In a recent article, Dr. Craig Wright wrote about the problem with plagiarism in the security industry. In it, he referenced a past article when he personally ran into plagiarism years before, and wrote about his discovery (2008-06-29).
Dr. Wright describes the plagiarism as "Ms Rattray in one example of her writings took the text of text from Erik Guldentops "Harnessing IT for Secure, Profitable Use" and block copied this into an article she professed to have written." This is not entirely accurate, as pointed out in his original write-up which said "A change of language from US to Australian is still plagiarism. Similarly, changing 'So' to 'thus' and removing the word 'effective' does little to hide the document source." The material used by Stewart-Rattray rewrites small portions and changes words in attempt to make it appear original. This is textbook plagiarism, not using text and forgetting to attribute.
Dr. Wright was contacted by Stewart-Rattray, who offered a disingenious excuse:
"My omission came about by rushing a piece of work to meet a deadline and cobbling it together and not thoroughly reviewing it before sending it off. This is my error one of omission only."
No, this is not a case of omission. This is a clear case of systematic plagiarism. Worse, a second portion of text may have been copied from another source. Due to the relatively small amount, and the original material being quoted and re-quoted, it is difficult to be certain if she did.
Stewart-Rattray's article is titled "Information security governance: the nuts and bolts" and can be found in archived copies of (IN)SECURE Magazine, Issue 14 (November 2007). When Dr. Wright notified the publisher of the magazine, they removed her article from the issue. Some sites still maintain a copy of the original that include her article. In issue 18, the following note appeared:
In other news, Jo Stewart-Rattray, who was one of the authors featured in the November 2007 issue of (IN)SECURE, wanted to apologize for omitting proper attribution in her article - "Information Security, the Nuts and Bolts". The attribution that should have been included is "Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition", IT Governance Institute, 2006. The article has been removed from our archives as soon as questions have been raised and we are satisfied with her prompt response.
|Stewart-Rattray Text||Original Source|
|Information security relates to the protection of valuable assets that are recorded on, processed by, stored in, shared by, transmitted or retrieved from an electronic medium against loss, misuse, disclosure or damage. Information must be protected against harm from vulnerabilities.||Security relates to the protection of valuable assets against loss, misuse, disclosure or damage. In this context, the valuable assets are the information recorded on, processed by, stored in, shared by, transmitted or retrieved from an electronic medium. The information must be protected against harm, leading to different types of vulnerabilities such as loss, inaccessibility, alteration or wrongful disclosure. Threats include errors and omissions, fraud, accidents and intentional damage. Protection arises from a layered series of technological and nontechnological safeguards such as physical security measures, background checks, user identifiers, passwords, smart cards, biometrics and firewalls. These safeguards should address both threats and vulnerabilities in a balanced manner. [Source]|
|The objective of information security governance is to "protect the interests of those relying on information, and the systems and communications that deliver the information, from hard resulting from failures of availability,
confidentiality and integrity." There are emerging definitions that are adding concepts such as information usefulness and possession - the latter to cope with theft, deception and fraud. The networked economy certainly has added
the need for trust and accountability, particularly in electronic transactions. According to an IT Governance Institute (ITGI) publication, in most organizations, information security objectives are met when:
. Information is available and useful when required, and the systems that provide it can appropriately resist attacks and recover from failures. Availability.
. Information is observed by or disclosed to only those who have a right to know. Confidentiality.
. Information is protected against unauthorised modification. Integrity.
. Business transactions and information exchanges between enterprise locations or with partners can be trusted.Authenticity and non-repudiation.
|The objective of information security is "protecting the interests of those relying on information, and the systems and communications that deliver the information, from harm resulting from failures of availability, confidentiality
and integrity." While emerging definitions are adding concepts such as information usefulness and possession--the latter to cope with theft, deception and fraud--the networked economy has stressed the need for trust and
accountability in electronic transactions. For most organisations, the security objective is met when:|
. Information is available and usable when required, and the systems that provide it can appropriately resist attacks and recover from failures (availability)
. Information is observed by or disclosed to only those who have a right to know (confidentiality)
. Information is protected against unauthorised modification (integrity)
. Business transactions as well as information exchanges among enterprise locations or with partners can be trusted (authenticity and nonrepudiation) [Source]
|Roles and responsibilities relate to the need for information access rights to be based upon the needs of a person role. Such responsibilities and authority should be clearly established within an organization and
communicated so that they are understood.
Design is about developing a security and control framework that consists of standards, measures, practices and procedures.
Implementation is about implementing the solution in a timely manner and then maintaining it.
Monitoring refers to establishing measures by which to monitor the environment to detect security breaches and take corrective action and to ensure ongoing compliance with policy, standards and security practices. Not all of this will necessarily be accomplished in house.
|Roles and Responsibilities. Ensuring that individual roles, responsibilities and authority are clearly communicated and understood by all.|
Design. Developing a security and control framework that consists of standards, measures, practices and procedures.
Implementation. Implementing the solution on a timely basis, then maintaining it.
Monitoring. Establishing monitoring measures to detect and ensure correction of security breaches, such that all actual and suspected breaches are promptly identified, investigated and acted upon, and to ensure ongoing compliance with policy, standards and minimum acceptable security practices. [Source]
|Furthermore, organizations need to protect themselves against those risks inherent in the use of information systems, whilst recognizing the benefits that can accrue from having secure systems. So, as dependence on information systems increases, so too does the criticality of information security, bringing with it the need for information security governance.||Furthermore, organisations need to protect themselves against the risks inherent in the use of information systems while simultaneously recognising the benefits that can accrue from having secure information systems. Thus, as dependence on information systems increases, so too does the criticality of information security, bringing with it the need for effective information security governance. [Source]|