834 results for security, usability, identity management, authentication, authorization


Relevance:

30.00%

Publisher:

Abstract:

Objective: To develop a safety protocol for the management of thirst in the immediate postoperative period. Method: Quantitative, methodological, and applied study conducted in April-August 2012. An extensive literature search and expert consultation was carried out to develop the protocol and its operating manual. Theoretical and semantic analyses were carried out by experts. Results: Assessment of level of consciousness, reflexes of protection of the airways (cough and swallowing), and absence of nausea and vomiting were selected as safety criteria. These criteria were grouped and formatted in a graph algorithm, which indicates the need to interrupt the procedure if a security criterion does not reach the expected standard. Conclusion: The protocol was elaborated to fill in the gap in the literature of a specific model concerning nursing actions in the safe management of thirst in the immediate postoperative period.

Relevance:

30.00%

Publisher:

Abstract:

Objective: To associate the territory of identity with the production of care within a PCC focusing on children and adolescents with drug abuse and their institutional identity. Method: We used the “process tracing methodology” in four research categories: focus groups, characterization of professionals, observing the everyday and interviewing two members of emblematic cases of the service. Results: The territory of identity of the institution, which operates the production of care, is crossed by the difficulty of dealing with the complexity brought by the users and the performance of the PCC network. This paper is also permeated by different conceptions of care and small problematization of these issues in collective spaces of service. Conclusion: The discussion in focus groups and other devices can be powerful resources to reframe the meaning of care and identity of collective service.

Relevance:

30.00%

Publisher:

Abstract:

In this paper we explore the mechanisms that allow securities analysts to value companies in contexts of Knightian uncertainty, that is, in the face of information that is unclear, subject to unforeseeable contingencies or to multiple interpretations. We address this question with a grounded-theory analysis of the reports written on Amazon.com by securities analyst Henry Blodget and rival analysts during the years 1998-2000. Our core finding is that analysts' reports are structured by internally consistent associations that include categorizations, key metrics and analogies. We refer to these representations as calculative frames, and propose that analysts function as frame-makers - that is, as specialized intermediaries that help investors value uncertain stocks. We conclude by considering the implications of frame-making for the rise of new industry categories, analysts' accuracy, and the regulatory debate on analysts' independence.

Relevance:

30.00%

Publisher:

Abstract:

For more than 20 years, many countries have been trying to set up a standardised medical record at the regional or at the national level. Most of them have not reached this goal, essentially due to two main difficulties related to patient identification and medical records standardisation. Moreover, the issues raised by the centralisation of all gathered medical data have to be tackled particularly in terms of security and privacy. We discuss here the interest of a noncentralised management of medical records which would require a specific procedure that gives to the patient access to his/her distributed medical data, wherever he/she is located.

Relevance:

30.00%

Publisher:

Abstract:

Development of the mathematical models needed to optimally control the microgrid at the laboratories of the Institut de Recerca en Energia de Catalunya. The algorithms will be implemented in order to simulate the behaviour and will later be programmed directly on the elements of the microgrid to verify their correct operation.

Relevance:

30.00%

Publisher:

Abstract:

