In addition to what we consider as being our five most important papers there over fifty others. Click on a title below to list the papers in that section.
Past events (all years)
a series of 25 papers presented over the years at various conferences and events
There are a wide variety of conferences and events at which we have presented. The table below lists all those since 2002 with links to the presentations.
KEY to topics:
||Operational risk, e.g. the Basel Accord
||Business Continuity Management Systems
||Integrated Management Systems
||Information Security Management Systems
|13 May, 2010
||The BSI ‘Information Security Conference - Latest Standards and Developments’, where we presented our views on ISO/IEC 27003 (Implementation Guidance), fresh back from the ISO SC 27 meetings in Malaysia (having successfully passed the business continuity challenges afforded by the Icelandic volcano!)
|22-24 September, 2009
||The Tenth International Common Criteria Conference where we presented our paper entitled “Common Criteria Development - Lessons from the ISMS World”
|23-25 September, 2008
||The Ninth International Common Criteria Conference where we presented our paper entitled “How to write Protection Profiles and Security Targets, the PPST Guide”
|12-13 May, 2008
||CISO Executive Summit, where we presented on Integrated Management Systems, showing this time that it is more than just fitting ISO standards together.
|15 April, 2008
||BSI’s BS 25999 launch seminar in Mumbai where we were invited to address the audience. Dr. Brewer made 8 observations in support of this new British Standard on business continuity management.
|16 February, 2008
||New Delhi, India
||The ISACA Conference of Information Security, Audit & Control, where we addressed the audience on the subject of Integrated Management Systems for Enterprise Security and IT Governance. Our presentation provided a survey of all our research to-date in internal control and was dedicated to the memory of our late friend and colleague, William List.
|22 September, 2007
||We gave three presentations to over 30 IT Heads of Banks at the Reserve Bank of India’s College of Agricultural Banking in Pune, India. The main thrust of our presentation was to share our views on meeting the standardised and advancement measurement approaches in Basel II for operational risk. As the concept of a management system is an important component in this regard, Dr. Brewer began with a presentation on the ISMS standards. He concluded with a case study of work he performed last year in conjunction with our partner, Secure Matrix.
November, 1 December 2006
three presentations to celebrate Computer Security Day. The event was
hosted by the National Computer Board and the IT Security Unit.
The first presentation was entitled
“Implementing ISO/IEC 27001”, the second “Information Security
Compliance for Sarbanes-Oxley and Basel II” and the third “ISO/IEC
27001: a comprehensive approach to Information Security”.
|19 - 21 September 2006
||We gave a
paper on “Alternative Assurance Criteria” at the 7th International
Common Criteria Conference.
| 21, 24 May 2006
||Kuwait, and UAE
||We gave the Keynote
address at the Information Security Conference - ISO 27001.
presented our paper “Measuring
the effectiveness of an internal control system” and
related material to a packed audience at the ISACA euro-CACS conference in London.
| 14 March
||Together with the British
Computer Society (Mauritius Section), the
Minister for IT and his Ministry, we gave a presentation on
ISO/IEC 27001 and integrated management systems.
| 18, 22 February 2006
Information Security Conference ISO 27001. The first conference
of its kind ever in India, sponsored by Secure Matrix, NASSCOM and the
Computer Society of India, Dr. David Brewer and Willie List were the
|25-26 October 2005
||The AIIM Europe Conference
and Exhibition where we spoke about the “IT security
implications of Basle II”.
|28 - 29
International Common Criteria Conference, where we spoke about the
“ISO PPST Guide” and answered the question “Is the CC the only way?”
|29 November - 1 December 2004
||The 2004 BS 7799 Goes Global conference, where we gave a presentation on “How do you know the ISMS is working”. We also had the privilege of
giving, reproduced with kind permission of the Ministry of Information
Technology and Telecommunications, Mauritius, their paper on our work in rolling out BS 177999 to various Ministries and Departments.
|October -December 2004
||Leeds, London, Manchester, Birmingham,
Five Institute of Chartered Accountants in England and Wales IT Faculty half-day Roadshows on how to create effective internal control across the whole organisation, reduce your risks and take charge.
