Nicolas Mayer
Citigroup
Publications
Featured research published by Nicolas Mayer.
Intentional Perspectives on Information Systems Engineering | 2010
Eric Dubois; Patrick Heymans; Nicolas Mayer; Raimundas Matulevičius
Today, security concerns are at the heart of information systems, both at technological and organizational levels. With over 200 practitioner-oriented risk management methods and several academic security modelling frameworks available, a major challenge is to select the most suitable approach. Choice is made even more difficult by the absence of a real understanding of the security risk management domain and its ontology of related concepts. This chapter contributes to the emergence of such an ontology. It proposes and applies a rigorous approach to build an ontology, or domain model, of information system security risk management. The proposed domain model can then be used to compare, select or otherwise improve security risk management methods.
Availability, Reliability and Security | 2008
Raimundas Matulevičius; Nicolas Mayer; Patrick Heymans
It is recognised that security has to be addressed through the whole system development process. However, current practices address security only in late stages, i.e., development or maintenance. Due to the success of UML use cases, misuse cases have been accepted by industry as a means to tackle security. However, misuse cases, firstly, lack a precise application process and, secondly, are too general, which results in under-definition or misinterpretation of their concepts. In this paper we examine misuse cases in the light of a reference model for information system security risk management (ISSRM). Using the well-known meeting scheduler example, we show how misuse cases can be used to follow a security risk management process. Next we check the misuse case ontology against the concepts found in current risk management standards. The paper suggests improvements for the conceptual appropriateness of misuse cases for the security risk domain.
International Conference on Software Process Improvement and Capability Determination | 2014
Stéphane Cortina; Nicolas Mayer; Alain Renault; Béatrix Barafort
Certification to management system standards is more and more attractive for organisations, and many companies are today certified according to several of them (e.g., ISO 9001, ISO 14001, ISO/IEC 27001, etc.). However, in this case, it is a remaining challenge to optimise the system in place by mutualising as much as possible the different processes required by the various management systems, and thus improving the integrated overall system. In order to fill this gap, this paper presents how a process assessment model for management system standards has been built. It is based on the High Level Structure proposed by ISO, which defines a set of common requirements for management system standards. This process assessment model will provide the core content and could be the basis of all the future process assessment models that will be developed to assess domain-specific management systems.
European Conference on Software Process Improvement | 2015
Nicolas Mayer; Béatrix Barafort; Michel Picard; Stéphane Cortina
GRC (Governance, Risk and Compliance) is an umbrella acronym covering the three disciplines of governance, risk management and compliance. The main challenge behind this concept is the integration of these three areas, generally dealt with in silos. At the IT level (IT GRC), some research works have been proposed towards integration. However, the sources used for the construction of the resulting models are generally mixing formal standards, de facto standards arising from industrial consortia, and research results. In this paper, we specifically focus on defining an ISO compliant IT GRC integrated model, ISO standards representing by nature an international consensus. To do so, we analyse the ISO standards related to the GRC field and propose a way of integration. The result of this paper is an ISO compliant integrated model for IT GRC, aiming at improving the efficiency when dealing with the three disciplines together.
Software and Systems Modeling | 2018
Nicolas Mayer; Jocelyn Aubert; Eric Grandry; Christophe Feltus; Elio Goettelmann; Roel Wieringa
Risk management is today a major steering tool for any organisation wanting to deal with information system (IS) security. However, IS security risk management (ISSRM) remains a difficult process to establish and maintain, mainly in a context of multiple regulations with complex and inter-connected IS. We claim that a connection with enterprise architecture management (EAM) contributes to dealing with these issues. A first step towards a better integration of both domains is to define an integrated EAM-ISSRM conceptual model. This paper is about the elaboration and validation of this model. To do so, we improve an existing ISSRM domain model, i.e. a conceptual model depicting the domain of ISSRM, with the concepts of EAM. The validation of the EAM-ISSRM integrated model is then performed with the help of a validation group assessing the utility and usability of the model.
