Monthly Archives: September 2010

ISO 27002

ISO 27002 Code of Practice

Like governance, information security is a broad topic with ramifications in all parts of the modern organization.  Information security, and hence ISO/IEC 27002, is relevant to all types of organization including commercial enterprises of all sizes (from one-man-bands up to multinational giants), not-for-profits, charities, government departments and quasi-autonomous bodies – in fact any organization that handles and depends on information. The specific information security requirements may be different in each case but the whole point of ISO27k is that there is a lot of common ground.

The standard is explicitly concerned with information security, meaning the security of information assets, and not just IT/systems security per se.  The IT Department is merely the custodian of a good proportion of the organization’s information assets and is commonly charged with securing them by the information asset owners – the business managers who are accountable for the assets.  However, a large proportion of written and intangible information (e.g. the knowledge and experience of non-IT workers) has nothing to do with IT.

Relationship to ISO/IEC 27001

ISO/IEC 27001 formally defines the mandatory requirements for an Information Security Management System (ISMS).  It uses ISO/IEC 27002 to indicate suitable information security controls within the ISMS, but since ISO/IEC 27002 is merely a code of practice/guideline rather than a certification standard, organizations are free to select and implement other controls, or indeed adopt alternative complete suites of information security controls, as they see fit.  ISO/IEC 27001 incorporates a summary (little more than the section titles, in fact) of the controls from ISO/IEC 27002 in its Annex A.  In practice, organizations that adopt ISO/IEC 27001 also substantially adopt ISO/IEC 27002.

Structure and format of ISO/IEC 27002

ISO/IEC 27002 is a code of practice – a generic, advisory document, not truly a standard or formal specification such as ISO/IEC 27001. It lays out a reasonably well structured set of suggested controls to address information security risks, covering confidentiality, integrity and availability aspects. Organizations that adopt ISO/IEC 27002 must assess their own information security risks and apply suitable controls, using the standard for guidance. Strictly speaking, none of the controls are mandatory but if an organization chooses not to adopt something as common as, say, antivirus controls, they should certainly be prepared to demonstrate that this decision was reached through a rational risk management decision process, not just an oversight, if they anticipate being certified compliant to ISO/IEC 27001.

After the introduction, scope, terminology and structure sections, the remainder of ISO/IEC 27002 specifies some 39 control objectives to protect information assets against threats to their confidentiality, integrity and availability.  These control objectives in effect comprise a generic functional requirements specification for an organization’s information security management controls architecture.

There is one control objective for each second-level heading in sections 5 through 15 of the standard (e.g. 8.2).  Sections 5 and 14 each have just one second-level heading (5.1 and 14.1), so they contribute one objective each.

Few people would quarrel with most of the control objectives or, to put it another way, it would be difficult to argue that the organization should not conform with the stated objectives in general.  However, some are not applicable in every case and the generic wording of the standard is unlikely to reflect each organization’s precise requirements.

In our experience, the control objectives make an excellent starting point to define a comprehensive set of “axioms” or high level principles for information security policies with only slight re-wording.

Not mandating specific controls is a master stroke that makes the standard broadly applicable even as the technology and security risks change, and gives users tremendous flexibility in the implementation.  Unfortunately, it also makes it difficult for the certification bodies to assess whether an organization is fully compliant with the standard, hence there are no formal compliance certificates against ISO/IEC 27002 itself.  Organizations may instead get their information security governance/management processes, meaning the Information Security Management System as a whole, certified against ISO/IEC 27001 which describes the process for assessing risks and selecting, implementing and managing specific security controls from ISO/IEC 27002 or indeed other sources.

Section 0

Introduction

Starting from ‘What is information security?’, the introduction explains how to make use of the standard.

Section 1

Scope

The standard gives information security management recommendations for those who are responsible for initiating, implementing or maintaining security.

Section 2

Terms and definitions

“Information security” is explicitly defined as the “preservation of confidentiality, integrity and availability of information”.  These and other related terms are further defined.  [In due course when ISO/IEC 27002 is revised, this section will presumably reference definitions in ISO/IEC 27000.]

Section 3

Structure of this standard

This short section simply explains that the body of the standard contains control objectives, suggested controls and implementation guidance.

Section 4

Risk assessment and treatment

ISO/IEC 27002 covers the topic of risk management in just a page and a half, woefully inadequate coverage for such a complex and central element of information security.  [When ISO/IEC 27002 is revised, it will probably reference ISO/IEC 27005 here although it has been suggested that the risk management section might be dropped entirely from ’27002 and moved to ’27001.  In keeping with the style of ’27002, ’27005 gives general guidance on selecting and using appropriate methods to analyze information security risk – it does not mandate a specific method since ‘appropriate’ depends on context.]

Section 5

Security policy

Management should define a policy to clarify their direction of, and support for, information security, meaning a short, high-level information security policy statement laying down the key information security directives and mandates for the entire organization.  This is normally supported by a comprehensive suite of more detailed corporate information security policies, typically in the form of an information security policy manual.  The policy manual in turn is supported by a set of information security standards, procedures and guidelines.

Although the standards are somewhat ambiguous on this point, the information security policy noted in ISO/IEC 27002 is generally understood to be separate and different from the ISMS policy required by ISO/IEC 27001.  The ISMS policy is seen by some as a strategy or governance paper laying out management’s support for the ISMS as a whole – in fact it may be as short as a statement by the CEO.

Section 6

Organization of information security

A suitable information security governance structure should be designed and implemented.

6.1 

Internal organization

The organization should have a management framework for information security. Senior management should provide direction and commit their support, for example by approving information security policies. Roles and responsibilities should be defined for the information security function. Other relevant functions should cooperate and coordinate their activities.  IT facilities should be authorized.  Confidentiality agreements should reflect the organization’s needs.  Contacts should be established with relevant authorities (e.g. law enforcement) and special interest groups.  Information security should be independently reviewed.

6.2 

External parties

Information security should not be compromised by the introduction of third party products or services.  Risks should be assessed and mitigated when dealing with customers and in third party agreements.

Section 7

Asset management

The organization should be in a position to understand what information assets it holds, and to manage their security appropriately.

7.1

Responsibility for assets

All [information] assets should be accounted for and have a nominated owner.  An inventory of information assets (IT hardware, software, data, system documentation, storage media, supporting assets such as computer room air conditioners and UPSs, and ICT services) should be maintained. The inventory should record ownership and location of the assets, and owners should identify acceptable uses.

7.2 

Information classification

Information should be classified according to its need for security protection and labeled accordingly.  [While this is clearly most relevant to military and government organizations handling ‘protectively marked information’ (Top Secret etc.), the concept of identifying important assets, classifying/grouping them, and applying controls that are judged suitable for assets of that nature, is broadly applicable.]

Section 8

Human resources security

The organization should manage system access rights etc. for ‘joiners, movers and leavers’, and should undertake suitable security awareness, training and educational activities.

8.1 

Prior to employment

Security responsibilities should be taken into account when recruiting permanent employees, contractors and temporary staff (e.g. through adequate job descriptions, pre-employment screening) and included in contracts (e.g. terms and conditions of employment and other signed agreements on security roles and responsibilities).

8.2

During employment

Management responsibilities regarding information security should be defined.  Employees and (if relevant) third party IT users should be made aware, educated and trained in security procedures.  A formal disciplinary process is necessary to handle security breaches.

8.3 

Termination or change of employment

Security aspects of a person’s exit from the organization (e.g. the return of corporate assets and removal of access rights) or change of responsibilities should be managed.

Section 9

Physical and environmental security

Valuable IT equipment should be physically protected against malicious or accidental damage or loss, overheating, loss of mains power etc.

9.1 

Secure areas

This section describes the need for concentric layers of physical controls to protect sensitive IT facilities from unauthorized access.

9.2 

Equipment security

Critical IT equipment, cabling and so on should be protected against physical damage, fire, flood, theft etc., both on- and off-site. Power supplies and cabling should be secured. IT equipment should be maintained properly and disposed of securely.

Section 10 

Communications and operations management

This lengthy, detailed section of the standard describes security controls for systems and network management.

10.1 

Operational procedures and responsibilities

IT operating responsibilities and procedures should be documented. Changes to IT facilities and systems should be controlled. Duties should be segregated between different people where relevant (e.g. access to development and operational systems should be segregated).

10.2 

Third party service delivery management

Security requirements should be taken into account in third party service delivery (e.g. IT facilities management or outsourcing), from contractual terms to ongoing monitoring and change management.  Do you have suitable security clauses in the contract with your ISP?

10.3 

System planning and acceptance

Covers IT capacity planning and production acceptance processes.

10.4 

Protection against malicious and mobile code

Describes the need for anti-malware controls, including user awareness.  Security controls for mobile code ‘associated with a number of middleware services’ are also outlined.

10.5 

Back-up

Covers routine data backups and rehearsed restoration.

10.6 

Network security management

Outlines secure network management, network security monitoring and other controls.  Also covers security of commercial network services such as private networks and managed firewalls etc.

10.7 

Media handling

Operating procedures should be defined to protect documents and computer media containing data, system information etc. Disposal of backup media, documents, voice and other recordings, test data etc. should be logged and controlled. Procedures should be defined for securely handling, transporting and storing backup media and system documentation.

10.8 

Exchange of information

Information exchanges between organizations should be controlled, for example through policies and procedures, and legal agreements. Information exchanges should also comply with applicable legislation. Security procedures and standards should be in place to protect information and physical media in transit, including electronic messaging (email, EDI and IM) and business information systems.

10.9

Electronic commerce services

The security implications of eCommerce (online transaction systems) should be evaluated and suitable controls implemented.  The integrity and availability of information published online (e.g. on websites) should also be protected.

10.10

Monitoring

Covers security event/audit/fault logging and system alarm/alert monitoring to detect unauthorized use.  Also covers the need to secure logs and synchronize system clocks.

Section 11

Access control

Logical access to IT systems, networks and data must be suitably controlled to prevent unauthorized use.  This is another lengthy and detailed section.

11.1 

Business requirement for access control

The organization’s requirements to control access to information assets should be clearly documented in an access control policy, including for example job-related access profiles (role based access control).  [This is an important obligation for information asset owners.]

11.2 

User access management

The allocation of access rights to users should be formally controlled through user registration and administration procedures (from initial user registration through to removal of access rights when no longer required), including special restrictions over the allocation of privileges and management of passwords, and regular access rights reviews.
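The "regular access rights review" at the end of this objective is the control most often done badly by hand. The following is an added example for this page, not from the standard: it reconciles a system's account export against the HR roster (catching the leavers of 8.3 and orphan accounts with no owner) and against role-to-entitlement profiles (the job-related access profiles of 11.1), and turns the findings into a revocation list. The roles, people, entitlements and the idea of a separate privileged-entitlement set are constructed for the example; a real review would read the roster and account export from the HR system and the target platform.

```python
from datetime import date

# Constructed role profiles (11.1: job-related access profiles): entitlements each role may hold.
ROLE_PROFILES = {
    "developer": {"git", "ci", "dev-db"},
    "dba": {"prod-db", "dev-db", "backup"},
    "helpdesk": {"ticketing", "password-reset"},
}

# Entitlements treated as privileged: excess here is reported at a higher severity.
PRIVILEGED = {"root", "prod-db"}

# Constructed HR roster: current role and, for leavers, the date they left.
HR_ROSTER = {
    "alice": {"role": "developer", "left": None},
    "bob":   {"role": "dba", "left": None},
    "carol": {"role": "helpdesk", "left": date(2010, 8, 31)},
    "dave":  {"role": "developer", "left": date(2010, 7, 1)},
}

# Constructed account export from one system: entitlements held and whether the account is enabled.
ACCOUNTS = {
    "alice":   {"entitlements": {"git", "ci", "dev-db"}, "enabled": True},
    "bob":     {"entitlements": {"prod-db", "dev-db", "backup", "root"}, "enabled": True},
    "carol":   {"entitlements": {"ticketing"}, "enabled": True},
    "dave":    {"entitlements": {"git"}, "enabled": False},    # leaver, correctly disabled
    "svc-old": {"entitlements": {"prod-db"}, "enabled": True},  # nobody in HR owns this
}

REVIEW_DATE = date(2010, 9, 15)


def review_access(accounts, roster, profiles, today):
    """Reconcile enabled accounts against the roster and role profiles.
    Returns (user, finding, detail) tuples; an empty list means nothing to revoke."""
    findings = []
    for user, acct in accounts.items():
        if not acct["enabled"]:
            continue  # disabled accounts have already been dealt with
        person = roster.get(user)
        if person is None:
            findings.append((user, "ORPHAN", "no matching person in HR roster"))
            continue
        if person["left"] is not None and person["left"] <= today:
            findings.append((user, "LEAVER", f"left on {person['left']} but account is still enabled"))
            continue
        allowed = profiles.get(person["role"], set())
        for ent in sorted(acct["entitlements"] - allowed):
            kind = "EXCESS_PRIVILEGED" if ent in PRIVILEGED else "EXCESS"
            findings.append((user, kind, f"'{ent}' is not in the profile for role '{person['role']}'"))
    return findings


def revocation_plan(findings):
    """Turn findings into the actions an administrator would carry out:
    disable orphan and leaver accounts, strip excess entitlements from the rest."""
    actions = []
    for user, kind, detail in findings:
        if kind in ("ORPHAN", "LEAVER"):
            actions.append(f"disable account {user} ({detail})")
        else:
            ent = detail.split("'")[1]
            actions.append(f"remove {ent} from {user}")
    return actions


if __name__ == "__main__":
    for action in revocation_plan(review_access(ACCOUNTS, HR_ROSTER, ROLE_PROFILES, REVIEW_DATE)):
        print(action)
```

Run against the constructed data it reports bob holding root outside the DBA profile, carol still enabled two weeks after leaving, and the service account svc-old with production database access and no owner; alice, whose entitlements match her role, and dave, whose account was already disabled, produce nothing. The same reconciliation is what an auditor reconstructs manually when asking for evidence that access reviews happen.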

11.3 

User responsibilities

Users should be made aware of their responsibilities towards maintaining effective access controls e.g. choosing strong passwords and keeping them confidential. Systems and information should be secured when left unattended (e.g. clear desk and clear screen policies).

11.4 

Network access control

Access to network services should be controlled, both within the organization and between organizations. Policy should be defined and remote users (and possibly equipment) should be suitably authenticated.  Remote diagnostic ports should be securely controlled. Information services, users and systems should be segregated into separate logical network domains.  Network connections and routing should be controlled where necessary.

11.5 

Operating system access control

Operating system access control facilities and utilities (such as user authentication with unique user IDs and managed passwords, recording use of privileges and system security alarms) should be used. Access to powerful system utilities should be controlled and inactivity timeouts should be applied.

11.6

Application and information access control

Access to and within application systems should be controlled in accordance with a defined access control policy. Particularly sensitive applications may require dedicated (isolated) platforms, and/or additional controls if run on shared platforms.

11.7 

Mobile computing and teleworking

There should be formal policies covering the secure use of portable PCs, PDAs, cellphones etc., and secure teleworking (“working from home”, “road warriors” and other forms of mobile or remote working).

Section 12

Information systems acquisition, development and maintenance

Information security must be taken into account in the Systems Development Lifecycle (SDLC) processes for specifying, building/acquiring, testing, implementing and maintaining IT systems.

12.1 

Security requirements of information systems

Automated and manual security control requirements should be analyzed and fully identified during the requirements stage of the systems development or acquisition process, and incorporated into business cases.  Purchased software should be formally tested for security, and any issues risk-assessed.

12.2 

Correct processing in application systems

Data entry, processing and output validation controls and message authentication should be provided to mitigate the associated integrity risks.

12.3 

Cryptographic controls

A cryptography policy should be defined, covering roles and responsibilities, digital signatures, non-repudiation, management of keys and digital certificates etc.

12.4 

Security of system files

Access to system files (both executable programs and source code) and test data should be controlled.

12.5 

Security in development and support processes

Application system managers should be responsible for controlling access to [development] project and support environments.  Formal change control processes should be applied, including technical reviews.  Packaged applications should ideally not be modified. Checks should be made for information leakage for example via covert channels and Trojans if these are a concern. A number of supervisory and monitoring controls are outlined for outsourced development.

12.6

Technical vulnerability management

Technical vulnerabilities in systems and applications should be controlled by monitoring for the announcement of relevant security vulnerabilities, and risk-assessing and applying relevant security patches promptly.

Section 13

Information security incident management

Information security events, incidents and weaknesses (including near-misses) should be promptly reported and properly managed.

13.1

Reporting information security events and weaknesses

An incident reporting/alarm procedure is required, plus the associated response and escalation procedures.  There should be a central point of contact, and all employees, contractors etc. should be informed of their incident reporting responsibilities.

13.2

Management of information security incidents and improvements

Responsibilities and procedures are required to manage incidents consistently and effectively, to implement continuous improvement (learning the lessons), and to collect forensic evidence.

Section 14

Business continuity management

This section describes the relationship between IT disaster recovery planning, business continuity management and contingency planning, ranging from analysis and documentation through to regular exercising/testing of the plans.  These controls are designed to minimize the impact of security incidents that happen despite the preventive controls noted elsewhere in the standard.

Section 15

Compliance

15.1 

Compliance with legal requirements

The organization must comply with applicable legislation such as copyright, data protection, protection of financial data and other vital records, cryptography restrictions, rules of evidence etc.

15.2 

Compliance with security policies and standards, and technical compliance

Managers and system owners must ensure compliance with security policies and standards, for example through regular platform security reviews, penetration tests etc. undertaken by competent testers.

15.3 

Information systems audit considerations

Audits should be carefully planned to minimize disruption to operational systems. Powerful audit tools/facilities must also be protected against unauthorized use.

ISO 27001

ISO/IEC 27001:2005 Information technology — Security techniques — Information security management systems — Requirements

ISO/IEC 27001 is the formal set of specifications against which organizations may seek independent certification of their Information Security Management System (ISMS).

ISO/IEC 27001 specifies requirements for the establishment, implementation, monitoring and review, maintenance and improvement of a management system – an overall management and control framework – for managing an organization’s information security risks.  It does not mandate specific information security controls but stops at the level of the management system.

The standard covers all types of organizations (e.g. commercial enterprises, government agencies and non-profit organizations) and all sizes from micro-businesses to huge multinationals. 

This is clearly a very wide brief.

Bringing information security under management control is a prerequisite for sustainable, directed and continuous improvement.  An ISO/IEC 27001 ISMS therefore incorporates several Plan-Do-Check-Act (PDCA) cycles: for example, information security controls are not merely specified and implemented as a one-off activity but are continually reviewed and adjusted to take account of changes in the security threats, vulnerabilities and impacts of information security failures, using review and improvement activities specified within the management system. 

According to JTC1/SC27, the ISO/IEC committee responsible for ISO27k and related standards, ISO/IEC 27001 “is intended to be suitable for several different types of use, including:

  • Use within organizations to formulate security requirements and objectives;
  • Use within organizations as a way to ensure that security risks are cost-effectively managed;
  • Use within organizations to ensure compliance with laws and regulations;
  • Use within an organization as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met;
  • The definition of new information security management processes;
  • Identification and clarification of existing information security management processes;
  • Use by the management of organizations to determine the status of information security management activities;
  • Use by the internal and external auditors of organizations to demonstrate the information security policies, directives and standards adopted by an organization and determine the degree of compliance with those policies, directives and standards;
  • Use by organizations to provide relevant information about information security policies, directives, standards and procedures to trading partners and other organizations that they interact with for operational or commercial reasons;
  • Implementation of a business enabling information security; and
  • Use by organizations to provide relevant information about information security to customers.”

Structure and content of ISO/IEC 27001

ISO/IEC 27001:2005 has the following sections:

0 Introduction – the standard uses a process approach.

1 Scope – it specifies generic ISMS requirements suitable for organizations of any type, size or nature.

2 Normative references – only ISO/IEC 27002:2005 is considered absolutely essential to the use of ’27001.

3 Terms and definitions – a brief, formalized glossary, soon to be superseded by ISO/IEC 27000.

4 Information security management system – the ‘guts’ of the standard, based on the Plan-Do-Check-Act cycle where Plan = define requirements, assess risks, decide which controls are applicable; Do = implement and operate the ISMS; Check = monitor and review the ISMS; Act = maintain and continuously improve the ISMS.  Also specifies certain specific documents that are required and must be controlled, and states that records must be generated and controlled to prove the operation of the ISMS (e.g. certification audit purposes).

5 Management responsibility – management must demonstrate their commitment to the ISMS, principally by allocating adequate resources to implement and operate it.

6 Internal ISMS audits – the organization must conduct periodic internal audits to ensure the ISMS incorporates adequate controls which operate effectively.

7 Management review of the ISMS – management must review the suitability, adequacy and effectiveness of the ISMS at least once a year, assessing opportunities for improvement and the need for changes.

8 ISMS improvements – the organization must continually improve the ISMS by assessing and where necessary making changes to ensure its suitability and effectiveness, addressing nonconformance (noncompliance) and where possible preventing recurrent issues.

Annex A – Control objectives and controls – little more in fact than a list of titles of the control sections in ISO/IEC 27002, down to the second level of numbering (e.g. 9.1, 9.2).

Annex B – OECD principles and this International Standard – a table briefly showing which parts of this standard satisfy 7 key principles laid out in the OECD Guidelines for the Security of Information Systems and Networks.

Annex C – Correspondence between ISO 9001:2000, ISO 14001:2004 and this International Standard – the standard shares the same basic structure as other management systems standards, meaning that an organization which implements any one of them should be familiar with concepts such as PDCA, records and audits.

Mandatory requirements for certification

ISO/IEC 27001 is written as a formalized specification such that accredited certification auditors are meant to be able to use the standard as a formal description of items that their clients must have in order to be certified compliant. It does indeed specify certain mandatory documents explicitly. 

However, in other areas it is vaguer and, in practice, other documents are commonly demanded, including certain items which provide the auditors with evidence or proof that the ISMS is operating.

Organizations can specify the scope of their ISO/IEC 27001 certification as broadly or as narrowly as they wish.  Understanding the scoping documents plus Statements of Applicability (SoA) is therefore crucial if one intends to attach any meaning to the certificates.  If an organization’s ISO/IEC 27001 scope only notes “Acme Ltd. Department X”, for example, the associated certificate says nothing about the state of information security in “Acme Ltd. Department Y” or “Acme Ltd.” as a whole. 

Similarly, if the SoA asserts that antivirus controls are not necessary for some reason, the certification body will doubtless have checked that assertion but will not have certified the antivirus controls – in fact, they may not have assessed any technical controls since ISO/IEC 27001 is primarily a management system standard, so compliance requires the organization to have a suite of management controls in place but does not necessarily require specific information security controls.

Certification is entirely optional but is increasingly being demanded from suppliers and business partners by organizations that are concerned about information security. 

Certification against ISO/IEC 27001 brings a number of benefits above and beyond simple compliance, in much the same way that an ISO 9000-series certificate says more than “We are a quality organization”. Independent assessment necessarily brings some rigor and formality to the implementation process (implying improvements to information security and all the benefits that brings through risk reduction), and invariably requires management approval (which is an advantage in security awareness terms, at least!).

The certificate has marketing potential and should help assure most business partners of the organization’s status with respect to information security without the necessity of conducting their own security reviews.


ISO 17799 Background

Background and Overview of ISO 17799 (ISO 27002) and ISO 27001

Sound information security is the cornerstone of sensible corporate governance. The emergence of an international standard to support this was perhaps inevitable.

However, it took until the second half of the 1990’s for this process to really take shape.

ISO 17799 is often used as a generic term for what are actually two different documents: ISO 17799 (now ISO 27002), which is a set of security controls (a code of practice), and ISO 27001 (formerly BS 7799-2), which is a standard ‘specification’ for an Information Security Management System (an ISMS).

Before the international information security standard known as ISO 17799, there was the preceding British Standard BS7799, published by the British Standards Institute (BSI).

The original BS 7799 had two parts. BS 7799 Part 1 – Code of practice for information security management – established the overall requirements for an information security program by breaking security into ten separate topic domains.

BS 7799-1 was eventually adopted as the first international standard for information security, ISO 17799:2000.

BS 7799 Part 2, entitled Information security management systems — Specification with guidance for use, was designed to allow an organization to become certified that it was following the techniques defined in Part 1 of the standard.

Within Great Britain and around Europe hundreds of organizations became certified against BS 7799. Up until 2005, if an organization wished to become “certified” it could only be done against the British Standard BS 7799.

In 2005, the International Organization for Standardization (ISO) took two important steps relating to information security. First, it updated ISO 17799:2000 and called it ISO 17799:2005. Second, it adopted Part 2 of BS 7799 and released it as ISO/IEC 27001: Information technology — Security techniques — Information security management systems — Requirements. For the first time, organizations could be certified against an ISO standard (ISO/IEC 27001, with ISO 17799:2005 as its accompanying code of practice) rather than only against BS 7799.

By definition, ISO 17799:2005 and ISO 27001 are designed to be used by any organization in any industry. However, many smaller organizations may have trouble meeting some of the requirements of an ISMS due to limited manpower and resources.

Basically, ISO 27001 sets out the requirements for how an organization can implement the security requirements of ISO 17799:2005. According to ISO 27001:

“This International Standard has been prepared to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS).” According to the Standard, an ISMS is defined as

“The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.”

In other words, the ISMS encompasses your entire information security program,including its relation to other parts of the organization.

While ISO 27001 does not provide a complete prescription for a proper information security program, it does list the various organizational functions required for certification.


eReaders: can we curl up with a book?

So that there is no confusion about what we are writing about: when we say hardware we mean what you physically hold in your hand. Some people also class the software and running applications as hardware; I do think that this is a little misleading at times, and I do believe the distinction plays an important role both when designing an eReader and when reading from one.

What do you say is the most important factor when designing an eReader? Its stylish looks with all the modern applications, its ability to connect to the world wide web, a crystal clear reading surface, black and white or colour, a look and feel that replicates a book or newspaper... the list is endless and it will be a personal choice, but there must be a bare minimum requirement for all eReader designs.

That has to be a crystal clear reading screen: you can have all the latest gadgets, but if the screen is not acceptable then you are on to a loser before you begin.

I think in the early days, when the eReader was just starting out, this was a problem, but as we all know, as technology matures these small areas get ironed out and we do not have such a problem anymore.

E Ink displays has somewhat slowed lately, with the Kindle and the Sony reader models being out for quite a while now. Things are looking up, however, with the latest announcement from E Ink trying to update the display tech in order to beat the Apple iPad.

Most noticeable features are an improvement from the standard 7:1 contrast ratio screens to the much easier on the eye 12:1 ratio – and a faster refresh rate. E Ink claims this refresh rate is fast enough to support simple animations.

So if we are starting to master the concept of the reading ability, then what else could you class as been important.

To follow are the products on the market that everybody is buying and they all have a general same design parameters.

I generally believe that it’s not what you class been important but what do you want to read and how you want to read it, Do you want to read the item on the go or do you want to read it in the comfort of your own home.

I do think that this area has reached a turning point as to what the customer perceives to what the product should be to what the designer perceives what the product should be.

 

All the above Ereaders are approximately designed the same with regards to the overall demin 8 * 5.3* 0.36 to 10.4 * 7.2 * 0.4 Inches. Weighs approximately 8 to 12 ounces some are designed with touch screen some are not the running applications are a other story, as I have mentioned within an other post.

 My main point is that the above Ereaders are designed to be small, compact, portable and are really designed for the so called on goes that are constant on the move and who require information at a press of a button.

Is there or should there be a section if you want to read in private or in the comfort of your own home, I certainly believe that there is, if I wanted to read a book or even a magazine then I would not want to read a small potable compact screen.

I do believe that these types of Ereaders are great and they do provide a great portable devices for people which require information or need to read a few pages etc, but if I wanted to curl up to a book or magazine this is not the type of environment that I would be comfortable with.

So is there an answer I generally believe that the above Ereaders are great for the purpose but I have my concerns with regards to the type of environment that this will slowly progress to, it is only matter of time before the general public will start and want to read a book or a newspapers in the comfort of they own home

The above products will not be acceptable, Why , to small and to expensive , there is a nature progression here that the eReader will be become a thing of the past and the new buss word will be Tech paper, a single sheet that will let you down load any book, newspaper or document, the size of approx the I pad where you can keep the feeling of that traditional aspect.

 


eReader File Format Matrix

(Y = format supported by the device, N = not supported)

Hardware Reader                    Plain text  PDF  ePub  HTML  MobiPocket  FictionBook  DjVu
Amazon Kindle 2, DX                Y           Y    N     N     Y           N            N
Amazon Kindle 3                    Y           Y    N     Y     Y           N            N
Android Devices                    Y           Y    Y     Y     Y           Y            Y
Apple iPad                         Y           Y    Y     Y     Y           Y            Y
Azbooka WISEreader                 Y           N    Y     Y     Y           Y            N
Barnes & Noble Nook                Y           Y    Y     N     N           N            N
Bookeen Cybook Gen3, Opus          Y           Y    Y     Y     Y           Y            N
COOL-ER Classic                    Y           Y    Y     Y     Y           Y            N
Foxit eSlick                       Y           Y    Y     N     N           N            N
Hanlin e-Reader V3                 Y           Y    Y     Y     Y           Y            Y
Hanvon WISEreader                  Y           Y    Y     Y     N           N            N
iRex iLiad                         Y           Y    Y     N     Y           N            Y
Iriver Story                       Y           Y    Y     N     N           N            Y
Kobo eReader                       N           Y    Y     N     N           N            N
Nokia N900                         Y           Y    Y     Y     Y           Y            Y
NUUTbook 2                         Y           Y    Y     N     N           N            N
OLPC XO, Sugar                     Y           Y    Y     Y     N           N            Y
Onyx Boox 60                       Y           Y    Y     Y     Y           Y            Y
Pocketbook 301 Plus, 302, 360°     Y           Y    Y     Y     Y           Y            Y
Sony Reader                        Y           Y    Y     N     N           N            N
Viewsonic VEB612                   Y           Y    Y     Y     Y           N            N

Hardware Reader                    Broadband eBook  eReader  Kindle  WOLF  Tome Raider  Open eBook
Amazon Kindle 2, DX                N                N        Y       N     N            N
Amazon Kindle 3                    N                N        Y       N     N            N
Android Devices                    N                Y        Y       N     Y            Y
Apple iPad                         N                Y        Y       N     Y            Y
Azbooka WISEreader                 N                N        N       N     N            N
Barnes & Noble Nook                N                Y        N       N     N            N
Bookeen Cybook Gen3, Opus          N                N        N       N     N            Y
COOL-ER                            N                N        N       N     N            N
Foxit eSlick                       N                Y        N       N     N            N
Hanlin e-Reader V3                 N                N        N       Y     N            N
Hanvon WISEreader                  N                N        N       N     N            N
iRex iLiad                         N                N        N       N     N            N
Iriver Story                       N                N        N       N     N            N
Kobo eReader                       N                N        N       N     N            N
Nokia N900                         N                N        N       N     N            Y
NUUTbook 2                         N                N        N       N     N            N
OLPC XO, Sugar                     N                N        N       N     N            N
Onyx Boox 60                       N                N        N       N     N            N
Pocketbook 301 Plus, 302, 360°     N                N        N       N     N            N
Sony Reader                        Y                N        N       N     N            N
Viewsonic VEB612                   N                N        N       N     N            N

 

The above is a simple matrix that will tell you which file format is supported by which device. This is for reference only; it gives a guide to what is available at the time of writing, and I am sure it will change as things progress.

The main point is that if you look at the matrix there are so many different types for each device that it's getting to a point where we need to try to break it down to no more than 2 or 3 file types, so that a platform can be designed to help all parties concerned.


eReaders: software, files and formats

I have often wondered why it can be so confusing to read a book through an eReader or any other reading format. All we want to do is read books, magazines and soon newspapers, so why is it so confusing with regards to which format and file type to use?

Below are the bare basics that you should understand before you purchase an eReader. We must also try to remember that just because you are reading from a screen, it does not mean that you are eReading.

To understand this subject it should be broken down into two areas, software and hardware (hardware will be posted soon).

So let's take a look at the software first.

Which software?

That depends on the format, or file type, in which the e-book is presented. So in that sense the choice may be fixed, but you may also have additional software options available to enhance your reading experience.

A limitation with e-books at present is that in many cases the reader – either human or electronic – cannot simply convert file formats to other file formats. Therefore if an e-book is not offered in a format type that you have e-reader software already installed for, you may not be able to read it at all. Or you may need to obtain extra software first. Most e-reader software is available free however, and even the kinds you have to buy are usually not expensive.

It is important, though, that you be well aware of software issues before you purchase any e-books, or even try to read free ones. The information below will help you understand these issues. In addition, links are provided so you can obtain a variety of (mostly free) e-reader software.

Format Issues?
The existence of different file formats has both good and bad features. Examples of the good are that particular formats may have various advantages suitable to particular types or styles of books (e.g. novels, textbooks or illustrated children’s books). As well, their rivalry stimulates the development of better software overall.

However, as frequently happens with new technology, the issue has also become a problem, as a result of intense competing commercial pressures. The biggest difficulty is caused by the failure of the players in the field to agree on common underlying standards, or to arrange for the inter-convertibility of formats for books that are commercially available (in so far as this could be possible).

There are several scenarios that might eventually resolve these difficulties. For example all or most e-books could be offered in multiple formats (many e-booksellers offer at least two or three at present). Alternatively, everyone could agree to use one particular format (the emergence of the ePub format may be a step in this direction). Or again, just one format – or a very few formats – could emerge as dominant in the marketplace. Or lastly, a technical & commercial mechanism could be established to facilitate the easy inter-convertibility of various formats through a trusted intermediary. The new Epub format mentioned above offers a potential platform for such a mechanism.

While some major corporations are still hoping that their own product will win out over all others, there are also at present trends in e-publishing towards the first and fourth solutions. Viewed historically, e-books are still in their infancy, so it is too early to predict with any confidence what the final outcome will be.

HTML or plain text

If an e-book is offered in HTML, or plain text, you will be able to read it immediately with your web browser on your personal desktop or laptop computer. There is also extra software available to read it outside your browser (but still on your computer) in a more book-like experience, with additional features that a printed book can never offer. Examples are the ability to change the font size or style, or even the background texture, hyperlinks in the text (so you can jump straight to selected locations in the text or even on the Web), the ability to search the text in various ways, and an inbuilt dictionary.

You can also read HTML book files on various handheld devices that are equipped with modified web browsers, or various other e-reader software. Or you may be able to add such software to them. Check the information that comes with your device.

Adobe PDF, Microsoft Reader or eReader (Palm) formats

If an e-book is offered in a format other than HTML or plain text, such as Adobe PDF, Microsoft Reader or eReader (Palm) formats, you must first download and install particular (free) software on your computer or handheld device in order to read the book.

In some cases, computer users will already have at least one of these installed on their PC. Most commonly this will be some version of the Adobe Reader for .pdf files. Meanwhile, many handheld devices do come with some variety of e-reader software pre-installed, or supplied for installation.

Just because you have a particular operating system on your device, this does not mean that all e-books that seem to come from an “opposing” system cannot be read. For example you can read eReader (Palm) format e-books on a Windows or Mac PC, or on a (Windows) Pocket PC. Similarly you can read PDF format e-books on a Palm, PocketPC or Symbian OS device. However, in such cases you must first install the appropriate e-reader software to make this possible.

What if there is e-reader software already installed on my device?

Some devices have proprietary e-reader software already installed, or reserved to the buyer for individual installation. You need to know the implications of this, as explained below:

a) Where the software is the only one the device will allow – for example with the Kindle devices – the only books you will be able to read on the device are those that are offered in that format. So there you need to be careful, as if the books you want aren't offered, or the companies that support the e-reader stop offering books in that format, the device may not be of so much use to you.

b) Sometimes a device may have its own proprietary format reader installed, but also allow you to install another type of e-reader software. For example the Franklin eBookman has its own Franklin Reader with a limited variety of books available, but you can also install Mobipocket Reader on it, which allows you to read a much larger variety of books.

c) Some handhelds may not come with any particular e-reader software, but may allow you to install one (or more) of your own choice. Or they may include one of the more popular ones, but allow you to uninstall it and add another instead.

As you can see from the above, it can get a bit confusing with regards to all the different types of files and formats, but, as mentioned in the section above, the introduction of ePub has got to be the way forward towards a standard reading platform.

My last comment is a very simple one: I wish that they could just leave the software designers to design the software applications, but also leave the hardware designers to design the hardware, i.e. what we physically hold in our hands to read the item. Because at times it seems that they want to redesign the whole wheel and not just an eReader.


ESR 2000 Data Protection

Data Protection

5.—(1) A certification-service-provider who issues a certificate to the public and to whom this paragraph applies in accordance with paragraph (6) below—

(a) shall not obtain personal data for the purpose of issuing or maintaining that certificate otherwise than directly from the data subject or after the explicit consent of the data subject, and

(b) shall not process the personal data referred to in sub-paragraph (a) above—

(i) to a greater extent than is necessary for the purpose of issuing or maintaining that certificate, or

(ii) to a greater extent than is necessary for any other purpose to which the data subject has explicitly consented,

unless the processing is necessary for compliance with any legal obligation, to which the certification-service-provider is subject, other than an obligation imposed by contract.

(2) The obligation to comply with paragraph (1) above shall be a duty owed to any data subject who may be affected by a contravention of paragraph (1).

(3) Where a duty is owed by virtue of paragraph (2) above to any data subject, any breach of that duty which causes that data subject to sustain loss or damage shall be actionable by him.

(4) Compliance with paragraph (1) above shall also be enforceable by civil proceedings brought by the Crown for an injunction or for an interdict or for any other appropriate relief or remedy.

(5) Paragraph (4) above shall not prejudice any right that a data subject may have by virtue of paragraph (3) above to bring civil proceedings for the contravention or apprehended contravention of paragraph (1) above.

(6) Paragraph (1) above applies to a certification-service-provider in respect of personal data only if the certification-service-provider is established in the United Kingdom and the personal data are processed in the context of that establishment.

(7) For the purposes of paragraph (6) above, each of the following is to be treated as established in the United Kingdom—

(a) an individual who is ordinarily resident in the United Kingdom,

(b) a body incorporated under the law of, or in any part of, the United Kingdom,

(c) a partnership or other unincorporated association formed under the law of any part of the United Kingdom, and

(d) any person who does not fall within sub-paragraph (a), (b) or (c) above but maintains in the United Kingdom—

(i) an office, branch or agency through which he carries on any activity, or

(ii) a regular practice.

(8) In this regulation—

“data subject” and “personal data” and “processing” shall have the same meanings as in section 1(1) of the Data Protection Act 1998(1), and

“obtain” shall bear the same interpretation as “obtaining” in section 1(2) of the Data Protection Act 1998.