We also published a series of four short articles in CHARTECH magazine:
- Effectiveness of Internal Control Systems
- Risk analysis
- How is effectiveness measured in
internal control systems?
- Management Systems.
entitled “Security -Who is in charge? -The users? Or the system?”, given to the Nottingham and Derby Branch of the British Computer Society Winter School 2004.
|28 - 30 September 2004
International Common Criteria Conference where we spoke about “Simpler Security Targets” and “The
Relevance of the Common Criteria to Sarbanes-Oxley and Corporate
|22-24 September 2004
||e-Smart 2004 where we applied our time paper in the context of GlobalPlatform smart cards.
||The Independent Information Security Group (IISyG): a half day seminar entitled
“Rolling out ISO/BS (1) 7799 in the real world”.
|6 May 2004
||BS 7799 and IT
Corporate Governance, a whole day seminar hosted by Symantec, where we presented on corporate governance and intrusion detection.
|29 April 2004
||Domain Les Pailles, Mauritius
||Ministry of Information Technology and Telecommunications (Mauritius) seminar on rollout of ISO/IEC 17799 to government
|14 October 2003
||World Standards Day, where we gave a
presentation on information security
|17-19 September 2003
||e-Smart 2003, where we gave a presentation on the GlobalPlatform Card Security
||7799 Goes Global Conference, where we gave a presentation on
|7-9 September 2003
||The 4th International Common Criteria Conference, where we presented on dealing with smart cards as evaluated systems.
|4 December 2002
UK 7799 Users Group Meeting, where we role played an audit. There isn’t a paper or presentation, only a photograph of the event:
|19-20 September 2002
||e-Smart 2002, where we gave a paper on the ITRI/Gamma architecture for GlobalPlatform smart cards.
|4-5 September 2002
||The first 7799 Goes Global Conference where we gave a presentation entitled is IT governance enough?
||The IAAC workshop at Senate House, where we presented our thoughts on risk assessment. Just thee years years later, we totally changed our views.
Other IMS and ISMS papers (2004 — 2006)
a series of 4 papers concerning integrated management systems and ISMS
Gamma’s mainstream papers are still current, However, there are a number of papers that we wrote at around the same time which may be of historical interest. They are:
Common Criteria Conferences (2001 — 2010)
a series of 13 papers presented by us at various Common Criteria Conferences
Gamma has enjoyed a long and fruitful association with the
Common Criteria (ISO/IEC 15408) since its inception, having provided the
only non-government member of the ISO standardisation committee and having
helped to develop the ITSEC; one of the three security evaluation criteria
that were used to create the Common Criteria.
Essentially, the Common Criteria facilitate the means to confirm that
particular security features of some Target of Evaluation (TOE), which is
usually an IT product, have:
- Been implemented correctly and cannot be bypassed, deactivated,
corrupted or otherwise circumvented;
- Is able to resist direct attack with a given attack potential.
This evaluation is predicated on a detailed
examination of the construction of the TOE, commensurate with some given level of confidence (often
specified as a Common Criteria “Evaluation Assurance Level”).
The Common Criteria Recognition Arrangement facilitates the means for
the nominated authority in one country to formally accept Common Criteria
evaluations that have been certified in another country, and is singularly
responsible for the dramatic uptake of interest in the Common Criteria by
Visa and MasterCard at the turn of the century.
There is now a regular International Common Criteria Conference; the
last we attended was held in September in Antalya, Turkey 2010.
