A Simple Enterprise Security Architecture (SESA): Towards a Pedagogic Architecture for Teaching Cyber Security

Size: px
Start display at page:

Download "A Simple Enterprise Security Architecture (SESA): Towards a Pedagogic Architecture for Teaching Cyber Security"

Transcription

1 A Simple Enterprise Security Architecture (SESA): Towards a Pedagogic Architecture for Teaching Cyber Security Harjinder Singh Lallie E-Security Group, WMG, University of Warwick, Coventry, CV4 7AL, UK, Abstract Enterprise Security is a highly complex issue which is complicated further by conflicting views of the different elements of cyber security which are often represented as a while in terms of an architecture or model. In this paper we consider a number of approaches to defining architectures in the computer science domain and determine a number of architectural guiding principles from these. We consider a number of approaches to defining cyber security architectures and propose a Simple Enterprise Security Architecture (SESA) which encompasses security from the strategic through to the protocol level in three simple layers. Keywords: Enterprise security; Security architecture; Security models 1 Introduction Architectural approaches have been used within the computer science domain to allow for a more thorough understanding of the individual components and processes within a digital system and in particular the manner of interaction between the components and processes. Defining a complex system through an architectural viewpoint serves a very useful pedagogic value in the classroom as it can help to relay often complex technical concepts more easily to students. This approach also helps to demonstrate elements of the security system from the viewpoint of the various stakeholders. That said however, architectural approaches to defining security systems are in their infancy and there is room for clearer and simpler proposals which can serve particular value in the classroom. Security architectures have previously been reviewed by Oda et al who approach the issue of security architectures by considering how security is built into the core enterprise architectures [4]. Shariati et al reviewed a number of architectures and frameworks including the Gartner, SABSA, RISE and SOAE Security Governance frameworks [5]. In this paper we review a number of approaches in order to demonstrate their shortcomings as a pedagogic model that can be used in the classroom. 1

2 This paper highlights the importance of adopting an architectural approach towards defining a security system and considers what the guiding principles of a security architecture should be. We do this by exploring and analysing similar approaches in other computer science domains such as network engineering, computer systems, software engineering and digital forensics. Based on those guiding principles we propose a Simple Enterprise Security Architecture (SESA) which considers the security system as a simple three layered hierarchy. The rest of this paper is structured as follows. We begin in Section 2 by clarifying some of the terminology used in the domain, we proceed in section 3 to highlight the importance of adopting an architectural approach to designing a security system. In the same section we explore approaches to architectural definition in other areas of computing. This gives us the benefit of considering the views and approaches of experts in other fields some of which are more mature in terms of the development of the disciplines and philosophies. Ultimately, the purpose of this is to establish some of the guiding principles used in those domains to influence architectural models. In section 4, we proceed to exploring and critiquing two holistic approaches to defining security architecture. Finally, in section 0 we propose a simpler model for a security architecture and in doing so consider the views presented by other writers in the context of each layer of the proposed architecture. 2 Defining terms A number of terms such as architecture, design, framework, model, process and implementation have tended to be used interchangeably often to mean the same thing. Such usage needs to be clarified. Eden and Kazman argue that whilst a similar array of terms are used within the software engineering industry, the terms are not well-defined enough and can cause miscommunication [6]. This is an issue that also applies within the cyber security domain wherein there is scope for miscommunication most particularly in understanding the distinctions between security architecture, design and implementation. A good designer may not necessarily be a good implementer and maintainer of the system. In the same way as a network administrator may be gifted in troubleshooting security related issues but may not necessarily be a good architect of a new system. An example of the confusion cause by the misuse of terms is typified by Talukder and Chaitanya who whilst appearing to speak about secure software systems architecture and the need to understand architectural principles in designing secured systems, the authors focus instead on design principles and give little or no consideration to architectural principles [7]. Eden and Kazman s view can also be illustrated by the approach taken by Whitman [8] who in defining security architecture models proposes a number of examples of these as being: The Trusted Computer System Evaluation Criteria (TCSEC). A DoD standard that defines the criteria for assessing access controls in a system. The Information Technology Security Evaluation Criteria (ITSEC). A set of international criteria for evaluating computer systems. 2

3 ISO/IEC the common criteria for Information Technology Security Evaluation. Bell-LaPadula Confidentiality Model. Biba Integrity Model Clark-Wilson Integrity Model Graham-Denning Access Control Model Harrison-Ruzzo-Ullman Model Brewer-Nash Model Each of the models referred to in Whitman s paper are unique and particular elements of a security architecture but are not an overarching enterprise wide security architecture. Indeed, it may not have been Whitman s intention to propose this, the context is nevertheless confusing. The models referred to by Whitman can be encompassed within particular layers of the holistic security architecture that we focus on in the present paper. 2.1 Architecture, design and implementation We base our definitions of these terms on the Oxford dictionary [9]. The term architecture means the conceptual structure and logical organization of a computer or computer-based system. A design is a plan or drawing produced to show the look and function or workings of a building, garment, or other object before it is made. We can see from this that an architecture and a design are not the same thing. A model is a thing used as an example to follow or imitate and a framework is a basic structure underlying a system, concept or text. A framework or model in our view is a structure which describes or imitates a design. Whilst this may not be a conclusive definition of what it is in the present context, we can certainly be clear of what it is not. It is not an architecture nor the implementation. An implementation is the enactment of that design and the design is quite often based on the architecture, hence a systems designer may most often have an architectural blueprint of some kind from which to guide the design. 3 Architectures, models and frameworks in other computer science disciplines. In this section we explore approaches towards defining complex systems in other computer science domains namely: network engineering, computer architecture, software architecture and digital forensics. This discussion serves two purposes, firstly to identify the benefits that architectural approaches provide within those domains and therefore whether the same may apply to approaching cyber security from an architectural viewpoint and secondly to highlight some guiding principles which influence our proposal. 3

