Asociación de Técnicos de Informática (ATI) and of the Information Systems Auditors Association (ASIA), in which he participates actively in their respective security commissions. He is currently responsible for Information Systems Security at Soluziona, where he is responsible for the design and implementation of security solutions and security management, and also audits third party companies for compliance with Spanish Personal Data Protection law (LOPD). <[email protected]>

2.1 Hierarchical Structure of the Plan

The US Administration has structured the programme using a hierarchy consisting of several general purpose guidelines governing a series of initiatives. The aims of these guidelines range from improving the response to incidents and reducing their consequences, to the suppression of aggressions affecting critical national security assets. They also aim to increase international co-operation in these issues and include measures aimed at reducing the threat of and vulnerability to such attacks.

In total there are five general guidelines corresponding to the five priority action lines, and a total of thirty one initiatives (see Table 1).

If we look at Table 1 we can see that, with the exception of certain initiatives referring directly to US issues, nearly all the initiatives are perfectly transferable to any other environment.

Given the subject of this monograph, the explicit references to continuity/contingency plans in Table 1 (1 of 5), Initiatives 6 and 7 of Priority I, are of special interest.

It should also be pointed out that the hierarchical structure of the US strategy is complemented by a series of actions and recommendations (A/R) derived from the above mentioned priorities and initiatives, some of which once again stress the need for appropriate contingency plans. Specifically, of a total of forty seven A/R included in the strategic plan, the following five A/R refer to continuity/contingency management (see Table 2).

1. After the terrorist attacks of 11 September 2001, the US Government decided to reinforce its defence and security policy in order to prevent new attacks, particularly in its own territory. This protection policy was named the “National Strategy for Homeland Security”. One consequence of such a policy has been the creation of a new macro-department within the US Administration: the Department of Homeland Security, DHS, set up on 25 November 2002. The new Department brings together a total of twenty two pre-existing agencies dedicated to the protection of national assets and responsible for the principal tasks related to US cyber security. Within the same preventive framework, two strategies have been defined. The first one is oriented toward the protection of critical infrastructures nationwide, while the second is focused on safeguarding American technology infrastructures. They are, respectively, “The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets” and “The National Strategy to Secure Cyberspace”.

NATIONAL STRATEGY TO SECURE CYBERSPACE

(Summary of Priorities/Initiatives)

Priority I. RESPONSE SYSTEM

Initiative 1. Establish a public-private architecture for responding to national-level cyber incidents.

Initiative 2. Provide for the development of tactical and strategic analysis of cyber attacks and vulnerability assessments.

Initiative 3. Encourage the development of a private sector capability to share a synoptic view of the health of cyberspace.

Initiative 4. Expand the Cyber Warning and Information Network to support the role of DHS in coordinating crisis management for cyberspace security.

Initiative 5. Improve national incident management.

Initiative 6. Coordinate processes for voluntary participation in the development of national public-private continuity and contingency plans.

Initiative 7. Exercise cybersecurity continuity plans for federal systems.

Initiative 8. Improve and enhance public-private information sharing involving cyber attacks, threats and vulnerabilities.

Table 1: National Strategy to Secure Cyberspace. (1 of 5)

NATIONAL STRATEGY TO SECURE CYBERSPACE

(Summary of Priorities/Initiatives)

Priority II. THREAT AND VULNERABILITY REDUCTION PROGRAMME

Initiative 1. Enhance law enforcement’s capabilities for preventing and prosecuting cyberspace attacks.

Initiative 2. Create a process for national vulnerability assessments to better understand the potential consequences of threats and vulnerabilities.

Initiative 3. Secure the mechanisms of the Internet by improving protocols and routing.

Initiative 4. Foster the use of trusted digital control systems/supervisory control and data acquisition systems.

Initiative 5. Reduce and remediate software vulnerabilities.

Initiative 6. Understand infrastructure interdependencies and improve the physical security of cyber systems and telecommunications.

Initiative 7. Prioritize federal cyber security research and development agendas.

Initiative 8. Assess and secure emerging systems.

Table 1: National Strategy to Secure Cyberspace. (2 of 5)

NATIONAL STRATEGY TO SECURE CYBERSPACE

(Summary of Priorities/Initiatives)

Priority III. TRAINING AND AWARENESS PROGRAMME

Initiative 1. Promote a comprehensive national awareness programme to empower all Americans – businesses, the general workforce, and the general population – to secure their own parts of cyberspace.

Initiative 2. Foster adequate training and education programmes to support the Nation’s cyber security needs.

Initiative 3. Increase the efficiency of existing federal cyber security training programmes.

Initiative 4. Promote private-sector support for well-coordinated, widely recognized professional cyber security certifications.

Table 1: National Strategy to Secure Cyberspace. (3 of 5)


If we read the five recommendations in Table 2 from a broader perspective, eliminating any specific references to the USA, they could be taken as true best practices in the field of contingency planning and management of information assets.

3 The European Answer

On 11 February 2003, Brussels also issued a joint response to the computer security problem. The European Commission published a proposal for a regulation which would create a new entity responsible for securing networks and information infrastructure within the European Union. The proposal was prompted by (a) the lack of any cross-border co-operation between Member States with regard to computer security, and (b) the disparity between the approaches and attitudes shown by the different countries [4].

Thus the European Network and Information Security Agency (NISA) was born, with the purpose of creating a common framework, which would:

• facilitate the application of Community measures relating to network and information security,

• help ensure interoperability of security functions in networks and information systems already existing in the respective Member States, thereby contributing to the functioning of the internal market, and

• enhance the capability of the Community and the Member States to respond to network and information security problems.

3.1 Commissioning

Briefly, the proposal suggests the creation of a legally independent, Community-wide regulatory body, subject to the administrative requirements of the Commission. The organisational structure of the agency would consist of a Management Board, an Executive Director, an Advisory Board to assist the Executive Director and the necessary technical and administrative staff (between 31 and 44 people)2.

NATIONAL STRATEGY TO SECURE CYBERSPACE

(Summary of Priorities/Initiatives)

Priority IV. e-GOVERNMENT PROTECTION

Initiative 1. Continuously assess threats and vulnerabilities to federal cyber systems.

Initiative 2. Authenticate and maintain authorized users of federal cyber systems.

Initiative 3. Secure federal wireless local area networks.

Initiative 4. Improve security in government outsourcing and procurement.

Initiative 5. Encourage state and local governments to consider establishing information technology security programmes and participate in information sharing and analysis centres with similar governments.

Table 1: National Strategy to Secure Cyberspace. (4 of 5)

NATIONAL STRATEGY TO SECURE CYBERSPACE

(Summary of Priorities/Initiatives)

Priority V. NATIONAL SECURITY AND INTERNATIONAL CO-OPERATION

Initiative 1. Strengthen cyber-related counterintelligence efforts.

Initiative 2. Improve capabilities for attack attribution and response.

Initiative 3. Improve coordination for responding to cyber attacks within the US national security community.

Initiative 4. Work with industry and through international organizations to facilitate dialogue and partnerships among international public and private sectors focused on protecting information infrastructures and promoting a global "culture of security".

Initiative 5. Foster the establishment of national and international watch-and-warning networks to detect and prevent cyber attacks as they emerge.

Initiative 6. Encourage other nations to accede to the Council of Europe Convention on Cyber crime, or to ensure that their laws and procedures are at least as comprehensive.

Table 1: National Strategy to Secure Cyberspace. (5 of 5)

ACTIONS/RECOMMENDATIONS RELATED TO CONTINGENCY PLANNING (A/R codes explained in note 1)

A/R 1–3 To test civilian agencies’ security preparedness and contingency planning, DHS will use exercises to evaluate the impact of cyber attacks on government-wide processes. Weaknesses discovered will be included in agency corrective action plans and submitted to the OMB. DHS also will explore such exercises as a way to test the coordination of public and private incident management, response and recovery capabilities.

A/R 1–4 Corporations are encouraged to regularly review and exercise IT continuity plans and to consider diversity in IT service providers as a way of mitigating risk.

A/R 1–5 Infrastructure sectors are encouraged to establish mutual assistance programmes for cyber security emergencies. DoJ and the Federal Trade Commission should work with the sectors to address barriers to such cooperation, as appropriate. In addition, DHS’s Information Analysis and Infrastructure Protection Directorate will coordinate the development and regular update of voluntary joint government-industry cyber security contingency plans, including a plan for recovering Internet functions.

A/R 2–10 DHS also will support, when requested and as appropriate, voluntary efforts by owners and operators of information system networks and network data centres to develop remediation and contingency plans to reduce the consequences of large-scale physical damage to facilities supporting such networks, and to develop appropriate procedures for limiting access to critical facilities.

A/R 3–4 Large enterprises are encouraged to evaluate the security of their networks that impact the security of the Nation’s critical infrastructures. Such evaluations might include: (1) conducting audits to ensure effectiveness and use of best practices; (2) developing continuity plans which consider offsite staff and equipment; and, (3) participating in industry-wide information sharing and best practices dissemination.

Table 2: Actions/Recommendations Related to Contingency Planning.

1. Key to Action/Recommendation codes: the number before the hyphen indicates the guideline to which this A/R is associated, while the figure after the hyphen identifies the ordinal number of that A/R within the guideline referred to. E.g.: A/R 1–3 represents action or recommendation number 3 within priority 1; A/R 2–10 is action number 10 of priority 2; and so on.

NISA would begin work on 1 January 2004 and would remain operational for an initial period of five years (until 31 December 2008), although this may be extended. The new Agency’s overall budget allocated for this period would be between €24m and €33m3, to be contributed by the Commission and participating Member States.

3.2 Action Lines

To meet its general objectives, the new Agency should perform the functions listed in Table 3.

If we look at Table 3, we can see that it has some points in common with the American proposal, above all the common objective of the two initiatives: to protect information assets and to be prepared to deal with incidents that might endanger them. Looking more closely at the content of both these public strategies we can draw a series of conclusions, which are set out below in the form of a ten point plan.

4 Ten Point Plan

1. The effort to achieve a more secure society, technologically speaking, should be a shared task, in which contributions from governments, businesses and citizens must be brought together.

2. Any strategy aimed at protecting information assets requires continuous reappraisal and periodic adjustments, due to the dynamic and ever-changing nature of technology, especially in cyberspace.

3. Organisations which base their activities on technological infrastructures should adopt a proactive approach to security, in terms of foreseeing, identifying and remedying their weaknesses.

4. Such organisations should carry out periodic reviews (audits) of any potential exposure they may have, in order to define and implement appropriate countermeasures.

5. Such audits should be performed by experienced and accredited professionals, holding qualifications recognised throughout the industry.

6. Organisations should issue explicit policies, based on and compliant with industry best practices. This would also make it easier to audit compliance with such policies.

7. The establishment of a proper security practice requires more than simply installing and setting up a series of devices (hardware or software). It also requires correct operational and managerial practices.

8. The human factor is key to the success or failure of any security strategy. Therefore every strategy should include actions aimed at raising user (or citizen) awareness.

9. Security of information assets must be compatible with individuals’ privacy.

10. The adoption of measures to protect information assets provides ROI to the organisation.

References

[1] Cybersecurity and the European Network and Information Security Agency. Erkki Liikanen. European Parliament Public Forum. Brussels, 11.6.2003. <http://europa.eu.int/rapid/start/cgi/guesten.ksh?p_action.getfile=gf&doc=SPEECH/03/585|0|RAPID&lg=EN&type=PDF>

[2] The National Strategy to Secure Cyberspace. February 2003. The White House. Washington, D.C. <http://www.whitehouse.gov/pcipb/>

[3] The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets. February 2003. The White House. Washington, D.C. <http://www.whitehouse.gov/pcipb/physical.html>

[4] Proposal for a Regulation of the European Parliament and of the Council Establishing the European Network and Information Security Agency. Brussels, 11.2.2003. COM(2003) 63 final. 2003/0032 (COD). Commission of the European Communities. <http://europa.eu.int/information_society/eeurope/news_library/index_en.htm>

2. Lower figure is for Europe with 15 members, higher figure assumes incorporation of ten new countries as of 2004.

3. Lower figure is for Europe with 15 members, higher figure assumes incorporation of ten new countries as of 2004.

NISA TASK LIST

Task 1. Collect and analyse data, including information on current and emerging risks and, in particular, those which would impact on the resilience of critical communications networks and the information accessed and transmitted through them.

Task 2. Provide assistance and deliver opinions within its objectives to the Commission and other competent bodies.

Task 3. Enhance co-operation between different actors operating in the field of network and information security, inter alia by establishing a network for national and Community bodies.

Task 4. Contribute to the availability of rapid, objective and comprehensive information on network and information security issues for all users by, inter alia, promoting exchanges of best practices on methods of alerting users, including those related to computer attack alert systems, and seeking synergy between public and private sector initiatives.

Task 5. Assist, when called upon, the Commission and national regulatory authorities in analysing the implementation of network and information security requirements for operators and service providers, including requirements on data protection, that are contained in Community legislation.

Task 6. Contribute to the assessment of standards on network and information security.

Task 7. Promote risk assessment activities and encourage interoperable risk management solutions within organisations.

Task 8. Contribute to the Community approach on co-operation with third countries, including facilitating contacts with international fora.

Task 9. Undertake any other task assigned to the NISA by the Commission, derived from new necessities within its objectives and prompted by the changing nature of technology.

Table 3: NISA Task List.


Business Continuity and IT Contingency Planning in the Mobile Telephony Industry

Miguel-Andrés Santisteban-García

In recent years the new mobile operators have been striving to acquire market share and expand their networks in terms of capacity and coverage. This rapid growth was essential to try to maintain the unprecedented market capitalisation of the companies involved, which was disproportionate to the profitability of the delivered product. The rapid growth of the telecommunication industry has meant that non-customer focused processes, in particular network protection and availability, have been neglected. This article reviews Business Continuity Plans in the mobile operator industry.

Keywords: Audit, Business Continuity, Contingency, Contingency Plan, Controls, Mobile Operators, Recovery Plan, Security Plan.

1 Security and Contingency

Security is a dynamic problem. Frequent changes to service releases, operating systems, the technology supporting these services, etc. make it difficult to maintain an adequate level of security without a periodic review of existing controls and security measures.

Security is not only about the confidentiality and integrity of data; the availability of the data is equally important. The rapid growth experienced by the telecommunication industry has meant that non-customer focused processes, in particular network protection and availability, have been overlooked. Availability means that information is accessible and services are fully operational, even in the event of power cuts, natural disasters, accidents or attacks.

Many companies purchase business insurance to cover lost revenue if the business suffers a catastrophic failure (fire, flood, etc.). However, insurers demand that they take reasonable steps to protect their resources and have recovery plans to rebuild the business in the event of a significant business-threatening incident. Senior management often has responsibility for business continuity as part of its duties, but does not normally have enough involvement in the operational side of the business to know whether this task is being properly performed. Experience has frequently shown that planning for major contingencies is poor. This is partly due to an inadequate level of communication within companies in which many different departments and work groups are required for complex service delivery networks.

2 Networks and Security

Initially, operators tended to design their networks around a small number of switches, platforms and support infrastructure all on one site. This first site would contain the major components of the network, such as the main switches, IP gateway, key interconnection circuits and all support platforms such as mediation, billing and customer support. Then, as the company grew, the network would typically expand geographically with new switches, a separate IT centre and a distributed customer care centre.

Despite a certain degree of business continuity being provided by site diversification, rarely is a risk assessment performed to see if there are weak spots, or whether one system could disable the whole network. For example, customer care and billing systems normally communicate with the network through a mediation platform. There may be only one mediation platform operating with no high availability measures in place, so if it fails it will halt provisioning and customer billing. Even value-added service platforms, such as voicemail platforms and short message centres, are often located at one point in a GSM network; they are vital to service provision but are often the most at risk.

3 Controls and Logs

All the information about network design, configuration and logs is too often held on the network and not recorded anywhere else. This includes items such as routing design, switch configuration, IP node configuration and storage of all subscribers' temporary information.

Miguel-Andrés Santisteban-García studied Business Information Technology. He is a CISA auditor (Certified Information Systems Auditor) certified by ISACA (Information Systems Audit & Control Association). During his career he has worked for several consulting firms in the field of analysis and design of security solutions, information system audits, and data protection legislation compliance. He is currently working for a mobile telephony operator as a security and risk analysis expert for new services. He is a member of ISACA (Information Systems Audit and Control Association) and ASIA (Asociación de Auditores y Auditoría y Control de Sistemas y Tecnologías de la Información y las Comunicaciones, Spain), and a member of the Spanish CEPIS society ATI (Asociación de Técnicos de Informática), in which he participates in its Computer Security Interest Group (GISI). <[email protected]>

IT Contingency Planning & Business Continuity

© Novática UPGRADE Vol. IV, No. 6, December 2003 31

A company’s management expects systems to be backed up regularly and to be easily recoverable. This is difficult if there are no procedures to ensure that backup processes are efficiently managed and controlled. If no such procedures exist, in a contingency situation we may find that the backup media is empty or the information stored there is corrupted. Even when backups are made they are often not stored securely. All the above are typical shortcomings of fast growing networks in which system management suffers from deficiencies in the development and implementation of correct controls.

4 Common Weaknesses in Business Continuity

Below is a list of some of the areas which are fundamental to business continuity in the event of a major contingency and which tend not to be properly protected:
• Lack of a clear business continuity policy within the corporate security plan.
• Network architecture.
• The network itself may be well protected but the overall protection is not effective, e.g. redundant systems but in the same physical location.
• Protection of the customer network data and reconfiguration capability.
• Configuration of switch and network elements is not properly documented.
• Weaknesses in connection restoration or re-routing plans.
• Recovery process for value-added service platforms.
• Registration and management of IP resources, IP addresses and services used.
• Back-ups that are made but never tested.
• Absence or inadequacy of criteria in the use of high availability platforms.
• Failure to identify customers who are important to the business and who should receive greater levels of service.
• A clearly defined business recovery team.
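The two points made above about backups, that the media may turn out to be empty or corrupted in a contingency and that back-ups are made but never tested, come down to one control: a backup is only known to be good once it has been restored and compared with a record taken at the time it was made. The following Python script is an added example and is not part of the original article; the configuration file names, their contents and the directory layout are constructed for illustration. It builds a SHA-256 manifest of the source tree at backup time, then checks a restored copy against that manifest, reporting missing, corrupted and unexpected files and treating an empty manifest as a failure in its own right.

```python
"""Verifying that a backup can actually be restored: a SHA-256 manifest is
written when the backup is taken and checked against the restored copy.
Constructed example; the configuration files and their contents are made up."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup sets need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record size and SHA-256 of every file under root, keyed by relative path.
    Stored alongside the backup, this is what a later restore test is checked against."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = {"size": path.stat().st_size, "sha256": sha256_file(path)}
    return manifest


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree with the manifest.

    An empty manifest is reported as a problem in its own right: a backup job
    that 'succeeded' with zero files is exactly the empty-media case."""
    problems = {"empty_manifest": not manifest, "missing": [], "corrupted": [], "extra": []}
    for rel, expected in manifest.items():
        path = restored / rel
        if not path.is_file():
            problems["missing"].append(rel)
        elif path.stat().st_size != expected["size"] or sha256_file(path) != expected["sha256"]:
            problems["corrupted"].append(rel)
    for path in restored.rglob("*"):
        if path.is_file() and path.relative_to(restored).as_posix() not in manifest:
            problems["extra"].append(path.relative_to(restored).as_posix())
    return problems


def restore_ok(problems: dict) -> bool:
    """The restore test passes only if the manifest was non-empty and nothing is missing or corrupted."""
    return not problems["empty_manifest"] and not problems["missing"] and not problems["corrupted"]


def demo() -> dict:
    """Constructed scenario: back up three configuration files, then simulate a
    restore in which one file came back empty and one never reached the media."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "config"
        (src / "switches").mkdir(parents=True)
        (src / "switches" / "msc01.cfg").write_text("hostname msc01\n")   # constructed
        (src / "routing.txt").write_text("0.0.0.0/0 via 10.0.0.1\n")        # constructed
        (src / "ip_nodes.csv").write_text("node,ip\nggsn01,10.1.2.3\n")    # constructed

        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(src), indent=2))

        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)
        (restored / "routing.txt").write_text("")   # corrupted: truncated on the media
        (restored / "ip_nodes.csv").unlink()        # missing: never written to the media

        # Check against the manifest as reloaded from disk, as a real restore test would.
        return verify_restore(json.loads(manifest_path.read_text()), restored)


def empty_media_case() -> bool:
    """An empty backup directory yields an empty manifest, which must fail the restore test."""
    with tempfile.TemporaryDirectory() as tmp:
        empty = Path(tmp) / "empty_backup"
        empty.mkdir()
        return restore_ok(verify_restore(build_manifest(empty), empty))


if __name__ == "__main__":
    result = demo()
    print("restore test passed:", restore_ok(result))
    print(json.dumps(result, indent=2))
```

Keeping the manifest on separate media from the backup itself matters: if both are lost together, the check above has nothing to compare against, which is the same single point of failure the article warns about elsewhere.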

5 The Need for Risk Analysis

Business continuity taken to its ultimate expression could be hugely expensive if the whole network and support systems were to be fully replicated. Clearly operators cannot afford to tackle the problem in this way, either from a logistical or a financial point of view. Instead operators could put an effective and efficient business continuity policy in place by designing existing network services so as to provide a reduced service level in the event of a contingency without affecting the whole customer base. This requires the operator to perform a full business continuity risk assessment of the network, supporting systems and organisational processes, in order to ensure that no single point of failure can compromise the correct operation of the network, and that recovery plans are commensurate with the real level of risk involved.

Many conventional business continuity planning processes are very resource intensive from an organisational point of view. Risk analysis is therefore fundamental to a sound business continuity strategy, in order to ensure that the plan is effective and can be maintained without the need for excessive overheads.

Relevant Sources

European Directive 97/33/EC on interconnection. <http://europa.eu.int/eur-lex/en/consleg/main/1997/en_1997L0033_index.html>.

European Directive 98/10/EC on voice telephony. <http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=EN&numdoc=31998L0010&model=guichett>.

COBIT (Control Objectives for Information and related Technology), ISACA. <http://www.isaca.org/cobit.htm>.

Telephone Management Billing, 2001, ISACA. <http://www.isaca.org/>.

Business Continuity Planning, September 2001, ISACA. <http://www.isaca.org/>.


ICT Contingency Plans and Regulatory Legislation of e-Commerce and Data Protection

Paloma Llaneza-González

As well as fulfilling all the necessary technological parameters and technical standards, a Contingency Plan for Information and Communications Technologies (ICT) must also meet all applicable legal or regulatory requirements. Bearing in mind that similar requirements exist in the European Union’s member States, in this article we look into some of those requirements, specifically the obligations imposed on Spanish companies by two Spanish acts and their regulations: the Information Society Services Act (a transposition into Spanish law of European Directives 2000/31/EC, 98/27/EC, and 2002/58/EC) and the Personal Data Protection Act (similarly transposing Directive 95/46/EC).

Keywords: Contingency Plans, Duty to Collaborate, Duty to Retain e-Communication Traffic Data, Intermediary Service Providers, Security Regulation, Spain’s Automated Data Processing Regulation Act (LORTAD), Spain’s Personal Data Protection Act (LOPD), Spain’s Information Society Services Act (LSSI-CE), Technical and Organisational Security Measures.

1 Considerations Regarding the Regulation of e-Commerce

Act 34/2002 of 11 July on Information Society Services and E-commerce (hereinafter LSSI-CE) transposes into Spanish legislation the European Parliament and Council Directive 2000/31/EC dated June 8, 2000 on certain aspects of Information Society services and e-Commerce in the internal market. It partially incorporates European Parliament and Council Directive 98/27/EC, of 19 May 1998, relative to injunction actions to protect and enforce consumer rights, and anticipates the subsequently approved European Parliament and Council Directive 2002/58/EC dated 12 July 2002, on the processing of personal data and the protection of privacy in the electronic communications sector. In particular it incorporates the duty to retain and store electronic communications traffic data (article 12 LSSI-CE).

Directive 2000/31/EC aims to contribute to the correct functioning of the internal market by guaranteeing the free circulation of Information Society Services among member states. To this end it seeks to harmonise all the different national provisions applicable to the Information Society which have a bearing on the internal market: the establishment of service providers, commercial communications, online contracts, the responsibilities of intermediaries, codes of conduct, out of court settlement of litigation, legal resources and the cooperation between member states.

The LSSI-CE has a common backbone upon which the regulated services and the duties and rights of the operators are ‘hung’. This backbone of generally applicable legislation is set out in the following chapters and articles of the Act:
• Title I
  - Chapter I. Object (art. 1)
  - Chapter II. Scope of application (arts. 2 to 5)
• Title II
  - Chapter I on the principle of free provision of services (arts. 6 to 8)
  - Articles 9, 10 and 13 of Chapter II, on the obligation to register domain names in public registries, the general information to be provided, and the general liabilities of Information Society Service Providers.
  - Chapter III, on Codes of Conduct (art. 18)
• Title V, on in court or out of court settlement of conflicts (injunction actions, articles 30 and 31, and out of court settlement of conflicts, article 32)
• Title VI, information, control and supervision (arts. 33 to 36)
• Title VII, on infractions and penalties (arts. 37 to 45)

Paloma Llaneza-González is a Madrid lawyer and a partner of Llaneza A+A Associate Lawyers. She is an honorary member of the Ilustre Colegio de Abogados de Caracas, Venezuela. She is a collaborative lawyer for the Secretaría Técnica del Ilustre Colegio de Abogados de Madrid, Spain, and a diplomate from the Colegio de Europa in Bruges, Belgium, in the field of community law (Diplome d'Hautes Etudes Européens). She holds a master’s in computer programming from the Universidad Pontificia de Salamanca de Madrid, and was awarded the AUTEL 2000 Prize for the Dissemination of the Use of Telecommunications (in the individual work category) for the book “Internet and Digital Communications”. She is on the board of the Asociación de Auditores y Auditoría y Control de los Sistemas y Tecnologías de la Información y Comunicaciones (ASIA), and a member of the Subcomité 27 of AENOR (AEN/CTN 71) Information Technology. She is also an arbiter of the Court of Arbitration of the Ilustre Colegio de Abogados de Madrid, specialising in technological arbitration. She has directed several courses on ICT and telecommunications and has lectured in this subject on a number of postgraduate courses, including ICADE. As well as her prize-winning book she has also authored “Telecomunicaciones. Régimen general y evolución normativa” (Aranzadi. Serie Monografías. 1998), “Nuevo marco regulatorio de las Telecomunicaciones” (Bosch, 2002) and “Practik de la LSSI-CE” (BOSCH 2003). She is the director of the online journal NJBOSCH and collaborates on the monthly Ciberpaís, a supplement of the Spanish daily newspaper El País. <[email protected]>

Branching out from this common backbone is a double regulation referring to two specific types of activities and their agents:
• Intermediary Service Providers:
  - Article 11, on the duty of the Intermediary Service Provider to collaborate with the authorities.
  - Article 12, on the duty to retain electronic communications traffic data.
  - Title II, Chapter II, Section 2, of articles 14 to 17 on the Intermediary Service Provider’s liability for content.
• Legislation governing online contracts and some information obligations for Information Society Service Providers engaged in e-Commerce:
  - Title III, on commercial communications (arts. 19 to 22)
  - Title IV, on online contracts (arts. 23 to 29) and, more specifically, on the validity and enforceability of such contracts, testing of contracts, intervention of Trusted Third Parties, applicable law, obligations prior to initiating the contract process, subsequent information and place where the contract is made.
  - Additional Fourth Provision: new draft of articles 1262 of the Civil Code and 54 of Commercial Law.
  - Final Fifth Provision: adaptation to the LSSI-CE of the legislation on telephone or electronic contracts with standard terms.
  - Third Additional Provision: Consumer Arbitration System.

Any provision of services via the web (e-banking, e-Commerce, hosting, housing, caching services, etc.) must fulfil a series of obligations of a protective nature for the consumers, which range from the obligation to provide general information identifying the owner of the website to certain contractual obligations concerning e-contracts. From this point of view, the LSSI-CE is more of a legal standard than a technical one, which is not to say that Intermediary Service Providers do not need to take these obligations very much into account in their Contingency Plans, particularly with regard to the twin obligations of collaboration with the authorities or the judicial bodies and the compilation and retention of data.

1.1 The Duty to Collaborate and the Duty to Retain Data

Point a) of the Annex to the LSSI-CE defines Intermediary Service as “the Information Society service whereby the provision or use of other Information Society services or access to information is facilitated. Intermediary services are the provision of Internet access services, the transmission of data over telecommunication networks, the making of a temporary copy of an Internet page at the request of user, the storage in proprietary servers of data, applications or services provided by others and the provision of tools for searching, accessing and compiling data or to establish links to other Internet sites”. The concept of the ‘Intermediary Service Provider’ includes, inter alia, the ISP (Internet Service Provider); the IAP (Internet Access Provider); service providers for caching; service providers for hosting, housing or virtual hard disk; all kinds of search engines (indexed and metasearch engines, with or without human intervention) and the inclusion of links in the website itself, which effectively makes anyone who has a web page an Intermediary Service Provider.

SECURITY LEVEL
Basic Level: all files containing personal data.

SECURITY MEASURES
→ Draw up a security document (Article 8): The file controller must design and implement security rules in the form of a document which must be followed by all staff with access to automated personal data and information systems. The document must be kept up to date at all times and must be revised whenever important changes are made to the information system or the way it is organised. The content of the document must at all times comply with current provisions for the security of personal data. The document must as a minimum include the following aspects:
  • The scope of the document with a detailed specification of protected resources.
  • Measures, norms, procedures, rules and standards aimed at guaranteeing the security level required by this Regulation.
  • Functions and obligations of the staff.
  • Structure of the files containing personal data and a description of the information systems on which they are processed.
  • Procedure for reporting, managing and responding to incidents.
  • Procedures for making backup copies and recovering data.

→ Functions and obligations of the staff (Article 9): The functions and obligations of everyone with access to personal data and to information systems must be clearly defined and documented. The file controller must take the necessary steps to ensure that the staff are familiar with the security rules affecting their functions and the possible consequences of non-compliance.

→ Incident logs (Article 10): The procedure for reporting and managing incidents must necessarily include a log in which the type of incident, the time when it happened, the person reporting it, who it was reported to and any consequences of the incident must all be recorded.

→ Identification and authentication (Article 11): The file controller shall be responsible for ensuring that there is an up to date list of users who have authorised access to the information system, and for establishing identification and authentication procedures to control that access. If the authentication mechanism is based on passwords there must be a procedure for assigning, distributing and storing them which ensures their confidentiality and integrity. Passwords must be changed at regular intervals as set out in the security document and while they are valid they must be stored in an unintelligible form.

Table 1: Basic Level Security Legal Measures Set out in the Spanish Regulation of Security Measures for Automated Files Containing Personal Data (1 of 2).

Intermediary Service Providers are also liable for the heftiest fines, as much as 600,000 euros in cases of non-compliance with the duty of collaboration with public administrations or jurisdictional bodies (article 11 LSSI-CE). If one of these bodies were to order an Intermediary Service Provider to stop providing services or demand the withdrawal of certain content from providers based in Spain, and this required the collaboration of an Intermediary Service Provider, that provider could be ordered, either directly or via a justified request to the Spanish Ministry of Science and Technology, to suspend all transmission, data hosting, access to telecommunication networks and provision of any other equivalent intermediary service they may perform. The measures used to block, withdraw or suspend services must be objective, proportionate and not discriminatory, and may be adopted prior to or in execution of resolutions. Clearly care needs to be taken to block, withdraw or suspend services for all the entity’s servers in the same way and simultaneously, otherwise there is a risk that a service or content which has been suspended or withdrawn in the original server might continue to provide the service and be locatable via a mirror server.

As well as the duty to collaborate there is a duty to retain electronic communication traffic data. In this respect, article 15 of Directive 2002/58/EC sets out the following:

“Scope of application of certain provisions of Directive 95/46/EC.

1. European Union Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for in Article 5, Article 6, Article 8(1), (2), (3) and (4), and Article 9 of this Directive when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive 95/46/EC. To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph. All the measures referred to in this paragraph shall be in accordance with the general principles of Community law, including those referred to in Article 6(1) and (2) of the Treaty on European Union.

2. The provisions of Chapter III on judicial remedies, liability and sanctions of Directive 95/46/EC shall apply with regard to national provisions adopted pursuant to this Directive and with regard to the individual rights derived from this Directive.

3. The Working Party on the Protection of Individuals with regard to the Processing of Personal Data established according to Article 29 of Directive 95/46/EC shall carry out the tasks laid down in Article 30 of the above mentioned Directive also with regard to the protection of fundamental rights and freedoms and of legitimate interests in the telecommunications sector, which is the subject of this Directive.”

Article 15 of Directive 2002/58/EC allows Member States to restrict some of the basic principles set out in its text. The exemptions refer to the principles set out in article 5 (confidentiality of communications), article 6 (traffic data) and article 8 (calling line and connected line identification presentation and restriction). The principles are as follows:
- To ensure the secrecy of communications and the related traffic data: prohibition of listening, tapping, storage and other kinds of interception or surveillance of communications and related traffic data. The technical storage necessary for the conveyance of a communication which does not hamper the principle of confidentiality is permitted.
- The recording of communications and the related traffic data in the course of lawful business practice for the purpose of providing evidence of a commercial transaction or of any other business communication is permitted.
- The use of cookies and spyware [1] is restricted as set out in article 5.3 of the Directive. [2]
- The obligation to erase or render anonymous traffic data related to users and subscribers when it is no longer needed for the purpose of transmitting a communication.
- The processing of traffic data is permitted when it is necessary for the purpose of billing and interconnection payments.
- Providers may process traffic data for marketing electronic communications services or for the provision of value added services, if the subscriber or user at issue has given his prior consent. Users and subscribers must be given the opportunity to withdraw their consent to the processing of traffic data at any time.
- Obligation of the service provider to inform the user/subscriber about the type of traffic data being processed and the duration of such processing for billing purposes. If traffic data is being processed for marketing purposes, notification must be prior to obtaining consent.
- Processing of traffic data is permitted to “persons acting under the authority of providers of the public communications networks and services handling billing or traffic management, customer enquiries, fraud detection, marketing electronic communications services or providing a value added service, and must be restricted to what is necessary for the purposes of such activities”. The processing should be restricted to what is necessary for such activities (article 6.5 Directive 2002/58/EC).
- Possibility of presenting or restricting calling line and connected line identification (article 8 Directive 2002/58/EC).

SECURITY LEVEL
Basic Level: all files containing personal data.

SECURITY MEASURES
→ Access control (Article 12): Users shall only have authorised access to the data and resources they need to perform their duties. The file controller must set up mechanisms to prevent a user from accessing data or resources he is not authorised to access. The list of users must specify the access authorised for each of them. Only staff authorised to do so in the security document may grant, alter or cancel authorised access to data and resources, in accordance with the criteria established by the file controller.

→ Media management (Article 13): Information media containing personal data must permit the type of information they contain to be identified, must be inventoried, and must be stored in a place where access is restricted to staff authorised for that purpose in the security document. The removal of media containing personal data from the premises where the file is stored can only be authorised by the file controller.

→ Backup copies and recovery (Article 14): The file controller is responsible for checking the definition and correct application of data backup and recovery procedures. The procedures established for making backup copies and data recovery must guarantee that the system is returned to the state it was in before the data loss or corruption occurred. Backup copies must be made at least once a week unless the data has not been updated in that period.

Table 1: Basic Level Security Legal Measures Set out in the Spanish Regulation of Security Measures for Automated Files Containing Personal Data (2 of 2).

The LSSI-CE has adapted article 15 of the Directive to Spanish internal law, providing for the obligation of electronic communication network and service operators, telecommunications network access providers and data hosting service providers to retain connection and traffic data relating to communications made during the provision of an Information Society service and to keep them for a maximum period of twelve months (article 12 LSSI-CE). The data to be kept by electronic communication network and service operators and telecommunications network access providers must only be what is necessary to enable the location of the terminal utilised by the user to transmit the information. Data hosting service providers must only retain what is absolutely necessary to identify the source of the hosted data and the moment when the service provision started. The obligation to retain data must in no way violate the secrecy of communications. These service providers must adopt appropriate security measures to prevent the loss or corruption of, or unauthorised access to, the data retained and stored. There is still no decision regarding the different categories of data that must be kept according to the type of service provided, the exact period of time that each type of data must be retained within the absolute limit mentioned in this article, the conditions under which data must be stored, processed and safeguarded and, if the case should arise, how it should be delivered to the authorities when requested and how it should be destroyed after the corresponding period of retention, unless it were required for these or any other purposes provided for by the Act.

1. According to the online dictionary WhatIs, at <http://whatis.com>, generally speaking “spyware” is any technology which allows information about a person or an organisation to be collected without their knowledge. On the Internet spyware is software which gets put on someone’s computer to secretly collect information about the user and send it on to advertisers or other interested parties.

2. Art. 5.3. “Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.”

SECURITY LEVEL
Basic Plus or Low Medium Level (article 4.4 RS): files containing enough personal information to build up a picture of the data subject’s personality.

SECURITY MEASURES
Neither the obligation to nominate a security officer nor the special stipulations regarding the incident log are applicable. THE BASIC LEVEL guidelines are applicable plus the medium level measures set out in articles 17, 18, 19 and 20 RS:

→ Auditing (Article 17): internal or external audit at least once every two years to check on compliance with the Regulation and the procedures and instructions in place regarding data security. The audit report should give an opinion on the degree to which the measures and controls comply with the Regulation in force, should identify their shortcomings and propose the corrective or complementary measures required. It must also include all data, facts and observations supporting the conclusions reached and the recommendations proposed. The auditors’ report shall be studied by the person in charge of data security, who will in turn report his conclusions to the file controller, who will then adopt the appropriate corrective measures. This report will be made available to the Data Protection Agency.

→ Identification and authentication (Article 18): The file controller must establish a mechanism which permits the unequivocal and individual identification of any user trying to access the information system and the verification of their authorisation. There must be a limit to the number of failed unauthorised access attempts to the information system.

→ Control of physical access (Article 19): Only staff authorised by the security document are allowed access to the physical locations housing information systems with personal data.

→ Media management (Article 20): A system for registering incoming media must be set up which permits the direct or indirect identification of the type of information media, the date and time, the sender, the number of media, the type of information they contain, the manner they were sent and the person responsible for their reception, who should be appropriately authorised. There must also be a control system for outgoing media which permits direct or indirect identification of the type of media, the date and the time, the recipient, the number of media, the type of information they contain, the manner they were sent and the person responsible for their dispatch, who should be appropriately authorised. When any storage media is to be disposed of or reused, measures must be taken to prevent any subsequent recovery of the information stored therein, prior to its removal from the inventory. When storage media has to be removed from the premises where the personal data files are kept due to maintenance operations, the necessary steps must be taken to prevent any undue recovery of the information stored on it.

Table 2: Low Medium Level Security Legal Measures Set out in the Spanish Regulation of Security Measures for Automated Files Containing Personal Data.

The reason for keeping this type of data for a length of time as yet unspecified by law is so that it can be used in a criminal investigation or for reasons of public and national security, when it can be requested by judges or courts or the Public Prosecutor, or by the armed forces or the police, providing they have obtained a prior court order.

This obligation is especially important, not only because of the hefty fine an Intermediary Service Provider could incur if data is not adequately safeguarded, but also because of the criminal dimension of the retention and safeguarding of information. This data is critical and the issue of its safeguarding must be addressed as a priority in any Contingency Plan, as its integrity is a legal requirement.

1.2 Personal Information and e-Commerce

The Personal Data Protection Working Group, made up of the competent authorities in data protection from each of the

SECURITY LEVEL
Medium level: files containing data referring to the commission of administrative or criminal proceedings, the Inland Revenue or financial services.

SECURITY MEASURES
IN ADDITION TO THE BASIC LEVEL

→ Security document (Article 15): PLUS the designation of a security officer or officers, regular controls to check compliance with the provisions of the document and measures to be taken when storage media is to be disposed of or reused.

→ Security officer (Article 16): The file controller must designate one or more security officers to be in charge of coordinating and controlling the measures stipulated in the security document. This in no way implies any delegation of the file controller’s responsibility.

→ Auditing (Article 17): internal or external audit at least once every two years to check on compliance with the Regulation and the procedures and instructions in place regarding data security. The audit report should give an opinion as regards to the degree to which measures and controls comply with the current Regulation, identify their shortcomings and propose any corrective or complementary measures required. It must also include data, facts and observations supporting the conclusions reached and the recommendations proposed. The auditors’ report shall be studied by the person in charge of data security who will in turn report his conclusions to the file controller for him to adopt the appropriate corrective measures. This report will be made available to the Data Protection Agency.

→ Identification and authentication (Article 18): The file controller must establish a mechanism which enables any user trying to access the information system to be identified unequivocally and individually and their authorisation verified. There must be a limit to the number of failed unauthorised access attempts to the information system.

→ Control of physical access (Article 19): Only staff authorised by the security document are allowed access to the physical locations where there are information systems with personal data.

→ Media management (Article 20): A system for registering incoming media must be set up which permits direct or indirect identification of the type of information media, the date and time, the sender, the number of media, the type of information they contain, the manner they were sent and the person responsible for their reception who should be appropriately authorised. There must also be a control system for outgoing media which permits direct or indirect identification of the type of media, the date and the time, the recipient, the number of media, the type of information they contain, the manner they were sent and the person responsible for their dispatch who should be appropriately authorised. When any storage media is to be disposed of or reused, measures must be taken to prevent any subsequent recovery of the information stored therein, prior to its removal from the inventory. When storage media has to be removed from the premises where the personal data files are kept due to maintenance operations, the necessary steps must be taken to prevent any undue recovery of the information stored on it.

→ Incident logs (Article 21): In the log, any data recovery procedures carried out should ALSO be reported, indicating the person responsible for carrying out the procedure, the data which was restored and, when appropriate, what data had to be recorded manually in the recovery process. Data recovery procedures must be authorised in writing by the file controller.

→ Testing with real data (Article 22): Any testing carried out prior to the implementation or modification of information systems which process files containing personal data must not be performed using real data, unless the security level required by the type of file to be processed can be guaranteed.

Table 3: Medium Level Security Legal Measures Set out in the Spanish Regulation of Security Measures for Automated Files Containing Personal Data.

IT Contingency Planning & Business Continuity

© Novática UPGRADE Vol. IV, No. 6, December 2003 37

EU member states (known as the “Article 29 Group”, in refer-ence to article 29 of Directive 95/96/EC) drew up some “Min-imum requirements for online personal data collection”. Theserequirements have been adopted by the Agencia de Protecciónde Datos (APD) (Spanish Data Protection Agency) in their“APD recommendations to the e-Commerce sector to bringtheir practices in line with the LOPD (Personal Data ProtectionAct)”, commonly referred to as the “APD Recommendations”and available at <https://www.agpd.es/index.php?idSeccion=75>. We believe these recommendations provide some usefulguidelines to bear in mind for personal data collection, process-ing and third country transfer. We will go on to take a look atsome of recommendations which are most relevant to thisarticle:1. As set out in section 1 of article 4 of the Spanish Personal

Data Protection Act (LOPD), personal data may only becollected for automatic processing, and be subjected tosuch processing, if such data is adequate, relevant and notexcessive in relation to the scope and legitimate purposesfor which they have been gathered. Only those criteriawhich do not lend themselves to illicit practices may beused for their classification. In the opinion of the APD,personal data should not be collected via the Internet whenthere is no justifiable reason for the data controller to knowit and when the user has not been previously notified. Thus,the APD recommends as a good practice allowing users tomake an anonymous visit to commercial sites withoutbeing asked to identify themselves by first name, surname,e-mail address or any other information. As we havealready seen, Information Society Service Providers mustmake a certain amount of information available to users(information of a general nature, prior to any contract) butthey should not oblige the user to do the same, nor shouldthey ask for any personal data.

2. There are many agents involved in the transactions thattake place on the Internet and users are unaware of a great

many of these transactions. The user often finds it hard todistinguish between the end-seller and the various Interme-diary Service Providers with whom he has contracts to sellhis products or provide his services. The upshot of this isthat any data provided by the user will pass through manydifferent hands. Given that these players are not always inthe same legal entity, it is very important for the buyer toknow which of them is the one who will ultimately decideon the use and purpose of his personal data. All these casesinvolve access to customers’ personal data, so the provi-sions of article 12 of the LOPD will be applicable to all ofthem.

3. When payment gateway services, provided by certainfinancial institutions, are used to make a transaction via theInternet, no data must be stored which could relate thepayment method with the identity of the payer, unless it isnecessary for legitimate purposes.

4. The user should be duly notified whenever control is trans-ferred from one website to another, in such a way that thereis no room for any doubt. In this respect, the APD consid-ers it good practice for the website manager to ensure thatthe web sites to which control is being transferred alsocomply with the terms of the Recommendation.

2. Considerations Concerning the Regulation of Personal Data Protection and Privacy Protection

Article 18.4 of the Spanish Constitution establishes that “thelaw shall limit the use of computerised information to guaran-tee the honour and privacy of all citizens and their families andthe full exercise of their rights”.

In application of this article (which as early as 1978 foresaw the risk that the use of computers could pose) two organic laws were passed. The first was Organic Law 5/1992 of 29 October on the Regulation of the Automated Processing of Personal Data (known by the Spanish acronym LORTAD), and this was followed by Organic Law 15/1999 on Personal Data Protection (Spanish acronym, LOPD).

SECURITY LEVEL

High level: files containing information about ideology, religion, beliefs, ethnic origin, health or sex life, plus any files containing data gathered for policing purposes without the consent of the data subjects.

SECURITY MEASURES, IN ADDITION TO THE BASIC AND MEDIUM LEVELS

→ Distribution of electronic media (Article 23): Electronic media containing high level protection personal data must be encrypted, or use some other mechanism to ensure that such information is not intelligible and cannot be manipulated while it is being transmitted.

→ Access log (Article 24): For every access the following minimum data will be recorded: user identity, date and time of access, file accessed, type of access and whether it was authorised or denied. For authorised accesses it is also necessary to retain the information allowing the record accessed to be identified. The mechanisms enabling this data to be recorded must be under the direct control of the security officer, and under no circumstances may these logs be deactivated. Access logs must be kept for a minimum of two years. The security officer in charge will be responsible for periodically reviewing the control information logged and must report on the reviews carried out and the problems detected at least once a month.

→ Backup copies and recovery (Article 25): A backup copy and a copy of the data recovery procedures must be kept on a different site from where the hardware used to process the data is located. The security measures required by the Regulation must always be complied with at that site too.

→ Telecommunications (Article 26): Any personal data transmitted over telecommunications networks must be encrypted, or use some other mechanism to ensure that such information is not intelligible to, or able to be manipulated by, third parties.

Table 4: High Level Security Legal Measures Set out in the Spanish Regulation of Security Measures for Automated Files Containing Personal Data.
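The failed-attempt limit of Article 18 (Table 3) and the access log and monthly review of Article 24 (Table 4) translate directly into a small review routine. The following is an added example, not code from the original article or anything prescribed by the Regulation: it parses a constructed, pipe-separated access log carrying the minimum Article 24 fields (the layout, the user names, the file names and the failed-attempt threshold of 3 are all assumptions made here) and produces the figures a security officer would put in the monthly report, together with the date before which records may be purged under the two-year retention rule.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log. Each line carries the minimum fields Article 24
# requires: date/time, user identity, file accessed, type of access and
# whether the access was authorised or denied. The pipe-separated layout,
# the user names and the file names are assumptions made for this example.
SAMPLE_LOG = """\
2003-11-03T09:12:04|jgarcia|historias_clinicas|read|authorised
2003-11-03T09:15:40|jgarcia|historias_clinicas|write|authorised
2003-11-03T23:02:11|contractor7|historias_clinicas|read|denied
2003-11-03T23:02:30|contractor7|historias_clinicas|read|denied
2003-11-03T23:03:02|contractor7|historias_clinicas|read|denied
2003-11-03T23:03:45|contractor7|historias_clinicas|read|denied
2003-11-10T14:20:00|mruiz|afiliacion_sindical|read|authorised
2003-11-12T02:41:19|mruiz|afiliacion_sindical|export|authorised
"""

FIELDS = ("timestamp", "user", "file", "access_type", "result")
RETENTION = timedelta(days=2 * 365)  # Article 24: logs kept for at least two years


def parse_log(text):
    """Parse the log into dicts, rejecting lines that lack a mandatory field.

    A record that cannot be parsed is an incident in itself (the Regulation
    does not allow the log to be switched off or written incompletely), so
    the parser fails loudly instead of silently skipping the line.
    """
    records = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        record = dict(zip(FIELDS, parts))
        record["timestamp"] = datetime.fromisoformat(record["timestamp"])
        if record["result"] not in ("authorised", "denied"):
            raise ValueError(f"line {lineno}: result must be 'authorised' or 'denied'")
        records.append(record)
    return records


def monthly_review(records, now, max_failed=3):
    """Figures for the security officer's monthly report (Article 24).

    max_failed is the limit on failed access attempts that Article 18 requires
    the file controller to set; the value 3 is an assumption for this example.
    """
    denied_by_user = Counter(r["user"] for r in records if r["result"] == "denied")
    return {
        "denied_by_user": dict(denied_by_user),
        # Users whose denied attempts exceed the Article 18 limit.
        "users_over_limit": sorted(u for u, n in denied_by_user.items() if n > max_failed),
        "accesses_by_file": dict(Counter(r["file"] for r in records)),
        # Records dated before this may be purged; anything newer must be kept.
        "purge_allowed_before": now - RETENTION,
    }


def review_sample(now=datetime(2003, 12, 1)):
    """Run the review over the constructed sample as of a fixed date."""
    return monthly_review(parse_log(SAMPLE_LOG), now)


if __name__ == "__main__":
    for key, value in review_sample().items():
        print(f"{key}: {value}")
```

The parser deliberately raises on malformed lines rather than skipping them: a gap or a truncated record in a log that the Regulation says may never be deactivated is exactly the kind of problem the monthly report exists to surface.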

In application of the first law, and in particular of its article 9, Royal Decree 994/1999 of 11 June [3] was passed, approving the regulation on security measures for automated files containing data of a personal nature (hereinafter the ‘Regulation’ or RS).

Article 9 of the LORTAD establishes the obligation of the file controller to adopt the necessary technical and organisational measures to guarantee the security of personal data and prevent its alteration, loss, or unauthorised processing or access, taking into account the state of the art, the nature of the data stored, and the risks to which they are exposed, whether from human intervention or from the physical or natural environment. Article 43.3.h) of the LORTAD establishes that maintaining files, premises, programmes or hardware containing personal data without the security required by regulations is a serious infraction.

After the LOPD was passed, the Spanish government had one year to pass a new RS adapted to the new legislation. However, four years have now gone by since the LOPD was passed and still no regulation has been introduced to replace the RS, which as a result, according to the LOPD itself, remains in force.

The RS specifies the technical and organisational measuresto ensure the confidentiality and integrity of personal informa-tion in order to safeguard the honour and privacy of individualsand their families and the full exercise of their personal rightsagainst corruption, loss or unauthorised processing or access.

The security measures established are the basic securityrequirements that all files containing personal data must fulfil,without prejudice to the establishment of special measures forthose files which, due to the special nature of the data theycontain or due to the very nature of the files themselves, requirea greater degree of protection.

The security measures required are broken down into threelevels: basic, medium and high. The levels depend on the natureof the information being processed and the greater or lesserneed to guarantee the confidentiality and integrity of the infor-mation. See Tables 1, 2, 3, and 4.

Of all the general rules set out in the RS, the following are of special importance with regard to setting up an ICT Contingency Plan:

• Access to data via communication networks: the security measures required to access personal data via communication networks must guarantee a level of security equivalent to that of a local network (Article 5).

• Rules for working on a different site from where the file is:the processing of personal information from somewhereother than where it is stored must be expressly authorised bythe file controller and must at all times guarantee the level ofsecurity corresponding to the type of file being processed(Article 6).

• Temporary files: temporary files must comply with theappropriate level of security as set out in RS criteria. Alltemporary files must be deleted once they have ceased to benecessary for the purpose for which they were created(Article 7).

Translation by Steve Turpin

3. This regulation is commonly known in Spain as “Reglamento de Seguridad de la LORTAD”.


Information Technologies and Privacy Protection in Europe

David D’Agostini and Antonio Piva

The protection of privacy has progressed in parallel with technological evolution. The European Parliament and Council Directives 95/46/EC on the processing of personal data and 2002/58/EC on electronic communications protect personal data from any kind of undue processing, paying particular attention to the risks derived from automation and from the use of telematic networks for commercial purposes as tools to invade personal privacy. This article analyses the implementation of the first directive and addresses the problem of unsolicited commercial communications (spamming), describing the latest regulatory solutions drawn up in an attempt to overcome a phenomenon that can have severe negative economic effects and a dangerous impact on the operation and security of the Internet.

Keywords: Consent, Personal Data, Privacy, Opt-in Opt-out,Spamming, Unsolicited Communication.

1. An Evaluation of the European Directive 95/46/EC on Personal Data

Between September 20 and October 1, 2002 an international conference on Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1] and its implementation was held in Brussels, during which the results were released of a public consultation launched by the European Commission to find out citizens’ and firms’ opinions of the community directive on privacy and its implementation. The previous summer two different questionnaires, one for citizens who are ‘data subjects’, the other for those who are ‘data controllers’, had been distributed among European Union Member States. The first questionnaire revealed that there is still insufficient protection of privacy, while the second one reflected a need for more flexibility in the application of regulations. However, both questionnaires found that stakeholders have a very low awareness of privacy laws and how to apply them. On the basis of that consultation, Fritz Bolkestein, EU Internal Market Commissioner, ruled out any revision of the text of the Directive for the moment, choosing instead to study new ways to improve its application in individual member states and to look into more pragmatic approaches in order to simplify the regulatory framework and make it more flexible, while safeguarding the protection of citizens’ rights and freedom.

Perhaps the most significant actions resulting from this decision were the simplification of legislation regarding the notification of personal data handling, the promotion of privacy enhancing technologies to guarantee a simpler and more effective protection of privacy, the promotion of the use of codes of conduct, and the harmonisation of practices followed by individual member States. These proposals have been officially formulated by the European Commission, in accordance with article 33 of the Directive, via the publication of a First Report on the application of the Data Protection Directive [2].

As we mentioned before, the report does not consider this to be the right time to submit a Directive amendment proposal, for three reasons:

1) There has been only limited experience of its application.

2) Many difficulties can be overcome by a more effective application of the regulations already in force.

3) No simplification of the application of legislation must be allowed to lower the level of protection guaranteed.

1. Available at <http://europa.eu.int/ISPO/legal/en/dataprot/directiv/directiv.html>.

2. The report COM(2003) 265 can be found at <http://europa.eu.int/eur-lex/en/com/rpt/2003/com2003_0265en01.pdf>.

David D’Agostini is a lawyer whose main field of practice is Internet and high-tech law (Master of Information and Communication Technology Law from the University of Bologna, Italy). He provides consultancy services and legal assistance in matters of software, privacy and security, IT contracts, e-commerce, domain names, computer crimes and electronic signature. He collaborates in scientific research with the University of Udine, Italy, and a number of cultural associations. <[email protected]>

Antonio Piva has a degree in Computer Science and is president of the Italian CEPIS society ALSI (Associazione Nazionale Laureati in Scienze dell'Informazione e Informatica) for the Friuli Venezia Giulia region and is director of the ALSI journal. He is a university professor in ICT Law and author of numerous publications. He is a consultant in information systems and an expert in ISO 9000 quality systems and in the ECDL (European Computer Driving Licence) at the Italian CEPIS society AICA (Associazione Italiana per l'Informatica e il Calcolo Automatico). <[email protected]>

An analysis of the report shows that there is still some divergence with regard to how individual member states have implemented the Directive, making use of the leeway that the community legislator grants to national legislators.

However, these rules do little to facilitate the free movementof data and hinder the achievement of community goals. TheCommission, therefore, while recognizing that convergence isnot the same as standardisation, has proposed measures toreduce this divergence, giving particular importance to theworkgroup set up by art. 29 of the Directive. The report alsofinds that citizens are not sufficiently aware of their own rightsin privacy matters and there is a need for European institutionsto promote an awareness campaign to address this problem.Meanwhile enterprises tend to undervalue the need to protectdata, often blaming either the excessive costs of conformance,or the complexity of the legislation which often varies from onemember state to another.

2. Biometrics and Video Surveillance

Finally, the report encourages the European Data Protection Working Party to continue their activity of monitoring and advising on video surveillance and the use of biometric devices. To this end, on November 25, 2002 a “Working Document on the Processing of Personal Data by means of Video Surveillance” [3] was adopted to supervise the installation of systems, networks and devices which enable images to be recorded for the purposes of security and the protection of property, individuals and public interests. In light of the growing public and private use of such equipment, we need to pay special attention to the guarantees and safeguards that must be provided by those carrying out video surveillance [4]. In particular, images must be used correctly, for specific, explicit and legitimate purposes, only when circumstances demand and never to excess, and they should be kept only as long as their purpose requires.

With regard to biometric technologies [5] (principally fingerprinting, but also retina scanning, facial recognition and the like) and their use for purposes of security, they may not be used in a generalised or indiscriminate way. A reasonable balance must be struck between the use of such equipment and the intended purpose, preferring methods or technologies which are less invasive of individual privacy. It is also necessary to take certain precautions, particularly with regard to the accessibility and retention of data, when there is a high risk of data being used illegally (for example abusive data mining) as a result of the use of advanced technology [6].

3. Spamming

In 2005 the Commission will re-examine the state of application of the Directive in order to decide what measures need to be taken in the light of the experience acquired. Meanwhile the European Parliament and Council have adopted further legislation: Directive 2002/58/EC of July 12, 2002, on the handling of personal data and protection of private life in the field of electronic communications [7]. Given the widespread nature of a problem which affects almost all Internet subscribers, the provisions set out in art. 13 concerning unsolicited communications, or spam, which have a wider frame of reference than the equivalent art. 12 of Directive 97/66/EC [8] on unsolicited calls, are of particular interest. According to the definitions of the new regulation, a ‘call’ is understood to mean a connection established by a telephone service allowing two-way communication in real time, while a ‘communication’ is any information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communication service, such as e-mail, a concept not included in the 1997 text. The fundamental principle is that the use of automatic calling machines, fax or e-mail [9] for the purpose of direct marketing (spamming [10]) is permitted only if the recipient has given his or her prior consent. If an e-mail address is obtained in a legal way in the course of a previous sale, the seller may send advertising material for their own products or services, but must offer the customer a simple and free way to decline such material.

In addition to the above, the Community Legislator requires individual member states to choose between an opt-in and an opt-out policy: in the first case unsolicited communications are not permitted without the prior consent of the interested party, whereas in the second case subscribers must state their wish not to receive such communications. Italy has adopted the opt-in system [11]. Finally, the directive prohibits e-mailing for direct marketing purposes in which the identity of the sender is masked or hidden, and obliges the sender to provide a valid address so that the receiver can ask for the mailing to be stopped.

3. Document WP 67 of 25.11.2002 is available at <http://europa.eu.int/comm/internal_market/privacy/workingroup_en.htm>.

4. On this point see also the general provision of November 29, 2000 of the Italian Supervisory Authority.

5. Biometrics uses parts of the human body to verify the identity of an individual.

6. The supervisory authority has made further provisions on this matter (available at <http://www.garanteprivacy.it>).

7. Available at <http://europa.eu.int/eur-lex/pri/en/oj/dat/2002/l_201/l_20120020731en00370047.pdf>.

8. Available at <http://europa.eu.int/ISPO/legal/en/dataprot/protection.html>.

9. But also SMS, MMS or any other similar type of communication.

10. Spamming, the act of sending unsolicited e-mail, is a violation of the Netiquette code and of the correct use of network resources set out in documents RFC 1855 and RFC 2635 (available at <http://www.rfc-editor.org/>).

11. See art. 130 of the Italian Personal Data Protection Code based on Act 127 of March 24, 2001.

12. See consideration no. 40 of the report mentioned in footnote 2.

13. Think of the transmission capacity the Internet Service Provider needs to provide.

This particular interest in the matter of electronic mail arises from the potential risk to private life that this method of communication entails, a method which is easy to use and cheap because the cost of the connection is paid for by the receiver of the unsolicited communication [12]. Furthermore, from a technological point of view, the sheer volume of messages may cause problems for electronic communication networks [13] and for servers, to the point of blocking traffic altogether. It is a phenomenon of immense proportions, since at the moment more than half of all e-mails are spam and because, according to data from Brussels, the annual cost of spamming amounts to 10 billion euros worldwide, a frightening figure which could grow due to the widespread use of new technologies in mobile communication.

Faced with these figures, community institutions are fighting back against spamming: last July the European Union Commissioner for the Information Society, Erkki Liikanen, presented a series of guidelines to coordinate and strengthen the fight against this phenomenon at a European level. Liikanen’s proposal is basically an action plan defining the measures to be taken at a European level, and describes the situation in the European Union a year away from the coming into force of Directive 2002/58/EC (on 31 October 2003).

4. Changes to the Italian Law

With regard to this, Italy has been quick to adopt the new guidelines, incorporating them into its latest Privacy Code, which will come into effect on January 1, 2004 and is contained in legislative decree no. 196 of June 30, 2003. This legislative corpus has redefined the judicial measures to safeguard individuals’ privacy, and includes significant changes to law no. 675 of December 31, 1996. Privacy protection can be of either an administrative or a judicial nature, as the individual decides. In the first case he can go to the Supervisory Authority (Garante) with a reclamo (complaint), with which he reports a violation, or by means of a segnalazione (recommendation) to ask the Supervisory Authority to make an inspection, or through a formal ricorso (appeal) if he wants to press for legal action.

In the second case, disputes regarding personal data aresettled by the ordinary judicial authorities, in the court wherethe ‘data controller’ is resident. The judge reaches a decisionvia a newly instated procedure aimed at ensuring a quick resultwhile still guaranteeing the rights of the parties involved.

In either case, if the Supervisory Authority or the Judge findsin favour of the plaintiff, they put a stop to the illicit behaviourand prescribe the necessary measures to safeguard the people’srights, including compensation for damages. In the case ofspamming in particular, when a violation is repeated the serviceprovider may be ordered to put filters in place to protect theplaintiff’s e-mail address and prevent the spammers fromcontinuing with their illegal activities.

This is where the law stops and technology begins!

Legal Analysis of a Case of Cross-border Cyber-crime

Nadina Foggetti

Computer crime or cyber-crime, that is, unlawful conduct committed over the Internet, is spilling overnational borders and causing a huge legal headache, particularly in the matter of deciding whichjurisdiction such crime should fall under. The law is not always prepared for meeting the demands ofglobalisation and new unlawful activities based on the illicit use of ICTs. In this article we analyse, from theperspective of Italian and Swiss Criminal Law, a case of illegal access to a public interest computer systemlocated in Switzerland affecting Italian users, in which the system included an e-mail service for registeredusers. This case provides an example of a common problem these days, the disparity that exists betweendifferent countries’ legislation regarding cyber-crime, and reinforces the need to globalise the law and theway we respond to a problem that transcends national borders.

Keywords: European Convention on Cyber-Crime, IllegalAccess, Jurisdiction, Security Measures, Rootkit, Territoriality.

1. Introduction

The globalisation of information facilitated by the emergence of the new Information and Communication Technologies (ICT) has led to the creation of a borderless free market [1] in which cyber-crime has international repercussions. The case we analyse here provides an overview of the problems which we may come up against, especially regarding the applicable law in the event of cross-border cyber-crime. In this particular case, the attacker violated a public interest system in Switzerland, affecting Italian users connected to the compromised system.

The system compromised by the attacker is of ‘public inter-est’ since thousands of users from all over the world areconnected to the system and because experiments are conduct-ed and analysed using the hardware and software resourceslocated in Geneva. The system also hosts the necessary data-bases to conduct such experiments since they are essential forthe purposes of scientific and technological research into theimprovement of sustainable development to benefit the world’spopulation. There is also an e-mail service for registered users.

The attacker in question exploited a local vulnerability of the system, in this case Linux Kernel 4.2, attributable to poorly configured system login credentials [2], thanks to which he escalated his privileges from ‘normal user’ to ‘root user’. This gives us a profile of the main offence: nothing more than a simple illegal login, facilitated from within, in this case from the Geneva system itself.

Also, in this case the attacker went on to install a ‘rootkit’, a Trojan-like toolkit. The software used was complex and included a ‘sniffer’ to copy the passwords keyed in online on the violated system, and programmes which set up ‘backdoors’, in other words privileged and concealed accesses which, after the initial attack, can later be used to get back into the system without having to break in again. The ‘rootkit’ also contains tools to hide any trace of the attack, by replacing the system commands used to verify an intrusion and by deleting the activity logs, in other words the fingerprints left by the attacker after the illegal access. Finally, we know that the attack was launched from Geneva, that the passwords belonged to Italian users who were connected to the violated computer system, and that no intermediate attack was recorded on the systems whose passwords had been copied.
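The rootkit behaviour described above, replacing the system commands used to verify an intrusion and wiping the logs, is exactly what file-integrity checking is designed to expose. The following is an added example, not code from the article or from the case: it builds a SHA-256 baseline of a directory of commands and reports binaries that have been modified, removed or newly dropped. The three-command fake /bin, the trojaned `ps`, the deleted `last` and the dropped `bindshell` are all constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(directory):
    """Record the SHA-256 of every regular file directly under `directory`.

    In real use the manifest is taken from a known-clean system and kept
    off the host (read-only media, an off-site copy), never on the machine
    it is meant to protect, otherwise the rootkit can rewrite it as well.
    """
    baseline = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            baseline[name] = sha256_file(path)
    return baseline


def verify_directory(directory, baseline):
    """Compare the current contents of `directory` with the baseline.

    Returns a dict mapping file name to one of:
      'ok'         hash matches the baseline
      'modified'   present but hash differs (a trojaned command)
      'missing'    listed in the baseline but gone
      'unexpected' present but not in the baseline (e.g. a dropped backdoor)
    """
    current = build_baseline(directory)
    report = {}
    for name, expected in baseline.items():
        if name not in current:
            report[name] = "missing"
        elif current[name] != expected:
            report[name] = "modified"
        else:
            report[name] = "ok"
    for name in current:
        if name not in baseline:
            report[name] = "unexpected"
    return report


def demo():
    """Constructed scenario: a fake /bin with three commands is baselined,
    then an intruder replaces `ps`, deletes `last` and drops a backdoor."""
    with tempfile.TemporaryDirectory() as fake_bin:
        for name, body in (("ps", b"real ps"),
                           ("netstat", b"real netstat"),
                           ("last", b"real last")):
            with open(os.path.join(fake_bin, name), "wb") as fh:
                fh.write(body)
        baseline = build_baseline(fake_bin)

        # The intrusion: trojan a command, remove a log viewer, add a backdoor.
        with open(os.path.join(fake_bin, "ps"), "wb") as fh:
            fh.write(b"trojaned ps that hides the attacker's processes")
        os.remove(os.path.join(fake_bin, "last"))
        with open(os.path.join(fake_bin, "bindshell"), "wb") as fh:
            fh.write(b"backdoor listener")

        return verify_directory(fake_bin, baseline)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{name:10s} {status}")
```

The check is only as trustworthy as the tool running it and the manifest it compares against: a rootkit that has already replaced the system's own hashing utility or the kernel can lie to this script, which is why such comparisons are run from trusted boot media against a manifest stored off the host.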

Armed with this essential information of a technical naturewe can now go on to analyse the legal position under Italianlegislation.

2. Application of Italian Legislation

The Internet has prompted the emergence of a new kind of crime, one which is committed more often than not in a global legal environment, thereby giving rise to complex problems regarding both the law applicable to each particular case and the competent jurisdiction to try the crime.

In the case we are studying here, the attacker committed the crime in Switzerland, compromising the integrity of a computer system there, but ‘cracking’ the passwords of users who had connected to it from Italy and who had an account in the hacked system enabling them to access the calculation resources physically located in Geneva.

1. P. Costanzo, “Internet (diritto pubblico)” in Digesto disc. Pubblic., Nuova Edizione, 2000, Turin 2000.

2. In fact they were later able to tighten up login credentials and thus increase security.

Nadina Foggetti has a BSc in Law from the Università degli Studi di Modena e Reggio Emilia, Italy, and her degree thesis was on “Legalità penale ed Unione Europea” (Criminal legality and the European Union), for which she was awarded the highest grade. She has attended several specialist courses on Computer Law, mainly in the field of Criminal Law and its application to Internet related cross-border matters. She is currently practising law in the law firm of A. G. Orofino in Casamassima. <[email protected]>

By analysing the specific profile of this case we can identifyseveral different criminal activities and a concurrence ofoffences forming part of a single criminal act. We will then goon to look in greater depth at the problem regarding the appli-cation of the aforementioned Italian legislation.

First of all, the attacker has made an illegal access to a computer system, a conduct which is defined in article 615-ter of the Italian Criminal Code (ICC) and carries a penalty of one to three years’ imprisonment: “Anyone who enters unauthorised into a computer or telecommunication system protected by security measures, or remains in it against the expressed or implied will of the one who has the right to exclude him”.

The content of article 615-ter and of the other offences introduced by Act 547 of 1993 was drawn up using the offence of violation of domicile, defined in article 614 of the ICC, as a model. It is the result of the legislative approach taken in the preparatory papers [3], which tends to identify the new unlawful conducts as different kinds of aggression against traditional legal rights, and does not consider computer crimes as a new and independent category needing to be defined on the basis of the legal rights to be protected.

In our case the attacker obtained the rights of a normal user, not those of a root user; the fact that access was subject to such user accounts is, according to prevailing case law [4], of itself enough to establish the system owner’s right to exclude others (ius excludendi).

The same law also includes a series of aggravating circumstances affecting the prosecution of the offence, which allow the maximum penalty to be raised to five years. Given that the system in our case was serving the public interest, the aggravating circumstance set out in paragraph three of article 615-ter of the ICC is applicable. This makes the offence prosecutable ex officio (by the State, without a complaint from the victim), carrying a sentence of one to five years when it damages a public-interest network. The article requires that the security measures the system is equipped with should be ‘adequate’ [5], although it defines no characteristics or parameters to specify what is meant by adequate.

According to the technical information we have, we can identify a second criminally punishable offence: in installing the ‘rootkit’, the attacker committed the conduct defined in article 617-quinquies of the ICC. The installation of the ‘sniffer’ programme (a programme that captures passwords as users transmit them), one of the components of the ‘rootkit’, allowed the attacker to capture the passwords of users connecting from Italy, with the aim of being able to attack more machines and so extend the radius of action of the same unlawful conduct.

Article 615-quater of the ICC defines the illicit possession of access codes to information and telematic systems [6] as an offence, which is also applicable to the case we are studying. To be guilty of this offence you do not have to cause any actual damage or disruption to the system; it is enough to have unlawfully obtained access codes to a system of the kind described in the law.

However, case law [7] tends to consider this conduct as subsumed in the main offence and therefore punishable, together with the illegal access, as laid down in article 615-ter of the ICC, without treating them as two separate unlawful conducts.

Article 615-ter, given the way it is drafted, defines a typical endangerment offence and in fact penalises simple illegal access, regardless of any damage caused to the system, removal of the data stored on it, or interruption of its working [8].

The legislator’s intention is clear: to bring the protection forward to the moment before a far more serious criminal act is committed, one which is more harmful to interests which fully deserve such protection [9].

The offence of illegal access can therefore be considered as an ‘intermediate offence’ preceding subsequent ‘final offences’ of a merely patrimonial nature. This appreciation is fully confirmed by the legal provision we have been looking at, in which the legislator has opted to consider ‘pure’ illegal access, that is, access intended simply to view the contents of the violated system, as a criminal conduct, but one attracting less serious penalties. The other offences dealt with in the same law (Act 547/93) are thus complementary and not concurrent to the offence of illegal access to a computer system, and are related to it by a teleological and structural nexus within the same unlawful conduct present in the commission of several offences.

3. The Explanatory Report to Act 547/93 clearly shows the legislator’s intention to protect, in his definition of illegal access, “an extension of the sphere pertaining to each individual, which is safeguarded by Article 14 of the Constitution as well as by Articles 614 and 615 of the Criminal Code”.

4. The issue of security measures will be dealt with later on. For the moment we can say that prevailing case law considers that, while being a constituent element of the concept of illegal access to a computer system as defined in article 615-ter of the Italian Criminal Code, these measures have a merely ideal sense. That is, such measures are not considered so much in terms of how suitable they are to keep out any intruders but rather as a way of declaring the ‘right to exclude others’ (ius excludendi), in parallel with the legislation that governs the physical domicile (article 614 of the Criminal Code). See D. Trentacapilli, “Accesso abusivo ad un sistema informatico e adeguatezza delle misure di protezione”, Dir. Pen. e Proc., no. 10/2002, pp. 1280 and following. Supporting this interpretation see M. Nunziata, “La prima applicazione giurisprudenziale del delitto di accesso abusivo ad un sistema informatico – ex articolo 615-ter”, note on the sentence of the Court of Turin of 7 February 1998, Giur. Merito, 1998, II, p. 711. For an opposite interpretation, see the sentence of the First Instance Judge of the Court of Rome of 21 April 2000, at <http://www.penale.it>.

5. As we will see, applicable case law has also understood the need, recognised by the law, to increase security measures in the case of a public-interest network. In a broad sense, see in particular the sentence of the Supreme Court of Appeal of 6 December 2000, with a note by P. Galdieri, “L’introduzione contro la volontà del titolare fa scattare la responsabilità dell’hacker”, in Dir. e Inf., 2001, I, pp. 17 and following.

6. This article carries a penalty of up to one year’s imprisonment and a fine of up to ten million lire (5,164.57 euros) for “Whoever, in order to obtain a profit for himself or for another or to cause damage to others, illegally gets hold of, reproduces, propagates, transmits or delivers codes, key-words or other means for the access to a computer or telecommunication system protected by safety measures, or however provides information or instructions fit to the above purpose”.

7. See the sentence of the Court of Turin, Section Four, dated 17 February 1998, commented on by C. Parodi, “Accesso abusivo, frode informatica, rivelazione di documenti informatici segreti: rapporti da interpretare”, in Dir. Pen. e Proc., no. 8/1998, pp. 1038 and following.

8. All of which are circumstances that serve to aggravate the basic offence. See D. Trentacapilli, “Accesso abusivo ad un sistema informatico e adeguatezza delle misure di protezione”, op. cit., pp. 1283 and following.

In the case we are studying, the violated system also provides an e-mail service which a number of users connect to daily to manage their messages. The passwords captured were, therefore, not only those giving access to the system but also those belonging to the accounts of e-mail users. User names and passwords are considered ‘personal data’, since their purpose is to allow a specific person to identify themselves, as the Italian Commissioner for Personal Data (Garante per la Privacy) has expressly stated [10].

Finally, we could consider applying article 35 of Act 675/96 on the protection of personal data, which penalises the illegal processing of such data. We do not yet have reliable information about whether there was any illegal processing of the personal data gathered by the attacker; we only know that he was in possession of this data, as the Suckit programme captured and copied it for him.

The operator of the violated system was obliged to safeguard the data it was in charge of processing, in compliance with Act 675/96, which aims to protect the privacy and integrity of such data.

The first paragraph of article 15 of that law clearly states the obligation of “the adoption of suitable and preventive security measures aimed at preventing the loss or destruction of the aforementioned data, unauthorised access, or any processing which is either not authorised or not in accordance with its intended purpose”. Decree no. 318, issued by the Presidency of the Italian Republic on 28 July 1998, specifies the security measures which must be adopted [11]. The analysis of the measures to adopt according to the type of computer system involved falls outside the scope of this article, but suffice it to say that if whoever is responsible for processing personal data does not adopt appropriate security measures to protect the integrity and privacy of that data, they will be liable to up to two years’ imprisonment and a fine of between ten and eighty million lire (between 5,164.57 and 41,316.55 euros) under article 36 of Act 675/96.

2.1. Preconditions for the Territorial Applicability of Italian Criminal Law

What distinguishes cyber-crime from other criminal activities is basically the cross-border nature of unlawful conducts over the Internet.

It is not always feasible to identify the locus commissi delicti (the place where the offence was committed) when the offender uses informatic and telematic means to commit the offence, as this will often involve several acts all forming part of the same single criminal act, but one which is carried out via several intermediate systems or stepping stones. The attacker may in fact violate several computer systems with just one illegal access and carry out several unlawful operations on computers which are interconnected but physically located in different territories, sometimes in different countries. In other cases it may be that the place where the initial violation occurs is also where the attacker is, but the person harmed by the offence is, conversely, somewhere else.

In the case we are studying here, the first problem is to determine whether or not Italian law can be applied.

Article 3 of the ICC defines the principle of the ‘obligatory nature of Criminal Law’ [12], which is also expressed in the systematic position of the article itself: it comes before the norms referring to the territorial application of Criminal Law and to the principle of ignorantia legis (ignorance of the law is no excuse) [13], and after the declaration of the principle of legality and the norms referring to ratione temporis (time limitations governing the applicability of Criminal Law).

Article 3 declares the non-derogable nature of the application of Italian Criminal Law based on personal (ratione personae) jurisdiction, whereby it is applicable to all persons (whether Italian citizens or foreigners, in the national territory or abroad), the only limitations being the principle of legality and the norms laid down by International Law [14].

The wording of the norm, regarded as technically inadequate in some informed circles [15], does not however preclude the application of other criteria introduced later by the legislator with the aim of defining the scope of application of national Criminal Law [16].

9. C. Pecorella, “Il diritto penale dell’informatica”, Padua, 2000, p. 336, and, in the opposite sense, F. Mantovani, “Diritto penale. Parte speciale”, Padua, 1995, pp. 451 and following. For Mantovani a simple informatic indiscretion is of no criminal importance and is seen, in and of itself, as a mere intrusion.

10. On this point, see his decision of 16–29 April 2001, in which he rules that information supplied for the purposes of registering a web domain is also personal information. See M. Barbaresi, “La raccolta indiretta di indirizzi elettronici costituisce violazione della privacy?”, September 2002.

11. Decree available at <http://www.interlex.it/675/minotti.4.htm>.

12. According to article 3 of the ICC, “Italian Criminal Law applies to all citizens or foreigners within the territory of the State, save for those exceptions provided for by internal public law or International Law. Italian Criminal Law also applies to all citizens or foreigners who are abroad, within the limitations of the cases provided for by that law or by International Law”.

13. See L. Picotti, “La legge penale”, in Giurisprudenza sistematica di diritto penale, parte generale, I, II ed., edited by F. Bricola and V. Zagrebelsky, Turin, 1996, pp. 154 and following.

14. This article clearly reflects the political and ideological perspective of the fascist legislator of the time, as does the declaration of the absolute sovereignty and authority of the State. There is a school of thought which holds that article 3 is the precursor of the declaration of the principle of territoriality, stated in the later article 6, as the basic principle behind the territorial limits to the applicability of Italian Criminal Law. In fact the norm actually aims to uphold the opposite principle, that of the universal applicability of national Criminal Law based on ratione personae (personal jurisdiction), establishing the principle of determining which Criminal Law to apply on the basis of where the offence was committed only as an exception to the general principle stated.

The principle of territoriality is dealt with in article 6, paragraph 1, of the ICC, which defines Criminal Law as applicable within the whole territory of the State. It is therefore essential to define where the offence was committed. Article 6, paragraph 2, provides that “the offence is considered to have been committed within the territory of the State when the action or omission giving rise to the offence is carried out fully or partially there, or if the consequence of the action or omission was suffered there”.

Our criminal code therefore aims to expand the jurisdiction of Italian Criminal Law by establishing a criterion of ubiquity, raising the perennial question of how to define the ‘smallest part’ of a criminal act that can cause the offence to be considered as having been wholly committed in Italy.

The resulting problem of interpretation has found no unanimous solution at a doctrinal level and also creates divergences in case law.

Among legal scholars there has been much debate about whether the acts committed within national territory, for Italian jurisdiction to apply, must at least amount to a punishable attempt rather than a mere preparatory act, or whether the offence should be considered as having been committed in Italy even though only a ‘fragment’ of the offence, or even a mere preparatory act, was committed there [17].

Conversely, according to another criterion based on a literal interpretation of the norm, the offence should be considered as coming under Italian jurisdiction when only part of it, whether completed or attempted, has been committed in Italian territory, provided that the ‘part’ was an essential component of the offence. Such a decision must be taken after the event (ex post) and specifically, and not merely before the event (ex ante) and in the abstract.

Prevailing case law seems to accept this latter interpretation [18].

With regard to the minimum requirements for considering an offence as attempted, for the purposes of applying Italian jurisdiction in compliance with article 6, paragraph 2, prevailing case law considers that “the part of the act committed in Italy does not of itself have to be actionable, but it is enough that the part of the act which was committed in Italy, in conjunction with subsequent unlawful actions committed abroad, could be considered as an attempted or completed offence”. This interpretation would seem to accept the theory of the “potential commission of the deed” [19]. However, the same ruling continues with a restrictive interpretation requiring that “an attempted criminal act carried out in Italy must have some corresponding objective impact on the outside world”.

2.2. Applicability of the Principle of Territoriality

The criterion of ubiquity is particularly applicable to offences committed over the Internet. Part of the doctrine on the subject considers that Italian jurisdiction should apply when the data involved in the offence, although it may have been put onto the Internet outside Italy, passes through servers located in Italy, or when the storage and copying of that data has taken place in Italy [20].

The principle of ubiquity is specifically applicable in cases of defamation over the Internet. The Italian Supreme Court of Appeal states that, on the basis of that principle, an Italian judge can try such an offence either if it has been committed in national territory or if the iter criminis (crime route) initiated abroad has been completed with a crime committed in Italy [21]. Defamation is classified as a ‘result crime’, meaning an event which is external to the agent and causally connected to the behaviour of the offender, which is not a physical act but a psychological one, the result of the perception a third party has of the message they ultimately receive. The actual defamation may not take place, for example because no one visits the website, or the attempt may fail, or it may have been impossible to commit the crime, perhaps because the would-be hacker was using a defective programme that he thought would allow him to hack into a website, but in the end his message never got onto the Internet.

Reasoning by analogy with defamation, if the dissemination of the message in Italy constitutes the “minimum necessary requirement” for the application of Italian jurisdiction, in the case we are studying here the principle of ubiquity would not apply.

In fact the attacker acted from Geneva, copying the passwords keyed in by the users who were connected to the violated system.

The fact that the passwords were keyed in by Italian users, from computers located in Italian territory, is not enough to fulfil the ‘minimum requirement’ needed for Italian law to apply. The act of ‘copying the password’ was done wholly in Geneva, inasmuch as the Suckit tools which copied the data dynamically were installed on machines belonging to the Genevan system to which the Italian users were connected in order to access the available calculation resources.

15. F. Bricola, “Fatto del non imputabile e pericolosità”, Milan, 1961, pp. 87 and following.

16. The same article 3 of the ICC, in a later paragraph, delegates the definition of the limits to the principle of the obligatory nature of Criminal Law to the internal legislator and to International Law.

17. This doctrine holds that a criminal attempt can be considered to have been committed in Italy even though the preparatory acts may not have been committed in Italian territory, provided that the unlawful act could potentially have been committed within Italian territory. See L. Picotti, “La legge penale”, op. cit., pp. 172 and following.

18. The Supreme Court of Appeal has in fact on many occasions held that the term “in part” in article 6, paragraph 2, of the ICC should be understood in its natural sense, that is, as one moment of the iter criminis, or one stage of the crime, which, considered in conjunction with later offences committed abroad, becomes an attempted or completed crime. See Cass. Pen., Section I, 28 November 1980, in Cass. Pen., 1982, p. 735; Cass. Pen., Section III, 27 November 1984, in Cass. Pen., 1986, p. 476; Cass. Pen., 30 July 1984, in Giust. Pen., 1985, II; Cass. Pen., Section VI, 19 January 1988, in Riv. Pen., 1989, p. 416.

19. Cass. Pen., Section III, 10 January 1961, Cass. Pen., II, pp. 811 and following; for more recent case law, see Cass. Pen., Section I, 20 March 1963, Riv. It. di Proc. Pen., 1965, pp. 118 and following; Cass. Pen., Section IV, 22 February 1993, in Giust. Pen., 1993, II, no. 517, p. 629.

20. L. Picotti, “I profili penali delle comunicazioni illecite via Internet”, in Dir. dell’Inf. e dell’Inf., 1999, pp. 322 and following.

21. Cass. Pen., sentence of 17 November 2000, 17 December 2000, no. 4741, available at <http://www.interlex.it/testi/cp4741.htm>.

In this case, therefore, the principle of ‘territoriality’ cannot be applied in order to determine whether the offence is punishable under Italian law.

2.3. Applicability of the Principle of Defence

In terms of the applicability of Italian Criminal Law, and as an alternative to the principle of territoriality, our judicial system provides for the application of the ‘principle of defence’, by which the criminal legislation to apply is decided neither on the basis of where the offence was committed nor on the nationality of the offender [22], but rather on the basis of who the victim of the offence was. Thus, according to this principle, Italian Criminal Law is applicable provided that the offence was committed against the Italian State or against an Italian citizen, regardless of where it was committed.

Article 10 of the ICC states that a foreigner who “commits in a foreign territory, against the Italian State or against an Italian citizen, an offence for which Italian law specifies life imprisonment or a custodial sentence of not less than a year, will be punished under that law”.

This article is a corollary of article 3 of the ICC, by which Italian law is universally obligatory unless limited by conflicting internal or International Law.

Whether an unlawful conduct committed by a foreigner from a foreign territory can be punished under Italian law also depends on some other conditions: the presence of the offender in Italian territory and either a petition from the Italian Ministry of Justice or a lawsuit or complaint filed by the offended party [23].

In the light of the above considerations, and in compliance with article 10 of the ICC, the case we are analysing is not punishable under Italian law, as none of the conditions provided for in paragraph 2 of that article is fulfilled. Finally, it should be stressed that the fact that the passwords were copied has been proven, since the technical data concerning the attack on the system proves that the ‘sniffer’ programme copied and sent the passwords on the system to the attacker. Regardless of the use that the attacker subsequently made of them, both the access codes of the violated system and the passwords that the Italian users used to manage their e-mail accounts by connecting to the system were in the attacker’s possession.

As we have already commented, if the Italian users had filed a lawsuit against the attacker under Italian law, article 10, paragraph 2, of the ICC could have been applied.

On the other hand, if the Italian users had filed their lawsuit after the chkrootkit programme, which detects the presence of ‘rootkit’ type programmes, had been run on their own machines and had found one, and if the lawsuit had been accepted, the case could have been tried under Italian law, not on the basis of the principle of the nationality of the offended party but on the basis of the principle of ubiquity.

The installation of a ‘rootkit’ programme on the Italian users’ machines could only have been carried out with the same procedure that was used on the violated system: after capturing the Italian users’ passwords on the first system, the attacker would have used their user names and passwords in order to enjoy the privileges that they had been granted.

If the check had been successful and the Italian users had detected the presence of the ‘rootkit’ in their systems, from a technical point of view the cyber attack would have continued via the intermediary systems violated before, while from a strictly legal viewpoint there would have been a continuation of the iter criminis which began in Switzerland and ended in Italy.

The violation of the Italian systems would have constituted the final link of the attacker’s criminal project, with the consequent application of Italian Criminal Law, not by virtue of the principle of the nationality of the offended party but on the basis of the criterion of ubiquity set out in article 6, paragraph 2, of the ICC.

In the light of case law and prevailing doctrine, the later attack on the computer systems would have provided the “minimum necessary requirement” allowing the whole unlawful conduct to be tried under Italian law.

In the case we are studying, however, for all the above reasons it is not Italian Criminal Law that can be applied but Swiss law, which we will look at in the following sections.

3. Application of the Criminal Law of Switzerland

The Swiss Criminal Code (SCC) has recently been reviewed and modified in order to address the problem of regulating cyber-crime, given the special nature of these offences.

The system introduced by the Swiss legislator is clearly inspired by German legislation in terms of the legislative techniques employed, while the definition of the different unlawful conducts has followed the model set out in Council of Europe Recommendation no. R (89) 9 [24].

As we have said previously, the Swiss legislator has defined new property crime offences to penalise computer-related criminal offences, and especially those aimed at damaging data circulating on or recorded in computer systems [25].

The 1993 act saw the introduction of article 143-bis into the SCC, which refers to the offence of unauthorised access to a computer system, an offence which is also recognised in Italian legislation.

22. This also constitutes an exception to the principle of territoriality and is based on the principle of ‘active personality’. It is provided for in article 9 of the ICC, according to which the citizen who, outside the circumstances described in articles 7 and 8, “commits a crime which under Italian law carries a penalty of imprisonment for life or for not less than three years, provided that he or she is in Italian territory”, can be punished under Italian legislation. See G. Contento, Corso di diritto penale, Bari, 1996, pp. 142 and following.

23. See L. Picotti, “I profili penali delle comunicazioni illecite via Internet”, op. cit., pp. 196 and following.

24. See Recommendation no. R (89) 9 of the Council of Europe on computer-related crime and the final report of the European Committee on Crime Problems, Strasbourg, 1990.

The norm penalises anyone who, by means of a data transmission system, makes an unauthorised access to a computer system they do not own which has been specially protected against such access. The offence is punishable regardless of the purpose for which the unauthorised access was made. Article 143-bis of the SCC is therefore applicable even where the offender has acted simply to ‘get to know’ the violated system.

The absence of any personal gain motive on the part of the offender is an important feature of this new offence, although in early drafts the lack of any profit motive was merely a mitigating circumstance of the offence [26].

According to some legal scholars, the legislator’s decision to penalise cases of intrusion even when no real damage was done would make this offence one of abstract endangerment, one in which the offender’s purpose plays no part [27].

Prevailing doctrine is of the opinion that, if article 143-bis of the SCC does in fact define an abstract endangerment offence, this norm would not however be applicable where concurrent circumstances make the offence punishable under article 143 of the SCC, which, although it also provides for the concept of abstract endangerment, provides by law (ex lege) for specific intent, that is the intention to obtain gain either for the offender himself or for others [28].

In the light of this interpretation, article 143-bis of the SCC takes on the role of a residual norm, applicable in those limited cases in which an attacker has acted with the purpose of simply breaking in to the computer system, without intending to do any damage or remove any of the data in the system. Article 143 of the SCC, in its current wording, provides for a penalty of up to five years’ imprisonment or of arrest [29] for anyone who, with the intention of obtaining an unlawful gain for himself or for others, obtains, for himself or for others, data not intended for him which is specially protected against unauthorised access and is recorded or transmitted electronically or by any other comparable means.

When the attacker commits the offence with the intention of damaging or copying a system’s data but does not succeed in carrying out his criminal intent, doubts may arise as to whether the offence should be tried under article 143-bis of the SCC, as a completed offence, or under article 143 of the SCC, as an attempted offence.

The same Swiss doctrine has considered the possibility of punishing under article 143 of the SCC anyone making an unauthorised access to a computer system simply in order to get an idea of its potential or its vulnerabilities [30], with the purpose of using this information to obtain for himself or others an unlawful gain [31].

In the draft law submitted to the Federal Council on 24 April 1991, unauthorised access was considered as a mere “preparatory act” to the acquisition of data and was therefore provided for within the same article intended to control such unlawful conduct [32]. After the parliamentary debate, unauthorised access was defined separately and given a much lighter penalty than the unlawful acquisition of data. In the final and definitive draft passed by both Chambers, the two offences were treated as different, and article 143-bis was placed alongside article 143 of the SCC. The structure of that norm is actually highly questionable, since it is not only defined as an offence of abstract endangerment but also as one of mere conduct, as in article 615-ter of the Italian Criminal Code.

The different systematic position of the two offences in the two legislations puts the real meaning of article 143-bis of the SCC into doubt.

As the Swiss legislator included unauthorised access among property offences, he should at least have provided for the possibility that the intruder may appropriate data from the victim; the requirement of specific intent should therefore be understood as a circumstance warranting the application of a criminal penalty. At the same time, as it is a case of endangerment prior to the theft of the data, it should be considered impossible for a conduct of unauthorised access to result in damage to a system that holds no data.

The Italian norm is, however, largely coherent with its systematic position, although it is not entirely in agreement with current doctrine, since it does not aim to protect property but rather freedom and, in particular, to protect the home as a place where personality is manifested and formed. This systematic position and the nature of the legal right protected provide the basis for the punishability of the mere conduct of unauthorised access to informatic and telematic systems.

25. E. Strauffacher, “Infractions contre le patrimoine: le nouveau droit”, Schweizerische Zeitschrift für Strafrecht, 1996, pp. 7 and following.

26. The preliminary project states: “if the offender acted with no personal profit motive he will be punished, at the request of one of the parties, with arrest or a fine”; see C. Pecorella, “Il diritto penale dell’informatica”, Padua, 2000, p. 308, note 124.

27. N. Schmid, “Das neue Computerstrafrecht”, ZStrR, 1995, pp. 25 and following.

28. E. Strauffacher, “Infractions contre le patrimoine: le nouveau droit”, op. cit., p. 13: “one can however answer this objection by saying that forgery of securities may also be an abstract endangerment offence, but it is one in which there is an undeniable pecuniary profit motive”.

29. Under Swiss Criminal Law, imprisonment and arrest are the two forms of penalty involving the deprivation of personal freedom. Imprisonment, defined in article 35 of the SCC, is the more serious of the two: the minimum sentence is one year and the maximum twenty years; it may also be for life if the law expressly provides for such a sentence. With regard to arrest, defined in the following article, no. 36, the minimum duration is three days and the maximum three years, unless the law expressly provides for some other duration.

30. For example, it could be supposed that this person is simply carrying out the information-gathering phase, collecting generic information about the target system and then selling it to obtain an illicit gain.

31. U. Cassani, with regard to the preventive formulation of article 143 of the SCC, postulated a contradiction with the principle of legality; in the same sense, M. Schubarth, “Kommentar zum schweizerischen Strafrecht, Bes. Teil”, 2. Band, 1990, pp. 98–99. In the opposite sense, see S. Trechsel, “Schweizerisches Strafgesetzbuch, Kurzkommentar”, Zurich, 1989, p. 445.

32. See Message from the Federal Council no. 91.032, referring to the modification of the Swiss Criminal Code and the Military Criminal Code, in Feuille Fédérale, no. 23, dated 18 June 1991, pp. 933 and following.

As we have seen, article 143 of the SCC criminalizes the unlawful acquisition of data. The systematic position of this article, which is included among crimes against property, and the meaning of the French term “soustraction”, have prompted doctrine to quietly interpret the term “acquisition” as having the same meaning as the French used in the legislative definition of the offence of theft referred to in article 139 of the SCC.

According to Swiss doctrine, in order to include the offence of “soustraction des données” (unauthorised acquisition of data) it is essential that there be a theft (“soustraction” in the French text and “wegnehmen” in the German version) of the data, causing harm to the rightful owner.

According to this approach, the mere fact of copying the data does not in itself constitute an offence under article 143 of the SCC33. In this case, doctrine considers that article 143-bis could be applicable, provided that there is no intent to make any unlawful profit nor, therefore, any specific intent.

In the light of the prevailing interpretation, it must be stressed that the abovementioned norm will only be applicable in the rarest of cases, since it is easily avoidable by the attacker, who can just copy the data – even with the purpose of unlawful gain – and still not be liable to be tried for any of the offences we have been studying.

3.1. More on the Application of Swiss Criminal Law

In the case under consideration, the attacker gained illegal access to a computer system, acting with criminal intent and with the intention of copying the data circulating on the system. The criminal intent is clearly proven by the fact that the attacker installed ‘sniffers’ as part of the ‘rootkit’ which copied the passwords as they were keyed in by users.

The fact that the attacker copied the passwords could be understood as fulfilling the requirement referred to in article 143 of the SCC. However, the requirement of “material theft” of data from the violated system has not been met. For the conduct to be punishable, Swiss legislation also requires the offender to have acted with the purpose of obtaining an unlawful gain either for himself or for others. In the case we are studying, the intention of obtaining some gain cannot be proved and, if we wanted to interpret the norm in its broadest possible sense, by equating “the intent to damage” a system with the degree of harm caused by someone who acts with the intent to obtain an unlawful gain for himself or for others, we would be committing a violation of the principle of legality set out in article 1 of the Swiss Criminal Code.

Therefore, in the author’s opinion, it is not possible to apply article 143 of the SCC to the case under consideration. It would also be hard to apply the offence of unauthorised access to a computer system referred to by article 143-bis on the basis of the attacker’s conduct, since it was not intended for the sole purpose of finding out about the computer system but was in order to steal data.

In any event, in spite of opinions to the contrary put forward by current doctrine, article 143-bis of the SCC could be considered applicable, even though its purpose is more general and preventive and carries minor penalties in relation to the offence actually committed by the attacker.

Similarly, the other Swiss provisions aimed at data protection are not applicable either, since the case under study does not meet the objective and subjective requirements necessary to bring a prosecution against the offender34.

Swiss legislation does, in fact, have some major loopholes which can allow certain offences to go unpunished. It is not very suitable in terms of its application to the unlawful activities conducted by electronic means, due to the rigidity of its legislative corpus, which is clearly at variance with the constant advances brought about by the WWW.

In the case we are considering now, our attacker could be sentenced to arrest – certainly not for too long – if the Swiss magistracy opted to apply article 143-bis of the SCC. If the offence were deemed not to fall within the scope of application of that particular article, our attacker could take advantage of the diversity of possible punishments for the same offence under different judicial systems and would benefit from the criminal safe haven in which he had chosen to conduct his criminal activities.

The application of article 143-bis of the Swiss criminal code is closely linked to the presence of data in the violated system, as the code is designed expressly to protect data.

In a sentence dated 31 March 1999, a Swiss court found a student from Lausanne guilty of an unauthorised access to a computer system carried out by means of a privilege escalation in a Linux system environment resulting in his taking control over the machine35.

As in our case, the attacker in Lausanne had installed ‘sniffers’ to capture the passwords that were keyed in. With the passwords thus obtained he had managed to attack other computer systems. The aforementioned Swiss court sentenced him under article 143-bis of the SCC, for the offence of unauthorised access to a computer system, and, under article 144-bis, for the damage caused to the violated system.

An analysis of the constant case law of the Swiss courts gives a clear indication that the norms aimed at penalising the unauthorised access to a computer system are intended to protect systems containing data. It also shows the great importance given at every level to the existence of security measures installed to protect the computer system36.

In a global network, the principle of territoriality as a way of legitimising the State’s power to punish crime, in which legal norms have traditionally been drawn up for a community of citizens located within clearly defined boundaries, is beginning to break up, and there is a risk that this break up will leave legal loopholes for those who know how to take advantage of them in the country where they commit their crimes.

33. E. Strauffacher, “Infractions contre le patrimoine: le nouveau droit”, op. cit., p. 14.

34. Article 144-bis of the SCC deals with the offence of causing damage to data, and cannot be applied since the attacker has not damaged the data or interrupted the system’s functionality. The other laws – referring to arts. 141-bis and 150-bis of the SCC – are closely linked to the offence of fraud by means of the use of computer systems or credit card fraud.

35. Sentence passed by the Prosecutor Judge of Vaud on March 31, 1999.

It can be seen that offences committed by professional attackers are often left unpunished by Criminal Law, since the offenders make use of their technical and legal know-how to ensure themselves impunity.

It should also be stressed that professional attackers take advantage not only of failures in computer systems in order to gain illegal access to them and compromise them, but they also take advantage of bugs in the legal systems and the inadequacy of the legal instruments used to combat unlawful intrusions.

4. European and International Aspects

In the face of the countless problems of a practical nature posed by the new information technologies, which have been adopted as both the instrument and the object of modern forms of crime and which make it difficult to identify where an offence has been committed or who the offender is, there is a growing need to find an alternative system to Criminal Law and to create a common legislation at a European and international level in order to overcome the inadequacy of the principle of strict territoriality and even the principle of ubiquity. The repercussions that globalisation is having on the legal world highlight the need for a rethink of the objectives and instruments of the law to address problems which have a cumulative effect in a way we have never experienced before. We need to pay close attention to new acts and conducts which may become a cause of contradiction and conflict between the law of each State and law of a supranational or international nature37.

In the face of these problems, one thing is certain: the answers provided by classic International Law are not sufficient, nor do they serve to conceal the tensions created by the general principles of the law of each of the States, which call for the universality of their own rules despite the diversity of actors present on the global judicial stage38.

To overcome this problem we need to rethink the role and the meaning that the sovereignty of States should be given with regard to possible protective instruments aimed at combating and preventing cross-border crime. International cooperation is an essential ingredient and in fact most European countries have realised that the problem of cross-border crime39 requires a global answer, especially in the matter of cyber-crime, in order to propose effective tools to fight this new type of crime.

Perhaps the greatest steps forward have been the setting up of Europol40 and the EU Council decision which created Eurojust41, aimed at judicial cooperation in the collection of evidence and the execution of sentences and arrest warrants in the cross-border network.

The European Union Convention on Cyber-Crime42, signed on the 23 November 2001, represents the most important effort made so far at a European level to try and combat this particular type of crime effectively. The growing scale of this type of crime poses a serious threat, not only to the international economy and finance sector, but also to the very political balance of industrialised countries.

The Convention is made up of three basic parts, the first of which identifies a minimum number of unlawful conducts that the signing States must adopt in order to present a common front to organised crime43, takes measures to ensure that offences are punished whether they are completed or attempted crimes, and also establishes the responsibility of legal persons guilty of cyber-crimes.

The second part of the Convention establishes procedural measures related to the system for communicating and publishing judicial acts: judicial orders, search and confiscation of computerised data, gathering of computer traffic data, the interception of communications content, and jurisdictional measures.

36. See what C. Schwarzenegger has to say in “Computer crimes in Cyberspace”, Jusletter dated 14 October 2002, published at <http://www.weblaw.ch> and which was kindly brought to my attention by Dr. Franz Kummel. Examples of sentences are: the WEF-hacker case, in which a hacker hacked into a public interest website, that of the World Economic Forum, where specific checks are carried out on the security measures in place to protect the system against unauthorised accesses. Specifically, the attacker had carried out a series of port scans on the attacked site, and therefore, for evidentiary purposes, the system owner had to prove the adequacy of the security measures adopted to protect the system.

37. See G.M. Flick, “Globalizzazione dei mercati e globalizzazione della giustizia”, Riv. Trim. Dir. Pen. Dell’Econ., 2000, pp. 591 and following.

38. States, individuals, multinational corporations, non-governmental organisations, supranational institutions both of a regional and international nature, and the respective jurisdictional systems.

39. Since the sixties the EU Council has been actively promoting new legislation in matters concerning cyber-crime, trying to lead member states to a standardisation of national legislations to allow computer crime to be combated effectively. See D. Militello, “Nuove esigenze di tutela penale e trattamento elettronico delle informazioni”, in Riv. Trim. Dir. Pen. Econ., 1992, p. 365 and following; F. Frosini, “La criminalità informatica”, in Dir. Inf., 1997, p. 487 and following.

40. The basic function of Europol is to facilitate the interchange of judicial information between member States by managing a computerised data system fed directly by the member States themselves, and with direct query access for national bodies and the managers of Europol (see <http://europa.eu.int/scadplus/leg/en/lvb/l14005b.htm>).

The third and last part is devoted to international cooperation; it refers to general principles in matters of cooperation and deals with provisions related to extradition and legal aid.

The main aims of the Convention are to harmonise the treatment of infractions related to cyber crime, to provide national trial law with the necessary powers and tools to prosecute infractions committed via the use of a computer system or infractions where there is evidence in electronic form, and to set up a fast and efficient system of international cooperation.

In matters of attacks against information systems, the European Union has put forward a proposal for a framework decision and has justified its intervention in matters of unauthorised accesses, warning of the threat posed by cyber-crime to the creation of a safer Information Society and a free, secure and just cyberspace. Unquestionably, these aims demand an adequate response from the European Union44.

The framework decision provides for a series of precise and specific definitions with regard to cyber-crimes and the constituent elements of the criminal offence. It also calls for the use of criminal sanctions in order to combat the aforementioned unlawful conducts.

The different proposals for harmonising trial procedure at a European and international level are based on the application of criminal sanctions, using information on cyber-crimes affecting European member States in recent years as a basis for their argument.

Criminal justice is a delicate issue for national governments since it has a direct impact on the freedom of the individual, and it takes time to overcome the concept of national sovereignty in order to transpose legislative and jurisdictional competences to supranational institutions45.

Criminal justice does not, however, seem to be the ideal instrument, or, at any rate, does not always appear to be the best way to ensure an appropriate penalty for unlawful conducts over the Internet.

In fact Criminal Law does not have a predominantly repressive function; its primary purpose is of a more preventive nature, intervening prior to the commission of an unlawful conduct and preventing it. Only in this way is it able to provide any real protection to legal rights against possible aggressions. It is important to bear in mind that, in order to carry out this function, Criminal Law may often have recourse to the collaboration of private individuals, for example by demanding they adopt security measures to protect their own computer systems.

In other circumstances the criminal conduct is not excessively damaging to the protected legal right and calls for alternatives to the Criminal Law route, public law for example.

Finally it should be stressed that many initiatives aimed at developing computer systems for scientific and technological purposes are funded directly by the European Union (EU). The damage done by cyber attacks to these types of systems doubtless affects private individuals whose personal information has been copied while the offenders go unpunished, but it also indirectly harms the economic interests of the EU itself.

We need the direct intervention of the EU in order to harmonise the treatment of ‘cyber crimes’ and to allow the EU to bring to bear effective judicial instruments to punish some unlawful conducts.

The EU does not have competence in Criminal Law matters, but it does have instruments of public law at its disposal, especially in matters concerning the adoption of Regulation no. 2988/95, which could be defined as the ‘general part’ of community public law. The Regulation does in fact include general principles and guarantees borrowed from Criminal Law46.

5. Conclusions

The globalisation of markets and telecommunications is undeniably prompting the need for a globalisation of the law and for our global system to find answers to a problem that spills over the traditional confines of national borders. Criminal Law is still a long way from being seen as something separate from State legislative powers, a situation which is compounded by the problem of linking the continental and Anglo Saxon legal systems (civil law and common law, respectively) which make up the European and international legal scene.

Once again the use of Criminal Law may turn out to be inadequate as the EU is unable to intervene directly in criminal matters. Therefore its direct intervention is required to unify and diversify the penalty for unauthorised access to computer systems depending on the scale of the attack on the protected legal right, in order to avoid the creation of legal voids and criminal safe havens for the people who operate in the world of cyber-crime, especially at organised crime levels, and who are in a position to take personal advantage of the differences between the various judicial systems.

41. On December 14 2000, the Council took the decision to set up Eurojust, a supranational judicial body made up of leading magistrates and members of the police from each member State, whose task was to facilitate the coordination between the various national authorities responsible for bringing criminal actions, providing assistance in investigations into cases of organised crime, especially in cooperation with Europol and the judicial network, with the principal purpose of simplifying the execution of letters rogatory. See V. De Amicis, “Eurojust: le indicazioni del ministero per rendere effettivo il coordinamento”, in Dir. Giust., I, 24, 2001, p. 54.

42. Available (in English and French) at <http://conventions.coe.int/Treaty/in/Treaties/Html/185.htm>.

43. Such cases are provided for in arts. 2 to 9; for more in depth information, see C. Sarzana di Sant’Ippolito, “La Convenzione europea sulla cibercriminalità”, in Dir. Pen. e Proc., no. 4/2002, pp. 509 and following.

44. Proposal for a framework decision no. 2002/0086 dated 19/04/2002, COM(2002) 173 definitive; available at <http://www.eu.int>.

45. E. U. Savona, F. Lasco, A. De Nicola, P. Zolfi, “Processi di globalizzazione e criminalità organizzata transnazionale”, communication presented to the congress “La questione criminale nella società globale”, Naples, Italy, 10–12 December, 1998, available on the official site <http://www.jus.unitn.it/transcrime/papers/wp29.html>.

46. The Regulation openly recognises this need for protection by establishing the obligation to respect the fundamental principles such as the principle of legality, the principle of proportionality of penalty to the crime, the principle of double jeopardy (ne bis in idem), of guilt, and even the guarantee of a two level trial system afforded by the First Instance Court and the Court of Appeal. See F. Bernardi, “Sulle definizioni dei principi di diritto penale”, in Annali dell’Università di Ferrara-Scienze Giuridiche, 1992, vol. VI, p. 102, and A. Ruggiero, “Gli elementi normativi della fattispecie penale”, I, Napoli, 1965.

However it would not seem fair to press for criminal sanctions against the so called ‘White Hackers’ who do not use their skills and knowledge to damage systems but freely offer the fruits of their research in order to improve the information systems they have hacked. After all, a hacker is not a criminal, but just a person who, unlike an attacker, has a highly developed curiosity and often hasn’t the slightest intention of doing any harm at all and may not even perceive the criminal nature of his conduct, which technically speaking is ‘harmless’!

Translation by Steve Turpin


The European Network and Information Security Agency (ENISA) – Boosting Security and Confidence

Erkki Liikanen

In this article, the author, member of the European Commission responsible for Enterprise and the Information Society, underlines the high importance that networks and information systems have, and will increasingly have, in almost every aspect of our societies, and how decisive it therefore is to ensure their security and continuity. He also explains the role that the recently created European Network and Information Security Agency (ENISA) will play in this respect.

Keywords: Confidence, Cross-border Co-operation, Cyber Security, eEurope, ENISA, Network and Information Security, Security.

Note from the Editor of Upgrade: Abstract, keywords, section numbering and footnotes have been added by the Editor of Upgrade.

1. Introduction

In today’s society, already a lot depends on networks and information systems. Network security has become a key concern, especially in the aftermath of the 11th of September events. The malfunctioning of networks and information systems concerns everybody: citizens, businesses and public administrations.

Future requirements on security will rapidly change as networking and computing develop further and electronic communications become more ubiquitous. For instance, broadband connections offer people the possibility to be “always on”. This, of course, increases the vulnerability of systems and multiplies the probability of some sort of cyber-attack. Enhanced security is therefore a key element for the success of broadband.

New wireless applications will enable the users to access the Internet from anywhere. The possibilities to connect everything from printers to central heating systems to the Internet will continue to develop and expand the way people use the Internet.

2. Safe and Secure Networks Remain a Priority within eEurope

For these reasons, ensuring a secure information infrastructure was placed at the heart of the Union’s eEurope 2005 Action Plan1. This has provided a roadmap for how Member States and the European Institutions can improve security of networks and information systems.

The Union’s activities related to network and information security, in the overall picture of ‘cyber security’, fall in three broad categories.

• Firstly, the legislative framework for electronic communications and for privacy and data protection is now in place. For example, in the area of unsolicited communications the directive proposes an “opt in” system that renders the relevant provisions technology neutral and harmonises the different national regimes for the treatment of spam.

• Secondly, we witness an emerging policy on cybercrime, for example, through common rules for Member States in relation to attacks against information systems.

• Thirdly, the activities on network and information security complete the picture, in particular, through the agreement earlier this autumn on the creation of the European Network and Information Security Agency (ENISA).2

All this reflects the fact that Governments see a widening responsibility in this field. They want to promote security, for instance by giving support to warning and alert systems, to research and to awareness raising campaigns. They are also equipping and training law enforcement services to deal with computer and Internet related crime.

Member States are however in different stages of their work and the approaches vary. Today there is no systematic cross-border co-operation on network and information security between Member States, although security cannot be an isolated issue for only one country.

1. For detailed information visit the official pages of the eEurope 2005 Action Plan at <http://europa.eu.int/information_society/eeurope/2005/all_about/action_plan/index_en.htm>.

2. See FAQs about ENISA at <http://europa.eu.int/information_society/eeurope/2002/action_plan/safe/documents/faqs_enisa.doc>

Erkki Liikanen is member of the European Commission, responsible for Enterprise and the Information Society. Commissioner Liikanen took over these responsibilities at the beginning of the Prodi Commission in 1999, having previously been Commissioner in charge of Budget and Administration between 1995 and 1999. Prior to this he had been Finnish Ambassador to the European Union and a member of the Finnish Government. <[email protected]>

3. The Role of the New Agency

The new Agency, which will be located in Greece, will strengthen European co-ordination on information security. This should help to raise the overall level of security in all Member States, at the same time as contributing to the functioning of the Internal Market. It will play several roles:

• The Agency should increase the ability of Member States and EU Institutions to prevent and respond to major network and information security problems. It will serve as a centre of expertise where both Member States and EU Institutions can seek advice on matters relating to security. It will help to establish a culture of security across the Union.

• The Agency will play an advisory and co-ordinating role. Today both public and private organisations gather data on IT-incidents and other data relevant to information security with different objectives. There is, however, no central entity at European level that analyses such data to support the EU policy work in that area, whilst at the same time providing added value to national initiatives.

• Awareness-raising and co-operation is key in this area. The agency should be able to launch initiatives to foster co-operation between different actors in the information security field, e.g. to support the development of secure e-business. However, for this to work, it requires the participation and involvement of a broad range of stakeholders, often grouped together in public / private partnerships.

Industry of course has a key role to play in this field, especially as most of the networks are privately owned and managed.

• By kick-starting a more co-ordinated European approach and by promoting risk assessment and risk management methods, the Agency will help us to deal with increasing information security threats.

• The Agency will also follow standardisation work, given that the security of networks and services depends as much on technical standards as on legal prohibitions. This will be done in close collaboration with industry and will build on their expertise.

• Finally, the Agency will provide support for European contacts with relevant parties in third countries. Network and information security issues are by their nature global – as electronic communication channels do not stop at national nor European borders. Enhanced international co-operation in this field is necessary.

Good progress has been made by the Council and the European Parliament in agreeing in just a year the design for this new agency. The challenge now is to manage the final administrative steps in order for the agency to be up and running as soon as possible.

The successful transition to a knowledge-driven economy relies on ensuring confidence in an information society. Network and information security is an essential element in establishing a high level of trust. This means that society as a whole, as well as individuals and businesses, has to learn how to manage the risks involved in networks and information systems. ENISA will be one tool enabling them to do this.
