mechanisms ensure that data is not garbled, modified, or lost during transmission across a network. Data integrity mechanisms can also help to ensure that the data is from the intended sender, and not from an impostor. Data integrity mechanisms include checksums and digital signatures. Note that a plain checksum detects only accidental corruption: an attacker who can modify the data in transit can recompute the checksum as well. Detecting deliberate tampering, and tying the data to its sender, requires a keyed mechanism such as a message authentication code (MAC) or a digital signature.

Nonrepudiation. Nonrepudiation is the security concept that applies to proving the transmission of a particular message. If a system implements technical nonrepudiation, the sender of a message cannot later deny having sent it, and the receiver cannot later deny having received it. Furthermore, if the message contains contractual information, the presence of a digital signature with the message can often be used to assert that the contractual information was not improperly altered.

Public key infrastructure (PKI). The term generally used to describe the laws, policies, standards, and software that regulate or manipulate certificates and public and private keys. In practice, it is a system of digital certificates, certification authorities, and other registration authorities that verify and authenticate the validity of each party involved in an electronic transaction. Standards for PKI are still evolving, even though they are being widely implemented as a necessary element of electronic commerce.

Virtual private network (VPN). The extension of a private network that encompasses encapsulated, encrypted, and authenticated links across shared or public networks. VPN connections can provide remote access and routed connections to private networks over the Internet.

4 Processes and Activities

This chapter provides a detailed discussion of the processes and activities that occur in the Security Administration SMF.

Process Flow Summary

Security management processes revolve around the six main security tenets and their activities, as well as auditing (important for disclosing security breaches). These are listed below:

• Identification
• Authentication
  • Biometric authentication systems
  • Smart card authentication systems
  • Password authentication systems
  • Web access authentication
• Access control
  • Authorized usage warning
  • Accountability and shared user IDs
  • Account lockout
  • Settings to limit unauthorized session use and systems access
  • Setting privileges and permissions on objects
  • Role-based access control and delegation of authority
• Confidentiality
  • Private key encryption
  • Public key encryption and PKI
  • Virtual private networks
  • File system confidentiality
• Integrity
• Nonrepudiation
• Auditing
  • Planning auditing
  • Implementing auditing
  • Testing auditing

Identification

Identification is the mechanism by which the system asks the user, "Who are you?" Users identify themselves to the system by means of a user ID (also referred to as a user name or logon name). User IDs must be unique (that is, no two users in a system can have the same user ID). To ensure that user IDs are unique, it is important to develop a logon-naming standard that clearly addresses all name characteristics. This is especially important if the system limits user ID length to eight characters, although this consideration is not an issue with Microsoft Windows® operating systems.

Issues in naming conventions arise when people have:
• Hyphenated last names.
• Last names that contain de, de la, van, van der, and so forth.
• A name identical to that of another user who is already on the system.

A well-defined naming convention has the following characteristics:
• User IDs are easy for users to remember.
• User IDs are easy for administrators to create.
• Administrators can easily determine the owner of any user ID.

Following are some suggestions for creating standard user IDs:
• Use first initial plus last name. For example, Lori Kane would have user ID lkane.
• For users who have elements in their last names, such as de, de la, van, van der, and so on, retain the full last name, but remove the spaces.
• If user IDs are limited to eight characters, truncate the ID at eight characters. For example, Ariane Berthier would have user ID aberthie.
• If two or more users would receive identical user IDs, distinguish them with a trailing number. When the ID is already at the length limit, the number replaces the last character so that the limit is not exceeded. For example, if Ariane Berthier joins the company first, her eight-character user ID would be aberthie. If a user with a similar first and last name joins the company later, that user's ID would be aberthi1; a third such user would be aberthi2, and so forth. On a system without a length limit the number can simply be appended (aberthie1, aberthie2).

Many organizations use a four-digit identifier at the end of logon names because this method often eliminates the possibility of duplicate IDs. The following number sequences might be used:
• Office phone extension. These four digits should be a number that is easy for the user to remember.
• Start date with the organization.
Note that both of these values typically appear in the company directory, so they make an ID unique, not hard to guess.

The following practices are not recommended:
• Using a full government ID (such as a social security number) as part of the user name. This could violate privacy laws and would increase the possibility of identity theft.
• Creating user IDs that are entirely numerical. User names should be easy to associate with the users to whom they belong. It is much easier to recognize a name than a number.
• Allowing users to use nicknames as part of their user ID. This goes back to easily associating user names with users. For example, if a user uses a school nickname as part of a user ID, many people may not recognize to whom the user name refers.
• Using the birth year as part of the user name. This raises age discrimination issues and may increase the possibility of identity theft.

An additional point to consider is that the user ID is half of the information needed to get into the system if traditional user name/password authentication is used. If they