4 3.1 Network architecture Architectural approaches to system definition are not new to the domain of computer science, efforts have previously been deployed in the areas of network engineering, computer architecture, software architecture, and digital forensics. Some of the models proposed in these domains have become widely accepted amongst academia and business. For instance, the ISO/OSI seven layer model is considered an academic standard in the domain of network architecture wherein the TCP/IP model has become a widely implemented practical standard. The ISO/OSI seven layer model provides students of network engineering with the conceptual constructs of a networked system, the model clearly delineates the various functions of the network and provides a mechanism for more easily understanding the communication flows between the various systems that exist within the network. 3.2 Computer architecture Similarly, computer systems also have been presented as conceptual architectures which present otherwise complex systems as logical structures that are easier to comprehend and understand. Comer highlights the importance of this approach and argues that it: makes it possible to write more efficient code that is less prone to errors, helps programmers understand the effects of their choices and also how to debug hardware issues [10]. There are benefits therefore to the designer, the user and also the person charged with the subsequent maintenance. We can see from Comer s viewpoint that understanding the architecture in this way helps achieve efficiency and to better understand the effects of choices, furthermore it helps to troubleshoot problems. Another important viewpoint is given by the ACM who propose that students should not be encouraged to view the computer as a black box but should understand the functional components of a computer system as well as develop a good understanding of the interaction and performance of those components, this is made easier through considering the system as a layered architecture [11]. 3.3 Software architecture Most of the conceptual thinking in architectural approaches in computer science has probably been proposed within the software engineering domain. Garlan notes that an architectural approach to designing software can provide significant benefits, this has resulted in numerous idiomatic patterns some of which have been documented as industrial or scientific standards [12]. Monroe et al add that by adopting an architectural approach towards software design, the designer can enjoy the benefits of design and code reuse, previously applied tested and understood solutions can be reapplied, the system design becomes intellectually tractable and also helps to establish whether a proposed new system will meet its most critical requirements [13]. Gutmann [14] proposes five key software architectural design principles, the design: Utilises independent objects 4

5 Utilises intelligent objects Is platform independent Isolates the internal architecture from external code Is layered Gutmann s proposal highlights two fundamental architectural goals that of the need to adopt a layered approach and to achieve platform independence. Furthermore we can see from some of the ideas presented above that the issues of software architecture and design can be separated out wherein the architecture is the highest level of abstraction. 3.4 Digital Forensics Similar research has been undertaken in the digital forensics domain wherein endeavours have been made to define the digital investigation process in a model. However the proposals in this domain are primarily models of frameworks that propose particular investigative procedures or processes and are not architectural definitions. Reith et al proposed an abstract digital forensics model which describes the digital investigation procedure as a sequence of small processes [15]. Carrier and Spafford took this approach further, they combined the approach and preparation phases of Reith et als model and proposed a framework for investigation which subdivided key aspects of an investigation into a number of phases [16]. This research was developed further by Baryamureeba and Tushbe in their Enhanced Digital Investigation Process (EIDIP) Model which divided the investigative process into five phases [17]. Similar work has been conducted by Pollitt [18], Perumal [19] and Alharbi et al [20]. There may be scope to consider the need to present the digital forensics domain as an architectural system. We can see that most of the research in the digital forensics domain has focussed on proposing an investigative model which encompasses processes of investigation rather than an architectural approach to studying and understanding the domain. 3.5 Summary Having considered some of the approaches to architecture in other domains we can establish that the consideration of a security system from an architectural viewpoint would correspondingly provide the security system designer with the ability to produce a better and more efficient design, the system administrator to better troubleshoot the problems, the practitioner to better deploy and manage the various components of the system and the decision makers to understand the trade-offs in spend and most importantly the implications thereof. From this discussion we can also establish some guiding principles in terms of what an architectural model should conform to, it must be: Layered so as to separate the various levels of complexity into logical, abstract and intellectually tractable components Platform, protocol and technology independent 5

6 An abstracted architecture which does not focus on procedure but on the independent constructs of the various systems and sub-systems which contribute to the whole of the architecture 4 Previous approaches to defining security architecture Having considered some of the approaches in other computer science disciplines, we proceed to exploring and critiquing previous attempts at defining security architectures, frameworks and models. Goldman explores the issues surrounding the development of resilient security architectures and discusses architectural strategies and in particular outlines how resiliency can be built into such an architecture [21]. However, she does not proceed to define what she means by a security architecture or even the characteristics of such an architecture. Notably however, Goldman makes important recommendations for critical systems which she says must be easily adaptable, scalable, replaceable, reconfigurable and recoverable in the event of an unexpected disruption, degradation or compromise of critical system components, services and/or data. Goldman also refers to the security architecture as having layers of separation which allow for the monitoring and analysis of events, traffic and anomalous behaviour - a principle referred to by Goor as as orthogonality [22]. The ISO 7498 standard: Information Processing System-Open System Interconnections-Basic Reference Model, Part 2: Security Architecture [23] defines the concept of layering in the context of a security architecture. The standards used a number of principles to determine the allocation of security services to layers and the placement of security mechanisms in the layers as follows: a. that the number of alternative ways of achieving a service should be minimized; b. that it is acceptable to build secure systems by providing security services in more than one layer; c. that additional functionality required for security should not unnecessarily duplicate the existing OSI functions; d. that violation of layer independence should be avoided; e. that the amount of trusted functionality should be minimized; f. that, wherever an entity is dependent on a security mechanism provided by an entity in a lower layer, any intermediate layers should be constructed in such a way that security violation is impracticable; g. that, wherever possible, the additional security functions of a layer should be defined in such a way that implementation as a self-contained module(s) is not precluded; and h. that this part of ISO 7498 is assumed to apply to open systems consisting of end systems containing all seven layers and to relay systems. Here again, we are presented with a number of core architectural principles: a layered approach and the independence of those layers. 6