LEGISLATIVE STUDY – The 83rd General Assembly of the Iowa Legislature, in Senate File 2273, directed the Iowa Department of Transportation (DOT) to conduct a study of how to implement a uniform statewide system to allow for electronic transactions for the registration and titling of motor vehicles. PARTICIPANTS IN STUDY – As directed by Senate File 2273, the DOT formed a working group to conduct the study that included representatives from the Consumer Protection Division of the Office of the Attorney General, the Department of Public Safety, the Department of Revenue, the Iowa State County Treasurer’s Association, the Iowa Automobile Dealers Association, and the Iowa Independent Automobile Dealers Association. CONDUCT OF THE STUDY – The working group met eight times between June 17, 2010, and October 1, 2010. The group discussed the costs and benefits of electronic titling from the perspectives of new and used motor vehicle dealers, county treasurers, the DOT, lending institutions, consumers and consumer protection, and law enforcement. Security concerns, legislative implications, and implementation timelines were also considered. In the course of the meetings the group: 1. Reviewed the specific goals of S.F. 2273, and viewed a demonstration of Iowa’s current vehicle registration and titling system so participants that were not users of the system could gain an understanding of its current functionality and capabilities. 2. Reviewed the results of a survey of county treasurers conducted by the DOT to determine the extent to which county treasurers had processing backlogs and the extent to which county treasurers limited the number of dealer registration and titling transactions that they would process in a single day and while the dealer waited. 
Only eight reported placing a limit on the number of dealer transactions that would be processed while the dealer waited (with the number ranging from one to four), and only 11 reported a backlog in processing registration and titling transactions as of June 11, 2010, with most backlogs being reported in the range of one to three days. 3. Conducted conference calls with representatives of the American Association of Motor Vehicle Administrators (AAMVA) and representatives of three states -- Kansas, which has an electronic lien and titling (ELT) program, and Wisconsin and Florida, each of which have both an ELT program and an electronic registration and titling (ERT) program – to assess current and best practices for electronic transactions. In addition, the DOT (through AAMVA) submitted a survey to all U.S. jurisdictions to determine how, if at all, other states implemented electronic transactions for the registration and titling of motor vehicles. Twenty-eight states responded to the survey; of the 28 states that responded, only 13 allowed liens to be added or released electronically, and only five indicated allowing applications for registration and titling to be submitted electronically. DOT staff also heard a presentation from South Dakota on its ERT system at an AAMVA regional meeting. ELT information that emerged suggests a multi-vendor approach, in which vendors that meet state specifications for participation are authorized to interface with the state’s system to serve as a portal between lenders and the state system, will facilitate electronic lien releases and additions by offering lenders more choices and the opportunity to use the same vendor in multiple states. The ERT information that emerged indicates a multi-interface approach that offers an interface with existing dealer management software (DMS) systems and through a separate internet site will facilitate ERT by offering access that meets a variety of business needs and models. 
In both instances, information that emerged indicates that, in the long-term, adoption rates are positively affected by making participation above a certain minimum threshold mandatory. 4. To assess and compare functions or services that might be offered by or through a vendor, the group heard presentations from vendors that offer products or services that facilitate some aspect of ELT or ERT. 5. To assess the concerns, needs and interest of Iowa motor vehicle dealers, the group surveyed dealers to assess registration and titling difficulties experienced by dealers, the types of DMS systems (if any) used by dealers, and the dealers’ interest and preference in using an electronic interface to submit applications for registration and titling. Overall, 40% of the dealers that responded indicated interest and 57% indicated no interest, but interest was pronounced among new car dealers (75% were interested) and dealers with a high number of monthly transactions (85% of dealers averaging more than 50 sales per month were interested). The majority of dealers responding to the dealer survey ranked delays in processing and problems with daily limits on transaction as “minor difficulty” or “no difficulty.” RECOMMENDATIONS -- At the conclusion of the meetings, the working group discussed possible approaches for implementation of electronic transactions in Iowa and reached a consensus that a phased implementation of electronic titling that addressed first electronic lien and title transactions (ELT) and electronic fund transfers (EFT), and then electronic applications for registration and titling (ERT) is recommended. 
The recommendation of a phased implementation is based upon recognition that aspects of ELT and EFT are foundational to ERT, and that ELT and EFT solutions are more readily and easily attained than the ERT solution, which will take longer and be somewhat more difficult to develop and will require federal approval of an electronic odometer statement to fully implement. ELT – A multi-vendor approach is proposed for ELT. No direct costs to the state, counties, consumers, or dealers are anticipated under this approach. The vendor charges participating lenders user or transaction fees for the service, and it appears the lenders typically absorb those costs due to the savings offered by ELT. Existing staff can complete the programming necessary to interface the state system with vendors’ systems. The estimated time to implement ELT is six to nine months. Mandatory participation is not recommended initially, but should be considered after ELT has been implemented and a suitable number of vendors have enrolled to provide a fair assessment of participation rates and opportunities. EFT – A previous attempt to implement ELT and EFT was terminated due to concern that it would negatively impact county revenues by reducing interest income earned on state funds collected by the county and held until the monthly transfer to the state. To avoid that problem in this implementation, the EFT solution should remain revenue neutral to the counties, by allowing fees submitted by EFT to be immediately directed to the proper county account. Because ARTS was designed and has the capacity to accommodate EFT, a vendor is not needed to implement EFT. The estimated time to implement EFT is six to nine months. It is expected that EFT development will overlap ELT development. ERT – ERT itself must be developed in phases. 
