Information Security Group (ISG), Royal Holloway's Blog

How can you lose something you have given away?

By Information Security Group (ISG), Royal Holloway in Industry

Posted in data security, Security on May 7, 2008 at 12:06 pm


The news has been plagued over the last year with stories of the UK Government and major corporations losing CDs with private information on them. But a few days ago I noticed in a story on the BBC website that the Italian Government has found a novel way to prevent the unauthorised loss of confidential information – they’re giving it away for free. How can you lose confidentiality over data that was not confidential in the first place?

It seems as if one of the last actions of Italian prime-minister Romano Prodi’s outgoing government was to sign off on a plan to release the names, addresses, birthdates and incomes of all Italian citizens via the Italian tax authority’s website, all in the name of freedom of information.

And, as you may expect, I find there to be an information security lesson in all of this…

You see, while some of my fellow information security specialists and most of the UK’s journalists have been clamouring for the heads of the hapless employees that lost our personal details on CDs in the mail, I have been more circumspect. I would question whether these Guy-Fawkes-figures quite deserve the vilification that they have received.

The security management standard (ISO/IEC 27001) teaches us that a secure information security management system (ISMS) isn’t necessarily one in which security incidents don’t take place. Rather, it is one which attempts to prevent major incidents through training, education and well-understood policies, but accepts that incidents will happen and attempts to learn from them.

Let’s take the case of the lost CDs – the sender may be guilty of a lack of common sense, but they should only accept blame for the security incident if they have acted against the training that they have been given by the organisation. The question of whether they have broken the security policy is a completely moot point. The employee is only to blame if they knew the policy and then chose to act against it. And I would bet dollars-to-doughnuts that this isn’t the case.

So, is it the fault of the ISMS for not educating the employee? Perhaps. But security policies will never cover all eventualities, and security incidents are going to happen. In a situation like this, it’s somewhat futile to attempt to cast blame. ISO/IEC 27001 would rather have us attempt to identify where the mistake was made and correct it (with new policies or, as is more likely, through renewed training and education). Rather like the sports team that suffers an ignoble defeat at the hands of a team three leagues below them, a good information security manager will leave blame to the newspapers and concentrate on improving his game to the point where the ISMS won’t be caught off guard again.

But I hesitate even to say that the organisation’s ISMS was at fault in the case of the lost CD. No ISMS exists in a vacuum and all departments need access to the outside world. Perhaps the mail carrier to whom the data CD was given was regarded as a trusted sub-contractor who guaranteed a level of security as part of the contract with the organisation and provided sufficient evidence that they could cope with the job? Suddenly, the organisation needs to take no blame at all, and it’s the mail carrier’s ISMS that needs to be examined.

Lastly, and to bring the whole post back to its original point, no ISMS can prevent a mistake that is made wilfully. If the senior management team cannot be persuaded that some action, for example publishing the name, address, birthdate, and income of every employee in the organisation, is a bad idea, then even the most brilliant security manager cannot do much beyond prepare for the inevitable storm of trouble that is heading his way. I have a certain measure of sympathy for the information security team within the Italian tax authority today – it’s not going to be a good day for them.

In conclusion, security incidents are going to happen in any organisation: a good ISMS prevents what it can and reacts to what it cannot prevent. It seeks not to blame, but to repair, and hopefully the silver lining to all of these lost CD incidents will be better ISMSs all around. What I want to know is why all the data was put on a CD in the first place: haven’t these people heard of solid state memory?

Dr. Alex Dent


 

Privacy denied?

By Information Security Group (ISG), Royal Holloway in Industry

Posted in cryptography, Security on April 28, 2008 at 11:42 am


Most of the privacy technology used on the Internet, and in many other places, is under-pinned by public-key cryptography; most notably, public-key key agreement protocols and public-key encryption algorithms. Almost all of this technology is based on two incredibly important mathematical algorithms: the Diffie-Hellman key agreement protocol (publicly discovered in 1976) and the RSA encryption algorithm (publicly discovered in 1978). If we hadn’t had these two algorithms, then the security world would have been a very different place. And we almost didn’t have them…

It’s relatively well known now that, before the whole concept of public-key cryptography was publicly discovered by Whitfield Diffie and Marty Hellman in 1976, it was discovered several years before by the UK Government’s military cryptography group at GCHQ.

The notion of public-key cryptography was first invented by James Ellis in 1969 — seven years before the idea would be re-discovered in the public domain. However, Ellis couldn’t come up with a practical system — just a proof of concept system that would never be useable in practice. A practical system was not discovered until 1973, when Clifford Cocks invented the algorithm that we now call the RSA algorithm. The idea, he says, came to him overnight. A few months later, another researcher at GCHQ, Martin Williamson, invented the algorithm that we now call Diffie-Hellman, also overnight.

What is less well-known, and I only recently discovered, is that the UK government also considered patenting the ideas.

This revelation was announced during an invited talk by the cryptography pioneer Clifford Cocks at the Eurocrypt 2008 research conference — the largest and most highly regarded European conference in cryptographic research — which was held this year in Istanbul, Turkey. Geography buffs will be pleased to hear that it was held on the Western bank of the Bosphorus — if it had been held on the Eastern bank, then it would technically have had to be the Asiacrypt conference.

And so it was to a packed house of cryptographers, that Clifford Cocks announced that the UK Government had considered filing a patent on the Diffie-Hellman protocol and the RSA algorithm — the two algorithms which underpin privacy almost everywhere on the Internet. There was a collective gasp, from myself included, but I don’t think that I fully understood the implication of the revelation at that time. Naively, I only thought of the revenue that could have been created.

It’s not clear whether the UK Government would have actively sought to repress public-key cryptography during the 1980s. I think it’s fair to say that most major powers were worried about the proliferation of strong cryptography. Early attempts by the ISO standardisation committee to standardise the RSA algorithm in that decade were blocked for political reasons. However, it’s not really fair to say that this implies that the UK Government would have sought to control the technology, but if they had wanted to repress it, then a patent would have been the perfect weapon in their arsenal.

Regardless of the political controversy, it is fair to say that RSA Labs would have been unlikely to be formed if someone else had held the patent to the RSA algorithm, and this would have had profound effects on the development of security technology. After the ISO standardisation committee failed to standardise public-key cryptography, it was RSA Labs that stepped in to help, by producing the RSA PKCS series of standards. These standards underpin the use of public-key key agreement and public-key encryption everywhere.

No public-key cryptography standards means there wouldn’t have been any secure commercial implementations, which means there wouldn’t have been a secure and private Internet.

So, even if the UK Government hadn’t inhibited the use of public-key technology, the patent would probably have meant that we didn’t develop standards for public-key cryptography for many, many years. We might, at this stage, be as much as ten years behind on the development of practical privacy systems on the Internet.

So who should we thank for the development of useable public-key cryptography? Well, clearly we should thank the scientists involved in the discovery, both the governmental inventors of public-key cryptography (Ellis, Cocks, and Williamson) and their commercial counterparts (Merkle, Diffie, Hellman, Rivest, Shamir, and Adleman). However, in a weird way, we also need to thank the GCHQ lawyers who claimed that a patent on these ideas was unobtainable: if not for these lawyers, then we wouldn’t have the security sector that we have today.

Dr. Alex Dent


 

Has the government got the business case for ID cards right?

By Information Security Group (ISG), Royal Holloway in Industry

Posted in ID cards, Biometrics, Security on April 2, 2008 at 5:39 pm


In asking whether the government has got the business case for ID cards right, we need to understand precisely what that business case is. Plenty has been written on how the government has been changing its mind on what benefits the ID cards provide since the inception of the programme. If we look at the speech made by the Home Secretary Jacqui Smith to Demos on the 6th of March 2008 giving an update on the identity card scheme, the justifications are broadly split into two areas.

Firstly, there are a number of preventative measures which have been previously touted as reasons for the scheme’s implementation: illegal immigration, illegal working, benefit fraud; fighting terrorism. Secondly, and what seems to be particularly emphasised this time round, is the perceived “added convenience” to the citizen.

This change of tack would appear to tie in directly with the change of the roll-out plans by the government. In these revised plans only foreign nationals and those working in “sensitive” positions will, initially, be required to register. UK nationals will then be “encouraged” to register from 2010, and all new passport details entered on the National Identity Register from 2011/12.

The government anticipates that the perceived benefits will convince individuals to register for the scheme leading to a “market driven” uptake of the cards. Many people feel this would appear to be a reaction to the recent embarrassing losses of data by several different government departments over the past 6 months.

Given that there are a number of ways in which the government could spend the estimated £5.4bn to act preventatively (in tackling illegal working, terrorism, etc), we focus our attention here on how the perceived benefits for the average citizen measure up.

The Home Secretary’s speech contains a number of facts and figures intended to provide evidential weight to strengthen the argument for the ID cards’ benefit to the individual. However some of these reasons – a reduction in identity fraud and ease of identity verification in particular – are difficult to justify, as we argue next.

In terms of reduction of identity fraud, a figure of £1.7bn is quoted as being the sum lost every year in the UK. However, the estimates on identity fraud include all frauds, including those where existing accounts are misused. ID cards would do very little to help in this scenario. In addition, many instances of opening an account these days happen remotely. As can be seen in the following piece from the BBC series “The Real Hustle”, tens of thousands of pounds worth of debt can be racked up against an individual without the perpetrator ever having to transact with the financial institution face-to-face. Again, ID cards would do nothing to prevent this type of fraud.

In terms of ease of identity verification, the government’s argument that the citizen will benefit relies strongly on the ability of a third party to be able to verify the citizen’s identity based on their fingerprints. To quote the Home Secretary from her recent speech:

“Because your name will be linked by your fingerprints to a unique entry on the National Identity Register, you will have much greater protection from identity theft – no-one will be able to impersonate you, like they can now, just by finding out your name and address and personal details.”

In which case, how many institutions are going to have the wherewithal to implement a robust and reliable mechanism for verifying a user’s fingerprint? This requires additional equipment, training for staff, increased transaction cost, physical presence of the customer, etc.

How will a third party be able to securely query the National Identity Register? If, as stated by the Home Secretary, the database will not be online, how will organisations of all sizes and types get access to this information?

How many types of transactions can have their security augmented in this way? Not those transactions which can happen remotely. Even for those where the citizen is physically present, it is unclear how many would be suitable for a fingerprint to be used as part of the authentication process.

In addition, the known failure-rates for biometric technology are not insignificant. The non-match rates, where an authentic user cannot be verified, are of the order of 1-2%. When these percentages are applied to a user population the size of a country, the number of errors expected is huge. What happens when someone tries to verify their fingerprint and the match is rejected? These are going to be very real concerns when someone comes to open a bank account or start a new job. There are two very real knock-on effects from this. Firstly, there will need to be processes to deal with these errors, which themselves open up the system to new weaknesses. Secondly, if people frequently encounter errors in the system, the perception of its benefit and reliability is likely to drop significantly.

In addition, the arguments put forward to support the practicality of the scheme – using the examples of how encryption is used on the new biometric passports and how more than one million biometric visas have been issued – have weaknesses in their assumptions, as we will now argue.

In terms of the encryption of information used on passports, the Basic Access Control implemented under the International Civil Aviation Organization (ICAO) regulations is known to have existing weaknesses in it. In addition, from the consumer’s perspective, it is ultimately the integrity of the data (both in terms of the verifiability of the data by a third party, and how that data is verified at registration) which is key.

In our view, the comparison to the biometric visa system is not valid because the visas are only processed in a small number of dedicated, government-run centres, with carefully vetted and trained members of staff. It is unclear how a similar system would scale to the population of the UK where the verifying party is likely to be any one of a disparate and large number of commercial entities.

Further issues which appear to have been given little attention, but will undoubtedly have a large effect on the effectiveness of the resulting scheme include: reliability of the registration process; liability; the insider threat; how to deal with errors in the database.

All in all, it would appear that the government is determined to pursue the implementation of the ID card scheme. In fact the Home Secretary herself has, on a number of occasions, identified how the government see this as a necessity in achieving their stated goals.

We do not disagree with the premise that a more robust way of asserting identity would be useful for the citizen. However, a person’s belief that a given course of action provides a particular benefit should be backed up by reasoned argument. If we leave the questions related to immigration and national security aside (and how the money might be better spent there), we are still to be convinced that the proposal, as it stands, can deliver the perceived benefit to the consumer in a cost effective manner, and without introducing a number of new threats and vulnerabilities.

Dr. Geraint Price


 

Control the controllers

By Information Security Group (ISG), Royal Holloway in Industry

Posted in Auditing, Biometrics, Security on March 6, 2008 at 12:28 pm


It is still too early to offer a definitive opinion on what went wrong at Société Générale and how to prevent it in future, but given the rumours swirling around, let’s focus instead on the established facts.

Société Générale’s own interim report is a veritable goldmine of information. At 27 pages, it’s not an easy document to digest, but it makes for fascinating reading. It explains that the trader at the centre of the storm, Jerome Kerviel, was able to disguise extreme trading positions by creating false trades in the reverse direction, using undetermined, internal or even non-existent counterparties.

The report also reveals that a total of 75 separate internal alerts were raised on Kerviel’s trading activities between 2005 and 2008, but that none led to a robust internal investigation. Several externally generated alarms seem to have been ignored too.

The interim report indicates that Kerviel was not some new breed of super-hacker, and did not appear to have accomplices in other parts of the bank. Instead, he understood how to create layers of obfuscation to disguise his trading activities, and how to throw internal investigations off the scent.

It may be that the time Kerviel spent in the bank’s back-office gave him an insight into exactly how to achieve this. Sometimes, his techniques were laughably simple: bamboozling colleagues in the middle- and back-offices with phoney explanations for odd-looking trades, and even sending spoof-forwarded e-mails from alleged counterparties to persuade internal auditors that all was well.

The interim report shows Kerviel made a profit of 1.5 billion euros for Société Générale from these kinds of activities in 2007, and was apparently an overnight star performer. But Kerviel’s luck could not last, and in early 2008 his activities were uncovered. But only just.

The first sign came on 2 January, when a daily report passed to Société Générale’s group risk department failed because it did not contain up-to-date information on eight of Kerviel’s transactions. When Kerviel supplied the missing data, the risk team’s calculations revealed an unacceptably high level of risk associated with “Bank E”, the counterparty to these trades.

It then took the best part of three weeks of to-ing and fro-ing between various Société Générale departments before the full picture emerged. Société Générale discovered it had an exposure of around 49 billion euros on index futures that was offset only by fictitious trades in the reverse direction. Société Générale was then forced to unwind Kerviel’s positions under unfavourable market conditions, resulting in a loss of 6.4 billion euros.

A key issue is whether Société Générale’s internal controls were sufficiently robust to detect Kerviel’s trading patterns. It is surprising that the bank’s trading platform allowed Kerviel to initiate trades with bogus and non-existent counterparties. What controls, if any, were in place at the level of application software to detect or even prevent this from happening?

Of the 75 separate alerts concerning Kerviel’s fraudulent activities, only one led to the discovery of the rogue trades. This alert was raised because a set of eight Kerviel trades were not compliant with the Basel II risk standards. An almost comical chain of e-mails and telephone calls involving some 30 employees in various bank departments followed before a full appreciation of the situation was realised. Société Générale’s incident response procedures seem sorely lacking.

And what of the other 74 alerts? Each was acted on by bank staff in full accordance with the bank’s recommended controls. But these were simply ineffective. For example, in one case anomalies in Kerviel’s accounts were attributed to recurring problems with the bank’s IT systems. In another case, staff in the accounting department sought explanation for discrepancies, but did not alert their immediate superiors even though the amounts involved were high (in some cases, more than 1 billion euros). In yet other cases, the middle-office was fobbed off with explanations that would not have stood up to any serious scrutiny.

The Société Générale report repeatedly highlights that audit and accounting rules were followed to the letter, but that staff did not go beyond the rules to ask hard questions of Kerviel or his office. Kerviel’s activities were also spread across different financial instruments, and the bank lacked an integrated view of each trader’s activities.
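The two control failures described above (large discrepancies closed off within a single department without escalation, and no joined-up view of one trader across instruments) can be illustrated with a small aggregation check. The code below is an added example, not anything from Société Générale or its interim report: the alert records, the department names, the thresholds (1 billion euros for a single alert, three alerts on one trader) and the function names are all constructed assumptions. It groups alerts per trader regardless of which control raised them, and reports the traders whose alerts should have been escalated even though each individual alert had already been "resolved" locally.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Alert:
    """One control alert as it might be logged by a department's own process."""
    date: str
    trader: str
    department: str   # the control that raised the alert (assumed labels)
    instrument: str   # product type the alert relates to
    amount_eur: float
    resolution: str   # how the department closed the alert locally


# Constructed sample alerts for illustration; they are not taken from the report.
SAMPLE_ALERTS = [
    Alert("2007-03-02", "T1", "middle-office", "index-future", 250e6, "trader explanation accepted"),
    Alert("2007-04-11", "T1", "accounting", "index-future", 1.2e9, "attributed to IT problems"),
    Alert("2007-06-20", "T1", "back-office", "equity-swap", 800e6, "counterparty e-mail received"),
    Alert("2007-09-05", "T1", "risk", "index-future", 2.4e9, "discrepancy explained"),
    Alert("2007-10-15", "T2", "middle-office", "bond", 50e6, "booking corrected"),
]

# Assumed escalation thresholds; a real control framework would set its own.
ESCALATION_AMOUNT = 1e9   # any single alert at or above this must reach a supervisor
ESCALATION_COUNT = 3      # this many alerts on one trader, from any controls, must be reviewed together


def integrated_view(alerts):
    """Group alerts per trader across departments and instruments.

    This is the joined-up view the post says was missing: every control's
    alerts about the same person land in one bucket.
    """
    view = defaultdict(list)
    for alert in alerts:
        view[alert.trader].append(alert)
    return dict(view)


def escalations(alerts):
    """Return {trader: [reasons]} for traders whose alerts need a supervisor's review.

    Local resolution of each alert is deliberately ignored: the point of the
    check is that a department closing an alert does not make it disappear.
    """
    out = {}
    for trader, items in integrated_view(alerts).items():
        reasons = []
        large = [a for a in items if a.amount_eur >= ESCALATION_AMOUNT]
        if large:
            reasons.append(
                f"{len(large)} alert(s) at or above {ESCALATION_AMOUNT / 1e9:.1f} bn EUR"
            )
        if len(items) >= ESCALATION_COUNT:
            departments = {a.department for a in items}
            instruments = {a.instrument for a in items}
            reasons.append(
                f"{len(items)} alerts from {len(departments)} control(s) "
                f"across {len(instruments)} instrument type(s)"
            )
        if reasons:
            out[trader] = reasons
    return out


if __name__ == "__main__":
    for trader, reasons in escalations(SAMPLE_ALERTS).items():
        print(f"escalate {trader}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Run against the constructed sample, trader T1 is flagged on both counts (two alerts above the amount threshold, and four alerts spread over four controls and two instrument types) while T2 is not, even though every one of T1's alerts carries a local "resolution". The design choice worth noting is that the check keys on the trader, not on the department or the product, which is exactly the dimension the post says the bank's controls did not join up.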

To summarise: the back- and middle-office information security culture was not as it should have been, and lacked an appropriately cynical, hard-nosed and joined-up view of front-office activities.

Finally, we close with what would be the most amusing point of all, if it were not so startling. Société Générale’s interim report opens with a statement from the special investigation committee, composed of directors of the bank. It identifies the need to strengthen the bank’s control systems. And the number one control listed? The development of biometric identification solutions.

This seems to be a singularly inappropriate response to the problem, unless there are significant factors involved in Kerviel’s activities which are not covered in the interim report. Nothing in this case has anything to do with the bank’s inability to identify its employees. If biometrics are the answer, then what exactly was the question?

Prof. Kenny Paterson


 

Is Data Loss an Epidemic?

By Information Security Group (ISG), Royal Holloway in Industry

Posted in Security on February 17, 2008 at 8:27 am


In November last year, the Department of Work and Pensions disclosed that they had lost computer media containing the details of millions of people who were entitled to child benefit whilst it was in the process of being sent to the National Audit Office. Worse still, those details included personal bank identifiers on claimants. Despite investigations, at the time of writing this material had not been recovered and nobody knew where it was, or who had access to it. Worse, it was reported that the data was not encrypted. Well, mishaps occur, but in terms of information security, questions arise on precedent and procedure. As this was discussed in answer to a parliamentary question, the matter quickly became public knowledge, became the focus of media attention and left many families with cause for concern regarding the vulnerability of their financial assets. But is this the first time this has happened? Just by looking back six months to April 2007, in reported worldwide incidents we can see that data loss and disclosure from government departments and large organisations is not something new. Look at these:

April 2007

  • USA – Bank of America – social security number of employees lost through theft of a laptop.
  • New Zealand – Inland Revenue – an audit discovered loss of 106 laptops containing customer data.
  • USA – Dept. of Agriculture – loss of data of 38,000 individuals receiving farm subsidies.
  • UK – Dept. of Health – data loss of details of hundreds of junior doctors.
  • USA – New York Special Funds Committee – laptop lost with details of 540,000 individuals.


May 2007

  • USA – Louisiana State University – laptop lost with details of 750 students.
  • USA – Maryland Dept. of Natural resources – thumb drive lost with details of 1,400 Police and Rangers.
  • UK – Royal Cornwall Hospital – computer loss with details of 5,000 staff.
  • USA – Virginia Dept. of the Ageing – hard drive loss with details of 40,000 people.
  • UK – Marks & Spencer – laptop loss with details of 26,000 staff on pension plans.


June 2007

  • UK – Bank of Scotland – computer disc loss with details of 62,000 customers.
  • USA – Texas Police – laptop stolen with details of 97,000 employees.
  • UK – Accountancy firm Moorepay – laptop stolen with details on Prince Charles & his estate.
  • USA – Bowling Green University – loss of flash drive with details of 18,000 students.


July 2007

  • USA – Transport Security Administration – loss of hard drive with details of 100,000 employees.


October 2007

  • UK – HM Revenue & Customs – laptop stolen with financial details of 400 people.


November 2007

  • UK – HM Revenue & Customs – loss of CD with details of 15,000 pension policy holders.


Following the child benefit loss, in January 2008 the Ministry of Defence admitted the theft of a laptop containing details of military personnel. It just never seems to stop…

We do not need to postulate on Descartean Rationalism to understand that despite all the technical advances in information security, it is the basic and fundamental security measures that are being disregarded. Is it a lack of information security policies? Hardly. CESG (The National Technical Authority for Information Assurance) provides guidelines, policies and implements standards across all UK government departments and must be wondering where things are going wrong.

Like so many things it is not the knowing, but the doing, that matters in the end.

John Austen


 

Should we care about Academic breaks in Cryptography?

By Information Security Group (ISG), Royal Holloway in Industry

Posted in cryptography, Security on January 24, 2008 at 6:48 am


Cryptography is currently a very active, thriving area of interdisciplinary academic research. Various new proposals for cryptographic algorithms and protocols are published every year. New proposals are usually followed by extensive public scrutiny, which may often uncover design flaws. Lessons learned are incorporated, often leading to more secure and efficient designs in the future. Algorithms are continuously being analysed by the academic community; the old principle of “security through obscurity” seems to have finally been abandoned.

An interesting question arising from such a development lifecycle is: what are the practical implications of an academic break of a cryptographic algorithm? What if academic research shows some structural weakness in an algorithm, implying that the security claims made by the designers are no longer valid? Although it should certainly represent a danger to the algorithm’s long-term deployment, how can we assess whether this compromises the algorithm’s current practical use? For example, imagine that a researcher can show that, due to some unexpected structural properties, the complexity of a key-recovery attack against a 128-bit encryption algorithm (e.g. the AES) is of the order of 2^100 operations, rather than 2^128 operations as expected. These are both extraordinarily large numbers, so should this put in doubt the protection provided by the algorithm? Likewise, if some weakness or irregular behaviour affecting a specific application of a cryptographic algorithm is uncovered, does this compromise different uses of the same algorithm?

These are not easy questions to answer! Most researchers would argue that common sense should prevail in these situations. While medium-term replacement of the affected algorithm must be considered and disclosure of such properties will probably lead to better designs in the future, in most cases academic breaks represent little practical danger for current use of an algorithm. Such a weakness in an encryption algorithm should not mean that one would find it (in practice) easier to recover an encrypted message. Likewise, the lack of collision resistance in a hash function algorithm should in principle represent little danger to passwords protected by the same algorithm. However, we currently witness a growing trend of regulation-driven deployment of information security measures, and as a consequence, of cryptography. As a result, this advice may need to be reassessed, as the case below illustrates.

In late 2004, a driver was caught by a digital speeding camera driving above the limit in a town in New South Wales, Australia. During the court case that followed, the driver chose not to give evidence and never questioned the speed recorded in the digital image provided by the NSW Road and Traffic Authority. Instead, his lawyer relied on questioning the cryptographic algorithm used to provide integrity protection of the digital photos. The NSW Road Transport (Safety and Traffic Management) Act 1999 explicitly specified the MD5 hash function algorithm as the digital security indicator to ensure that speeding camera evidence had not been tampered with.

The lawyer had apparently learned of recent work by a group of Chinese researchers led by Xiaoyun Wang, which proposed new techniques to efficiently compute collisions in two of the most popular hash function algorithms, namely MD5 and SHA-1. This represented a surprising breakthrough in hash function cryptanalysis, and has led to a surge in research in the area. Many academic articles have followed, showing how to improve and extend the attacks against other hash functions. However, it is commonly agreed among researchers working in the field that, while their findings showed an essential structural weakness in these algorithms and have definitely accelerated their replacement (in fact, NIST has announced a competition to select a new hash function standard), they affect specific uses of hash functions (such as digital signatures, commitment) and in specific situations. Although it would be very unwise to develop and deploy new products using the affected algorithms, there is currently no evidence that all other uses of MD5 and SHA-1 have been compromised (for some interesting examples of applications of the attacks, see here and here).

Yet, the lawyer in the case argued that the recent research meant that MD5 was in essence broken (which is true, in academic terms) and as such could not be relied on to provide integrity protection. Although the RTA was given eight weeks to provide an expert witness to argue otherwise, it nevertheless failed to do so, and as a result the magistrate had little option but to throw out the case against the defendant. In March 2006, the NSW Supreme Court upheld the lower court’s ruling dismissing the speeding camera ticket as unreliable, and ordered the government to pay the defendant’s legal costs.

Although it is very unlikely that a malicious player could exploit the lack of collision resistance in MD5 to tamper with the speeding camera digital photo and the evidence provided, this particular case illustrates the possible implications of the wide-spread deployment of cryptography, driven by legislation and regulation, without a clear understanding of its strengths and limitations. Was this simply an anomalous, isolated case or can it be a sign of more to come? While apparently there have been no similar follow-up cases in Australia, the implications of such an outcome could be potentially staggering: an early case in which the accuracy of speeding cameras was put in doubt resulted in the refund or waiving of fines for thousands of motorists caught by speed cameras in Victoria, at a cost of A$26 million! Thus, in addition to software vulnerabilities, malware and hackers, CSOs may also need to start paying special attention to cryptanalytic research.

Dr Carlos Cid


The timely emergence of IISP

By Information Security Group (ISG), Royal Holloway in Industry

Posted in Security on January 7, 2008 at 6:43 pm

Permalink | Author Profile

Although information security (IS) has always been important, the concept of specialist qualifications in this area is fairly recent. The IS “profession” began to emerge in the 1980s, albeit in an ad hoc and piecemeal fashion and with little formality or structure. Industry leaders were self-trained and many individuals had the label of IS specialist, whereas in reality they had a particular focus on only one area of IS. At the end of the 1980s both CISSP and the Royal Holloway MSc were under development.

These were, I believe, the first dedicated qualifications available in the public domain. Since then the number of people specialising in IS has increased at an amazing rate, prompted by many positive events, including our increasing reliance on IT and the advent of the internet and electronic trading, coupled with an unacceptably large number of viruses, trojans and other high-profile security breaches.

As the number of security specialists increased, directors and managers in government and industry needed to trust that those who were responsible for IS in their organisation were competent, in the sense that they had the necessary knowledge and skills, and would behave in a professional and ethical manner.   

“How do you recognise a competent IS professional?” was a question acquiring ever-increasing importance by the late 1990s. It was this that prompted a small group of people to propose the formation of a professional body for IS. Their ideas were published in a document called “The Institute for Information Security Professionals: A Blueprint”, dated 7th December 2004, in which a professional institute was proposed to “promote information security as a recognised discipline through the provision of a framework for developing, improving and measuring the competence of information security practitioners, recognised by employers, regulators and other professional bodies.”

The Institute of Information Security Professionals (IISP) was launched in February 2006 and has attracted much interest. Well over 1,000 individuals have joined as associates and it has the support of more than 40 corporates and government departments (for details see www.instisp.com). Although in its infancy, the IISP has the ambitious principal objective “to advance the professionalism of information security practitioners and thereby the professionalism of the industry as a whole.

By the year 2010 the institute aims to provide a universally accepted focal point for the information security profession.” In addition, IISP aims “to act as an accreditation authority for the industry, and Membership and Fellowship of the Institute will be the internationally accepted gold standard for information security professionals.”

In my view it is its role as an accreditation body that justifies IISP. There are now numerous knowledge based qualifications, including some high quality university degrees. However, these merely provide an indication of someone’s level of knowledge, skills and/or competencies at a given time. Many of these qualifications, for example university degrees, are awarded ‘for life’ with no obligation on the recipient to practise the discipline or to keep informed about advances in the area. 

However, membership of a professional body like IISP should imply that the individual has followed a CPD programme which, as one of its aims and objectives, ensures that they have maintained an active interest in the discipline. Joining IISP should enable graduates from programmes such as the Royal Holloway MSc Information Security to build on this sound knowledge-based qualification, to acquire further skills and competencies and to become leaders of the profession.

Professor Fred Piper