7 4.1 DSNET and MILNET One of the earlier attempts to define a security architecture was presented by Shirey [24]. This study focuses specifically on the architecture of the Department of Defense Data Network and analyses the physical network from a security viewpoint. That particular network is divided into two segments, Defense Secure NETwork (DSNET) and MILitary NETwork (MILNET). Shirey goes into significant detail and essentially describes the technical architecture of the network. It is unlikely that a network of such sensitivity (politically) could again be described to such detail. 4.2 Kiely and Petersons approaches Shirey s study is interesting because it is one of the earliest published security architectures, it presents primarily a technical architecture devoid of the human and enterprise elements. The domain of cyber security differs from those presented up to this point because of the way in which it encompasses every aspect of the business from the technical systems through to the people, procedures and policies of the enterprise. This has been recognised by Kiely who proposes a holistic approach towards security architecture which links up organisational strategy with technology [25]. However this approach appears to ignore the people in the organisation and also the policies in place (or lack thereof) in an organisation. Peterson defines a security architecture lifecycle (Figure 1) which focuses on: identifying the risks to an organisation, building security around this, implementing the designed system and then monitoring this [2]. Peterson s model is a high level strategic view of security and places more emphasis on the software architecture whilst providing some consideration to risk and other aspects of business strategy. There is a clear emphasis on OWASP (Open Web Application Security Project) with little or no consideration of the technical underpinnings of such a security system. Figure 1. Peterson's Security Architecture Lifecycle [2] 4.3 Cohen s model Cohen [1] proposes the Enterprise Information Protection Architecture which considers four core elements: the control architecture, technical security 7

8 architecture, risk/governance architecture and the business itself. An analysis of Cohen s model (Figure 2) will show that it is over-detailed particularly in specifying discreet protection mechanisms such as firewalls and diodes. On occasion it presents conflicting messages, for instance, one might expect certain controls such as the principle of least privilege and duty separation to be implemented as part of the control architecture along with the audit and access controls, however these principles are presented as a function of the technical security architecture alongside practical implementations such as firewalls and barriers. Furthermore certain components such as the auditors, the board etc are listed in two separate sub-categories ( oversight and Organizational Governance Architecture). In the case of auditors, their role and responsibility should be considered and integrated into the implementation of the audit procedure within the organizational governance architecture. Figure 2. Cohen's Enterprise Information Protection Architecture [1] 4.4 SABSA Sherwood et al proposes a model known as SABSA (Sherwood Applied Business Security Architecture) [3]. SABSA is a whole enterprise-wide socio-technical approach towards security management. SABSA is based on ISO part 2 security architecture and is a proprietary and practical model which is used for developing enterprise security architecture and strategy. In their approach, Sherwood et al recognised that a system can be viewed through the experiences of the users, their model: 8

9 provides an overarching framework that binds them [existing methods, models and standards] all together into a single holistic view of how to design and manage enterprise security [3]. Sherwood et al propose a layered model comprising of sub-architectural views as presented in Table 1. Each of the layers in this model can be expanded as follows: The business view (contextual security architecture) is the strategic view of the core business requirements from the CEO/shareholders perspective and has to govern and directly influence the development of the business security system. In the context of a business information system therefore, this is a definition of what it is, how it is used, who will use it etc. The architects view (conceptual security architecture). This layer guides the application security, network security, cryptographic infrastructure and access control strategies and is often referred to as the consultants view. The designers view (logical security architecture). The designer interprets the strategies defined above and specifies the essential components of the system The builders view (physical security architecture) refers to the view taken by those charged with implementing and configuring the system. The tradesmans view (component security architecture). This is where the model presents some problems. It is difficult to ascertain the difference between the physical and component architectures. From the SABSA models it seems that the component architecture is the system design point. i.e. the people that design the protocols, software, physical hardware etc. The facilities managers view (operational security architecture). This is another interesting feature of the model. The facility manager according to SABSA is the person(s) responsible for implementing and running the product. Interestingly, the model does not seem to incorporate the users (or what they see human interface) and we can only assume that this is accounted for within the designer/builder view. In our view, this model like Cohen s is overly complex and can be simplified further. One of the problems we have with this model is that the architect and designer views could be incorporated into a single layer which is effectively the consideration of the strategic requirements and their design thereof. Furthermore, the builder and the tradesman view can also be combined into a single view. That said, like the ISO/OSI seven layer model, the SABSA model is a good example of a system which can be seen from various stakeholder viewpoints. The application layer for instance is the view taken by the end user of a network component particularly where the networking component is a user-interface. Williams explores these various viewpoints and notes that hardware engineers and programmers view the same system in different ways as do the application user, systems administrators the high level language programmers and systems programmers [26]. 9

10 The business view Contextual security architecture The architects view conceptual security architecture The designers view logical security architecture The builders view physical security architecture The tradesmans view component security architecture The facilities managers view operational security architecture Table 1. Sherwood Et al s SABSA security Architecture [3] 5 A Simple Enterprise Security Architecture (SESA) We propose a Simple Enterprise Security Architecture (SESA) which encompasses the domain into 3 simple layers Business, People and System. Each of these layers are independent of each other and devoid of any specific technical implementation details. Most of these layers are subdivided into further sub layers each of which can be used to demonstrate particular user views of the security system. The proposed architecture has been used to teach Cyber Security and has been very well received in a University Post graduate masters level course. Our proposal places the users within the basic construct of the model and presents these as layers as shown in Figure 3. Each of the layers within the proposed model are discussed herein. 5.1 Business Layer This layer encompasses the core business goals and objectives and comprises of three sub-layers: Business Requirements and Strategy, Regulation and compliance and Security Strategy. To a CEO and/or board of directors (referred to herein simply as the board ), the security architecture defines a system which must Figure 3. A Simple Enterprise Security Architecture 10