It will not be possible to quickly implement a fully functioning, paperless ERT system, because federal law requires that transfer of title be accompanied by a written odometer statement unless approval for an alternate electronic statement is granted by the National Highway Traffic Safety Administration (NHTSA). It is expected that it will take as much as a year or more to obtain NHTSA approval, and that NHTSA approval will require design of a system that requires the seller to electronically confirm the seller’s identity, make the required disclosure to the buyer, and then transfer the disclosure to the buyer, who must also electronically confirm the buyer’s identity and electronically review and accept the disclosure to complete and submit the transaction. Given the time that it will take to develop and gain approval for this solution, initial ERT implementation will focus on completing and submitting applications and issuing registration applied for cards electronically, with the understanding that this process will still require submission of paper documents until an electronic odometer solution is developed. Because continued submission of paper documents undermines the efficiencies sought, “full” ERT – that is, all documents necessary for registration and titling should be capable of approval and/or acceptance by all parties, and should be capable of submission without transmittal or delivery of duplicate paper documents – should remain the ultimate goal. ERT is not recommended as a means to eliminate review and approval of registration and titling transactions by the county treasurers, or to place registration and titling approval in the hands of the dealers, as county treasurers perform an important role in deterring fraud and promoting accuracy by determining the genuineness and regularity of each application. 
Authorizing dealers to act as registration agents that approve registration and title applications, issue registration receipts, and maintain and deliver permanent metal license plates is not recommended. Although distribution of permanent plates by dealers is not recommended, it is recommended that dealers participating in ERT generate and print registration applied for cards electronically. Unlike the manually-issued cards currently in use, cards issued in this fashion may be queried by law enforcement and are less susceptible to misuse by customers and dealers. The estimated time to implement the electronic application and registration applied for cards is 12 to 18 months, to begin after ELT and EFT have been implemented. It is recommended that focus during this time be on facilitating transfers through motor vehicle dealers, with initial deployment focused on higher-volume dealers that use DMS systems. In the long term an internet option for access to ERT must also be developed and maintained to allow participation for lower-volume dealers that do not use a DMS system. This option will also lay the ground work for an ERT option for sales between private individuals. Mandatory participation in Iowa is not recommended initially. As with ELT, it is recommended that mandatory participation be considered after at least an initial phase of ERT has been implemented and a suitable number of dealers have enrolled to provide a fair assessment of participation rates and opportunities. 
The use of vendors to facilitate ERT is not initially proposed because 1) DOT IT support staff is capable of developing a system that will interact with DMS systems and will still have to develop a dealer and public interface regardless of whether a vendor acts as intermediary between the DMS systems, and 2) there is concern that the cost of the vendor-based system, which is funded by transaction-based payments from the dealer to the vendor, will be passed to the consumer in the form of additional documentation or conveyance fees. However, the DOT recommends flexibility on this point, as development and pilot of the system may indicate that a multi-vendor approach similar to that recommended for ELT may increase the adoption rate by larger dealers and may ultimately decrease the user management to be exercised by DOT staff. If vendors are used in the process, additional legislation or administrative rules may be needed to control the fees that may be passed to the consumer. No direct cost to the DOT or county treasurers is expected, as the DOT expects that it may complete necessary programming with existing staff. Use of vendors to facilitate ERT transactions by dealers using DMS systems would result in transaction fees that may ultimately be passed to consumers. 
LEGISLATION – As a result of the changes implemented in 2004 under Senate File 2070, the only changes to Iowa statutes proposed are to section 321.69 of the Iowa Code, “Damage disclosure statement,” and section 321.71, “Odometer requirements.” In each instance, authority to execute these statements by electronic means would be clarified by authorizing language similar to that used in section 321.20, subsections “2” and “3,” which allows for electronic applications and directs the department to “adopt rules on the method for providing signatures for applications made by electronic means.” In these sections, the authorizing language might read as follows: Notwithstanding contrary provisions of this section, the department may develop and implement a program to allow for any statement required by this section to be made electronically. The department shall adopt rules on the method for providing signatures for statements made by electronic means. Some changes to DOT administrative rules will be useful but only to enable changes to work processes that would be desirable in the long term. Examples of long term work processes that would be enabled by rule changes include allowing for signatures created through electronic means and electronic odometer certifications. The DOT rules, as currently written, do not hinder the ability to proceed with ELT, EFT, and ERT.