International Conference on Software Process Improvement and Capability Determination | 2017
Mikhel Vunk; Nicolas Mayer; Raimundas Matulevičius
Enterprises have come to understand that information technology (IT) is more than just a technical issue. Domains such as IT governance, risk management and compliance (GRC) have been established to steer it. Though there have been some improvements, these domains are usually considered separately, so less business value is created due to the complexity of the process flows. There have been few attempts to integrate all three aspects; however, this was done using a domain-specific standard and without taking into account the existing state of the art. In this paper, we conduct a systematic literature review to understand the processes, roles, strategies, and technologies of IT GRC as well as their integration. Based on the results of the review, we propose an assessment framework, which could guide evaluation of the enterprise’s IT GRC concerns.
Availability, Reliability and Security | 2016
Yannick Naudet; Nicolas Mayer; Christophe Feltus
Risk management in the field of information security is most often handled individually by enterprises, taking only a limited view of the influential factors coming from their providers, clients or, more globally, from their environment. This approach becomes less appropriate in the case of networked enterprises, which tend to form ecosystems with complex influence links. A more holistic approach is needed to take these into account, leading to systemic risk management, i.e. risk management on the entire system formed by the networked enterprises, to avoid perturbations of the ecosystem due to local, individual decision-making. In this paper, we propose a new meta-model for Information System Security Risk Management (ISSRM), comprising systemic elements as defined in the General Systems Theory. We discuss the design of this new model, highlighting in particular how risk management can be related to a problem-solving approach and the important concepts that are instantiated when taking a systemic approach to ISSRM.
International Conference on Software Process Improvement and Capability Determination | 2013
Olivier Mangin; Nicolas Mayer; Béatrix Barafort; Patrick Heymans; Eric Dubois
During the design of a Process Reference Model (PRM), the modeler needs to describe processes. According to ISO/IEC 15504-2, each process shall be described in terms of a process purpose and process outcomes. The process purpose is “the high level measurable objectives of performing the process and the likely outcomes of effective implementation of the process”. A process outcome is “an observable result of a process”. The set of process outcomes shall be necessary and sufficient to achieve the purpose of the process. However, no method exists as ISO proposes requirements and guidelines (respectively in ISO/IEC 15504-2 and ISO/IEC 24774 for process description) for developing process models. So there is a need to support the development of a process model and the verification of the completeness of the process outcomes in the context of process design. This article proposes a structured approach to answer this challenge based on business process management and requirements engineering principles. We especially consider the use of both the transformative view and coordination view of a process to support the design and the validation of PRM processes based on a collection of requirements.
Ingénierie Des Systèmes D'information | 2008
Nicolas Mayer; Eric Dubois; Patrick Heymans; Raimundas Matulevičius
Within organisations, information system security is more and more often tackled with the help of risk management approaches. However, these approaches are, on the one hand, not well suited to being applied to information system development and, on the other hand, the products coming from the different risk management steps performed are generally not formal enough. Our research work proposes to improve the different risk management steps with models. In order to achieve this objective, we first define a conceptual model associated with the information system security risk management domain, enriched with appropriate metrics for performing reasoning. We then define a modelling language for a more formal representation of risk analysis artefacts.
International Conference on Cloud Computing and Services Science | 2018
Jean-Michel Remiche; Jocelyn Aubert; Nicolas Mayer; David Petrocelli
Cloud provider selection is a difficult task, even more when security is a critical aspect of the processes to be moved on the cloud. To support cloud offer selection by a cloud consumer, we have introduced an innovative risk-based approach, proposing to distribute risk assessment activities between the cloud provider and the cloud consumer. This paper proposes an evaluation of this approach by assessing and comparing the portfolio of offers of POST Telecom, a cloud provider in Luxembourg. The case study will cover the evaluation of the offers with the help of standard security controls provided by three leading cloud organizations: Cloud Security Alliance, ISO/IEC and SANS Institute.