11 encompass and support the generic business needs of the organisation. We refer to this as the Business Requirements and Strategy sub-layer and it comprises simply of the organisational goals, strategy and its market. This is an area of cyber security that students often struggle to comprehend particularly in the context of their chosen academic discipline. In the real world however one would expect a consultant or systems designer to have a good knowledge and understanding of the business context for which they are designing a particular system. More often today their view is driven by regulatory and compliance related requirements such as ISO 27001, PCI-DSS and the Data Protection Act to name a few. The responsibility for complying generally lies at board level and correspondingly is driven through all layers of the organisation from the board downwards. We refer to this sub-layer as the Regulation and Compliance sub-layer and within it sit the raft of standards, compliance and legislation described herein. This layer interacts with the business requirements and strategy layer because organisational goals are often influenced directly by this and also with the security strategy layer because this often influences policy and security strategy, Organisational strategy is often reflected through policy which in this context relates to system use, employment and other matters. We refer to this as the security strategy sub-layer. It is useful at this point to consider the view that the board has of the security architecture. Their immediate view (in addition to the three sub-layers described above) is of the people using the system, they rarely maintain a day-to-day view of the system layer, for instance, they do not maintain a view of the hardware/component level and rarely involve themselves strategically in the selection of hardware, components or the implementation of particular protocols. This is an important point which we discuss further in this paper. 5.2 People Layer The second layer in our architecture is referred to as the people layer which comprises of a single sub layer - the human interface layer. Software/web engineers/developers develop applications which are used by the end-users within an organisation (through the HCI). The user view of a security system however has often been criticised for being neglected and being the weakest link in most security systems [27-29]. To this end, a lot of research has more recently focussed on the user view of security and focuses for instance in the areas of presenting understanding security warnings to users [30-32], the use of PINs [33] and even the colour schemes used [34]. In our architecture, the user interface is the view that end users directly see, in other words their immediate view of the security of an organisation is typically the daily usage of a system through the HCI. At the same time however, the user has two further views: the security strategy sub-layer, i.e. the policies that they must comply with, and occasionally the user security interfaces such as physical access systems and biometric systems. 11

12 5.3 System Layer The system layer comprises of four sub-layers, namely: User Security Interface (described above), protocols, code and component. The protocols sub-layer comprises of a very large suite of security protocols such as SSL, Kerberos, IPSEC and even the cryptographic algorithms. Such protocols exist at this level as conceptual designs and are then programmed/hard coded into the system as code (the code sub-layer) and then implemented sometimes as hardwired code within the component sub-layer. The code sub-layer encompasses the programs, applications and software based utilities that incorporate protocols as well as the system requirements. The component sub-layer involves the design of the underlying electrical components that make up the physical security systems. This layer is quite general in that we incorporate within this the various levels of hardware design which includes the hardwired coding of protocols and also the various electrical devices and components themselves. The devices that we incorporate within this level are the routers, gateways, IDS/IPS systems, firewalls etc., however we do not incorporate within this sub layer the protocols that operate within these devices they sit in the protocol sub layer, are implemented in code in the code sub layer and then built as hardware at this sub layer. 6 Conclusions and Future work In this study we have considered a number of approaches towards defining architectures within the computer science domain. From that analysis we have established some fundamental guiding principles that should be incorporated within any architectural model. We have proceeded to analyse existing approaches towards defining security architectures and highlighted a number of benefits within these models as well as some shortcomings which often make them unsuitable for teaching Cyber Security in the classroom. We have proceeded to propose a Simple Enterprise Security Architecture which links up organisational strategy through to the underlying protocols of security architecture. Every aspect of enterprise security can be incorporated within these three layers. Whilst we have used the proposed architecture to teach Cyber Security at higher education level, we aim to develop this study further and test the architecture against given case studies so as to demonstrate its value in the classroom. Within that study we aim to further clarify the stake holder s various views and interactions with these layers as well as the communication flows therein. 12