Relevance:

30.00%

Publisher:

Abstract:

The identity [r]evolution is happening. Who are you, who am I in the information society? In recent years, the convergence of several factors - technological, political, economic - has accelerated a fundamental change in our networked world. On a technological level, information becomes easier to gather, to store, to exchange and to process. The belief that more information brings more security has been a strong political driver to promote information gathering since September 11. Profiling intends to transform information into knowledge in order to anticipate one's behaviour, or needs, or preferences. It can lead to categorizations according to some specific risk criteria, for example, or to direct and personalized marketing. As a consequence, new forms of identities appear. They are not necessarily related to our names anymore. They are based on information, on traces that we leave when we act or interact, when we go somewhere or just stay in one place, or even sometimes when we make a choice. They are related to the SIM cards of our mobile phones, to our credit card numbers, to the pseudonyms that we use on the Internet, to our email addresses, to the IP addresses of our computers, to our profiles... Like traditional identities, these new forms of identities can allow us to distinguish an individual within a group of people, or describe this person as belonging to a community or a category. How far have we moved through this process? The identity [r]evolution is already becoming part of our daily lives. People are eager to share information with their "friends" in social networks like Facebook, in chat rooms, or in Second Life. Customers take advantage of the numerous bonus cards that are made available. Video surveillance is becoming the rule. In several countries, traditional ID documents are being replaced by biometric passports with RFID technologies. 
This raises several privacy issues and might actually even result in changing the perception of the concept of privacy itself, in particular by the younger generation. In the information society, our (partial) identities become the illusory masks that we choose -or that we are assigned- to interplay and communicate with each other. Rights, obligations, responsibilities, even reputation are increasingly associated with these masks. On the one hand, these masks become the key to access restricted information and to use services. On the other hand, in case of a fraud or negative reputation, the owner of such a mask can be penalized: doors remain closed, access to services is denied. Hence the current preoccupying growth of impersonation, identity-theft and other identity-related crimes. Where is the path of the identity [r]evolution leading us? The booklet is giving a glance on possible scenarios in the field of identity.

