Security Management, Integrity, and Internal Control in Information Systems (eBook)

IFIP TC-11 WG 11.1 & WG 11.5 Joint Working Conference
eBook Download: PDF
2006 | 1st edition
387 pages
Springer US (publisher)
978-0-387-31167-8 (ISBN)
136,96 € incl. VAT
113,93 € incl. VAT
  • Download available immediately
The proceedings from the IFIP TC-11 WG 11.1 and WG 11.5 Joint Working Conference on Security Management, Integrity, and Internal Control in Information Systems address the increasing need for ensuring proper standards of integrity and control in information systems in an organizational context. The aim of this research is to guarantee that data, software, and the business processes are complete, adequate, and valid for the intended functionality and expectations of the owner (i.e. the user organization).

This is the first joint working conference between the IFIP Working Groups 11.1 and 11.5. We hope this joint conference will promote collaboration among researchers who focus on security management issues and those who are interested in integrity and control of information systems. Indeed, as management at any level may be increasingly held answerable for the reliable and secure operation of the information systems and services in their respective organizations, in the same manner as they are for financial aspects of the enterprise, there is an increasing need for ensuring proper standards of integrity and control in information systems in order to ensure that data, software and, ultimately, the business processes are complete, adequate and valid for the intended functionality and expectations of the owner (i.e. the user organization). As organizers, we would like to thank the members of the international program committee for their review work during the paper selection process. We would also like to thank the authors of the invited papers, who added valuable contributions to this first joint working conference.

Paul Dowland
X. Sean Wang
December 2005

Contents
Preface vii
Session 1 - Security Standards
Information Security Standards: Adoption Drivers (Invited Paper) 1
JEAN-NOEL EZINGEARD AND DAVID BIRCHALL
Data Quality Dimensions for Information Systems Security: A Theoretical Exposition (Invited Paper) 21
GURVIRENDER TEJAY, GURPREET DHILLON, AND AMITA GOYAL CHIN
From XML to RDF: Syntax, Semantics, Security, and Integrity (Invited Paper) 41
C. FARKAS, V. GOWADIA, A. JAIN, AND D.

Preface 8
Contents 9
Session 1 - Security Standards 12
INFORMATION SECURITY STANDARDS: ADOPTION DRIVERS (INVITED PAPER) 13
1. INTRODUCTION 14
2. LITERATURE REVIEW 16
3. METHODOLOGY 20
3.1 Research context 20
3.2 Research approach 20
3.3 Analysis procedure 21
4. RESULTING PROPOSITIONS 22
4.1 Competitive Advantage as a primary motivator 22
4.2 Increased regulation and the need for compliance are not significant drivers 23
4.3 Access to, and delivery of, best practice 23
4.4 The role of senior management 25
5. CONCLUSION 26
DATA QUALITY DIMENSIONS FOR INFORMATION SYSTEMS SECURITY: A THEORETICAL EXPOSITION (INVITED PAPER) 33
1. INTRODUCTION 33
2. SIGNS, DATA AND IS SECURITY 34
2.1 Empirics 36
2.2 Syntactics 36
2.3 Semantics 37
2.4 Pragmatics 37
3. DATA QUALITY DIMENSIONS 38
3.1 Empiric dimensions 40
3.2 Syntactic dimensions 40
3.3 Semantic dimensions 42
3.4 Pragmatic dimensions 43
4. DISCUSSION 44
4.1 Implications for IS Security 46
5. CONCLUSION 48
6. REFERENCES 49
FROM XML TO RDF: SYNTAX, SEMANTICS, SECURITY, AND INTEGRITY (INVITED PAPER) 53
1. Introduction 53
2. Extensible Markup Language 55
2.1 XML Security 55
2.2 Limitations of Syntax-Based XML Security Models 56
3. XML and Semantics 58
3.1 XML as database 58
3.2 XML Security and Semantics 59
3.3 Secure XML for Web Services 62
4. Protecting Metadata 62
5. Conclusions 64
6. Acknowledgment 65
Session 2 - Security Culture 69
HOW MUCH SHOULD WE PAY FOR SECURITY? (INVITED PAPER) 71
1. INTRODUCTION 71
2. A MARKOV MODEL FOR DESCRIBING THE SECURITY OF AN INFORMATION SYSTEM 73
3. HOW MUCH SHOULD WE PAY FOR INSURANCE? 74
3.1 Actuarial values of premium and benefits 74
3.2 Calculation of the premium 75
4. HOW MUCH SHOULD WE INVEST IN SECURITY? 76
4.1 Some special cases 79
5. CONCLUSIONS 80
6. REFERENCES 81
DO NOT SHIP, OR RECEIVE, TROJAN HORSES 83
1. SCOPE 84
2. CONTEXT 85
3. VENDOR MATURITY MODEL 86
4. LIFECYCLE MODEL 86
5. PRODUCT DESIGN 87
6. SHOPPING SELLING AND DEMONSTRATION PROCESS
7. PRODUCTION 90
8. SHIPMENT AND RECEIVING 90
9. DEPLOYMENT 92
10. SERVICE CALIBRATION OR REPAIR
11. END OF LIFE DISPOSAL, SECURE TRANSFER OR DESTRUCTION OF DATA
12. SUMMARY 93
EMPLOYEE SECURITY PERCEPTION IN CULTIVATING INFORMATION SECURITY CULTURE 95
1. INTRODUCTION 95
2. CONCEPTS OF PERCEPTION 96
3. INTERPRETING EMPLOYEE SECURITY PERCEPTION IN THE CASE STUDY 98
4. A SYNTHESISED PERSPECTIVE ON APPROPRIATE EMPLOYEE SECURITY PERCEPTION 99
5. CONCLUSION 102
Session 3 - Access Management 105
A POLICY FRAMEWORK FOR ACCESS MANAGEMENT IN FEDERATED INFORMATION SHARING 107
1. INTRODUCTION 107
1.1 Contributions and organization 110
2. DESIGN APPROACH 111
3. X-GTRBAC POLICY FRAMEWORK 111
3.1 Language Specification 112
3.2 Policy Components 112
3.3 Salient Features 119
3.4 Policy Composition 122
4. SYSTEM ARCHITECTURE 122
4.1 Policy specification 123
4.2 Policy enforcement 124
5. RELATED WORK 125
6. CONCLUSION 127
A HIERARCHICAL RELEASE CONTROL POLICY FRAMEWORK 133
1. System Architecture and Framework Overview 136
1.1 System architecture 137
1.2 Subjects and objects 137
1.3 Policy authority 137
1.4 PO actions 139
2. Release Control Framework 140
2.1 Basic release specification language 140
2.2 Composition policies 143
2.3 Legal release paths 144
2.4 PO extension 144
3. Evaluation of Release Specifications 145
3.1 Materializing release specifications 145
3.2 Computation of release path 146
4. Related Work 147
5. Conclusions 148
Session 4 - Risk Management 151
MANAGING UNCERTAINTY IN SECURITY RISK MODEL FORECASTS WITH RAPSA/MC 153
1. Introduction 153
2. Modeling Information Security Risks 154
3. Survivable Systems Analysis 155
4. Adding Monte-Carlo Simulation to RAPSA 157
5. A RAPSA/MC Example 158
6. Analyzing the Example RAPSA/MC Simulation 164
7. Conclusions 167
THE MITIGATION OF ICT RISKS USING EMITL TOOL: AN EMPIRICAL STUDY 169
1. INTRODUCTION 170
2. METHODOLOGY 172
3. EMITL TOOL 172
4. BRIEF STATE OF ICT SECURITY IN THE STUDIED ORGANISATIONS 175
5. FINDINGS AND DISCUSSION 177
5.1 Results of subjecting the findings from the organisations to the EMitL tool 177
5.2 Discussion 183
6. CONCLUSION 184
RISK COMMUNICATION, RISK PERCEPTION AND INFORMATION SECURITY 187
1. INTRODUCTION 187
2. RISK PERCEPTION 188
3. RISK COMMUNICATION 189
4. FRAMING 190
5. COGNITIVE STYLE 191
6. FRAMING MESSAGES IN TERMS OF FD/FI 192
7. CONCLUSION 194
8. REFERENCES 195
A HOLISTIC RISK ANALYSIS METHOD FOR IDENTIFYING INFORMATION SECURITY RISKS 197
1. INTRODUCTION 198
2. RISK ANALYSIS 198
3. TRADITIONAL RISK ANALYSIS OF INFORMATION SECURITY 199
3.1 Strengths of Traditional Risk Analysis 200
3.2 Limitations of Traditional Risk Analysis 201
4. A PROPOSED HOLISTIC RISK ANALYSIS METHOD 202
4.1 The Holistic Risk Analysis Method Described 203
4.2 Example of a Holistic Risk Analysis 206
4.3 Benefits of the Holistic Risk Analysis 208
5. EVALUATING THE HOLISTIC RISK ANALYSIS METHOD 209
6. FUTURE RESEARCH 211
7. CONCLUSION 212
Session 5 - Security Culture 215
A RESPONSIBILITY FRAMEWORK FOR INFORMATION SECURITY 217
1. INTRODUCTION 217
2. CORPORATE GOVERNANCE 219
2.1 What is Corporate Governance? 219
2.2 Why is Corporate Governance Important? 219
2.3 The Implications of Poor Corporate Governance 220
3. INFORMATION SECURITY GOVERNANCE 221
3.1 What is Information Security Governance? 221
3.2 Why is Information Security Governance Important? 222
3.3 How can Information Security Governance be Implemented? 222
4. INFORMATION SECURITY MANAGEMENT 223
4.1 What Is Information Security Management? 224
4.2 The Difference between Information Security Management and Information Security Governance 225
4.3 Information Security Management: The Process 226
5. INFORMATION SECURITY TASKS, ROLES AND RESPONSIBILITIES 227
5.1 The Role of the Board of Directors 227
5.2 The Role of Board Committees 227
5.3 The Role of the CEO 228
5.4 The Role of the CIO 228
5.5 The Role of the CISO 228
5.6 The Role of Data Owners (The Business Unit Leaders) 229
6. AN INFORMATION SECURITY RESPONSIBILITY FRAMEWORK 229
6.1 The Governance Side 230
6.2 The Management Side 230
7. CONCLUSION 231
INFORMATION SECURITY GOVERNANCE RE-DEFINITION 235
1. INTRODUCTION 235
2. THE EVOLUTION OF INFORMATION SECURITY AND THE EMERGENCE OF INFORMATION SECURITY GOVERNANCE 236
4. IT GOVERNANCE 239
5. EXISTING GUIDANCE ON INFORMATION SECURITY GOVERNANCE 240
6. PROPOSED DEFINITION OF INFORMATION SECURITY GOVERNANCE 241
7. THE 'GOVERNANCE' ASPECT OF INFORMATION SECURITY GOVERNANCE 241
8. THE 'PERFORMANCE' OUTCOMES ASPECT OF INFORMATION SECURITY GOVERNANCE 243
9. CONCLUSION 244
10. REFERENCES 244
CAN WE TUNE INFORMATION SECURITY MANAGEMENT INTO MEETING CORPORATE GOVERNANCE NEEDS? (INVITED PAPER) 249
1. BACKGROUND 249
2. SOME OBSERVATIONS IN RELATION TO IS/IT SECURITY MANAGEMENT 251
3. REFLECTIONS 255
Session 6 - Security Management 259
MEASUREMENT OF INFORMATION SECURITY IN PROCESSES AND PRODUCTS 261
1. INTRODUCTION 261
2. SECURITY METRICS USED BY INDUSTRY - AN INTERVIEW STUDY 263
2.1 Background 263
2.2 Security Objectives 263
2.3 Information Security Metrics 264
2.4 Metrics Implementation 264
2.5 Basis for Metrics 265
2.6 Risk and Quality Management 265
2.7 Needs for Metrics, Background and Development 266
3. INTEGRATION OF INFORMATION SECURITY MANAGEMENT INTO BUSINESS MANAGEMENT SYSTEMS - A PROCESS VIEW OF SECURITY METRICS 267
4. A TECHNICAL VIEW OF SECURITY METRICS 270
4.1 Case: Security Metrics for Mobile Ad Hoc Networks 272
4.2 Network Monitoring 273
5. CONCLUSIONS 274
6. FUTURE WORK 276
A PROTECTION PROFILES APPROACH TO RISK ANALYSIS FOR SMALL AND MEDIUM ENTERPRISES 279
1. INTRODUCTION 279
2. REQUIREMENTS 283
3. ELEMENTS CONSTITUTING THE RESULTING METHODOLOGY 284
3.1 The risk assessment stage 285
3.2 The financial considerations stage 291
3.3 The output stage 292
4. CONCLUSIONS 294
5. REFERENCES 294
A UML APPROACH IN THE ISMS IMPLEMENTATION 297
1. INTRODUCTION 297
2. UML REPRESENTATION OF PDCA MODEL 299
3. BUSINESS ENVIRONMENT OF THE ISMS 300
4. PLAN STAGE ELABORATION - EXAMPLE 302
5. CONCLUSIONS 307
Session 7 - Applications 311
ATTACK AWARE INTEGRITY CONTROL IN DATABASES (INVITED ABSTRACT) 313
CHARACTERISTICS AND MEASURES FOR MOBILE-MASQUERADER DETECTION 315
1. Introduction 315
2. Masquerader detection 317
3. Employing personality factors for masquerader detection 319
3.1 Multifactor-systems theory of individuality 319
3.2 Social Cognitive Theory 320
4. Individual behavioral aspects 321
5. Individual environmental aspects 324
6. Characteristics and measures 325
7. Conclusions 328
A DISTRIBUTED SERVICE REGISTRY FOR RESOURCE SHARING AMONG AD-HOC DYNAMIC COALITIONS 331
1. Introduction 331
2. Distributed Coalition-based Access Control (DCBAC) 333
3. Distributed Coalition Service Registry (DCSR) 335
3.1 Secure Communication Infrastructure 335
3.2 Computational infrastructure 338
4. Additional Functionalities 340
5. Conclusions and Future Work 344
Session 8 - Access Management 347
A TRUST-BASED MODEL FOR INFORMATION INTEGRITY IN OPEN SYSTEMS 349
1. INTRODUCTION 350
2. RELATED WORK 352
3. THE TRUST-BASED DECISION MODEL AND POLICY SPECIFICATION 353
3.1 Methodologies 353
3.2 An Example 356
4. SELECTOR - THE POLICY LANGUAGE 358
4.1 Primary Statements 359
4.2 Implied Statements 360
4.3 The Residual Statements 361
5. OBJECT VERSION ATTRIBUTE VALUE DISCOVERY 362
6. CONCLUSIONS 364
SCALABLE ACCESS POLICY ADMINISTRATION (INVITED PAPER) 367
1. INTRODUCTION 367
1.1 Paper Goals and Roadmap 368
1.2 Requirements Discussion 370
2. SIMPLICITY 371
2.1 Parallels with the History of Data Management 371
2.2 Getting a Simpler Model 374
3. THE TENDENCY TO "DO IT YOURSELF" 376
3.1 Specialized Datatypes 376
3.2 Describing the Organization 377
4. SUMMARY 381
SEMANTIC INFORMATION INFRASTRUCTURE PROTECTION (INVITED ABSTRACT) 383
Author Index 384

3. X-GTRBAC POLICY FRAMEWORK (p. 99-101)

This section describes the key features of X-GTRBAC (XML-based Generalized Temporal Role Based Access Control), our XML-based policy specification framework. Our specification language is an extension of the RBAC model suitable for addressing the access management challenges in federated systems discussed in this paper.

3.1 Language Specification

The X-GTRBAC language specification is captured through a context-free grammar called X-Grammar, which follows the same notion of terminals and non-terminals as BNF but supports the tagging notation of XML, which also allows expressing attributes within element tags. The use of attributes helps maintain compatibility with XML Schema syntax, which serves as the type definition model for our language. Since it follows the BNF convention, X-Grammar can be accepted by a well-defined automaton, which allows automatic translation into XML Schema documents.

This allows automatic creation of strongly typed policy schemas based on the supplied grammar specification. We choose to use X-Grammar syntax instead of directly working with XML Schemas for ease of analysis (since existing compiler tools for BNF grammars can be applied) and for better readability and presentation. Examples of X-Grammar policies are given in the following sections. The complete syntax of the X-GTRBAC language specification appears in Appendix A.

3.2 Policy Components

We now describe the main components of our policy language. While doing so, we motivate our design decisions by evaluating existing approaches against our stated requirements and pointing out the merits of our design with respect to our objectives.

3.2.1 Credentials

Credentials are a key component of an access control language. A credential encodes the authentication and authorization information for the users. We argued earlier that a heterogeneous and unfamiliar user and resource pool in a federated system complicates credential specification, since it precludes the use of traditional approaches to distributed authorization (such as X.509-based PKI) that assume knowledge of user identities and resource locations.

The systems described in [12, 13] are well-known examples of distributed schemes that use identity-based X.509 certificates for user authentication. The authentication information (i.e. public keys) is then used to construct an authorization credential that comprises a set of resource-specific rules. Because the credentials are bound to user identities, this approach to credential specification is not scalable. Even when knowledge of identities is available, the requirement of fine-grained access control would lead to rule explosion in the access control policy, given the size of the federated population in open systems. Additionally, this approach tightly couples authentication with authorization; it is therefore inflexible and violates one of our design principles.

Our policy framework addresses this problem through the use of attribute-based (as opposed to identity-based) credential specification. We adopt a modular approach and allow independent specification of the credentials used in authentication and authorization. The authenticating credential comprises authentication information expressed in terms of user attributes, which are used by the access control processor for role assignment. This idea is similar to the one used in [14]. However, unlike [14], we do not rely on X.509 identity-based certificates to encode user authentication information. Instead, the user attributes may be supplied in any mutually agreed format, such as an Attribute Statement in the emerging identity federation standard SAML [7]. This supports the requirement for credential federation (see Section 3.3.3).
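An added illustration of the attribute-based credential design described above (example code, not X-GTRBAC's own language or implementation): the XML element names and the attribute statements are assumed stand-ins, and the attributes are taken to have been verified by a separate authentication step, as the modular design above implies.

```python
"""Attribute-based role assignment in the style of Section 3.2.1.
Added example, not X-GTRBAC's own syntax or code: the XML vocabulary
(cred_type / attr / assign_role) is an assumed stand-in for the paper's
language, and the attribute statements are constructed SAML-style inputs."""
import xml.etree.ElementTree as ET

# Constructed policy. Credential types are defined over user attributes
# (the authenticating credential); roles are then granted to credential
# types (the authorization side), never to individual user identities.
POLICY_XML = """
<policy>
  <cred_type name="Physician">
    <attr name="affiliation" eq="hospital-a"/>
    <attr name="license" eq="valid"/>
  </cred_type>
  <cred_type name="Auditor">
    <attr name="affiliation" eq="regulator"/>
  </cred_type>
  <assign_role role="RecordReader" cred_type="Physician"/>
  <assign_role role="RecordReader" cred_type="Auditor"/>
  <assign_role role="RecordWriter" cred_type="Physician"/>
</policy>
"""

def parse_policy(xml_text):
    """Return ({cred_type: {attr: required_value}}, [(cred_type, role)])."""
    root = ET.fromstring(xml_text.strip())
    cred_types = {ct.get("name"): {a.get("name"): a.get("eq")
                                   for a in ct.findall("attr")}
                  for ct in root.findall("cred_type")}
    assignments = [(r.get("cred_type"), r.get("role"))
                   for r in root.findall("assign_role")]
    return cred_types, assignments

def matching_cred_types(cred_types, attrs):
    """Credential types whose every attribute condition the user satisfies.
    A missing attribute fails the condition: a statement that omits
    'license' never qualifies as a Physician, whatever else it carries."""
    return {name for name, conds in cred_types.items()
            if all(attrs.get(k) == v for k, v in conds.items())}

def assign_roles(policy, attrs):
    """Roles for a user described only by attributes that the authentication
    step is assumed to have verified already; no identity is consulted."""
    cred_types, assignments = policy
    held = matching_cred_types(cred_types, attrs)
    return {role for ct, role in assignments if ct in held}

if __name__ == "__main__":
    policy = parse_policy(POLICY_XML)
    # Constructed attribute statements; adding a user needs no policy change.
    for user in ({"affiliation": "hospital-a", "license": "valid"},
                 {"affiliation": "regulator"},
                 {"affiliation": "hospital-a"}):  # license attribute missing
        print(user, "->", sorted(assign_roles(policy, user)))
```

The policy never names a user, so the rule count grows with the number of credential types and roles rather than with the size of the federated population, which is the scalability point the section makes.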

Publication date (per publisher): 3.6.2006
Contributors: guest editor Paul Dowland
Language: English
Subject areas: Computer science / Theory and study / Cryptology
Natural sciences
ISBN-10 0-387-31167-X / 038731167X
ISBN-13 978-0-387-31167-8 / 9780387311678
PDF (watermark)
Size: 20,7 MB

DRM: digital watermark
This eBook contains a digital watermark and is therefore personalised to you. If the eBook is improperly passed on to third parties, it can be traced back to its source.

File format: PDF (Portable Document Format)
With its fixed page layout, PDF is particularly suited to technical books with columns, tables and figures. A PDF can be displayed on almost all devices, but is only of limited use on small displays (smartphone, eReader).

System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You need a PDF viewer for this, e.g. Adobe Reader or Adobe Digital Editions.
eReader: This eBook can be read with (almost) all eBook readers. It is not compatible with the Amazon Kindle, however.
Smartphone/tablet: Whether Apple or Android, you can read this eBook. You need a PDF viewer for this, e.g. the free Adobe Digital Editions app.

Additional feature: online reading
In addition to downloading, you can also read this eBook online in your web browser.

Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.

PDF (Adobe DRM)

Copy protection: Adobe DRM
Adobe DRM is a copy protection scheme intended to protect the eBook from misuse. The eBook is authorised to your personal Adobe ID at download time. You can then read the eBook only on devices that are also registered to your Adobe ID.

System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You need an Adobe ID and the (free) Adobe Digital Editions software. We advise against using the OverDrive Media Console; experience shows that problems with Adobe DRM occur frequently with it.
eReader: This eBook can be read with (almost) all eBook readers. It is not compatible with the Amazon Kindle, however.
Smartphone/tablet: Whether Apple or Android, you can read this eBook. You need an Adobe ID and a free app.