13 References [1] F. Cohen, Enterprise Information Protection. New York, USA: Fred Cohen and Associates, [2] G. Peterson. (2007, 8th August). Security Architecture Blueprint Available: [3] J. Sherwood, A. Clark, and D. Lynas, Enterprise Security Architecture, A Business-Driven Approach. CA, USA: CMP Books, [4] S. M. Oda, H. Fu, and Y. Zhu, "Enterprise information security architecture a review of frameworks, methodology, and case studies," in 2nd IEEE International Conference oncomputer Science and Information Technology, Beijing, China 2009, pp [5] M. Shariati, F. Bahmani, and F. Shams, "Enterprise information security, a review of architectures and frameworks from interoperability perspective," Procedia Computer Science, vol. 3, pp , [6] A. H. Eden and R. Kazman, "Architecture, design, implementation," in 25th International Conference on Software Engineering, Portland, Oregon, USA, 2003, pp [7] A. K. Talukder and M. Chaitanya, Architecting secure software systems. New York, USA: CRC Press, [8] M. E. Whitman and H. J. Mattord, Management of Information Security. KY, USA: Course Technology Ptr, [9] Oxford University Press. (2010, 11th January). Oxford Dictionaries. Available: [10] D. Comer, Essentials of Computer Architecture. New York, USA: Pearson/Prentice Hall, [11] E. Roberts, G. Engel, C. Chang, J. Cross, R. Shackelford, R. Sloan, D. Carver, R. Eckhouse, W. King, and F. Lau. (2001, Computing Curricula 2001: Computer Science. Available: [12] D. Garlan and M. Shaw, "An introduction to software architecture," Advances in software engineering and knowledge engineering, vol. 1, pp. 1-40, [13] R. T. Monroe, A. Kompanek, R. Melton, and D. Garlan, "Architectural styles, design patterns, and objects," Software, IEEE, vol. 14, pp , [14] P. Gutmann, Cryptographic security architecture: design and verification. New York, USA: Springer-Verlag New York Inc, [15] M. Reith, C. Carr, and G. Gunsch, "An examination of digital forensic models," International Journal of Digital Evidence, vol. 1, pp. 1-12, [16] B. Carrier and E. H. Spafford, "An event-based digital forensic investigation framework," in 4th Digital Forensic Research Workshop, Baltimore, Maryland, USA, 2004, pp [17] V. Baryamureeba and F. Tushabe. (2004, 3rd November, 2011). The Enhanced Digital Investigation Process Model. Available: [18] M. M. Pollitt, "An ad hoc review of digital forensic models," in Second International Workshop on Systematic Approaches to Digital Forensic Engineering, Seattle, Washington, USA, 2007, pp [19] S. Perumal, "Digital forensic model based on Malaysian investigation process," International Journal of Computer Science and Network Security, vol. 9, p. 38, [20] S. A. Soltan Alharbi, J. W. J. Jens Weber-Jahnke, and I. T. Issa Traore, "The Proactive and Reactive Digital Forensics Investigation Process: A Systematic 13

14 Literature Review," International Journal of Security and Its Applications, vol. 5, pp , [21] H. G. Goldman. (2010, 10th January, 2012). Building Secure, Resilient Architectures for Cyber Mission Assurance. Available: [22] A. J. C.-d. Goor, Computer Architecture and Design. New York, USA: Addison Wesley, [23] ISO, "7498," in Information Processing System-Open System Interconnections- Basic Reference Model, Part 2: Security Architecture, ed: ISO, [24] R. W. Shirey, "Defense Data Network Security Architecture," ACM SIGCOMM Computer Communication Review, vol. 20, pp , [25] L. Kiely and T. V. Benzel, "Systemic security management," Security & Privacy, IEEE, vol. 4, pp , [26] R. Williams, Computer systems architecture: A networking approach. New York, USA: Prentice Hall, [27] S. L. Pfleeger, "Making Security More Usable," The Innovator, vol. 4, [28] M. F. Theofanos and S. L. Pfleeger, "Guest Editors' Introduction: Shouldn't All Security Be Usable?," Security & Privacy, IEEE, vol. 9, pp , [29] D. Schutzer, "Bits and Bytes: Understanding Human Behaviour," The Innovator, vol. 4, [30] J. Sobey, P. van Oorschot, and A. S. Patrick, "Browser Interfaces and EV-SSL Certificates: Confusion, Inconsistencies and HUMAN INTERFACE Challenges," Technical Report TR (January 15, 2009), School of Computer Science, Carleton University, Canada2009. [31] R. Biddle, P. Van Oorschot, A. S. Patrick, J. Sobey, and T. Whalen, "Browser interfaces and extended validation SSL certificates: an empirical study," in The 2009 ACM workshop on Cloud computing security Chicago, IL, USA, 2009, pp [32] M. E. Maurer, "Bringing effective Security Warnings to mobile Browsing," presented at the Second International Workshop in Security and Privacy in Spontaneous Interaction and mobile Phone Use (IWSSI/SPMU), Helsinki, Finland, [33] S. Brostoff, P. Inglesant, and M. A. Sasse, "Evaluating the usability and security of a graphical one-time PIN system," in 24th BCS Interaction Specialist Group Conference University of Abertay, Dundee, UK, [34] A. S. El Ahmad, J. Yan, and U. o. N. U. T. C. Science, "Colour, usability and security: a case study," Citeseer, School of Computing Science, University of Newcastle upon Tyne, UK

The Perusal and Review of Different Aspects of the Architecture of Information Security

The Perusal and Review of Different Aspects of the Architecture of Information Security The Perusal and Review of Different Aspects of the Architecture of Information Security Vipin Kumar Research Scholar, CMJ University, Shillong, Meghalaya (India) Abstract The purpose of the security architecture

More information

Weighted Total Mark. Weighted Exam Mark

Weighted Total Mark. Weighted Exam Mark CMP4103 Computer Systems and Network Security Period per Week Contact Hour per Semester Weighted Total Mark Weighted Exam Mark Weighted Continuous Assessment Mark Credit Units LH PH TH CH WTM WEM WCM CU

More information

Practitioner Certificate in Information Assurance Architecture (PCiIAA)

Practitioner Certificate in Information Assurance Architecture (PCiIAA) Practitioner Certificate in Information Assurance Architecture (PCiIAA) 15 th August, 2015 v2.1 Course Introduction 1.1. Overview A Security Architect (SA) is a senior-level enterprise architect role,

More information

Security Engineering Approach for the Development of Secure Information Systems

Security Engineering Approach for the Development of Secure Information Systems Engineering Approach for the Development of Secure Information Systems Young-Gab Kim and Sungdeok Cha College of Information and Communication, Korea University, 1, 5-ga, Anam-dong, Sungbuk-gu, 136-701,

More information

AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES

AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES Final Report Prepared by Dr Janet Tweedie & Dr Julie West June 2010 Produced for AGIMO by

More information

ARCHITECTURE SERVICES. G-CLOUD SERVICE DEFINITION.

