Publication


Featured research published by Eric Grandry.


enterprise distributed object computing | 2013

Conceptual Integration of Enterprise Architecture Management and Security Risk Management

Eric Grandry; Christophe Feltus; Eric Dubois

Enterprise Architecture Management (EAM) is considered to provide the mechanism for, amongst others, governing enterprise transformations required by changes in the environment. In this paper, we focus on changes that result from the analysis of information security risks and of their impacts on the services delivered by an enterprise. We present how the concepts of an information system security risks management domain can be mapped into the ArchiMate enterprise architecture modeling language. We illustrate the application of the proposed approach through the handling of a lab case.


computer software and applications conference | 2009

Towards a Design Method Supporting the Alignment between Business and Software Services

Sophie Ramel; Eric Grandry; Eric Dubois

This paper proposes and illustrates an approach to identify and specify requirements on information-based business services and their associated derived software services. The approach proposes first to identify business services by modeling business requirements using the goal oriented modeling notation i*. Then, in a second phase, the identified services are refined according to these requirements using UML activity and class diagrams. This specification is based on a method and a supporting toolset, called Efficient. The approach is illustrated through the handling of a case study in the tourism sector.


conference on advanced information systems engineering | 2015

Towards the ENTRI Framework: Security Risk Management Enhanced by the Use of Enterprise Architectures

Nicolas Mayer; Eric Grandry; Christophe Feltus; Elio Goettelmann

Secure information systems engineering is currently a critical but complex concern. Risk management has become a standard approach to deal with the necessary trade-offs between expected security level and control cost. However, with the current interconnection between information systems combined with the increasing regulation and compliance requirements, it is more and more difficult to achieve real information security governance. Given that risk management is not able to deal with this complexity alone, we claim that a connection with Enterprise Architecture Management (EAM) contributes in addressing the above challenges, thereby sustaining governance and compliance in organisations. In this paper, we motivate the added value of EAM to improve security risk management and propose a research agenda towards a complete framework integrating both domains.


european conference on software process improvement | 2013

Sector-Based Improvement of the Information Security Risk Management Process in the Context of Telecommunications Regulation

Nicolas Mayer; Jocelyn Aubert; Hervé Cholez; Eric Grandry

The current European regulation on public communications networks requires today that Telecommunications Service Providers (TSPs) take appropriate technical and organizational measures to manage the risks posed to security of networks and services. However, a key issue in this process is the risk identification activity, which roughly consists in defining what are the relevant risks regarding the business operated and the architecture in place. The same problem appears when selecting relevant security controls. The research question discussed in this paper is: how to adapt generic Information Security Risk Management (ISRM) process and practices to the telecommunications sector? To answer this research question, a four-step research method has been established and is presented in this paper. The outcome is an improved ISRM process in the context of the telecommunications regulation.


ServiceWave '08 Proceedings of the 1st European Conference on Towards a Service-Based Internet | 2008

Managing the Alignment between Business and Software Services Requirements from a Capability Model Perspective

Eric Grandry; Eric Dubois; Michel Picard; André Rifaut

In this paper we introduce a framework for capturing and managing the requirements associated with the non-functional part of the services like service management, security management, assurance, for which norms, recommendations and good practices exist. The proposed framework considers these service requirements both from a business and a software perspective. The elicitation, the capture and the traceability issues related to these requirements are solved with goal-oriented requirements engineering techniques, while the structuring and the assessment of the requirements is based on the ISO/IEC-15504 standard. The overall framework is illustrated with a business case run by our research centre in a public/private partnership. It is associated with the design of project management services delivered through a portal and is focusing on the services management requirements in relation with the IT service management ISO/IEC 20000 norm.


the practice of enterprise modeling | 2016

An Integrated Conceptual Model for Information System Security Risk Management and Enterprise Architecture Management Based on TOGAF

Nicolas Mayer; Jocelyn Aubert; Eric Grandry; Christophe Feltus

Risk management is today a major steering tool for any organization wanting to deal with Information System (IS) security. However, IS Security Risk Management (ISSRM) remains difficult to establish and maintain, mainly in a context of multi-regulations with complex and inter-connected IS. We claim that a connection with Enterprise Architecture Management (EAM) contributes to deal with these issues. According to our research agenda, a first step towards a better integration of both domains is to define an EAM-ISSRM conceptual integrated model. To build such a model, we will improve the ISSRM domain model, a conceptual model depicting the domain of ISSRM, with the concepts of EAM. The contribution of this paper is focused on the improvement of the ISSRM domain model with the concepts of TOGAF, a well-known EAM standard.


