evolving the security emphasis
June 1992 Computer Fraud & Security Bulletin
Positive benefits come from the enforced regime of proper software release procedures, proper authorization sign-off for each user and the timeouts actually improve machine performance.
File and group permissions can cause teamworking difficulties but, by extending the email to allow convenient transfer from the mailing directories to the wordprocessing directories, this problem can be overcome.
Engineer calls have to be logged for any machine on the network so root passwords can be changed, written down and resealed in a secure location.
Similar problems apply to the PC implementation, but it is more important to evaluate all new software packages for satisfactory coexistence with the security system and other packages prior to any live installation. Particular problems can be created by badly written programs, those which bypass the DOS BIOS and Terminate and Stay Resident packages.
The future
31 is moving towards a client/server architecture based on Unix hosts as SQL central and departmental servers. The departmental servers will run Novell Portable Netware as well as BoKS and the PCs will have PC-Guard. The addition of these changes and the interaction of the central database security, wide area network security, local area server security and PC security must present us with serious administration problems.
The company is, in addition, moving towards unattended computer rooms with a small admin team being warned of faults or violations through the use of a voice mail system combined with messaging pagers. The complexity of the client server approach, and the tightly coupled PC/Unix environment, will lead to additional work with Dynasoft to develop direct links between each security component. This will allow central reporting of network violations right down to the individual PC, and the secure central administration of all systems. This facility will remain necessary although each new release of Unix improves the trusted level of the system. Effective security in a networked environment is still in its infancy and will continue to require an element of bespoke tailoring for each installation for some time to come.
The extension of the mail system to most of the group documents and the need for more sophisticated document authentication, has led to an investigation of the use of file and signature encryption based on the RSA algorithm. It would, however, be preferable for OSI standards to become established together with the associated products before making this investment.
Conclusion
Securing a large network of Unix systems involves significant resources and generates considerable user resistance. The technology is not well established and the major suppliers are slow to provide effective solutions. The third party solutions (such as Dynasoft) can be made to fill this gap but some bespoke tailoring of the system will probably be necessary.
MEETING THE BUSINESS CHALLENGE OF THE 90s
Evolving the security emphasis
Ken Wong
PA Consulting, UK
In recent years, we have experienced constant changes in operational emphasis and use of new technology in order to gain competitive advantage or improve business efficiency. In these situations, existing controls can often become obsolete in the light of changed business practice, and their strengths and weaknesses are irrelevant in the new operating environment.
© 1992 Elsevier Science Publishers Ltd
Security professionals are beginning to take stock of their current practice and introduce radical changes to meet the business challenge in the 90s. Regular reviews of business requirements are needed to identify any new, emerging security issues and to adopt a suitable policy for protection. To provide end-to-end protection to networking and computing systems, we may have to apply new control practice and overhaul the existing control regimes to introduce new countermeasures, and even extend such regimes to beyond the company’s premises. Good examples are electronic data interchange, or EDI, facilities management and lap top portable computers.
In the first instance, providing end-to-end security entails installing good protection measures in the various in-house areas as well as those of third party network providers and the trading partners involved, which are outside our direct control. In the second case, hands-off access to computer facilities means we are delegating our responsibilities to FM providers to take care of our security needs. Caveat emptor is the watch phrase of the day. Unless we emphasize our requirements on resilience, security and service level clearly to the service providers, and instigate measures to check for compliance, chances are any security provided will be minimal or non-existent. Fierce competition dictates the need to only provide non-essential services at marginal cost, and thus paying lip service to such areas as security.
In the case of lap top computers, securing off-site computing and mobile workstation access to the corporate network has often proved more difficult than protecting IT facilities in house. Witness the case of the banker who left his lap top at a station platform in London, UK. Or the lap top left on the plane by its owner and was blown up as a suspicious bomb package. In each case, the information on the hard disk was lost along with the equipment.
Increasingly, as we gain a better understanding of the underlying technology risks, we also have to keep a watching brief on any changing business requirements and operational emphasis in the company. Security should be constantly refocussed to address any new exposures to the business.
So far, we have concentrated most of our security efforts to counter such threats as hacking, software piracy or computer viruses. Such emphasis is slowly shifting ground. The current impetus is to go for a consistent, acceptable level of security across the company. This serves as a safety net to contain most corporate risk exposures to an acceptable level. The benefits obtained from a trouble-free service, through providing sensible security, integrity and resilience measures to cater for business needs, coupled with fast response systems to frustrate potential misuse or abuse of IT systems, often outweigh the gratification of defeating teenage hackers with intricate defence techniques.
The case for costly security spending for the latter must be debated in relation to the need to counter a whole host of other technical and business threats, which could imperil information confidentiality, integrity, or service availability. There is a growing need to extend the line of defence to span the whole organization and embrace both business and technical areas, rather than concentrating most protection efforts on a few hot spots in the network or information systems. As the power of local access and data manipulation shifts to the end-user, the security provisions on the host computer are powerless to deter misuse on local area networks or networked PCs. And yet these are precisely the gaps which have not been plugged in traditional security practice.
In our experience, providing sensible security in most parts of the company often entails low cost capital investment to improve the security awareness of staff, and to adopt good security practice by following a set of consistent, acceptable security standards.
What is needed is an understanding, and a clear statement, of the business requirements for information security. This should take into account any threats and exposures associated with the company’s business direction, and any new enabling technology which will be coming on stream. This will allow a suitable security policy to be defined to protect the company and its information assets.
The security policy will need to be supported by a control requirements framework, spanning a number of control domains, with the necessary controls and procedures in each domain, to provide a consistent level of protection from end to end.
Increasingly, the goal of promoting good security practice is to achieve the right level of security for new systems, and at the same time improve staff productivity and add value to business processes. The former can be achieved by adopting reusable techniques to build controls in system development, e.g. to validate input or detect security breaches. The latter is made possible by adopting proactive security design in new systems, promoting current best practice, and actively managing information security to provide value for money to the company.
are
inherent our current security practice
building new system, the get a
prototype working first,
The system designer is given a
clean slate, total freedom
and free from any meet
business requirements for
data integrity and
the time security
the design tablet has been
in stone, with little
any proposed changes to improve security. And
the business benefits for security cannot
be clearly defined, then toil and sweat
bend twist a working system to
incorporate security
any proposed system changes the
grounds
cost system delivery
As a result, find security
may
be good defence against
and possibly some contingency
the
general lack of security awareness
make company vulnerable
to misuse from
business
Our experience with development
that good security knowledge
and shared with others. There may
for information exchange across but
they tend to revolve around such general topics
as quality management or project control
Esoteric such as security are
the project team. This
unfortunate result that staff tend to re-invent the
wheel own projects
and security problems. This is inefficient
utilization of skilled labour and
time cost
Because of lack the
extent security and are
addressed
the personal knowledge and the
project manager himself. Inconsistency
the security the company
will only good as weakest link
A case the recent initiative to inter-connect systems to facilitate inter-operability, i.e. connecting systems together
add functionality
This should help to deliver business
benefits the product supply chain, from materials end products and Unix is
often the for open systems inter-connection Unix developed the academic and is
inherently insecure. The lack of formal channels to pool together a knowledge base of common security weakness and system flaws in various Unix implementations could seriously jeopardize the overall security of inter-connecting systems.
Current impetus to improve system security
We have assisted a number of companies to address the above shortcomings in the following ways:
1. Incorporate security as part of a system’s business requirements. Security issues should be identified in the requirements definition phase of the system design lifecycle. System designers will then have to address the various stipulated control requirements in the functional and physical designs. This would avoid the painful retrofit of security features later, as often happens with current development practice.
2. Introduce risk analysis techniques. The idea is not new and is certainly gaining momentum. What is needed is a sample approach for development staff to elucidate from potential business users of the new system, any special security requirements for data confidentiality, integrity and availability. Such requirements could be expressed in terms of the serious impact a security breach or system disruption would have on loss of business or business opportunity, or other adverse effects to the company.
The objective is to ascertain the following:
- are there any above normal security requirements in the business application?
- if so, do they relate to information confidentiality, system integrity, service availability?
- how and where should these security requirements be addressed in the system?
We shall return to risk analysis later.
3. Adopt a set of baseline controls. The baseline controls comprise a comprehensive set of minimum, acceptable security standards or code of good practice for the company, to be adopted in all systems by default. They should be consistent across the company, and for some systems could be extended to the domains of external suppliers, contractors and trading associates for end-to-end protection.
Effectively, the baseline controls provide a safety net to ensure a minimum level of security is being applied to any business application from end to end. Any system which has no special security requirements will be required to adopt the baseline controls by default to provide an acceptable level of protection to the company.
4. Use a specialist in high security work. With the help of risk analysis and a set of baseline controls, the system designer will implement appropriate baseline measures in those areas identified as requiring no special protection. This leaves the security specialist to address only high security areas in the new system, instead of having to spread his efforts thinly to deal with all control issues in system development.
The security specialist is effectively an internal consultant engaged specifically to handle any special security issues in a new system. His resource commitment on a project should be made transparent to the business sponsor as a part of the total development cost. In this way we make sure the sponsor understands and endorses security as an integral part of his business requirements of the system, and corresponding effort is being channelled to address it.
5. Manage and coordinate. Initially the security specialist will need to set down a method or approach to conduct risk analysis, and to make available a set of baseline controls for development staff to apply. To do this properly, he has to have a good grasp of the business operation, and a good understanding of business exposures from technology developments in the company.
His or her key role is not to administer security systems or procedures, but to manage and control IT risk exposures. Furthermore, when examining the various risk issues from end to end, the perspective may have to span the whole organization and beyond. The security specialist has to coordinate both central and devolved security roles in business and technology areas in the information supply chain.
Risk analysis
The use of risk analysis is generally recognized as a logical process to manage information risk exposures. What is not clear is who should be conducting the risk analysis. In our view, if the process is to prevail in all development work, then it should not be an exclusive service provided by the security specialist, otherwise this could form a bottleneck and slow down the delivery of results. On the other hand, if risk analysis is to be performed by system staff, then the method used must not assume that the analyst has in-depth knowledge of security techniques and processes.
The objective of risk analysis is to determine the business requirements for information security, i.e. an assessment of corporate exposures and the impact of security breaches, e.g. resulting from loss of confidentiality, integrity or availability.
A number of risk scenarios may be used to identify any high security requirements in the system, both deliberate and accidental, and where and how these could occur. Specifically one could select the risk of fraud as a specific risk scenario, and loss of service as another.
The next step is to analyse individual threat characteristics to understand the exposures further. For instance:
- would the risk be confined to a staff group or business area (as in the case of a local fraud) or would it be widespread among users (e.g. loss of a part of the network when a major node was knocked out)
- what is the likelihood or frequency of the risk occurring, and
- how severely would this affect the business?
Having ascertained the nature and severity of various threat exposures, the next step is to determine the security requirements, i.e. how the risks should be controlled.
Risk control
A number of options are open for us to formulate a viable risk control strategy. Each of the following may be used singly or in combination, to prevent or curtail losses:
- prevent risk occurrence
- reduce likelihood
- localize losses
- detect early
- respond quickly
- speed up recovery
- transfer liability through insurance or contract
As a matter of interest, increasingly, pressure is being brought to bear on FM and VAN service providers to meet any business interruption losses, as well as to compensate for lost time or service from a serious disruption or breach of service level agreement. They have also been taken to task to compensate for any fraud or criminal losses through service or network insecurity.
To help implement the control strategy, we could divide the company or IT system into a number of discrete control areas, or control domains:
- staff responsibility
- system development
- operations
- network management and support
- PCs and local area network
- off-site working
Once the control domains are clearly identified, we have to determine how the various security roles should be coordinated and dove-tailed across these domains.
Within each domain, we need to ascertain the following:
- who will pay for the various controls
- who will install and implement them
- who will administer the security system on a day-to-day basis
- who will pay for the initial set-up cost and the operational cost of the security system
- who is liable for losses
- how will the losses be assessed and proven
The last two aspects are particularly relevant when more than one organization is involved in the information supply chain.
When it comes to selecting specific counter-measures, they fall into the following broad categories:
- organizational, e.g. segregation of duties, personnel control procedures, security classification of data, non-disclosure of proprietary information, prohibition of unauthorized or pirated software
- procedural, e.g. for sensitive tasks, high security operations, off-site working, dial-up connection
- technical, e.g. use of security or audit software, security systems or devices
- contractual, e.g. service level agreement, contracts with external suppliers, insurance
To provide robustness in the security system, we should ensure that if one control fails, it should not threaten the security of the system. We should never rely on a single control to meet a special security requirement in the system. This could lead to a single point of failure and would jeopardize the whole security planning for the system. Ideally, there should be compensating controls implemented in complementary control domains in case certain controls are compromised or fail to operate.
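An added example, not part of the original article: a small Python check over a control register that reports any special security requirement left resting on a single control, or on controls that all sit in one control domain. The domain and category names come from the article; the register entries, their domain assignments and the function name are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Control domains and countermeasure categories as listed in the article.
DOMAINS = {
    "staff responsibility", "system development", "operations",
    "network management and support", "PCs and local area network",
    "off-site working",
}
CATEGORIES = {"organizational", "procedural", "technical", "contractual"}


@dataclass(frozen=True)
class Control:
    name: str
    domain: str
    category: str
    meets: tuple  # special security requirements this control supports


def review_framework(requirements, controls):
    """Return {requirement: finding} for every weakly covered requirement.

    A requirement is reported when it has no control, a single control,
    or several controls that all sit in the same control domain.
    """
    covering = defaultdict(list)
    for ctrl in controls:
        if ctrl.domain not in DOMAINS or ctrl.category not in CATEGORIES:
            raise ValueError(f"unknown domain or category on {ctrl.name!r}")
        for req in ctrl.meets:
            covering[req].append(ctrl)

    findings = {}
    for req in requirements:
        ctrls = covering.get(req, [])
        domains = sorted({c.domain for c in ctrls})
        if not ctrls:
            findings[req] = "no control addresses this requirement"
        elif len(ctrls) == 1:
            findings[req] = f"single control: {ctrls[0].name}"
        elif len(domains) == 1:
            findings[req] = f"all controls sit in one domain: {domains[0]}"
    return findings


# Constructed sample: the article's financial system with its three
# above-baseline requirements. Domain assignments are assumptions.
AVAIL = "service availability"
FRAUD = "protection from fraud"
ESPIONAGE = "protection from industrial espionage"
REQUIREMENTS = [AVAIL, FRAUD, ESPIONAGE]

NET = "network management and support"
REGISTER = [
    Control("system redundancy", "operations", "technical", (AVAIL,)),
    Control("diverse routing", NET, "technical", (AVAIL,)),
    Control("smartcard challenge response on dial-up", NET, "technical",
            (FRAUD, ESPIONAGE)),
    Control("audit trails on sensitive events", "operations", "technical",
            (FRAUD,)),
    Control("segregation of duties", "staff responsibility",
            "organizational", (FRAUD,)),
    Control("link encryption of commercial data", NET, "technical",
            (ESPIONAGE,)),
]

# A compensating control in a complementary domain closes the gap.
COMPENSATING = Control("non-disclosure of proprietary information",
                       "staff responsibility", "organizational",
                       (ESPIONAGE,))

if __name__ == "__main__":
    for req, issue in review_framework(REQUIREMENTS, REGISTER).items():
        print(f"{req}: {issue}")
    print(review_framework(REQUIREMENTS, REGISTER + [COMPENSATING]))
```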
Having agreed the various control domains and the countermeasures contained therein, we now have a security framework for the new system. This is the time to take stock of whether the controls proposed are viable for the business requirement. Specifically we need to assess their likely impact on the following:
- service level
- external/internal user acceptance
- operational overheads
- residual risks remaining in the system
If the above are unacceptable, we may need to reconsider our control strategy and review some of the controls to look for cost reduction, or to take on higher risks. In the end we have to look for a viable approach for the system as a whole to ensure the total project investment and the financial returns are acceptable to the business sponsor.
System design lifecycle
To illustrate the risk control approach, Figure 2 sets out on the left a typical development framework with its various phases in the system design life cycle. On the right is a risk management framework with its various analysis and control phases. Let us walk through the risk management process in the development life cycle.
Development phase            Risk management framework
Business study               -
Problem definition           -
Feasibility study            -
Development risk analysis    -
Requirements definition      Risk analysis
Functional system design     High level control requirements
Computer system design       High level control specification
Technical specification      Detailed controls specification
Build and test               Security testing
Implementation               -
Review                       Security audit
Figure 2: Risk management framework
The system development process starts with a business study to define the business problems to be addressed, explore the feasibility of an IT-based solution, and undertake a risk analysis of the development project. The last aspect refers to an assessment of the risks associated with project overruns on cost or delivery, and whether the project should go ahead. Suppose the project gets the green light.
The next phase is a requirements definition of the new system. Within the risk management framework, this is where the system designer applies risk analysis to determine if there are any special security requirements above the baseline. Suppose the system has the following attributes:
- it is a financial application
- it carries extremely sensitive commercial information, and
- its service is very time-critical
Suppose the risk analysis determines that the specific high security requirements are service availability and protection from fraud and industrial espionage.
Because the system has a number of security requirements above the baseline, the risk analysis will trigger off the mandatory involvement of a security specialist in the design process. He would be asked to review the analysis results and recommend certain global control requirements in the functional systems design, e.g.
- provide system redundancy and routing diversity to address high service level requirement
- use a smartcard and challenge response system to protect dial-up connection
- implement an encryption scheme to protect sensitive commercial data
In the computer system design phase, the controls will be elaborated further, i.e.
- where to provide system redundancy and which communication links should have diverse routing
- how will the dial-up security system be administered
- where should encryption be applied, using hardware or software, etc.
In the technical specification, the controls will be specified with further details, e.g.
- how the system redundancy will be configured, and the type of equipment involved
- physical implementation of diverse routing
- administering staff changes in the dial-up security system
- audit trails to track sensitive events and security breaches
- details of the encryption algorithm and key management, etc.
In some cases the controls may be specified by the system designer, in consultation with telecommunications specialists, operations and security staff. The security specialist will be required to verify the proposed implementation in the technical specification, and to sign off that the detailed approach is acceptable.
In the build and test phase, for very high security systems, sometimes the development manager may decide to commission a ‘tiger team’ to conduct a certain amount of security testing to check for any system flaws or loopholes in the detailed security provisions. In most cases, the project will normally go on to the implementation phase.
In the post-implementation review, the computer audit function may be involved to conduct a security audit of the system to validate the controls implementation.
Evolution of security emphasis
In recent years, we have experienced many radical changes in IT, driven partly by new advances in technology, and partly by corporate initiatives to improve efficiency and service. At first the operational emphasis was shifting from a central to a distributed environment. Then in-house IT services were opened up and shared with outside customers, trading partners and business associates. Eventually such services were out-sourced to FM or VAN providers. Each move has provided system managers with fresh challenges to secure their business systems and data.
In the good old days, everything revolved around the host mainframe, and one could be reasonably confident that central control of access to information can be effectively planned and administered to protect sensitive data. Hence the popularity of such access control products as RACF and ACF2. Then wide area network came to the fore and we began to address communications security, to protect against wire-tapping and computer hacking.
Gradually, intelligent terminals came into play and central control of distributed IT resources across geographical locations became ineffective to constrain data downloading and access to local devices and storage media. With the advent of PC networks, the traditional use of the central host to control access permissions from individual PC workstations became out-dated. Often one PC can communicate directly with another down the line and the host computer is neither involved to route the call nor referenced to seek permission to talk to one another.
Indeed, because most local area networks use broadcast technology and pay little attention to configuration control, there are growing risks of eavesdropping on the line with network support tools such as protocol analysers, or connecting a rogue terminal to one of the spare network access points in the building to masquerade as a genuine workstation. With PCs, there has been great temptation to play computer games obtained from dubious sources, or wanton copying of commercial software among employees for office and home use. They have led to the proliferation of computer viruses and flagrant infringement of software copyright which bring many companies into disrepute.
With the move towards down-sizing and migration to client/server architectures to build applications quickly, using a fourth generation language, to meet fast changing business needs, the central security role is reduced to the following:
- maintain the integrity and resilience of the central relational database
- safeguard the database from corruption through accident or misuse
- provide consistency for data reference across applications
At the workstation client level, a security infrastructure will need to be in place for local management to control the following:
- provide simultaneous access from various client workstations for different business purposes
- protect access from various categories of users to manipulate the corporate data model in the various business processes
The cooperative processing environment requires a clear definition of central security responsibilities and the corresponding devolved, local control roles in distributed locations, to dove-tail to business requirements and provide consistent security across the company.
When we open our in-house system or network to share access with other trading partners, associates or external customers, the security dimension takes a new twist. In-house controls of one organization may not be compatible with those of other organizations involved in the information supply chain. The traditional control domains which span the whole company will need to be extended to embrace the entire community of users of the business service, comprising employees, customers or agents. A high degree of cooperation is required to coordinate security responsibilities across companies to provide effective protection and detection.
Then we want to outsource our IT or network facilities to external FM or VAN providers, and along with it the responsibility for security, integrity and recovery of information facilities and services. With hands-off computing, we need to define our security requirements clearly to the service providers, and at the same time provide benchmarks to measure their compliance with such requirements.
The management of information security in a company involves an ever growing number of key players. The task will simply become untenable without radically overhauling our established security practice.
Future security practice
To succeed in providing good security in new systems, we need to adopt the following approach, i.e. to be:
- proactive: get involved early to examine the business process top-down, to determine the business requirements for security and to steer the direction of system design. This is the least controversial way to prescribe good measures for security. We have very little leeway to modify a system design which is too far advanced.
- consistent: make sure the same security level is being applied from end to end, i.e. a seamless approach to embrace both IT and business areas, from location to location, and for all key players involved in the information supply chain.
- efficient: encourage the adoption of reusable processes to address control issues, so that the same techniques can be regularly reapplied to handle similar risk exposures across projects, systems, and technology platforms. The efforts invested in developing fraud detection, encryption, file control and other techniques will be fully exploited to bring cost savings as well as to speed up the delivery of new systems.
- secure: current best practice should be widely adopted to ensure the best security techniques or approaches are being promoted across the company. The security function should act as the focal point to channel system designers to the in-house champions of current best practice in various security areas. Efforts to develop new security techniques will begin from a position of strength, to build on from current best practice, and not to start from scratch.
- cost-justified: the objective is not to provide too much or too little security but to go for the level of security. We started the system security process by specifying our security requirements based on business exposures. By the same token, we should also aim to cost-justify any controls according to business needs.
- add value: the security activities should not be construed as unproductive overheads. They should aim to bring benefits to the business application, to reduce fraud, cut down on reworking, or to ensure a good and reliable service.
In a major electronic funds transfer project, PA consultants were involved in the substantive security testing of a key component of the system. The tests unearthed a large number of security flaws. More significantly, the exercise also found three times as many functionality problems when the component failed to meet its technical specification. In this case, the security activity has provided added value to the new system through improving the quality of the end product.
How are we doing?
Are we getting there yet? Well, the progress so far has been encouraging, not least because the need for cost-effective security practice is critical to business success in the 90s. In an increasingly competitive world, we have to constantly innovate and manage radical business and technology changes at least cost. This means harnessing efficient processes to build systems. By adding value to the development process and providing the right level of security in new systems, we are working with our business colleagues to strive for competitive advantage.
EVENTS
CORPORATE FRAUD. June 3-4 1992. Location: London, UK. Contact: Amanda Stuart, IBC Technical Services, Gilmoora House, 57-61 Mortimer Street, London, W1N 7TD, UK; tel +44 (0)71 637 4363, fax +44 (0)71 631 3214
COMPUTER SECURITY FOUNDATIONS WORKSHOP V. June 16-16 1992. Location: Franconia, New Hampshire, USA. Contact: Leonard J LaPadula, Information Security Technical Center, The MITRE Corporation, Bedford, MA 01730-0206, USA; tel +1 617 271 3261
SECUNET 92. June 22-24 1992. Location: Koln, Germany. Contact: BIFOA Veranstaltungsburo, Universitatstrase 45, W-5000 Koln 41, Germany; tel +49 (0)221 4760333, fax +49 (0)221 4760321
FRAUD IN THE CITY FACING REALITY. June 25-26, 1992. Location: London, UK. Contact: Amanda Stuart, IBC Technical Services, Gilmoora House, 57-61 Mortimer Street, London, W1N 7TD, UK; tel +44 (0)71 637 4383, fax +44 (0)71 631 3214
PRACTICAL DATA SECURITY RISKS, COSTS & SOLUTIONS. June 30 - July 1, 1992. Location: London, UK. Contact: Unicorn Seminars, Brunel Science Park, Cleveland Rd, Uxbridge, Middlesex, UB8 3PH, UK; tel +44 (0)895 256484, fax +44 (0)895 813095
PRIVACY LAWS & BUSINESS. July 20-22 1992. Location: Cambridge, UK. Contact: Stuart Dresner, 3 Central Avenue, Pinner, Middlesex, HA5 5BT, UK; tel +44 (0)81 866 8641, fax +44 (0)81 8682915
2nd VIRUS BULLETIN CONFERENCE. September 2-3 1992. Location: Edinburgh, Scotland. Contact: Petra Duffield, 21 The Quadrant, Abingdon Science Park, Abingdon, OX14 3YS, UK; tel +44 (0)235 531889, fax +44 (0)235 559935
EUROPEAN SMARTCARDS & APPLICATIONS. September 2-4 1992. Location: Helsinki, Finland. Contact: El11 Ohrnberg, PO Box 35, 00621 Helsinki, Finland; tel +358 (0) 7520 711, fax +358 (0) 7520 899