ARCHITECTURE SERVICES. G-CLOUD SERVICE DEFINITION. ARCHITECTURE SERVICES. G-CLOUD SERVICE DEFINITION. Table of contents 1 Introduction...3 2 Architecture Services...4 2.1 Enterprise Architecture Services...5 2.2 Solution Architecture Services...6 2.3 Service

More information

BCS THE CHARTERED INSTITUTE FOR IT. BCS HIGHER EDUCATION QUALIFICATIONS BCS Level 6 Professional Graduate Diploma in IT SOFTWARE ENGINEERING 2

BCS THE CHARTERED INSTITUTE FOR IT. BCS HIGHER EDUCATION QUALIFICATIONS BCS Level 6 Professional Graduate Diploma in IT SOFTWARE ENGINEERING 2 BCS THE CHARTERED INSTITUTE FOR IT BCS HIGHER EDUCATION QUALIFICATIONS BCS Level 6 Professional Graduate Diploma in IT SOFTWARE ENGINEERING 2 EXAMINERS REPORT Friday 2 nd October 2015 Answer any THREE

More information

Internal Audit. Audit of HRIS: A Human Resources Management Enabler

Internal Audit. Audit of HRIS: A Human Resources Management Enabler Internal Audit Audit of HRIS: A Human Resources Management Enabler November 2010 Table of Contents EXECUTIVE SUMMARY... 5 1. INTRODUCTION... 8 1.1 BACKGROUND... 8 1.2 OBJECTIVES... 9 1.3 SCOPE... 9 1.4

More information

COBIT 5 and the Process Capability Model. Improvements Provided for IT Governance Process

COBIT 5 and the Process Capability Model. Improvements Provided for IT Governance Process Proceedings of FIKUSZ 13 Symposium for Young Researchers, 2013, 67-76 pp The Author(s). Conference Proceedings compilation Obuda University Keleti Faculty of Business and Management 2013. Published by

More information

CHALLENGES AND WEAKNESSES OF AGILE METHOD IN ENTERPRISE ARCHITECTURE

CHALLENGES AND WEAKNESSES OF AGILE METHOD IN ENTERPRISE ARCHITECTURE CHALLENGES AND WEAKNESSES OF AGILE METHOD IN ENTERPRISE ARCHITECTURE Zahra Askarinejad Amiri 1 1 Department of Computer Engineering, Staffordshire University ABSTRACT zahra.askarinejad@gmail.com As Information

More information

Basic Testing Concepts and Terminology

Basic Testing Concepts and Terminology T-76.5613 Software Testing and Quality Assurance Lecture 2, 13.9.2006 Basic Testing Concepts and Terminology Juha Itkonen SoberIT Contents Realities and principles of Testing terminology and basic concepts

More information

The Role of the Software Architect

The Role of the Software Architect IBM Software Group The Role of the Software Architect Peter Eeles peter.eeles@uk.ibm.com 2004 IBM Corporation Agenda Architecture Architect Architecting Requirements Analysis and design Implementation

More information

---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model---

---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model--- ---Information Technology (IT) Specialist (GS-2210) IT Security Model--- TECHNICAL COMPETENCIES Computer Forensics Knowledge of tools and techniques pertaining to legal evidence used in the analysis of

More information

OSI Solution Architecture Framework

OSI Solution Architecture Framework OSI Solution Architecture Framework Enterprise Service Center April 2008 California Health and Human Services Agency Revision History REVISION HISTORY REVISION/WORKSITE # DATE OF RELEASE OWNER SUMMARY

More information

The role of Information Governance in an Enterprise Architecture Framework

The role of Information Governance in an Enterprise Architecture Framework The role of Information Governance in an Enterprise Architecture Framework Richard Jeffrey-Cook, MBCS, CITP, FIRMS Head of Information and Records Management In-Form Consult Ltd, Cardinal Point Park Road,

More information

Setting Processes for Electronic Signature

Setting Processes for Electronic Signature Setting Processes for Electronic Signature Dr. Joachim Schiff On behalf of the SPES Consortium Workgroup City of Saarbruecken IKS Nell-Breuning-Allee 1 D-66115 Saarbruecken Germany Tel. 0049 681 905 5000

More information

Network Management and Monitoring Software

Network Management and Monitoring Software Page 1 of 7 Network Management and Monitoring Software Many products on the market today provide analytical information to those who are responsible for the management of networked systems or what the

More information

Survey on Different Phases of Digital Forensics Investigation Models

Survey on Different Phases of Digital Forensics Investigation Models Survey on Different Phases of Digital Forensics Investigation Models Priya S. Patil 1, Prof. A. S. Kapse 2 P. R. Patil College of Engineering and Technology, Amravati, India ABSTRACT: Most forensics models

More information

SABSA A Brief Introduction

SABSA A Brief Introduction SABSA A Brief Introduction Mark Battersby 2013-05-15 Agenda SABSA Overview SABSA Security Architecture SABSA Security Architecture Matrix Operational Security Architecture Matrix SABSA Business Attributes

More information

Component-based Development Process and Component Lifecycle Ivica Crnkovic 1, Stig Larsson 2, Michel Chaudron 3

Component-based Development Process and Component Lifecycle Ivica Crnkovic 1, Stig Larsson 2, Michel Chaudron 3 Component-based Development Process and Component Lifecycle Ivica Crnkovic 1, Stig Larsson 2, Michel Chaudron 3 1 Mälardalen University, Västerås, Sweden, ivica.crnkovic@mdh.se 2 ABB Corporate Research,

More information

A Comprehensive Study on Cloud Computing Standardization

A Comprehensive Study on Cloud Computing Standardization A Comprehensive Study on Cloud Computing Standardization Dr. Mukesh Chandra Negi Project Manager, Tech Mahindra Ltd, Noida, India ABSTRACT: Standard is a trust between standardization body, buyers and