Relevance:

30.00%

Publisher:

Abstract:

This study aims to improve the accuracy and usability of Iowa Falling Weight Deflectometer (FWD) data by incorporating significant enhancements into the fully-automated software system for rapid processing of the FWD data. These enhancements include: (1) refined prediction of backcalculated pavement layer modulus through deflection basin matching/optimization, (2) temperature correction of backcalculated Hot-Mix Asphalt (HMA) layer modulus, (3) computation of 1993 AASHTO design guide related effective SN (SNeff) and effective k-value (keff), (4) computation of Iowa DOT asphalt concrete (AC) overlay design related Structural Rating (SR) and k-value (k), and (5) enhancement of user-friendliness of input and output from the software tool. A high-quality, easy-to-use backcalculation software package, referred to as, I-BACK: the Iowa Pavement Backcalculation Software, was developed to achieve the project goals and requirements. This report presents theoretical background behind the incorporated enhancements as well as guidance on the use of I-BACK developed in this study. The developed tool, I-BACK, provides more fine-tuned ANN pavement backcalculation results by implementation of deflection basin matching optimizer for conventional flexible, full-depth, rigid, and composite pavements. Implementation of this tool within Iowa DOT will facilitate accurate pavement structural evaluation and rehabilitation designs for pavement/asset management purposes. This research has also set the framework for the development of a simplified FWD deflection based HMA overlay design procedure which is one of the recommended areas for future research.

Relevance:

30.00%

Publisher:

Abstract:

Through this article, we propose a mixed management of patients' medical records, so as to share responsibilities between the patient and the Medical Practitioner by making Patients responsible for the validation of their administrative information, and MPs responsible for the validation of their Patients' medical information. Our proposal can be considered a solution to the main problem faced by patients, health practitioners and the authorities, namely the gathering and updating of administrative and medical data belonging to the patient in order to accurately reconstitute a patient's medical history. This method is based on two processes. The aim of the first process is to provide a patient's administrative data, in order to know where and when the patient received care (name of the health structure or health practitioner, type of care: outpatient or inpatient). The aim of the second process is to provide a patient's medical information and to validate it under the accountability of the Medical Practitioner with the help of the patient if needed. During these two processes, the patient's privacy will be ensured through cryptographic hash functions like the Secure Hash Algorithm, which allows pseudonymisation of a patient's identity. The proposed Medical Record Search Engines will be able to retrieve and to provide upon a request formulated by the Medical Practitioner all the available information concerning a patient who has received care in different health structures without divulging the patient's identity. Our method can lead to improved efficiency of personal medical record management under the mixed responsibilities of the patient and the MP.

Relevance:

30.00%

Publisher:

Abstract:

EXECUTIVE SUMMARY: Evaluating Information Security Posture within an organization is becoming a very complex task. Currently, the evaluation and assessment of Information Security are commonly performed using frameworks, methodologies and standards which often consider the various aspects of security independently. Unfortunately this is ineffective because it does not take into consideration the necessity of having a global and systemic multidimensional approach to Information Security evaluation. At the same time the overall security level is globally considered to be only as strong as its weakest link. This thesis proposes a model aiming to holistically assess all dimensions of security in order to minimize the likelihood that a given threat will exploit the weakest link. A formalized structure taking into account all security elements is presented; this is based on a methodological evaluation framework in which Information Security is evaluated from a global perspective. This dissertation is divided into three parts. Part One: Information Security Evaluation issues consists of four chapters. Chapter 1 is an introduction to the purpose of this research and the Model that will be proposed. In this chapter we raise some questions with respect to "traditional evaluation methods" as well as identifying the principal elements to be addressed in this direction. Then we introduce the baseline attributes of our model and set out the expected result of evaluations according to our model. Chapter 2 is focused on the definition of Information Security to be used as a reference point for our evaluation model. The inherent concepts of the contents of a holistic and baseline Information Security Program are defined. Based on this, the most common roots-of-trust in Information Security are identified. Chapter 3 focuses on an analysis of the difference and the relationship between the concepts of Information Risk and Security Management. 
Comparing these two concepts allows us to identify the most relevant elements to be included within our evaluation model, while clearly situating these two notions within a defined framework is of the utmost importance for the results that will be obtained from the evaluation process. Chapter 4 sets out our evaluation model and the way it addresses issues relating to the evaluation of Information Security. Within this Chapter the underlying concepts of assurance and trust are discussed. Based on these two concepts, the structure of the model is developed in order to provide an assurance related platform as well as three evaluation attributes: "assurance structure", "quality issues", and "requirements achievement". Issues relating to each of these evaluation attributes are analysed with reference to sources such as methodologies, standards and published research papers. Then the operation of the model is discussed. Assurance levels, quality levels and maturity levels are defined in order to perform the evaluation according to the model. Part Two: Implementation of the Information Security Assurance Assessment Model (ISAAM) according to the Information Security Domains consists of four chapters. This is the section where our evaluation model is put into a well-defined context with respect to the four pre-defined Information Security dimensions: the Organizational dimension, Functional dimension, Human dimension, and Legal dimension. Each Information Security dimension is discussed in a separate chapter. For each dimension, the following two-phase evaluation path is followed. The first phase concerns the identification of the elements which will constitute the basis of the evaluation: • Identification of the key elements within the dimension; • Identification of the Focus Areas for each dimension, consisting of the security issues identified for each dimension; • Identification of the Specific Factors for each dimension, consisting of the security measures or control addressing the security issues identified for each dimension. The second phase concerns the evaluation of each Information Security dimension by: • The implementation of the evaluation model, based on the elements identified for each dimension within the first phase, by identifying the security tasks, processes, procedures, and actions that should have been performed by the organization to reach the desired level of protection; • The maturity model for each dimension as a basis for reliance on security. For each dimension we propose a generic maturity model that could be used by every organization in order to define its own security requirements. Part three of this dissertation contains the Final Remarks, Supporting Resources and Annexes. With reference to the objectives of our thesis, the Final Remarks briefly analyse whether these objectives were achieved and suggest directions for future related research. Supporting resources comprise the bibliographic resources that were used to elaborate and justify our approach. Annexes include all the relevant topics identified within the literature to illustrate certain aspects of our approach. Our Information Security evaluation model is based on and integrates different Information Security best practices, standards, methodologies and research expertise which can be combined in order to define a reliable categorization of Information Security. After the definition of terms and requirements, an evaluation process should be performed in order to obtain evidence that the Information Security within the organization in question is adequately managed. We have specifically integrated into our model the most useful elements of these sources of information in order to provide a generic model able to be implemented in all kinds of organizations. 
The value added by our evaluation model is that it is easy to implement and operate and answers concrete needs in terms of reliance upon an efficient and dynamic evaluation tool through a coherent evaluation system. On that basis, our model could be implemented internally within organizations, allowing them to govern better their Information Security. RÉSUMÉ : Contexte général de la thèse L'évaluation de la sécurité en général, et plus particulièrement, celle de la sécurité de l'information, est devenue pour les organisations non seulement une mission cruciale à réaliser, mais aussi de plus en plus complexe. A l'heure actuelle, cette évaluation se base principalement sur des méthodologies, des bonnes pratiques, des normes ou des standards qui appréhendent séparément les différents aspects qui composent la sécurité de l'information. Nous pensons que cette manière d'évaluer la sécurité est inefficiente, car elle ne tient pas compte de l'interaction des différentes dimensions et composantes de la sécurité entre elles, bien qu'il soit admis depuis longtemps que le niveau de sécurité globale d'une organisation est toujours celui du maillon le plus faible de la chaîne sécuritaire. Nous avons identifié le besoin d'une approche globale, intégrée, systémique et multidimensionnelle de l'évaluation de la sécurité de l'information. En effet, et c'est le point de départ de notre thèse, nous démontrons que seule une prise en compte globale de la sécurité permettra de répondre aux exigences de sécurité optimale ainsi qu'aux besoins de protection spécifiques d'une organisation. Ainsi, notre thèse propose un nouveau paradigme d'évaluation de la sécurité afin de satisfaire aux besoins d'efficacité et d'efficience d'une organisation donnée. 