These are the papers that we have presented:
||“Using the Common Criteria in Practice”, by Mike Nash
||“Common Criteria Development - Lessons from the ISMS World”, by Mike Nash
||“How to write PPs and STs - the PPST Guide”, by Mike Nash
“CC Part II Tutorial”, by Mike Nash
Assurance Criteria”, by David Brewer
||“The ISO PPST Guide - Tool or
Irrelevance”, by Mike Nash
“Is the CC
the only way?”, by David Brewer
“Summary of Track A”, by Mike Nash
“Simpler Security Targets”, by Mike Nash
“The Relevance of the Common Criteria to
Sarbanes-Oxley and Corporate Governance” by David Brewer and
||“Dealing with smart cards as evaluated systems”, by David Brewer and Marc Kekicheff
||“Proving Protection Profile Compliance for the CCL/ITRI
Visa Open Platform Smart Card” by David Brewer, Chilung Wang and
||“The Open Platform Protection Profile (OP3)”, by
Marc Kekicheff, Forough Kashef and David Brewer
Smart cards (2001 — 2004)
a series of six papers concerning our work with GlobalPlatform smart cards
Smart cards, we believe, are generally good things. The GlobalPlatform idea is that we just need one piece of plastic to carry around with
us. Issued by our bank, or phone company perhaps, it will always give us
access to our account with them. The same card could also give us access
to Visa, MasterCard, etc and loyalty programmes with various retailers,
gasoline outlets, hotels and airlines. We could choose to have these other
businesses on our card at the time of issue or, provided that our Card Issuer agrees, download them later. So we just need one card. But what of
security? What if our card fell into the wrong hands? Could merchants do
nasty things when they put the card into their machines (called a Card
Acceptance Device or CAD for short)? What happens if I use it over
the Internet or with my WAP enabled mobile phone? Could I catch a virus?
Could someone steal all my money? or discover where I have been spending it?
These are very interesting questions. They are security related
questions and demand an answer. However, they are cardholder questions. What questions do the Card Issuers have regarding their
security risks? What about the Application Providers? Who loads the
software onto the cards? Can they be trusted? What about the Card
Manufacturers? (and we must bear in mind that the chip manufactures and
operating system providers are often different companies). What indeed do
organisations, such as Visa, think - whose brand names might be at stake?
Some of the answers to these questions present the Common Criteria (ISO/IEC
14508) as the answer, but these raise other questions.
What work has been done?
Pioneering work has been conducted in eight main areas:
In Europe, with EuroSmart,
which represents the smart card vendors’ perspective - eager to
embrace the Common Criteria and use it to as standard to express
what can be achieved.
In the US, with Visa and the Smart
Card Security Users’ Group (SCSUG) with the development of the
SCSUG-Smart Card Protection Profile, which expresses the users’ perspective on requirements.
In the US, with Visa and GlobalPlatform with the development of the
GlobalPlatform Card Specification
In the US, with Visa and the development of the Visa Open Platform Protection Profile (OP3)
In Taiwan, with the Industrial Technology Research Institute (ITRI)
with the development of a comprehensive smart card architecture (also see our e-Smart 2002 paper).
This led, with GlobalPlatform, to the development of the GP Card Security
Requirements Specification, which we presented at the 4th International Common Criteria Conference (also see our e-Smart 2003 paper).
- At the 2004 eSmart 2004 conference, GlobalPlatform reported that it
had embarked on a programme of formally specifying the card
specification, using our informal card security requirements specification as the starting point.
- At the same conference, Gamma presented in
work in applying internal control system
metrics in order to facilitate the correct choice of on-card and
various clients, Gamma has been
directly involved with the majority of these initiatives.
Other work of merit has been performed in Europe on a Protection
Profile for the integrated circuitry (IC) - the Silicon Vendors’ Security
Group Protection Profile (which is on the EuroSmart site) and some early
work on Java Card TM (referred to as the JCSPP).
Where did this get us?
This is a very good question. There are two parts to this
The ITRI/Gamma architecture and the GP Card Security Requirements
Specification pave the way to showing how a security target can
written that is compliant with all the relevant smart card protection
profiles. Moreover, it shows that the composition problem that
everyone has found so elusive is really a decomposition problem.
- The GP Card Security Requirements Specification identifies the areas
where off card measures are required, and ISO
SC27 WG3 work directed towards system evaluation will help
organisations to meet those requirements.
Two areas to watch were therefore GP developments and the ISO SC27 WG3
work. At the Fourth
International Common Criteria Conference (ICCC4) we ran a track
dedicated to such issues.
Projecting trust (1997 — 2000)
a series of five
papers concerning the projection of trustworthiness of a business
Standards, such as ISO/IEC 27001 , can be
used to project the trustworthiness of a business service. These
papers trace this idea from its inception, culminating in the SEDUCER
- SEDUCER - An EC study (Dec
2000) to devise a framework for projecting the trustworthiness of a
business service (such as a TTP). It makes use of BS7799 Part 2
and the Common Criteria.
