Currently Skimming:

I - Industry-Specific Dimensions of Security
Pages 455-468

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 455...
... What follows is an indicative -- not exhaustive -- discussion of security issues as they relate to specific types of business.[1] As discussed in Chapters 1 and 2, cryptography is only part of an overall approach to dealing with information security concerns; other factors also matter, such as administrative and technical procedures for controlling access to sensitive information and the trustworthiness of computer operating systems and applications software, among others. However, cryptographic technologies for authentication, integrity, and confidentiality can strengthen an organization's overall information security in many ways.
From page 456...
... For these reasons, the banking industry may represent the leading edge of information security needs
[2] Note that banks, as part of a highly regulated industry, are relatively less concerned about government monitoring of their financial transactions, since governments usually have extensive authority to monitor any aspect of bank transactions in any event.
From page 457...
... Computer storage, retrieval, and network accessibility of health care information, such as medical records and diagnostic test data, can sharply increase the efficiency with which patients, care providers, and others (such as payers, researchers, and public health officials) use that information.[4] At the same time, the digitization and transmission of such information raises concerns about the heightened vulnerability of personal infor
[3] For example, losses on credit cards issued to consumers are considerable, but the amount lost due to outright fraud is small compared to the debts that consumers are simply unable or unwilling to pay.
From page 458...
... • How does the consumer know that the institution with which he or she is interacting is a trustworthy one (e.g., an organization chartered and regulated by the Federal Deposit Insurance Corporation)?
From page 459...
... Box I.2 describes one cryptographic method that can be used to reduce the risk of improper data aggregation. The risks of improper disclosure of patient information come from
[5] It is interesting to note that for health care professionals, "confidentiality" refers to keeping certain information out of the hands of unauthorized individuals by whatever mechanisms are necessary, whereas for information security providers the term refers to a specific property of encrypted information.
From page 460...
... With such a mechanism in place, a positive user action would be required to create an identifier, and the individual would gain control over the parties who could aggregate personal data because he or she could refuse to create an identifier for any given institution requesting particular data. In essence, the scheme relies on the individual's performing a public-key digital signature on the institution's name.
From page 461...
... However, the need for interorganizational transmission of data is encouraging many health care administrators to re-evaluate their strategic risk analysis and consider cryptography for data confidentiality. Some informal discussions with health care leaders reveal that security issues are generally delegated to their chief information officers and are not a standing top-priority item in their overall strategic planning.
From page 462...
... To amortize these fixed costs, manufacturers necessarily seek larger markets for these variants, and the result is often a global market.
From page 463...
... These flows contain sensitive and proprietary information related to:
• Product design and research and development;
• Marketing, sales, and bidding;
• Plant operations, capabilities, and efficiencies;
• Costs and prices of parts or services being purchased and products being sold;
• Strategic plans;
• Profits and losses;
• Orders to and from suppliers;
• Product readiness and repair; and
• Product problems and incident investigations.
These information flows need not necessarily be electronic; many companies still use people on airplanes with briefcases locked to their wrists.
From page 464...
... Sensitive information of particular significance to the petroleum industry includes the following:
• Personnel information. Top executives of large multinational oil companies are often placed at substantial physical risk by threats of kidnapping, extortion, and other criminal activity.
From page 465...
... I.5 THE PHARMACEUTICAL AND CHEMICAL INDUSTRIES
The pharmaceutical and chemical industries are also global, since foreign nations often possess both the intellectual expertise and the natural resources needed to be successful in these industries.[13] The critical dimensions of these industries in which information must be protected involve not products per se but rather other areas:
• The scientific and technical expertise that allows companies to conceptualize new molecules or adapt previously known molecules to new functionality. Research and development of new drugs and chemicals is the lifeblood of these industries, and information or data in which the creativity of their chemists is reflected is critical.
From page 466...
... As more and more government services are implemented using electronic methods, it becomes increasingly important to identify and authenticate individuals and to verify the accuracy of data. To the extent that people wish to use electronic means to communicate personal information to the government, the need to maintain confidentiality also increases.
From page 467...
... The use of digital signatures will allow the IRS to eliminate handwritten signatures without loss of authentication, which will streamline the data-gathering process. The IRS will be supporting the Digital Signature Standard, as well as other signature standards that become de facto commercial standards.[16] While most electronic filing of income tax returns is currently carried out by authorized tax preparers, the IRS is working on creating a secure system using cryptography that would enable taxpayers to file directly from their home computers.
From page 468...
... In addition to the citizen-to-government interactions described above, there is a complete spectrum of cryptographic methods used throughout the government for internal communication and processing purposes. The Treasury Department has long used cryptographic methods for the authentication, integrity, and confidentiality of financial transactions.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.