We then propose a model that aims to evaluate holistically all the dimensions of security, in order to minimize the probability that a potential threat could exploit vulnerabilities and cause direct or indirect damage. This model is based on a formalized structure that takes into account all the elements of a security system or programme. Thus, we propose a methodological evaluation framework that considers information security from a global perspective. Structure of the thesis and topics covered. Our document is structured in three parts. The first, entitled "The problem of evaluating information security", consists of four chapters. Chapter 1 introduces the object of the research as well as the basic concepts of the proposed evaluation model. The traditional way of evaluating security is critically analysed in order to identify the main and invariant elements to be taken into account in our holistic approach. The basic elements of our evaluation model and its expected operation are then presented so that the expected results of this model can be outlined. Chapter 2 focuses on the definition of the notion of Information Security. This is not a redefinition of the notion of security, but a putting into perspective of the dimensions, criteria and indicators to be used as a reference base, in order to determine the object of evaluation that will be used throughout our work. The concepts inherent in what constitutes the holistic character of security, as well as the constituent elements of a security reference level, are defined accordingly. This makes it possible to identify what we have called "the roots of trust".
Chapter 3 presents and analyses the difference and the relationships that exist between the Risk Management and Security Management processes, in order to identify the constituent elements of the protection framework to be included in our evaluation model. Chapter 4 is devoted to presenting our evaluation model, the Information Security Assurance Assessment Model (ISAAM), and the way in which it meets the evaluation requirements as we presented them earlier. In this chapter the underlying concepts relating to the notions of assurance and trust are analysed. Based on these two concepts, the structure of the evaluation model is developed to obtain a platform that offers a certain level of guarantee by relying on three evaluation attributes, namely: "the trust structure", "the quality of the process", and "the achievement of requirements and objectives". The issues related to each of these evaluation attributes are analysed on the basis of the state of the art in research and the literature, the various existing methods, and the most common norms and standards in the security field. On this basis, three different evaluation levels are constructed, namely: the assurance level, the quality level and the maturity level, which constitute the basis for evaluating the overall state of an organization's security. The second part, "Application of the Information Security Assurance Assessment Model by security domain", also consists of four chapters. The evaluation model already constructed and analysed is, in this part, placed in a specific context according to the four predefined security dimensions, which are: the Organizational dimension, the Functional dimension, the Human dimension, and the Legal dimension.
Each of these dimensions and its specific evaluation is the subject of a separate chapter. For each dimension, a two-phase evaluation is constructed as follows. The first phase concerns the identification of the elements that form the basis of the evaluation: • Identification of the key elements of the evaluation; • Identification of the "Focus Areas" for each dimension, which represent the issues found within the dimension; • Identification of the "Specific Factors" for each Focus Area, which represent the security and control measures that help resolve or reduce the impacts of the risks. The second phase concerns the evaluation of each of the dimensions previously presented. It consists, on the one hand, of implementing the general evaluation model for the dimension concerned by: • relying on the elements specified during the first phase; • identifying the specific security tasks, processes and procedures that should have been performed to reach the desired level of protection. On the other hand, the evaluation of each dimension is completed by the proposal of a maturity model specific to each dimension, which is to be considered as a reference base for the overall level of security. For each dimension we propose a generic maturity model that can be used by any organization in order to specify its own security requirements. This constitutes an innovation in the field of evaluation, which we justify for each dimension and whose added value we systematically highlight. The third part of our document relates to the overall validation of our proposal and contains, by way of conclusion, a critical perspective on our work and final remarks. This last part is completed by a bibliography and annexes.
Our security evaluation model integrates and is based on numerous sources of expertise, such as best practices, norms, standards, methods and the expertise of scientific research in the field. Our constructive proposal addresses a real, as yet unsolved problem that all organizations must face, regardless of size and profile. It would allow them to specify their particular requirements regarding the level of security to be met, and to instantiate an evaluation process specific to their needs so that they can ensure that their information security is managed appropriately, thus offering a certain level of confidence in the degree of protection provided. We have integrated into our model the best of the know-how, experience and expertise currently available internationally, with the aim of providing an evaluation model that is simple, generic and applicable to a large number of public or private organizations. The added value of our evaluation model lies precisely in the fact that it is sufficiently generic and easy to implement while providing answers to the concrete needs of organizations. Thus our proposal constitutes a reliable, efficient and dynamic evaluation tool stemming from a coherent evaluation approach. As a result, our evaluation system can be implemented internally by the company itself, without recourse to additional resources, and also gives it the possibility of better governing its information security.