Software and Systems Modeling | 2018

An integrated conceptual model for information system security risk management supported by enterprise architecture management

Nicolas Mayer; Jocelyn Aubert; Eric Grandry; Christophe Feltus; Elio Goettelmann; Roel Wieringa

Risk management is today a major steering tool for any organisation wanting to deal with information system (IS) security. However, IS security risk management (ISSRM) remains a difficult process to establish and maintain, mainly in a context of multi-regulations with complex and inter-connected IS. We claim that a connection with enterprise architecture management (EAM) contributes to deal with these issues. A first step towards a better integration of both domains is to define an integrated EAM-ISSRM conceptual model. This paper is about the elaboration and validation of this model. To do so, we improve an existing ISSRM domain model, i.e. a conceptual model depicting the domain of ISSRM, with the concepts of EAM. The validation of the EAM-ISSRM integrated model is then performed with the help of a validation group assessing the utility and usability of the model.


international conference on model-driven engineering and software development | 2017

Model-Driven Approach for Privacy Management in Business Ecosystem

Christophe Feltus; Eric Grandry; Thomas Kupper; Jean-Noël Colin

Protection of individuals with regard to the processing of personal data and the free movement of such data constitutes new challenges in terms of privacy management. Although this privacy management ought to be conducted in compliance with national and international regulation, for now we observe that no solution, model or method fully considers and integrates these new regulations yet. Therefore, in this paper, we propose to tackle this problem through the definition of an expressive privacy metamodel which aims to represent and aggregate the concepts that are relevant to define and to deal with privacy issues, at an organizational level. Secondly, we discuss how this privacy metamodel may support and may help in understanding the management of privacy in enterprises involved in interconnected societies, by integrating the privacy metamodel with the systemic business ecosystem.


Complex Systems Informatics and Modeling Quarterly (CSIMQ) | 2017

Capability-Driven Design of Business Service Ecosystem to Support Risk Governance in Regulatory Ecosystems

Christophe Feltus; Eric Grandry; François-Xavier Fontaine

Risk-based regulation and risk governance gain momentum in most sectorial ecosystems, be they the finance, the healthcare or the telecommunications ecosystems. Although there is a profusion of tools to address this issue at the corporate level, it is worth noting that no solution fulfils this function at the ecosystem level yet. Therefore, in this article, the Business Service Ecosystem (BSE) metamodel is semantically extended, considering the Capability as a Service (CaaS) theory, in order to raise the enterprise risk management from the enterprise level up to the ecosystem level. This extension allows defining a concrete ecosystem metamodel which is afterwards mapped with an information system risk management model to support risk governance at the ecosystem level. This mapping is illustrated and validated on the basis of an application case for the Luxembourgish financial sector applied to the most important concepts from the BSE: capability, resource, service and goal.


conference on advanced information systems engineering | 2015

Towards Systemic Risk Management in the Frame of Business Service Ecosystem

Christophe Feltus; François-Xavier Fontaine; Eric Grandry

Ecosystems gather enterprises which collaborate to achieve a common systemic goal like guaranteeing the national healthcare, the telecommunication, or the financial stability. These systems are governed by regulators that supervise the services provided at the ecosystem level using systemic capabilities and resources. In the same way at the enterprise level, risk management at the ecosystem level is a paramount activity for the stability of the targeted sector. This paper proposes a metamodel for modelling the ecosystem capabilities and resources, a risk management approach based on this metamodel, and an ArchiMate extension language to sustain the systemic risk management. The approach is illustrated with a real case study from the Luxembourgish financial market.
