Publications (9)

15. 4. 2022.

For many companies the continuous operation and maintenance of custom software is business-critical, so they want assurance that this continues even if the software licensor can no longer operate, for example because of bankruptcy. The simplest safeguard for the licensee is to hold a copy of the current source code, refreshed with every release. Software developers are understandably reluctant to hand their proprietary source code to a customer: the source code is usually a developer's most significant asset and may embody valuable trade secrets. One way a developer can satisfy a client that demands access to the source code is a three-party source code escrow agreement. Under such an agreement the developer deposits a copy of the source code and its documentation with a neutral third party (the escrow agent) for safekeeping. The agent releases the source code to the licensee only when a release condition defined in the contract occurs, such as the developer's bankruptcy. This keeps the developer's source code confidential while, in theory, giving the licensee access to it when it is genuinely needed. In this paper we introduce the concept of the software escrow agreement.

Personal health information is widely regarded as among the most confidential of all categories of personal information. The European Court of Human Rights has issued a large number of judgments against European states for violating the right to privacy by failing to protect citizens' medical records and the confidential data they contain. Many national data protection laws, as well as the EU Data Protection Directive, require the data controller to implement appropriate technical and organisational measures to protect personal data. Personal health information is treated as a special category of personal data, for which data protection rules demand an additional level of protection. Given the increasing automated processing of medical data by information systems, this paper examines the protection of personal health information and the current state of that protection in Bosnia and Herzegovina.

Critical Information Infrastructure Protection (CIIP) is one of the key priorities of the European Union. Heavy dependence on critical information infrastructures, their cross-border interconnection, their interdependencies with other infrastructures, and the vulnerabilities and threats to which they are exposed all increase the need to address their security and resilience systematically. There are numerous new EU initiatives in this area: regulation of the security and integrity of public communications networks, measures addressing the security of European critical infrastructure operators, a redefined CIIP role for the European Network and Information Security Agency (ENISA), harmonisation of criminal legislation on cybercrime, funding for relevant research and development in the EU, and others. CIIP is a global issue that affects developed and developing countries alike, and developing countries pose a challenge that cannot be ignored without risk to global cyber security. The main objective of this paper is to present the results of an initial assessment of the national preparedness of Bosnia and Herzegovina for risk management of critical information infrastructure, based on the ENISA methodology, and to give an overview of information security legislation in Bosnia and Herzegovina.

Modern societies are highly dependent on information technology (IT) and therefore on IT professionals. Many practitioners in the IT field have no formal engineering education, and many hold other (or no) college degrees. Unfortunately, even many of those who have completed engineering studies are unfamiliar with questions of professionalism and ethics. IT professionals build many of the business systems of today's digital economy, but they also build, implement and maintain critical systems: systems whose failure to operate correctly could result in physical injury, loss of life or catastrophic economic damage. The public entrusts IT professionals with a high level of responsibility because the systems they design, implement and maintain affect the public directly and indirectly. IT professionals must therefore exercise the utmost conscientiousness in the design, implementation and maintenance of IT systems, and should understand the responsibilities that come with professional IT practice.

ISACA JOURNAL VOLUME 2, 2012. Government and commercial organizations rely heavily on information to conduct their business activities. Loss of confidentiality, integrity, availability, accountability, authenticity or reliability of information and services can have an adverse impact on an organization. Consequently, there is a critical need to protect information and to manage the security of IT systems within organizations. Alongside significant benefits, every new technology introduces new challenges for protecting this information. The requirement to protect information is particularly pressing today because many organizations are internally and externally connected through networks of IT systems.[1] IT systems are prone to failure and security violations because of errors and vulnerabilities, which can stem from many factors: rapidly changing technology, human error, poor requirement specifications, poor development processes or underestimation of the threat. In addition, system modifications, new flaws and new attacks are introduced continually, which adds vulnerabilities, failures and security violations throughout the IT system life cycle.[2] The industry has come to realize that it is almost impossible to guarantee an error-free, risk-free and secure IT system, given the imperfection of security mechanisms, human error or oversight, and component or equipment failure.[3] Completely secure IT systems do not exist; there are only systems in whose satisfaction of security needs the owners have varying degrees of confidence.[4] Moreover, many information systems were never designed to be secure.
The security that can be achieved through technical means is limited and must be supported by appropriate management and procedures.[5] The task of IT security (ITS) engineering and management is to manage security risk by mitigating vulnerabilities and threats with technological and organizational security measures, so as to achieve an IT system with acceptable assurance. ITS management has the additional task of establishing the acceptable assurance and risk objectives. In this way the stakeholders of an IT system gain reasonable confidence that the system performs as intended or claimed, with acceptable risk and within budget.[6] ISO/IEC TR 15443, Information technology—Security techniques—A framework for IT security assurance, is a multipart technical report intended to guide ITS professionals in selecting an appropriate assurance method when specifying, selecting or deploying a security service, product or environmental factor (collectively called a "deliverable").[7] The objective of ISO/IEC TR 15443 is to present a variety of assurance methods and to guide the ITS professional in selecting an appropriate method (or combination of methods) to gain confidence that a given IT system satisfies its stated ITS assurance requirements. ISO/IEC TR 15443 analyzes assurance methods that are not necessarily unique to ITS; however, the guidance in the report is limited to ITS requirements. This article introduces the fundamental concepts of ITS assurance as set out in ISO/IEC TR 15443.

ISACA JOURNAL VOLUME 2, 2011. Organizations judge business success in various ways. In the public sector, one success criterion is the quality of service to citizens; in the private sector, growth of market share is a common measure. In all sectors, a precondition for success is that the business keeps functioning in the face of fire, flood and other disasters. The discipline that ensures the business can continue is business continuity management (BCM).[1] In most organizations, the processes that deliver products and services depend on information and communication technology (ICT). Disruptions to ICT can therefore constitute a strategic risk, damaging the organization's ability to operate and undermining its reputation. The consequences of a disruptive incident vary, can be far-reaching and may not be obvious at the time of the incident. In 2008 the British Standards Institution (BSI) released BS 25777:2008, Information and Communications Technology Continuity Management: Code of Practice, to help organizations plan and implement an ICT continuity strategy. BS 25777 gives recommendations for ICT continuity management within the BCM framework provided by BS 25999-1:2006, Business Continuity Management: Code of Practice. This article introduces the key elements of ICT continuity as described in BS 25777.
