Kwo-Jean Farn
National Chiao Tung University
Publication
Featured research published by Kwo-Jean Farn.
Computer Standards & Interfaces | 2004
Kwo-Jean Farn; Shu-Kuo Lin; Andrew Ren-Wei Fung
The security of an information system is like a chain. Its strength is affected by the weakest knot. Since we can achieve 100% Information Security Management System (ISMS) security, we must cautiously fulfill the certification and accreditation of information security. In this paper, we analyzed and studied the evaluation knowledge and skills required for auditing the certification procedures for the three aspects of ISMS—asset, threat, and vulnerability.
Computer Standards & Interfaces | 2003
Andrew Ren-Wei Fung; Kwo-Jean Farn; Abe C. Lin
Current reliable strategies for information security are all chosen using incomplete information. With standards, problems resulting from incomplete information can be reduced, since with standards, we can decrease the choices and simplify the process for reliable supply and demand decision making. This paper is to study the certification of information security management systems based on specifications promulgated by the Bureau of Standards, Metrology and Inspection (BSMI), Ministry of Economic Affairs in accordance with international standards and their related organizations. And we suggest a certification requirement concept for five different levels of “Information and Communication Security Protection System” in our country, the Republic of China, Taiwan.
international conference on hybrid information technology | 2008
Ya-Ping Fu; Kwo-Jean Farn; Chung-Huang Yang
The development of the Internet has elicited the importance of information security. For national information security, other than provision and release of information security protection messages, critical infrastructure information protection (CIIP) has also become part of the overall network security. How to integrate the related information security data for industries and establish the integrative monitoring and analytical platform is the first priority in Taiwan. Hence, the establishment of the Information Sharing and Analysis Center (ISAC) for critical infrastructures has become the most important topic at present. The ISAC establishment places the greatest emphasis on information exchange and analysis so that there must be a unified standard for the exchange format and operation. Because the differences between critical infrastructures are quite large and the sources of the workflow processes and threats are not quite the same, a public tool is required for such establishment. This research discusses how to use the Consultative Objective Risk Analysis System (CORAS) to establish an ISAC of critical infrastructures and takes a telecom company as an example to simulate episodes of possible risks that might occur and to discuss how it functions, how it is established, and how it handles risks.
International Journal of Network Security | 2014
Chien-Cheng Huang; Kwo-Jean Farn; Frank Yeong-Sung Lin
The international standard of information security risk management (ISO/IEC 27005:2011(E)) adopts an iterative approach and risk assessment methodology of information security incident scenarios analyses, applying the principle of 80/20 to calculate, and therefore should be able to save cost and to increase its effectiveness. On such a basis, we propose a rigorous and systematic approach to addressing related implementation issues involved in employing such an information security risk assessment standard, and use the chlorine processing system in a water treatment plant as an example to fully demonstrate the effectiveness of the proposed method. In particular, we would discuss the is/ought side of ISO/IEC 27005:2011(E), respectively. Moreover, an implementation of information security risk assessment is carried out.
international conference on parallel and distributed systems | 1994
Chiung-San Lee; Tai-Ming Parng; Jew-Chin Lee; Cheng-Nan Tsai; Kwo-Jean Farn
This paper presents the performance modelling and evaluation of a shared bus multiprocessor, XMP. A key characteristic of XMP is that it employs a special shared bus scheme featuring separate address bus and data bus with split transaction, pipelined cycle (called SSTP scheme). To assist evaluating the architectural alternatives of XMP, the features of the SSTP bus scheme as well as two important performance impacting factors: (1) cache, bus, and memory interferences and (2) DMA transfer, are modelled. We employ a Subsystem Access Time (SAT) modelling methodology. It is based on a Subsystem Access Time Per Instruction (SATPI) concept, in which we treat major components other than processors (e.g. off-chip cache, bus, memory, I/O) as subsystems and model for each of them the mean access time per instruction from each processor. Validated by statistical simulations, the performance model is fed with a given set of representative workload parameters, and then used to conduct performance evaluation for some initial system design issues. Furthermore, the SATPIs of the subsystems are directly utilized to identify the bottleneck subsystems and to help analyze the cause of the bottleneck.
International Journal of Network Security | 2016
Chien-Cheng Huang; Kwo-Jean Farn
The promotion of Information Security Governance (ISG) has become an important factor in the implementation of e-government and information security management within the “National Information and Communications Technology Security Development Program (2009~2012)” in continuing the “Plan for Establishment of Information and Communication Technology Infrastructure Security Mechanism (2001~2008)” in Taiwan; in July 2013, the working outline of the project was adjusted. And, it was asked all departments of Executive Yuan and local government to process aggressively by regulation on December 25, 2013. This study examines information security development program, and strategies for meeting e-government and information security management requirements within the implementation of information security development programs through information security management systems (ISMS). Moreover, an action program for improved ISMS performance, using an approach combining ISG and ISMS, is proposed. Based on this, this research employs history analysis and in-depth interview methodologies to develop insights into e-Taiwan information security management. Furthermore, the research objective is to examine the relevance between the execution of e-government and information security management framework and ISMS implementation by using the ISG project approach.
intelligence and security informatics | 2008
Kwo-Jean Farn; Shu-Kuo Lin; Kuo-Sui Lin; Chung-Huang Yang
A critical infrastructure (CI) consists of those physical and information technology facilities, networks, services and assets which, if disrupted or destroyed, have a serious impact on the health, safety, security or economic well-being of citizens or the effective functioning of governments. Nowadays, the operation controls of these infrastructures have been computerized and have gradually become open systems. The malfunction controls of the information technology (IT) have been one of the focuses in the researches of information security management in industrial control system (ICS). In this paper we discuss the IT malfunction of ICS security incidents which occurred in Taiwan, and explore the details of the controls for CI.
Computer Standards & Interfaces | 2008
Kwo-Jean Farn; Shu-Kuo Lin; Chi-Chun Lo
international conference on parallel and distributed systems | 2011
Chien-Cheng Huang; Kwo-Jean Farn; Frank Yeong-Sung Lin
Applied Mathematics & Information Sciences | 2013
Chien-Cheng Huang; Kwo-Jean Farn; Feng-Yu Lin; Frank Yeong-Sung Lin