Electronic eavesdropping onto information systems: What can the auditor do?

Abstract

The effective protection of information stored in an electronic form requires a complex mixture of physical, administrative, logical access controls and data structuring/ encoding. Physical security of assets is an important consideration, but the key planning and operational aspects have been left to others, security management, line management etc. Network security, the protection of information during electronic transmission, has depended upon the utilisation of encryption techniques. The confidentiality and integrity of the data, and the knowledge associated with the administrative environment of the communication (e.g. the identity of the sender and the recipient) can be assured by a selection of graded encryption/de-encryption processes. The internal auditor is playing a greater role in recommending and supporting the encipherment of sensitive data both in transmission and in storage. Data when being used by humans, however, needs to be in a human readable form and not enciphered. Access to electronic information is invariably through the ubiquitous workstation. Good security is achieved by a mixture of administrative processes and logical access control, identification/authentication controls — passwords etc. The auditing profession has emphasised the need for good administrative controls surrounding an adequate set of software and, increasingly, hardware facilities. These embrace authentication of the user, authorisation over access to systems resources and the auditing of what has actually taken place. Physical security over resources has been primarily left to the security manager. New classes of technical threats to information resources may need a redistribution of planning, operational and monitoring responsibilities. One such threat, not yet fully understood, in the non-defence sector is the possible loss of valuable information by unauthorised monitoring of electronic emanations from office automation. Workstations especially may be considered increasingly at risk from remote electronic eavesdropping. There is a need for practical, marketable generic solutions to this problem to be integrated with the current security controls to produce a ‘secure commercial multi-functional workstation’. There has been little published material on the electronic propagation of workstations, or associated electronic storage and transmission devices and the associated eavesdropping opportunities into various networked/distributed electronic information systems. Solutions that would be economically acceptable (or even technically viable!) in the commercial sector have been restricted by a lack of understanding of technical issues. This article outlines some current research into solutions for non-defence organisations, where electronic hardening to defence ‘Tempest’ standards may be neither politically acceptable nor commercially viable! This research falls into the two major categories of administrative improvement and physical changes to equipment and/or the working environment. The technical aspects are considered first, to establish a base understanding of the extent of the problem.