Relevance:

30.00% 30.00%

Publisher:

Abstract:

Financial information is extremely sensitive. Hence, electronic banking must provide a robust system to authenticate its customers and let them access their data remotely. On the other hand, such a system must be usable, affordable, and portable. We propose a challenge-response based one-time password (OTP) scheme that uses symmetric cryptography in combination with a hardware security module. The proposed protocol safeguards passwords from keyloggers and phishing attacks. Besides, this solution provides convenient mobility for users who want to bank online anytime and anywhere, not just from their own trusted computers.

Relevance:

30.00% 30.00%

Publisher:

Abstract:

The use of open source software continues to grow on a daily basis. Today, enterprise applications contain 40% to 70% open source code, and this fact has legal, development, IT security, risk management and compliance organizations focusing their attention on its use as never before. They increasingly understand that the open source content within an application must be detected. Once uncovered, decisions regarding compliance with intellectual property licensing obligations must be made and known security vulnerabilities must be remediated. From a risk perspective, it is no longer acceptable to leave either of these open source issues unaddressed.

Relevance:

30.00% 30.00%

Publisher:

Abstract:

The production and use of false identity and travel documents in organized crime represent a serious and evolving threat. However, the present-day fight against this criminal problem is essentially driven by a case-by-case perspective, and thus suffers from linkage blindness and a limited analysis capacity. To assist in overcoming these limitations, a process model was developed using a forensic perspective. It guides the systematic analysis and management of seized false documents to generate forensic intelligence that supports strategic and tactical decision-making in an intelligence-led policing approach. The model is articulated on a three-level architecture that aims to assist in detecting and following up on general trends, production methods and links between cases or series. Using analyses of a large dataset of counterfeit and forged identity and travel documents, it is possible to illustrate the model, its three levels and their contribution. Examples will point out how the proposed approach assists in detecting emerging trends, in evaluating the black market's degree of structure, in uncovering criminal networks, in monitoring the quality of false documents, and in identifying their weaknesses to orient the conception of more secure travel and identity documents. The process model proposed is thought to have a general application in forensic science and can readily be transposed to other fields of study.

Relevance:

30.00% 30.00%

Publisher:

Abstract:

Purpose The purpose of our multidisciplinary study was to define a pragmatic and secure alternative to the creation of a national centralised medical record which could gather together the different parts of the medical record of a patient scattered in the different hospitals where he was hospitalised without any risk of breaching confidentiality. Methods We first analyse the reasons for the failure and the dangers of centralisation (i.e. difficulty to define a European patients' identifier, to reach a common standard for the contents of the medical record, for data protection) and then propose an alternative that uses the existing available data on the basis that setting up a safe though imperfect system could be better than continuing a quest for a mythical perfect information system that we have still not found after a search that has lasted two decades. Results We describe the functioning of Medical Record Search Engines (MRSEs), using pseudonymisation of patients' identity. The MRSE will be able to retrieve and to provide upon an MD's request all the available information concerning a patient who has been hospitalised in different hospitals without ever having access to the patient's identity. The drawback of this system is that the medical practitioner then has to read all of the information and to create his own synthesis and eventually to reject extra data. Conclusions Faced with the difficulties and the risks of setting up a centralised medical record system, a system that gathers all of the available information concerning a patient could be of great interest. This low-cost pragmatic alternative which could be developed quickly should be taken into consideration by health authorities.