
The South African Institute for Computer Scientists and Information Technologists

ANNUAL RESEARCH AND DEVELOPMENT

SYMPOSIUM

23-24 NOVEMBER 1998 CAPE TOWN

Van Riebeeck hotel in Gordons Bay

Hosted by the University of Cape Town in association with the CSSA, Potchefstroom University for CHE and

The University of Natal

GENERAL CHAIR: PROF G. HATTINGH, PU CHE

PROGRAMME CO-CHAIRS: PROF. L VENTER, PU CHE (Vaal Triangle), PROF. D. PETKOV, UN-PMB

LOCAL ORGANISING CHAIR: PROF. P. LICKER, UCT - IS

PROCEEDINGS

EDITED BY D. PETKOV AND L. VENTER

SYMPOSIUM THEME:

Development of a quality academic CS/IS infrastructure in South Africa

SPONSORED BY


Copyrights reside with the original authors who may be contacted directly.

Proceedings of the 1998 Annual Research Conference of the South African Institute for Computer Scientists and Information Technologists. Edited by Prof. D. Petkov and Prof. L. Venter. Van Riebeeck Hotel, Gordons Bay, 23-24 November 1998.

ISBN: 1-86840-30�-3

Keywords: Computer Science, Information Systems, Software Engineering.

The views expressed in this book are those of the individual authors and not of the South African Institute for Computer Scientists and Information Technologists.

Office of SAICSIT: Prof. J.M. Hattingh, Department of Computer Science and Information Systems, Potchefstroom University for CHE, Private Bag X6001, Potchefstroom, 252�, RSA.

Produced by the Library Copy Centre, University of Natal, Pietermaritzburg.


FOREWORD

The South African Institute for Computer Scientists and Information Technologists (SAICSIT) promotes cooperation between academics and industry in research and development in Computer Science, Information Systems and Technology, and Software Engineering. The culmination of its activities throughout the year is the annual research symposium. This book is a collection of the papers presented at the 1998 event, which took place on the 23rd and 24th of November in Gordons Bay, Cape Town. The Conference is hosted by the Department of Information Systems, University of Cape Town, in cooperation with the Department of Computer Science, Potchefstroom University for CHE, and the Department of Computer Science and Information Systems of the University of Natal, Pietermaritzburg.

There are a total of 46 papers. The speakers represent practitioners and academics from all the major Universities and Technikons in the country. The number of industry-based authors has increased compared to previous years.

We would like to express our gratitude to the referees and the paper contributors for their hard work on the papers included in this volume. The Organising and Programme Committees would like to thank the keynote speaker, Prof M.C. Jackson, Dean, University of Lincolnshire and Humberside, United Kingdom, President of the International Federation for Systems Research, as well as the Computer Society of South Africa and the University of Cape Town for their cooperation, and the management and staff of the Potchefstroom University for CHE and the University of Natal for their support and for making this event a success.

Giel Hattingh, Paul Licker, Lucas Venter and Don Petkov


Table of Contents

Lynette Drevin: Activities of IFIP WG 11.8 (Computer Security Education) & IT related ethics education in Southern Africa ..... 1

Reinhardt A. Botha and Jan H.P. Eloff: A Security Interpretation of the Workflow Reference Model ..... 3

Willem Krige and Rossouw von Solms: Effective information security monitoring using data logs ..... 9

Eileen Munyiri and Rossouw von Solms: Introducing Information Security: A Comprehensive Approach ..... 12

Carl Papenfus and Reinhardt A. Botha: A shell-based approach to information security ..... 15

Walter Smuts: A 6-Dimensional Security Classification for Information ..... 20

Philip Machanick and Pierre Salverda: Implications of emerging DRAM technologies for the RAMpage Memory hierarchy ..... 27

Susan Brown: Practical Experience in Running a Virtual Class to Facilitate On-Campus Under Graduate Teaching ..... 41

H.D. Masethe, T.A. Dandadzi: Quality Academic Development of CS/IS Infrastructure in South Africa ..... 49

Philip Machanick: The Skills Hierarchy and Curriculum ..... 54

Theda Thomas: Handling diversity in Information Systems and Computer Science Students: A social Constructivist Perspective ..... 63

Udo Averweg and G J Erwin: Critical success factors for implementation of Decision support systems ..... 70

Magda Huisman: A conceptual model for the adoption and use of case technology ..... 78

Paul S. Licker: A Framework for Information Systems and National Development Research ..... 79

K. Niki Kunene and Don Petkov: On problem structuring in an Electronic Brainstorming (EBS) environment ..... 89

Derek Smith: Characteristics of high-performing Information Systems Project Managers and Project Teams ..... 90

Lucas Venter: INSTAP: Experiences in building a multimedia application ..... 102

Scott Hazelhurst, Anton Fatti, and Andrew Henwood: Binary Decision Diagram Representations of Firewall and Router Access Lists ..... 103

Andre Joubert and Annelie Jordaan: Hardware System interfacing with Delphi 3 to achieve quality academic integration between the fields of Computer Systems and Software Engineering ..... 113

Borislav Roussev: Experience with Java in an Advanced Operating Systems Module ..... 121

Conrad Mueller: A Static Programming Paradigm ..... 122

Sipho Langa: Management Aspects of Client/Server Computing ..... 130

T Nepal and T Andrew: An Integrated Research Programme in AI applied to Telecommunications at ML Sultan Technikon ..... 135

Yuri Velinov: Electronic lectures for the mathematical subjects in Computer Science ..... 136

Philip Machanick: Disk delay lines ..... 142

D Petkov and O Petkova: One way to make better decisions related to IT Outsourcing ..... 145

Jay van Zyl: Quality Learning, Learning Quality ..... 153

Matthew O Adigun: A Case for Reuse Technology as a CS/IS Training Infrastructure ..... 162

Andy Bytheway and Grant Hearn: Academic CS/IS Infrastructure in South Africa: An exploratory stakeholder perspective ..... 171

Chantel van Niekerk: The Academic Institution and Software Vendor Partnership ..... 172

Christopher Chalmers: Quality aspects of the development of a rule-based architecture ..... 173

Rudi Harmse: Managing large programming classes using computer mediated communication and cognitive modelling techniques ..... 174

Michael Muller: How to gain Quality when developing a Repository Driven User Interface ..... 184

Elsabe Cloete and Lucas Venter: Reducing Fractal Encoding Complexities ..... 193

Jean Bilbrough and Ian Sanders: Partial Edge Visibility in Linear Time ..... 200

Philip Machanick: Design of a scalable Video on Demand architecture ..... 211

Freddie Janssen: Quality considerations of Real Time access to Multidimensional Matrices ..... 218

Machiel Kruger and Giel Hattingh: A Partitioning Scheme for Solving the Exact k-item 0-1 Knapsack Problem ..... 229

Ian Sanders: Non-orthogonal Ray Guarding ..... 230

Fanie Terblanche and Giel Hattingh: Response surface analysis as a technique for the visualization of linear models and data ..... 236

Olga Petkova and Dewald Roode: A pluralist systemic framework for the evaluation of factors affecting software development productivity ..... 243

Peter Warren and Marcel Viljoen: Design patterns for user interfaces ..... 252

Andre de Waal and Giel Hattingh: Refuting conjectures in first order theories ..... 261

Edna Randiki: Error analysis in Selected Medical Devices and Information Systems ..... 262


INTRODUCING INFORMATION SECURITY: A COMPREHENSIVE APPROACH

Eileen Munyiri & Rossouw von Solms
Department of Information Technology
Port Elizabeth Technikon
Private Bag X6011
Port Elizabeth 6000
SOUTH AFRICA
E-mail: [email protected]

Abstract

Information has become a very important asset in most organizations today. For this reason, it is imperative that information and the associated resources are properly protected. Traditionally, information assets were protected through a set of physical and technical controls, introduced and maintained by the technical personnel in the Information Services Department. This scenario is no longer adequate, and information security needs to be introduced, maintained and managed in a much more comprehensive way to ensure a proper and acceptable level of protection in modern business. The bulk of employees in an everyday organization work with information in an electronic format, and a large percentage of these people are barely computer literate, not to mention information security literate. A second aspect that was not addressed traditionally was the involvement of top management in the process of introducing information security. Information security is a business issue and no longer a technical issue. For this reason, information security objectives, strategies and policies are required to introduce security in an orderly way into the organization. Therefore, a totally new approach to introducing information security is required in the modern organization, specifically because information security and electronic commerce go hand in hand.

The objective of this paper is to introduce a new comprehensive approach to introducing information security in an organization. This approach will ensure that all information security objectives and policies are in line with business objectives and policies. This approach will also ensure that the most effective set of security controls is identified, introduced and maintained, and that a set of associated procedures accompanies each security control to ensure its effectiveness. Through this approach, top management will get involved in the process and every user of information or associated resources will be required to follow specific procedures to ensure a proper level of information security.

This new comprehensive approach to information security is the result of an extended research project, and the results are currently being implemented in a software tool called the Information Security Toolbox. The Information Security Toolbox will be a forms-driven system that caters specifically for small to medium sized organizations, but should also be usable in larger environments.

The Tool will firstly identify the requirement for and dependency on IT services in the organization. This will be done through a business analysis process. Based on this, security objectives will be deduced by the logic in the Toolbox. These security objectives define a specific security requirement to be implemented in the organization. The security requirement will dictate an information security policy, spelling out clearly what the organization envisages accomplishing through its information security programme. The individual policy statements will map onto information security controls that need to be introduced to obtain the level of security spelt out in the policy. Each of these security controls will trigger security procedures that need to be introduced in the organization to ensure that each control functions maximally. This whole process is summarized in figure 1.

Fig. 1: Information Security Toolbox Architecture. Business Analysis, which determines Security Objectives, which dictate the Security Policy, which maps onto Security Controls, which are supported by Control Procedures.

It can clearly be seen from the architecture of the Toolbox that the level of security required and dictated by the information security policy is carefully analyzed through a thorough business analysis process, taking all relevant business objectives and policies into account. The security objectives are stated in terms of the five security services, namely authentication, authorization, confidentiality, integrity and non-repudiation, as defined in ISO 7498-2. The controls can be drawn from any relevant security baseline manual. In the case of the Toolbox, it is based on the British Standard BS7799.

The outputs from the complete process are:

• A complete Information Security Policy document,
• A set of security controls, and
• A set of procedures that supports each security control.

The Information Security Policy document will include a definition of information security, a statement of support from top management, the security objectives, the individual security policy statements and, lastly, penalties and disciplinary actions.

The set of controls will be drawn from BS7799 and, depending on the policy, can vary from entry level security (the ten key controls) through to an advanced level of security, meaning full BS7799 security.

The control procedures take the form of user procedures that help the users to utilize the security controls effectively.

The Information Security Toolbox should enable every small to medium sized organization to define a security policy effectively and to determine automatically which BS7799 controls are required to implement this level of security. This should ensure that every organization can introduce a proper level of information security in an affordable way.
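The chain the abstract describes (business analysis, then security objectives stated as ISO 7498-2 services, then policy statements, then controls at an entry or advanced level, then a procedure behind every control) can be made concrete as a small rule-driven model. The Python below is an added example written for this edit; it is not the Information Security Toolbox, and its business-analysis questions, derivation rules, control names and procedures are constructed for illustration rather than taken from BS 7799 or from the paper. (ISO 7498-2 names the service the paper calls "authorization" as access control; the paper's five labels are kept here.) The example shows one thing the abstract only implies: if a business-analysis answer imposes an objective that the entry-level control set cannot serve (here, non-repudiation for an organization that trades electronically), the tool has to detect the uncovered objective and move to the advanced level instead of issuing a policy statement with no control behind it.

```python
"""Rule-driven model of the objective -> policy -> control -> procedure chain.

Added example, not the Toolbox itself. Every question, rule, control name and
procedure below is constructed for illustration; none is a BS 7799 clause.
"""
from dataclasses import dataclass

# The five security services the paper cites from ISO 7498-2 (paper's labels).
SERVICES = ("authentication", "authorization", "confidentiality",
            "integrity", "non-repudiation")


@dataclass(frozen=True)
class Control:
    name: str
    services: frozenset   # objectives the control serves; empty = baseline, always on
    level: str            # "entry" or "advanced"
    procedures: tuple     # user procedures that support the control


# Constructed control catalogue (illustrative names, not BS 7799 titles).
CATALOGUE = (
    Control("Information security policy document", frozenset(), "entry",
            ("Sign the policy on joining", "Re-acknowledge the policy yearly")),
    Control("Security incident reporting", frozenset(), "entry",
            ("Report a suspected incident to the helpdesk the same day",)),
    Control("User registration and password management",
            frozenset({"authentication", "authorization"}), "entry",
            ("Request accounts through the line manager",
             "Change the initial password at first login")),
    Control("Backup and restore", frozenset({"integrity"}), "entry",
            ("Nightly backup of servers", "Monthly restore test")),
    Control("Malicious software controls", frozenset({"integrity"}), "entry",
            ("Scan removable media before use",)),
    Control("Clear desk and clear screen", frozenset({"confidentiality"}), "entry",
            ("Lock the screen when leaving the desk",)),
    Control("Periodic access rights review", frozenset({"authorization"}), "advanced",
            ("Data owners confirm group memberships each quarter",)),
    Control("Encryption of customer data in transit",
            frozenset({"confidentiality"}), "advanced",
            ("Send customer data only over approved encrypted links",)),
    Control("Digitally signed transactions",
            frozenset({"non-repudiation", "integrity"}), "advanced",
            ("Sign each order with the user's own key",
             "Archive signed transaction logs")),
)

# Business-analysis questions (constructed) and the objectives a "yes" implies.
RULES = {
    "shares_systems_between_departments": {"authentication", "authorization"},
    "holds_personal_or_customer_data": {"confidentiality"},
    "relies_on_electronic_records": {"integrity"},
    "trades_electronically": {"authentication", "integrity", "non-repudiation"},
}

# One policy statement per security objective (constructed wording).
POLICY = {
    "authentication": "Every user of information systems shall be uniquely identified and authenticated.",
    "authorization": "Access to information shall be granted on a need-to-know basis approved by the information owner.",
    "confidentiality": "Personal and customer information shall be protected from unauthorised disclosure.",
    "integrity": "Business records shall be protected from unauthorised or accidental alteration.",
    "non-repudiation": "Electronic transactions shall be bound to their originator so they cannot later be denied.",
}


def derive_objectives(answers: dict) -> set:
    """Business analysis -> security objectives (union of the rules that fire)."""
    objectives = set()
    for question, implied in RULES.items():
        if answers.get(question):
            objectives |= implied
    return objectives


def choose_level(answers: dict) -> str:
    """Entry-level set unless dependency on IT (1..5, constructed scale) is high."""
    return "advanced" if answers.get("it_dependency", 0) >= 4 else "entry"


def select_controls(objectives: set, level: str) -> list:
    """Policy -> controls: baseline controls always, others only if they serve a stated objective."""
    allowed = {"entry"} if level == "entry" else {"entry", "advanced"}
    return [c for c in CATALOGUE
            if c.level in allowed and (not c.services or c.services & objectives)]


def coverage_gaps(objectives: set, controls: list) -> set:
    """Objectives that no selected control serves: a policy statement with nothing behind it."""
    covered = set()
    for c in controls:
        covered |= c.services
    return objectives - covered


def build_programme(answers: dict) -> dict:
    """Run the whole chain; escalate from entry to advanced if the entry set leaves a gap."""
    objectives = derive_objectives(answers)
    level = choose_level(answers)
    controls = select_controls(objectives, level)
    gaps = coverage_gaps(objectives, controls)
    escalated = False
    if gaps and level == "entry":
        level, escalated = "advanced", True
        controls = select_controls(objectives, level)
        gaps = coverage_gaps(objectives, controls)
    return {
        "objectives": sorted(objectives),
        "policy": [POLICY[s] for s in SERVICES if s in objectives],
        "level": level,
        "escalated": escalated,
        "controls": [c.name for c in controls],
        "procedures": {c.name: list(c.procedures) for c in controls},
        "gaps": sorted(gaps),
    }


# Constructed sample: a small firm with moderate IT dependency that has started trading online.
SAMPLE_ANSWERS = {
    "it_dependency": 3,
    "shares_systems_between_departments": True,
    "holds_personal_or_customer_data": True,
    "relies_on_electronic_records": True,
    "trades_electronically": True,
}

if __name__ == "__main__":
    programme = build_programme(SAMPLE_ANSWERS)
    for key in ("objectives", "level", "escalated", "controls", "gaps"):
        print(f"{key}: {programme[key]}")
    for statement in programme["policy"]:
        print("policy:", statement)
```

For the sample answers the entry-level set covers authentication, authorization, confidentiality and integrity but nothing serves non-repudiation, so `build_programme` escalates to the advanced level and the final output has no gap; the same check is what a forms-driven tool should run before it prints a policy document.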