More information

Asset Management Policy March 2014

Asset Management Policy March 2014 Asset Management Policy March 2014 In February 2011, we published our current Asset Management Policy. This is the first update incorporating further developments in our thinking on capacity planning and

More information

Enterprise Architecture Assessment Guide

Enterprise Architecture Assessment Guide Enterprise Architecture Assessment Guide Editorial Writer: J. Schekkerman Version 2.2 2006 Preface An enterprise architecture (EA) establishes the organization-wide roadmap to achieve an organization s

More information

Information Management Advice 39 Developing an Information Asset Register

Information Management Advice 39 Developing an Information Asset Register Information Management Advice 39 Developing an Information Asset Register Introduction The amount of information agencies create is continually increasing, and whether your agency is large or small, if

More information

A Model for Improving e-security in Australian Universities

A Model for Improving e-security in Australian Universities 1 and 2 1 Queensland University of Technology, Information Security Institute, l.may@qut.edu.au 2 Queensland University of Technology, Information Security Institute, tlane@scu.edu.au Received 04 December

More information

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to

More information

The Information Security Ownership Question in ISO/IEC 27001 an Implementation Perspective

The Information Security Ownership Question in ISO/IEC 27001 an Implementation Perspective The Information Security Ownership Question in ISO/IEC 27001 an Implementation Perspective Lizzie Coles Kemp and Richard E. Overill Department of Computer Science, King s College London, University of

More information

Structuring Product-lines: A Layered Architectural Style

Structuring Product-lines: A Layered Architectural Style Structuring Product-lines: A Layered Architectural Style Tommi Myllymäki, Kai Koskimies, and Tommi Mikkonen Institute of Software Systems, Tampere University of Technology Box 553, FIN-33101 Tampere, Finland

More information

Business Operations. Module Db. Capita s Combined Offer for Business & Enforcement Operations delivers many overarching benefits for TfL:

Business Operations. Module Db. Capita s Combined Offer for Business & Enforcement Operations delivers many overarching benefits for TfL: Module Db Technical Solution Capita s Combined Offer for Business & Enforcement Operations delivers many overarching benefits for TfL: Cost is reduced through greater economies of scale, removal of duplication

More information

Microsoft s Compliance Framework for Online Services

Microsoft s Compliance Framework for Online Services Microsoft s Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft

More information

CESG Certification of Cyber Security Training Courses

CESG Certification of Cyber Security Training Courses CESG Certification of Cyber Security Training Courses Supporting Assessment Criteria for the CESG Certified Training (CCT) Scheme Portions of this work are copyright The Institute of Information Security

More information

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus Information Technology Engineers Examination Information Security Specialist Examination (Level 4) Syllabus Details of Knowledge and Skills Required for the Information Technology Engineers Examination

More information

An Analysis of The SABSA Framework. Note: Most of this information comes from the SABSA website. TJS. SABSA Overview

An Analysis of The SABSA Framework. Note: Most of this information comes from the SABSA website. TJS. SABSA Overview Note: Most of this information comes from the SABSA website. TJS SABSA Overview SABSA is a model and a methodology for developing risk-driven enterprise information security architectures and for delivering

More information

Open Data Center Alliance Usage: Provider Assurance Rev. 1.1

Open Data Center Alliance Usage: Provider Assurance Rev. 1.1 sm Open Data Center Alliance Usage: Provider Assurance Rev. 1.1 Legal Notice This Open Data Center Alliance SM Usage:Provider Assurance is proprietary to the Open Data Center Alliance, Inc. NOTICE TO USERS

More information

The Role of Standards in Medical Information Security: An Opportunity for Improvement.

The Role of Standards in Medical Information Security: An Opportunity for Improvement. The Role of Standards in Medical Information Security: An Opportunity for Improvement. P. A. H. Williams School of Computer and Information Science Edith Cowan University Joondalup, Western Australia Abstract

More information

Bachelor of Information Technology (Network Security)

Bachelor of Information Technology (Network Security) Bachelor of Information Technology (Network Security) Course Structure Year 1: Level 100 Foundation knowledge subjects SEMESTER 1 SEMESTER 2 ITICT101A Fundamentals of Computer Organisation ITICT104A Internetworking

More information

September 25, 2014 EFFECTIVE METHODS FOR SOFTWARE AND SYSTEMS INTEGRATION P R E S E N T E D B Y: D R. B O Y D L. S U M M E R S

September 25, 2014 EFFECTIVE METHODS FOR SOFTWARE AND SYSTEMS INTEGRATION P R E S E N T E D B Y: D R. B O Y D L. S U M M E R S September 25, 2014 EFFECTIVE METHODS FOR SOFTWARE AND SYSTEMS INTEGRATION P R E S E N T E D B Y: D R. B O Y D L. S U M M E R S 1 Software Engineer (Quality) Defense and Space The Boeing Company - Seattle,

More information

The Role of Information Technology Studies in Software Product Quality Improvement

The Role of Information Technology Studies in Software Product Quality Improvement The Role of Information Technology Studies in Software Product Quality Improvement RUDITE CEVERE, Dr.sc.comp., Professor Faculty of Information Technologies SANDRA SPROGE, Dr.sc.ing., Head of Department

More information

Security Software Engineering: Do it the right way

Security Software Engineering: Do it the right way Proceedings of the 6th WSEAS Int. Conf. on Software Engineering, Parallel and Distributed Systems, Corfu Island, Greece, February 16-19, 2007 19 Security Software Engineering: Do it the right way Ahmad

More information

Recent Researches in Electrical Engineering

Recent Researches in Electrical Engineering The importance of introducing Information Security Management Systems for Service Providers Anel Tanovic*, Asmir Butkovic **, Fahrudin Orucevic***, Nikos Mastorakis**** * Faculty of Electrical Engineering

