Frederick Yip
University of New South Wales
Publication
Featured research published by Frederick Yip.
enterprise distributed object computing | 2007
Frederick Yip; Alfred Ka Yiu Wong; Nandan Parameswaran; Pradeep Ray
Compliance management (CM) is the management process that an organization implements to ensure organizational compliance with relevant requirements and expectations. It is a continual, manual and labor-intensive process that has proved to be a great challenge for many organizations. CM affects almost every aspect of an organization and is by nature a complex problem due to the voluminous knowledge and data involved. In our attempts to automate and simplify compliance, we propose and examine a semantic rule-based approach for modeling compliance knowledge with the use of semantic Web rules (SWRL) and Web ontology language (OWL). We study the use of an exception handling approach to create a more robust rule base to deal with data incompleteness in the semantic Web.
network operations and management symposium | 2006
Frederick Yip; Alfred Ka Yiu Wong; Pradeep Ray; Nandan Paramesh
Organizations often have to audit and assess their information system security as a corporate compliance process based on a range of standards. The growing number of security standards such as CobiT, ISO17799 and BSI raises the potential interoperability problem in a heterogeneous environment. Often different standards are needed to satisfy different regional regulatory and obligatory requirements. In this paper, we present an ontology based approach to deal with the interoperability problem
2006 IEEE/IFIP Business Driven IT Management | 2006
Frederick Yip; Pradeep Ray; Nandan Paramesh
Corporate enterprises are facing increased requirements to fulfill different regulations. Requirements such as routine compliance with security standards can provide risk mitigation and process performance benefits. However, compliance management is a manual and labor-intensive process and creates additional overheads for any business. To make matters worse, the growing number and constant changes of security standards such as CobiT and ISO17799 contribute to increased complexity. This paper presents XISSF, an extensible information security specification format that acts as a compliance audit mechanism for enforcing business rules and information security policies, a mechanism designed to alleviate the routine and manual task of compliance auditing and assessment as well as increasing the accuracy of audit results. The notion of checkpoints is subsequently introduced and modeled in high level finite state machines in this paper.
enterprise distributed object computing | 2007
Frederick Yip; Alfred Ka Yiu Wong; Nandan Parameswaran; Pradeep Ray
Compliance management (CM) is the management process that an organization implements to ensure organizational compliance with relevant requirements and expectations. Compliance auditing (CA) is a child-process of CM where compliance rules and policies are individually checked against the organization to determine the level of compliance achieved by the organization. In this paper, we arrange organizational knowledge and facts within OWL ontologies and model compliance rules as adaptive semantic-based rules for compliance audit automation. We study the issues of uncertainty and inconsistency in compliance and propose an adaptive human-like strategy for mimicking conventional compliance auditing.
network operations and management symposium | 2006
Simon G. Brown; Frederick Yip
The successful creation of an information security architecture relies heavily on the availability of expert knowledge, adherence to methodology, and the successful application of relevant tools. In this paper, we describe the beginnings of an attempt to unify a security methodology with the concept of design patterns. To further this aim, we describe the hierarchical and interdependent application of a pattern description system, and describe the concrete implementation of that system as an XML dialect, the security architecture description language (SADL). Limitations are discussed and proposals for future work are also considered.
ieee international conference on e-technology, e-commerce and e-service | 2005
William Wu; Frederick Yip; Eunice Yiu; Pradeep Ray
The number of vulnerabilities in enterprise networks has greatly increased recently as seen from frequent vulnerability reports from organizations, such as Microsoft and the CERT. Researchers in a number of organizations are currently working to develop and deploy frameworks to comprehensively manage these network vulnerabilities. This paper examines the existing attempts to solve this problem and the gaps in the existing methodologies. The paper presents our proposed integrated vulnerability management (IVM) framework based on open software standards.
Computing and Informatics / Computers and Artificial Intelligence | 2008
Alfred Ka Yiu Wong; Frederick Yip; Pradeep Ray; Nandan Paramesh
IEEE Internet Computing | 2008
Frederick Yip; Alfred Ka Yiu Wong; Nandan Parameswaran; Pradeep Ray
IEEE Internet Computing | 2009
Frederick Yip; Alfred Ka Yiu Wong; Nandan Parameswaran; Pradeep Ray