- Guaranteeing Secure Transactions (e-Trust) - A paper based on a presentation given at the second E-Commerce and the
Supply Chain Revolution Conference held in London in June
criteria for secure information systems -
This paper traces the evolution of criteria for
the homologation (accreditation) of secure
information systems and services, and shows the
importance of real time risk management. It also
suggests that BS7799 may offer a more attractive
alternative to ITSEC system evaluation. It was presented
on 16 March 1998 at Eurosec in Paris.
Expectations of Trustworthiness in Third Party
Electronic Services - a summary of our market
survey for the UK Department of Trade and Industry published in
April 1997, together with an extract concerning a taxonomy of
independent accreditation: an effective way ahead - examine why the directors of the Insurefast
Company were seeking a public statement of
assurance in the security of their service and
how we proposed to provide one. The paper was presented on
18 March 1997 at Eurosec in Paris.
Royal Air Force Security (1993 — 1996)
a series of
four papers concerning a rare example of a very large - and very
successful - secure system development where the security policies and
practices have been published.
The Royal Air Force (RAF)
Logistics Information Technology System (LITS) is a rare example of a very large
- and very successful - secure system development where the security policies
and practices have been published. These
four papers provide a introduction to this programme, and contain many useful
tips, still valid today, for anyone about to embark on purchasing a large,
networked system that has to be secure. If
you work in UK Government, or have an interest in the aerospace industry, you
should find these papers particularly interesting. All the papers are British Crown Copyright, and we would like to thank
the Controller of HMSO for permission to make these papers web-accessible.
The first paper, Information
Security in a Complex Defence System Procurement: A Personal Management
Experience was presented at the Canadian Computer Security
Symposium in May 1993. This was
very much a cook-book on how to extend the project management and system
development methodologies in use in the UK Ministry of Defence at that time to
handle information security. It was
widely adopted by other defence systems in the UK in the years that followed.
Policy in a Complex Logistics Procurement was presented later
that year at the 1993 Computer Security Applications Conference in the US. It documented the theoretical work that was necessary to apply the
generic guidance on information security available from CESG (the UK national
security authority) to a large, networked, multi-stage programme. CESG must be thanked for their support in preparing this paper, including
permission to publish openly the outline of their approved security
documentation lifecycle. Once
again, much of the innovation within this paper subsequently became part of the
officially adopted UK Government approach.
Information in Large Defence Procurements: the Royal Air Force LITS Experience (another long title!) was presented at the 1995 Canadian Computer Security
Symposium. This paper recorded the
LITS security team’s experiences in assessing the security knowledge,
experience and capabilities of bidders to specify and develop the LITS system,
and also the benefits to that process from early start “quick results”
final paper of the set, Implementing
Security Policy in a Large Defence Procurement, was published
at the 1996 Computer Security Applications Conference. This reported our first experiences of system implementation
and in particular a growing realisation that both UK national security policy
and the role of the RAF were changing radically as a consequence of the end of
the Cold War and the dissolution of the Warsaw Pact. In consequence, the security threat to LITS was changing, and
the design and implementation strategy had to adapt to and encompass the
consequential change to both operational and security requirements.
Early papers (pre 1992)
three very early papers including our seminal Chinese Wall Security Policy paper
The Chinese Wall Security Policy - our seminal paper contrasting the Orange Book to the 1986
Financial Services Act. First published at the IEEE
Symposium on Security and Privacy, Oakland 1989.
Concerning Separation of Duty - another seminal
Gamma research paper, on the need for Role Based Access
Control (RBAC), although written before the acronym RBAC was
first popularised by Ferraiolo and Kuhn. First published at
the 1990 IEEE Symposium on Security and Privacy.
Security Evaluation - a craftsman-led approach to
system security evaluation that combines business
risk analysis, evaluation and corrective action
rolled into one, that is faster and less
expensive than the Common Criteria - based on research performed in 1986,
and is still relevant today.