Safe Harbor

"To successfully protect the assets of the business, security can't be an afterthought. Security must be holistically integrated into the entire network infrastructure."

To support "the strategic goals of the business, a secure network architecture adapts to changing business requirements dynamically."

MONTEGEN and the SAFE HARBOR principles

PRINCIPLES and ACTIONS

Notice

"An organization must inform individuals about the purposes for which it collects and uses information about them, how to contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information, and the choices and means the organization offers individuals for limiting its use and disclosure".

MONTEGEN informs the business clients about the purposes for which it collects and uses information about them.

A Non-Disclosure / Non-Circumvention Agreement will be signed by both parties.

The collected data are stored on office computers, on paper or on CD-RW. Since a hard drive can be scanned via the Internet, the files relating to the client's project are kept on a computer that is not connected to the Internet.

MONTEGEN will share information with the government when required by law.

Choice

"An organization must offer individuals the opportunity to choose (opt out) whether their personal information is (a) to be disclosed to a third party or (b) to be used for a purpose that is incompatible with the purpose(s) for which it was originally collected or subsequently authorized by the individual".

MONTEGEN discusses the policy for the treatment of personal and technical data with the client; this clause is included in the Agreement.

The classic security triad of confidentiality, integrity and availability is applied to the received information. In particular,

  • confidentiality implies control and possession
  • integrity implies authenticity and non-repudiation
  • availability implies the utility of the information.

Sensitive Information Principle

"… an organization should treat as sensitive any information received from a third party where the third party treats and identifies it as sensitive."

MONTEGEN signs three types of documents with its clients: (i) a letter of intent stating the object of the collaboration, (ii) a Non-Disclosure Agreement, (iii) a Non-Circumvention Agreement. Information considered sensitive or confidential must be written on paper marked "sensitive" on each page. Sensitive information transmitted electronically must be encrypted; to this end, both parties to the electronic transaction will establish specific procedures.

The collected data are stored on office computers, on paper or on CD-RW. Since a hard drive can be scanned via the Internet, the files relating to the client's project are kept on a computer that is not connected to the Internet.

MONTEGEN will share information with the government when required by law.

Onward transfer

"To disclose information to a third party, organizations must apply the Notice and Choice Principles. Where an organization wishes to transfer information to a third party that is acting as an agent, as described in the endnote, it may do so if it first either ascertains that the third party subscribes to the Principles or is subject to the Directive or another adequacy finding or enters into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant Principles".

Should MONTEGEN need the assistance of a commercial partner to develop the client's project, a Co-Finder Agreement will be signed. It will cover all aspects of privacy and security for the data received from MONTEGEN's client and for its treatment.

Security

"Organizations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction".

MONTEGEN protects the received information from potential computer-related crimes, defined "as any illegal act in which knowledge of computer technology is used to commit the offense" (from "Cyber Crime" by L. Quarantiello (1997), LimeLight Books, Lake Geneva, WI, U.S.A.).

MONTEGEN applies the following criteria:

  • User Authentication, to validate a user who attempts to access any sensitive material (by password, PIN, smart card or biometrics)
  • User Identification, to issue electronic credentials (granting access to certain protected files but not others) once the individual is authenticated.

Data integrity

"Consistent with the Principles, personal information must be relevant for the purposes for which it is to be used. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current".

MONTEGEN uses encryption to keep communications private. In electronic documents, a digital signature assures data integrity as well as non-repudiation. Over the Internet MONTEGEN transacts commercial activities focused on technology transfer and product development; the company pays particular attention to non-repudiation of origin, submission and receipt of messages.

Access

"Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated".

MONTEGEN periodically informs the client about the evolution of the business contacts, including the names of persons interested in the business. At the same time, the client can access the information already held in the MONTEGEN databank for periodic review (the control and possession aspect of confidentiality, and the availability and utility of the information).

Enforcement

"Effective privacy protection must include mechanisms for assuring compliance with the Principles, recourse for individuals to whom the data relate affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed".

All signed Non-Disclosure / Non-Circumvention Agreements include a clause on dispute resolution and remedies.

A disaster recovery planning cycle has been established.

To defend the network perimeter, "in-house" security assessment software is available to provide active, 24-hour surveillance of suspicious activity: password cracking, access control checking, user account restrictions, system vulnerability, data confidentiality checks, virus checking, intrusion monitoring.

To defend the company mainframe, physical security tools are used.

These systems may be implemented (also using outsourcing services) in the near future.

A computer security survey has been created and is currently being implemented to reveal vulnerabilities and to identify critical areas (with reference to the book "The Ultimate Computer Security Survey" by James L. Schaub and Ken D. Biery (1995), Butterworth-Heinemann, Boston). The survey and its reports are considered "sensitive material".

References:

"Continental Divide" by Daintry Duffy, CIO 15 (13), 92-97 (2002)

"Planning for secure networks", Baseline, issue 022, 30-31, September 2003

"Developing business - Requirements for Secure Networks", Baseline, issue 024, 34-35, November 2003

"Delivering secure networks for your enterprise", Baseline, issue 025, 50-51, December 2003

"To protect and serve" (perimeter security) by Jeff Moad, Baseline, issue 022, 86-88, September 2003