Multimedia Information Security Architecture Framework


Heru Susanto, PMC Information Security Technology, King Saud University, Kingdom of Saudi Arabia & Indonesian Institute of Sciences
Fahad bin Muhaya, PMC Information Security Technology, King Saud University, Riyadh, Kingdom of Saudi Arabia

Abstract - This paper presents a state-of-the-art overview of distinguishable approaches and of writings that share its themes and discussion, giving the reader background on the controls and other matters related to multimedia information security. All of them attempt to define a multimedia information security architecture; we follow them with a proposed set of requirements for a multimedia integrated security architecture. Multimedia information security, as part of information security, takes a holistic approach to implementing information security by introducing the concept and model of a multimedia security architecture.

Keywords - Multimedia information security, ISA architecture, MISA architecture, PDCA, CIA

I. INTRODUCTION
In the early days of computing, security breaches mainly involved viruses and worms that would flash a message or advertisement on the screen without causing any serious damage to the information or systems in use. Organizations across the globe now communicate in an interconnected and information-rich environment. Security in a company has many forms and variations: operational security, machinery and production security, political security, environmental security, etc. [7]. Many kinds of data and information are communicated by the interacting parties, and they fall into two types: multimedia information and non-multimedia information. Some aspects greatly affect how each of these two types is treated. Multimedia information security is necessary, and absolutely needed, when transferring information from one place to another.

In this paper, our contribution is to propose and introduce an architecture and security model for multimedia information. This architecture and security model refers to the information security architecture (ISA) introduced by Eloff []. Another ISA reference is the architecture introduced by Rees [], whose architecture is divided into main phases. Tudor [9] introduced risk awareness and the assessment of current controls. The architecture introduced by Gunnar Peterson [9] provides a framework for understanding disparate design and process considerations.

II. RELATED WORK
The state of the art reviewed in this paper covers information security architectures that provide a framework for understanding disparate design and process considerations [9], to organize architecture and actions toward improving enterprise security. [] introduced a security architecture that includes the process of developing risk awareness, the assessment of current controls, and finally the alignment of current and new controls to meet the organization's information security requirements. This integrated information security architecture (ISA) is the mechanism to ensure that all individuals know their responsibilities and how they need to go about protecting the company's information security resources [9]. His architecture is based on a balanced and holistic mix of five aspects: security infrastructure, security policies, security culture, monitoring compliance, and the security program. Referring to these previous papers, we propose a security architecture that focuses on multimedia security: the multimedia information security architecture (MISA).

III. ISMS
The Information Security Management System (ISMS) is proposed in ISO 7799 Part, and also in COBIT (00) []. This ISMS is based on the continuous cycle of activities proposed by the so-called PDCA model (Plan-Do-Check-Act), figure .

The ISMS is a cyclic model that aims to ensure that the best practices of an organization are documented, reinforced and improved over time. During the Plan phase, the scope of the ISMS is defined and the information security policy is established. If the organization already has a security policy, it is evaluated to determine whether it is still valid and appropriate.

/0/$ IEEE

The Plan Do Check Act process []:
The Plan phase establishes a security policy and relevant procedures and controls, then prepares a statement of the scope of its application, justifying why the controls were selected and why others were not. The formulation of a security policy is done at the planning stage [].
The Do phase implements the security policy and relevant procedures. The approach refers to the ISO 7799 code of practice, which provides a comprehensive set of controls covering aspects such as information security policy, personnel security, network security, business continuity management and compliance.
The Check phase assesses and measures the performance of the implemented process, and reports the results to management.
The Act phase takes appropriate corrective actions. The decision as to what is appropriate depends upon understanding the risks and costs involved. Since risk appraisal includes all organizations and all departments, areas, staff and activities, the rationality and conformity of the appraisal is still a topic for research [].

Understanding the risk means knowing what the assets are, what the possible threats to those assets are, and the likelihood and possible impact of a security breach on the business. The goal of information security is to suitably protect these assets in order to ensure business continuity, minimize business damage, and maximize return on investments [8]. As defined by ISO 7799, information security is characterized as the preservation of CIA []:
Confidentiality - ensuring that information is accessible only to those authorized to have access.
Integrity - safeguarding the accuracy and completeness of information and processing methods.
Availability - ensuring that authorized users have access to information and associated assets when required.

Figure : PDCA Model to ISM Process

IV. SECURITY MANAGEMENT STANDARD ISO 7799
ISO 7799 is designed to assure the confidentiality, integrity and availability of information assets. ISO 7799 is exclusive to information security, and addresses only that issue []. The key areas identified by ISO 7799 for the implementation of an information security management system are:
An information security policy
Allocation of information security responsibilities within the organisation
Asset classification and control
Personnel security, responsibilities and training
Physical and environmental security
Communications and operational systems security
Access controls

V. ISO 7799 Part vs. ISO 7799 Part
It is important to understand the distinctions and differences between Part and Part of the ISO 7799 standard in order to understand the dilemma facing the architecture and standardization of information security issues. Part is an implementation guide, based on suggestions. It is used as a means to evaluate and build a comprehensive information security infrastructure. It details the information security concepts an organization should do. ISO 7799 Part can also be referred to as Information Technology - Code of practice for information security management. Part is an auditing guide based on requirements. It details the information security concepts an organization shall do. ISO 7799 Part can also be referred to as Information Security Management Systems - Specification with guidance for use. It focuses on how to implement an information security management system (ISMS), referring to the information security management structure and controls identified; this rigidity precluded widespread acceptance and support [8].

VI. E-BUSINESS SECURITY ARCHITECTURE
The architecture of Rees et al. [] was initially developed for e-commerce activities but has since been adapted to address the security policy needs of any organization involved in information technology and Internet operations. It is important to note that they suggest constant feedback throughout all four phases.

Each of these phases is indicated below:
Assess phase - policy assessment and risk assessment
Plan phase - policy development and requirements definitions
Deliver phase - definition and implementation of controls
Operate phase - monitoring of operations, review of trends and management of events

VII. INFORMATION SECURITY ARCHITECTURE
Tudor [9] introduced a security architecture that includes the process of developing risk awareness, the assessment of current controls, and finally the alignment of current and new controls to meet the organization's information security requirements. He clearly states that the security architecture is a process; an information security architecture is not something one can purchase. This integrated information security architecture (ISA) is the mechanism to ensure that all individuals know their responsibilities and how they need to go about protecting the company's information security resources. The architecture is based on a balanced and holistic mix of five aspects: security infrastructure, security policies, security culture, monitoring compliance, and the security program (figure ).

Figure : Information Security Architecture - ISA (components: security infrastructure; security policies; security culture; monitoring compliance; security program)
Figure : Continuous Feed Back Approach for ISA

The purpose of the information security architecture is to bring focus to the key areas of concern, highlighting decision criteria and context for each domain [9]. Figure provides a framework for understanding disparate design and process considerations, to organize architecture and actions toward improving enterprise security.

Figure : Information Security Architecture Blueprint by Gunnar Peterson (domains: Policy & Standards; Identify; Vulnerability; Threat; Goals; Risk Management; Data; Application; Host; Network; Assurance; Security Management; Risk; Report; Domain)

VIII. MULTIMEDIA INFORMATION SECURITY ARCHITECTURE - MISA
Having discussed the various kinds of framework and architecture for information security and everything related to it, we now discuss the architecture for multimedia information security. Basically, multimedia information security is part of information security itself. Multimedia is media and content that uses a combination of different content forms. Multimedia includes a combination of text, audio, still images, animation, video, and interactive content forms. Multimedia is usually recorded and played, displayed or accessed by information content processing devices, such as computerized and electronic devices, but can also be part of a live performance. Multimedia also describes the electronic media devices used to store and experience multimedia content. Multimedia is distinguished from mixed media in fine art; by including audio, for example, it has a broader scope. The term "rich media" is synonymous with interactive multimedia. Hypermedia can be considered one particular multimedia application.

IX. PROPOSED MISA
In order to meet the requirements of information security [] together with speed and ease of access when retrieving multimedia information from its location, several criteria and parameters must be met [], following the information security architectures presented by previous authors. In this paper the authors provide alternatives and raise questions about the multimedia information security architecture (MISA). The MISA is a development of the ISA that has been widely known and proposed by the authors of previous papers. The development is meant to include multimedia objects, or issues, in the existing architecture. To propose the Multimedia Information Security Architecture, the authors take as reference the ISA architecture proposed by Eloff [], which has main components, within which updating, monitoring and evaluation of the architecture itself take place (figure ). With this reference, the authors developed a MISA architecture with 8 major components. Why 8 components? Because multimedia information security has a higher level of difficulty than general information security issues (figure ). The ISA architecture introduced by Peterson [9] also has several advantages: in its last stage there is a layer that serves as evaluation and monitoring of information assurance, an important requirement of information security itself.

Figure 6 explains that the multimedia information sharing and security issue - policy has several stages, going down in more detail to Encryption, which is applied to the multimedia information that will be shared; these activities are performed by the server (provider), while users perform Decryption to restore the information that has been encrypted. Intruders can perform actions through a channel or part that is not secure, as shown in figure 7, so securing multimedia information through encryption and decryption methods is absolutely necessary to maintain the security of multimedia information. In this method, often known as the Key and Lock method, each side, servers and users, has the identical key to open the door of the information. Cryptographic algorithms are needed to transform plaintext into ciphertext and vice versa [8].

Figure : Proposed Multimedia Information Security Architecture - MISA (ISA: security infrastructure; security policies; security culture; monitoring compliance; security program. MISA: Security Infrastructure; Security Policies; Security Culture; Monitoring Compliance; Security Program; 6. Multimedia Information Sharing; 7. Enterprise Security; 8. Security Awareness)

A. Security Compliance / Governance
Recognizing the importance of bringing collaboration into the governance process, many corporate governance guidelines have been published over the last decade [7]. It is now realized that information security is a corporate governance responsibility [6], and clearly a Corporate Governance responsibility [6].

B. Security Program
The purpose of the security program is to make recommendations for improving the security of computer systems and the information residing on them, to provide security initiative recommendations and priorities, and to perform high-level threat and risk analysis. Reducing risks is the target of the ISMS protection mechanism [].

C. Multimedia Information Sharing
It is critical to establish relationships and communication; the alternative architecture given here has developed key relationships

and started key initiatives to share information with other important and relevant components. Why should other components be involved? Because the philosophy of multimedia itself is a good combination and harmony between the format of data and information in plain text and data or information in audio and video formats.

D. Enterprise Security
Enterprise Architecture has led initiatives to create technology standards. One key goal is to ensure that architectures use and deploy security technology in a consistent manner. Key security technology standards that have been deployed and managed include:
Enterprise Antivirus. A centralized solution resulting in consistent support, consistent enforcement, and enterprise reporting.
Enterprise Patch Management. A centralized solution which enables agencies to manage their own patching but allows for enterprise compliance reporting.
Enterprise Security Agent. Primarily a defense against insider threats and zero-day worms.
Internet Content Filtering & Access Control. A standard implementation of a Web filtering solution and an enterprise policy to enforce a minimum filter set.
Enterprise Administrator Monitoring.

E. Security Awareness
Security awareness training is a vital component of the overall MISA approach. Information security awareness is a dynamic process, made even more difficult in that risks continuously change [0]. MISA is a key issue of the Multi-State Multimedia Information Sharing. The MISA, whose mission is to provide a common mechanism for raising multimedia security readiness for all users, ensures that users are familiar with information technology security, especially multimedia information security, best practices, policies, procedures and standards, as well as the importance of protecting confidential and sensitive information.

Figure 6: Multimedia Information Security Channel Approached by Proposed MISA
Figure 7: Potential Intruder to Hack Multimedia Unsecure Channel

X. CONCLUSION REMARKS
I discussed and showed definitions of the keywords used in the multimedia information security architecture, MISA. I showed step by step how I arrived at the MISA management and theory. The theory is about how to find and collaborate ISA architecture, security awareness and governance for defining multimedia information security itself.

XI. REFERENCES
[] Andrew Ren-Wei Fung, Kwo-Jean Farn & Abe C. Lin. A study on the certification of the information security management system. Computer Standards & Interfaces (00) 7-6. Elsevier Science Ltd.
[] A. Da Veiga & J.H.P. Eloff. A framework and assessment instrument for information security culture. Computers & Security XXX (009). Elsevier Science Ltd.
[] Basie von Solms. 00. Information Security - A Multidimensional Discipline. Computers & Security 0 (00). Elsevier Science Ltd.
[] Basie von Solms. 00. Information Security Governance: COBIT or ISO 7799 or both? Computers & Security. Elsevier, Science Direct.
[] Basie von Solms. 00. Information Security Governance - Compliance Management vs Operational Management. Computers & Security. Elsevier, Science Direct.
[6] Basie von Solms & Rossouw von Solms. 00. The 0 deadly sins of Information Security Management. Computers & Security (00). Elsevier Science Ltd.
[7] Debi Ashenden. Information Security Management: A Human Challenge? Information Security Technical Report (008) 9-0. Elsevier Science Ltd.
[8] Denis Trcek. 00. An integral framework for information system security management. Computers & Security (00). Elsevier Science Ltd.
[9] Gunnar Peterson. Security Architecture Blueprint. Arctec Group.

[0] H.A. Kruger & W.D. Kearney. A prototype for assessing information security. Computers & Security (006). Elsevier Science Ltd.
[] J.H.P. Eloff & M.M. Eloff. 00. Information Security Architecture. Computer Fraud & Security.
[] Kwo-Jean Farn, Shu-Kuo Lin & Andrew Ren-Wei Fung. 00. A study on information security management evaluation - assets, threat and vulnerability. Computer Standards & Interfaces 6 (00) 0-. Elsevier Science Ltd.
[] Maria Karyda, Evangelos Kiountouzis & Spyros Kokolakis. 00. Information Systems Security Policies: a Contextual Perspective. Computers & Security (00). Elsevier Science Ltd.
[] Mikko Siponen & Robert Willison. Information security standards: Problems and Solutions. Information & Management 6 (009). Elsevier Science Ltd.
[] Rees J, Bandyopadhyay S & Spafford EH. 00. PFIRES: A Policy Framework for Information Security. Communications of the ACM, July 00, Vol. 6 (7), pp.
[6] Rossouw von Solms & S.H. (Basie) von Solms. Information security governance: Due care. Computers & Security. Elsevier, Science Direct.
[7] Thomas Finne. A conceptual framework for Information Security Management. Computers & Security 7 (998). Elsevier Science Ltd.
[8] Tom Carlson. 00. Information Security Management: Understanding ISO. Lucent Technologies Worldwide Services.
[9] Tudor JK. Information Security Architecture. Proceedings of the 6th International Conference on Software Engineering (ICSE 0). 070-7/0 $ IEEE.
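The shared-key channel of Section IX (Figures 6 and 7), as an added example that is not part of the paper: the provider encrypts a media chunk with the key it shares with the user, the user decrypts, and an intruder who alters the ciphertext on the insecure channel is detected instead of silently yielding corrupted media, which is the Integrity half of the CIA definition that the bare "key and lock" does not cover. The cipher here is a hypothetical stand-in keystream built from HMAC-SHA256 in counter mode so the example runs with only the Python standard library (a real deployment would use a standard authenticated cipher such as AES-GCM); the key, nonce and media bytes are constructed sample values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample values for the demonstration (not from the paper).
SHARED_KEY = hashlib.sha256(b"constructed MISA demo key").digest()
DEMO_NONCE = bytes.fromhex("00112233445566778899aabbccddeeff")
# A constructed stand-in for a multimedia chunk: a PNG-like header plus payload bytes.
SAMPLE_MEDIA = b"\x89PNG\r\n\x1a\n" + bytes(range(48))


@dataclass(frozen=True)
class Packet:
    """What travels over the channel of Figure 6: nonce, ciphertext and integrity tag."""
    nonce: bytes
    ciphertext: bytes
    tag: bytes


def derive_subkeys(shared_key: bytes) -> Tuple[bytes, bytes]:
    """Split the one shared 'key and lock' secret into independent encryption and MAC keys."""
    enc_key = hmac.new(shared_key, b"misa-encryption", hashlib.sha256).digest()
    mac_key = hmac.new(shared_key, b"misa-integrity", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Hypothetical stand-in cipher: HMAC-SHA256 in counter mode used as a keystream generator."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def provider_encrypt(shared_key: bytes, media: bytes, nonce: Optional[bytes] = None) -> Packet:
    """Server (provider) side: encrypt the media, then tag nonce||ciphertext (encrypt-then-MAC)."""
    enc_key, mac_key = derive_subkeys(shared_key)
    # A nonce must never repeat under the same key; a fresh random one is the default.
    nonce = os.urandom(16) if nonce is None else nonce
    ks = keystream(enc_key, nonce, len(media))
    ciphertext = bytes(m ^ k for m, k in zip(media, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return Packet(nonce, ciphertext, tag)


def user_decrypt(shared_key: bytes, packet: Packet) -> Optional[bytes]:
    """User side: verify the tag first and decrypt only if it matches. Returns None on rejection."""
    enc_key, mac_key = derive_subkeys(shared_key)
    expected = hmac.new(mac_key, packet.nonce + packet.ciphertext, hashlib.sha256).digest()
    # Constant-time comparison so a forger learns nothing from timing differences.
    if not hmac.compare_digest(expected, packet.tag):
        return None
    ks = keystream(enc_key, packet.nonce, len(packet.ciphertext))
    return bytes(c ^ k for c, k in zip(packet.ciphertext, ks))


def decrypt_without_integrity_check(shared_key: bytes, packet: Packet) -> bytes:
    """Confidentiality only (the bare 'key and lock'): decrypts whatever arrived, tampered or not."""
    enc_key, _ = derive_subkeys(shared_key)
    ks = keystream(enc_key, packet.nonce, len(packet.ciphertext))
    return bytes(c ^ k for c, k in zip(packet.ciphertext, ks))


def intruder_flip_bit(packet: Packet, offset: int, mask: int = 0x01) -> Packet:
    """Models the unsecured channel of Figure 7: one ciphertext byte is altered in transit."""
    altered = bytearray(packet.ciphertext)
    altered[offset] ^= mask
    return Packet(packet.nonce, bytes(altered), packet.tag)


def run_channel_demo() -> Dict[str, bool]:
    """Exercise the provider -> channel -> user flow and report what each side observed."""
    packet = provider_encrypt(SHARED_KEY, SAMPLE_MEDIA, DEMO_NONCE)
    tampered = intruder_flip_bit(packet, offset=0)
    other_key = hashlib.sha256(b"constructed key the user does not hold").digest()
    return {
        "ciphertext_hides_media": packet.ciphertext != SAMPLE_MEDIA,
        "clean_roundtrip_ok": user_decrypt(SHARED_KEY, packet) == SAMPLE_MEDIA,
        "tampered_rejected": user_decrypt(SHARED_KEY, tampered) is None,
        # Without the tag, the flipped bit lands silently in the first media byte.
        "unchecked_decrypt_corrupted":
            decrypt_without_integrity_check(SHARED_KEY, tampered) != SAMPLE_MEDIA,
        "wrong_key_rejected": user_decrypt(other_key, packet) is None,
    }


if __name__ == "__main__":
    for check, result in run_channel_demo().items():
        print(f"{check}: {result}")
```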


More information

Technical Standards for Information Security Measures for the Central Government Computer Systems

Technical Standards for Information Security Measures for the Central Government Computer Systems Technical Standards for Information Security Measures for the Central Government Computer Systems April 21, 2011 Established by the Information Security Policy Council Table of Contents Chapter 2.1 General...

More information

Road map for ISO 27001 implementation

Road map for ISO 27001 implementation ROAD MAP 1 (5) ISO 27001 adopts the "Plan-Do-Check-Act" (PDCA) model, which is applied to structure all ISMS processes: PDCA Plan (establish the ISMS) Do (implement and operate the ISMS) Descriprion Establish

More information

IT Security Management 100 Success Secrets

IT Security Management 100 Success Secrets IT Security Management 100 Success Secrets 100 Most Asked Questions: The Missing IT Security Management Control, Plan, Implementation, Evaluation and Maintenance Guide Lance Batten IT Security Management

More information

CONTENTS. 1.0 Introduction

CONTENTS. 1.0 Introduction CONTENTS 1.0 Introduction 2.0 Why we are different? 2.1 What can a Firewall do? 2.2 What can an Intrusion Detection System do? 2.3 What can a Mail Security System do? 2.4 What can Defencity NetSecure do?

More information

EXECUTIVE STRATEGY BRIEF. Securing the Cloud Infrastructure. Cloud. Resources

EXECUTIVE STRATEGY BRIEF. Securing the Cloud Infrastructure. Cloud. Resources EXECUTIVE STRATEGY BRIEF Securing the Cloud Infrastructure Cloud Resources 01 Securing the Cloud Infrastructure / Executive Strategy Brief Securing the Cloud Infrastructure Microsoft recognizes that trust

More information

Information Security Measurement Roles and Responsibilities

Information Security Measurement Roles and Responsibilities Information Security Measurement Roles and Responsibilities Margareth Stoll and Ruth Breu Abstract An adequate information security management system (ISMS) to minimize business risks and maximize return

More information

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

A Review of Anomaly Detection Techniques in Network Intrusion Detection System A Review of Anomaly Detection Techniques in Network Intrusion Detection System Dr.D.V.S.S.Subrahmanyam Professor, Dept. of CSE, Sreyas Institute of Engineering & Technology, Hyderabad, India ABSTRACT:In

More information

I. Introduction to Privacy: Common Principles and Approaches

I. Introduction to Privacy: Common Principles and Approaches I. Introduction to Privacy: Common Principles and Approaches A. A Modern History of Privacy a. Descriptions and definitions b. Historical and social origins c. Information types i. Personal and non-personal

More information

(Instructor-led; 3 Days)

(Instructor-led; 3 Days) Information Security Manager: Architecture, Planning, and Governance (Instructor-led; 3 Days) Module I. Information Security Governance A. Introduction to Information Security Governance B. Overview of

More information

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation) It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The

More information

Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire. P3M3 Project Management Self-Assessment

Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire. P3M3 Project Management Self-Assessment Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire P3M3 Project Management Self-Assessment Contents Introduction 3 User Guidance 4 P3M3 Self-Assessment Questionnaire

More information

ABB Automation Days, Madrid, May 25 th and 26 th, Patrik Boo What do you need to know about cyber security?

ABB Automation Days, Madrid, May 25 th and 26 th, Patrik Boo What do you need to know about cyber security? ABB Automation Days, Madrid, May 25 th and 26 th, Patrik Boo What do you need to know about cyber security? Agenda Threats Risk Assessment Implementation Validation Advanced Security Implementation Strategy

More information

Information Technology Security Program

Information Technology Security Program Information Technology Security Program Office of the CIO December, 2008 1 AGENDA What is it? Why do we need it? An international Standard Program Components Current Status Next Steps 2 What is It? A Policy

More information

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget Office of the Auditor General Performance Audit Report Statewide Oracle Database Controls Department of Technology, Management, and Budget March 2015 071-0565-14 State of Michigan Auditor General Doug

More information

Security Control Standard

Security Control Standard Security Standard The security and risk management baseline for the lottery sector worldwide Updated by the WLA Security and Risk Management Committee V1.0, November 2006 The WLA Security Standard is the

More information

November Version 01.3

November Version 01.3 November 2012 Version 01.3 The Experts in certifying Professionals e-mail: info@peoplecert.org, www.peoplecert.org Copyright 2012 PEOPLECERT International Ltd. All rights reserved. No part of this publication

More information

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management SECURING YOUR SMALL BUSINESS Principles of information security and risk management The challenge Information is one of the most valuable assets of any organization public or private, large or small and

More information

IT Governance: The benefits of an Information Security Management System

IT Governance: The benefits of an Information Security Management System IT Governance: The benefits of an Information Security Management System Katerina Cai, CISSP Hewlett-Packard 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to

More information

The Human Factor of Cyber Crime and Cyber Security

The Human Factor of Cyber Crime and Cyber Security The Human Factor of Cyber Crime and Cyber Security Challenges: September 11th has marked an important turning point that exposed new types of security threats and disclosed how cyber criminals pursuit

More information

John Essner, CISO Office of Information Technology State of New Jersey

John Essner, CISO Office of Information Technology State of New Jersey John Essner, CISO Office of Information Technology State of New Jersey http://csrc.nist.gov/publications/nistpubs/800-144/sp800-144.pdf Governance Compliance Trust Architecture Identity and Access Management

More information

A Method for Eliciting Security Requirements from the Business Process Models

A Method for Eliciting Security Requirements from the Business Process Models A Method for Eliciting Security Requirements from the Business Process Models Naved Ahmed and Raimundas Matulevičius Institute of Computer Science, University of Tartu J. Liivi 2, 50409 Tartu, Estonia

More information

Achieving SOX Compliance with Masergy Security Professional Services

Achieving SOX Compliance with Masergy Security Professional Services Achieving SOX Compliance with Masergy Security Professional Services The Sarbanes-Oxley (SOX) Act, also known as the Public Company Accounting Reform and Investor Protection Act of 2002 (and commonly called

More information

Information Auditing and Governance of Cloud Computing IT Capstone 4444 - Spring 2013 Sona Aryal Laura Webb Cameron University.

Information Auditing and Governance of Cloud Computing IT Capstone 4444 - Spring 2013 Sona Aryal Laura Webb Cameron University. Information Auditing and Governance of Cloud Computing IT Capstone 4444 - Spring 2013 Sona Aryal Laura Webb Cameron University P a g e 1 P a g e 2 Table of Contents Abstract... 3 Introduction... 3 Previous

More information

How small and medium-sized enterprises can formulate an information security management system

How small and medium-sized enterprises can formulate an information security management system How small and medium-sized enterprises can formulate an information security management system Royal Holloway Information Security Thesis Series Information security for SMEs Vadim Gordas, MSc (RHUL) and

More information

Logging the Pillar of Compliance

Logging the Pillar of Compliance WHITEPAPER Logging the Pillar of Compliance Copyright 2000-2011 BalaBit IT Security All rights reserved. www.balabit.com 1 Table of Content Introduction 3 Open-eyed management 4 ISO 27001 5 PCI DSS 5 Sarbanes

More information

Evaluate the Usability of Security Audits in Electronic Commerce

Evaluate the Usability of Security Audits in Electronic Commerce Evaluate the Usability of Security Audits in Electronic Commerce K.A.D.C.P Kahandawaarachchi, M.C Adipola, D.Y.S Mahagederawatte and P Hewamallikage 3 rd Year Information Systems Undergraduates Sri Lanka

More information

CloudCheck Compliance Certification Program

CloudCheck Compliance Certification Program CloudCheck Compliance Certification Program Ensure Your Cloud Computing Environment is Secure with CloudCheck Certification Organizations today are increasingly relying on a combination of private and/or

More information

ISO/IEC 27002 INTERNATIONAL STANDARD. Information technology Security techniques Code of practice for information security management

ISO/IEC 27002 INTERNATIONAL STANDARD. Information technology Security techniques Code of practice for information security management INTERNATIONAL STANDARD This is a preview - click here to buy the full publication ISO/IEC 27002 First edition 2005-06-15 Information technology Security techniques Code of practice for information security

More information

Security metrics to improve information security management

Security metrics to improve information security management Security metrics to improve information security management Igli TASHI, Solange GHERNAOUTIHÉLIE HEC Business School University of Lausanne Switzerland Abstract The concept of security metrics is a very

More information

State of Montana Montana Board of Crime Control. Agency IT Plan Fiscal Year 2012-2017

State of Montana Montana Board of Crime Control. Agency IT Plan Fiscal Year 2012-2017 State of Montana Montana Board of Crime Control Agency IT Plan Fiscal Year 2012-2017 Prepared July 2012 Brooke Marshall, Executive Director Jerry Kozak, IT Manager Board of Crime Control 5 S Last Chance

More information

Management Standards for Information Security Measures for the Central Government Computer Systems

Management Standards for Information Security Measures for the Central Government Computer Systems Management Standards for Information Security Measures for the Central Government Computer Systems April 21, 2011 Established by the Information Security Policy Council Table of Contents Chapter 1.1 General...

More information

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL The auditor general shall conduct post audits of financial transactions and accounts of the state and of all

More information

Compliance Guide: ASD ISM OVERVIEW

Compliance Guide: ASD ISM OVERVIEW Compliance Guide: ASD ISM OVERVIEW Australian Information Security Manual Mapping to the Principles using Huntsman INTRODUCTION In June 2010, The Australian Government Protective Security Policy Framework

More information

AN AGILE IT SECURITY MODEL FOR PROJECT RISK ASSESSMENT

AN AGILE IT SECURITY MODEL FOR PROJECT RISK ASSESSMENT AN AGILE IT SECURITY MODEL FOR PROJECT RISK ASSESSMENT Damien Hutchinson, Heath Maddern, Jason Wells School of Information Technology, Deakin University drh@deakin.edu.au, hmma@deakin.edu.au, wells@deakin.edu.au

More information

University of Pittsburgh Security Assessment Questionnaire (v1.5)

University of Pittsburgh Security Assessment Questionnaire (v1.5) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided

More information

Recent Advances in Automatic Control, Information and Communications

Recent Advances in Automatic Control, Information and Communications Proposal of the improvement of actual ITIL version based on comparative IT Service Management methodologies and standards The implementation of IT Service Management frameworks and standards Anel Tanovic*,

More information

IT Audit and Compliance

IT Audit and Compliance Problem IT Audit and Compliance IT audit is about the formal verification and validation of the quality and effectiveness of IT controls to support the overall business control objectives. From a security

More information

PrivyLink Cryptographic Key Server *

PrivyLink Cryptographic Key Server * WHITE PAPER PrivyLink Cryptographic Key * Tamper Resistant Protection of Key Information Assets for Preserving and Delivering End-to-End Trust and Values in e-businesses September 2003 E-commerce technology

More information

VARIABILITY MODELING FOR CUSTOMIZABLE SAAS APPLICATIONS

VARIABILITY MODELING FOR CUSTOMIZABLE SAAS APPLICATIONS VARIABILITY MODELING FOR CUSTOMIZABLE SAAS APPLICATIONS Ashraf A. Shahin 1, 2 1 College of Computer and Information Sciences, Al Imam Mohammad Ibn Saud Islamic University (IMSIU) Riyadh, Kingdom of Saudi

More information

Vs Encryption Suites

Vs Encryption Suites Vs Encryption Suites Introduction Data at Rest The phrase "Data at Rest" refers to any type of data, stored in the form of electronic documents (spreadsheets, text documents, etc.) and located on laptops,

More information

TELEFÓNICA UK LTD. Introduction to Security Policy

TELEFÓNICA UK LTD. Introduction to Security Policy TELEFÓNICA UK LTD Introduction to Security Policy Page 1 of 7 CHANGE HISTORY Version No Date Details Authors/Editor 7.0 1/11/14 Annual review including change control added. Julian Jeffery 8.0 1/11/15

More information

IT Security Governance for e-business

IT Security Governance for e-business Vol. 2, No. 3, July, 2008 IT Security Governance for e-business Rosslin John Robles, Na-Yun Kim, Tai-hoon Kim School of Multimedia, Hannam University, Daejeon, Korea rosslin_john@yahoo.com, bijou0318@nate.com,

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 14 Risk Mitigation

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 14 Risk Mitigation Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 14 Risk Mitigation Objectives Explain how to control risk List the types of security policies Describe how awareness and training

More information

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.

More information

Enabling Information PREVIEW VERSION

Enabling Information PREVIEW VERSION Enabling Information These following pages provide a preview of the information contained in COBIT 5: Enabling Information. The main benefit of this publication is that it provides COBIT 5 users with a

More information

10 Hidden IT Risks That Threaten Your Financial Services Firm

10 Hidden IT Risks That Threaten Your Financial Services Firm Your firm depends on intelligence. But can you count on your technology? You may not be in the intelligence technology business, but it s probably impossible to imagine your business without IT. Today,

More information

This is a free 15 page sample. Access the full version online.

This is a free 15 page sample. Access the full version online. AS/NZS ISO/IEC 17799:2001 This Joint Australian/New Zealand Standard was prepared by Joint Technical Committee IT-012, Information Systems, Security and Identification Technology. It was approved on behalf

More information

Information Technology Security Training Requirements APPENDIX A. Appendix A Learning Continuum A-1

Information Technology Security Training Requirements APPENDIX A. Appendix A Learning Continuum A-1 APPENDIX A Appendix A Learning Continuum A-1 Appendix A Learning Continuum A-2 APPENDIX A LEARNING CONTINUUM E D U C A T I O N Information Technology Security Specialists and Professionals Education and

More information

Enterprise K12 Network Security Policy

Enterprise K12 Network Security Policy Enterprise K12 Network Security Policy I. Introduction The K12 State Wide Network was established by MDE and ITS to provide a private network infrastructure for the public K12 educational community. Therefore,

More information

INTERNATIONAL AUDITING PRACTICE STATEMENT 1013 ELECTRONIC COMMERCE EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS

INTERNATIONAL AUDITING PRACTICE STATEMENT 1013 ELECTRONIC COMMERCE EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS INTERNATIONAL PRACTICE STATEMENT 1013 ELECTRONIC COMMERCE EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS (This Statement is effective) CONTENTS Paragraph Introduction... 1 5 Skills and Knowledge... 6 7 Knowledge

More information

Moving from ISO/IEC 27001:2005 to ISO/IEC 27001:2013

Moving from ISO/IEC 27001:2005 to ISO/IEC 27001:2013 Transition guide Moving from ISO/IEC 27001:2005 to ISO/IEC 27001:2013 The new international standard for information security management systems ISO/IEC 27001 - Information Security Management - Transition

More information

StratusLIVE for Fundraisers Cloud Operations

StratusLIVE for Fundraisers Cloud Operations 6465 College Park Square Virginia Beach, VA 23464 757-273-8219 (main) 757-962-6989 (fax) stratuslive.com Contents Security Services... 3 Rackspace Multi Layered Approach to Security... 3 Network... 3 Rackspace

More information

Unified Security Anywhere SOX COMPLIANCE ACHIEVING SOX COMPLIANCE WITH MASERGY SECURITY PROFESSIONAL SERVICES

Unified Security Anywhere SOX COMPLIANCE ACHIEVING SOX COMPLIANCE WITH MASERGY SECURITY PROFESSIONAL SERVICES Unified Security Anywhere SOX COMPLIANCE ACHIEVING SOX COMPLIANCE WITH MASERGY SECURITY PROFESSIONAL SERVICES SOX COMPLIANCE Achieving SOX Compliance with Professional Services The Sarbanes-Oxley (SOX)

More information

NetDefend Firewall UTM Services

NetDefend Firewall UTM Services NetDefend Firewall UTM Services Unified Threat Management D-Link NetDefend UTM firewalls (DFL-260/860) integrate an Intrusion Prevention System (IPS), gateway AntiVirus (AV), and Web Content Filtering

More information

SECURITY RISK MANAGEMENT

SECURITY RISK MANAGEMENT SECURITY RISK MANAGEMENT ISACA Atlanta Chapter, Geek Week August 20, 2013 Scott Ritchie, Manager, HA&W Information Assurance Services Scott Ritchie CISSP, CISA, PCI QSA, ISO 27001 Auditor Manager, HA&W

More information

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM Okumoku-Evroro Oniovosa Lecturer, Department of Computer Science Delta State University, Abraka, Nigeria Email: victorkleo@live.com ABSTRACT Internet security

More information

PATCH MANAGEMENT. February 2008. The Government of the Hong Kong Special Administrative Region

PATCH MANAGEMENT. February 2008. The Government of the Hong Kong Special Administrative Region PATCH MANAGEMENT February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Two

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Two Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Two Data Handling in University Case Study- Information Security in University Agenda Case Study Background

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

Driving Company Security is Challenging. Centralized Management Makes it Simple.

Driving Company Security is Challenging. Centralized Management Makes it Simple. Driving Company Security is Challenging. Centralized Management Makes it Simple. Overview - P3 Security Threats, Downtime and High Costs - P3 Threats to Company Security and Profitability - P4 A Revolutionary

More information

Data Leakage Detection in Cloud Computing using Identity Services

Data Leakage Detection in Cloud Computing using Identity Services International Journal of Computer Sciences and Engineering Open Access Research Paper Volume-4, Issue-04 E-ISSN: 2347-2693 Data Leakage Detection in Cloud Computing using Identity Services K. Mythili 1*,

More information