More information

Software Quality Assurance Plan. Introduction

Software Quality Assurance Plan. Introduction Software Quality Assurance Plan Introduction Scope and intent of Software Quality Assurance (SQA) activities The SQA team s objective is to ensure that the product does not deviate far from the original

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

Design Specification for IEEE Std 1471 Recommended Practice for Architectural Description IEEE Architecture Working Group 0 Motivation

Design Specification for IEEE Std 1471 Recommended Practice for Architectural Description IEEE Architecture Working Group 0 Motivation Design Specification for IEEE Std 1471 Recommended Practice for Architectural Description IEEE Architecture Working Group 0 Motivation Despite significant efforts to improve engineering practices and technologies,

More information

Guideline on Auditing and Log Management

Guideline on Auditing and Log Management CMSGu2012-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Auditing and Log Management National Computer Board Mauritius

More information

Digital Industries Apprenticeship: Occupational Brief. Cyber Security Technologist. April 2016

Digital Industries Apprenticeship: Occupational Brief. Cyber Security Technologist. April 2016 Digital Industries Apprenticeship: Occupational Brief Cyber Security Technologist April 2016 1 Digital Industries Apprenticeships: Occupational Brief Level 4 Cyber Security Technologist Apprenticeship

More information

PROGRAMME DETAIL SPECIFICATION. Programme Summary

PROGRAMME DETAIL SPECIFICATION. Programme Summary PROGRAMME DETAIL SPECIFICATION Programme Summary 1 Awarding institution Liverpool John Moores University 2 Teaching institution university Liverpool John Moores University 3a Programme accredited by: 3b

More information

LONDON SCHOOL OF COMMERCE. Programme Specifications for the. Cardiff Metropolitan University. MSc in International Hospitality Management

LONDON SCHOOL OF COMMERCE. Programme Specifications for the. Cardiff Metropolitan University. MSc in International Hospitality Management LONDON SCHOOL OF COMMERCE Programme Specifications for the Cardiff Metropolitan University MSc in International Hospitality Management 1 Contents Programme Aims and Objectives 3 Programme Learning Outcomes

More information

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous

More information

Communications and Computer Networks

Communications and Computer Networks SFWR 4C03: Computer Networks and Computer Security January 5-8 2004 Lecturer: Kartik Krishnan Lectures 1-3 Communications and Computer Networks The fundamental purpose of a communication system is the

More information

Implementation of ANSI/AAMI/IEC 62304 Medical Device Software Lifecycle Processes.

Implementation of ANSI/AAMI/IEC 62304 Medical Device Software Lifecycle Processes. Implementation of ANSI/AAMI/IEC 62304 Medical Device Software Lifecycle Processes.. www.pharmout.net Page 1 of 15 Version-02 1. Scope 1.1. Purpose This paper reviews the implementation of the ANSI/AAMI/IEC

More information

Blackhawk Technical College. Information Technology Services. Process Improvement Visioning Document

Blackhawk Technical College. Information Technology Services. Process Improvement Visioning Document Blackhawk Technical College Information Technology Services Process Improvement Visioning Document December 12, 2008 Steven Davidson Chief Information Officer Blackhawk Technical College sdavidson@blackhawk.edu

More information

Sytorus Information Security Assessment Overview

Sytorus Information Security Assessment Overview Sytorus Information Assessment Overview Contents Contents 2 Section 1: Our Understanding of the challenge 3 1 The Challenge 4 Section 2: IT-CMF 5 2 The IT-CMF 6 Section 3: Information Management (ISM)

More information

Capabilities for Cybersecurity Resilience

Capabilities for Cybersecurity Resilience Capabilities for Cybersecurity Resilience In the Homeland Security Enterprise May 2012 DHS Cybersecurity Strategy A cyberspace that: Is Secure and Resilient Enables Innovation Protects Public Advances

More information

Guideline on Access Control

Guideline on Access Control CMSGu2011-08 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Access Control National Computer Board Mauritius Version 1.0

More information

Developing the Corporate Security Architecture. www.avient.ca Alex Woda July 22, 2009

Developing the Corporate Security Architecture. www.avient.ca Alex Woda July 22, 2009 Developing the Corporate Security Architecture www.avient.ca Alex Woda July 22, 2009 Avient Solutions Group Avient Solutions Group is based in Markham and is a professional services firm specializing in

More information

Do You Have The Right Practices In Your Cyber Supply Chain Tool Box? NDIA Systems Engineering Conference October 29, 2014

Do You Have The Right Practices In Your Cyber Supply Chain Tool Box? NDIA Systems Engineering Conference October 29, 2014 Do You Have The Right Practices In Your Cyber Supply Chain Tool Box? NDIA Systems Engineering Conference October 29, 2014 2 Today s Reality Is Deep & Complex Global ICT Supply Chains IT and Communications

More information

Cyber Defence Capability Assessment Tool (CDCAT ) Improving cyber security preparedness through risk and vulnerability analysis

Cyber Defence Capability Assessment Tool (CDCAT ) Improving cyber security preparedness through risk and vulnerability analysis Cyber Defence Capability Assessment Tool (CDCAT ) Improving cyber security preparedness through risk and vulnerability analysis An analogue approach to a digital world What foundations is CDCAT built on?

More information

What Do Master s Thesis Titles Inform about Media Technology?

What Do Master s Thesis Titles Inform about Media Technology? What Do Master s Thesis Titles Inform about Media Technology? Oittinen, P. Aalto University, School of Science (Aalto SCI), Department of Media Technology, P.O.Box 15500, FIN-00076 Aalto, Finland, http://media.tkk.fi

More information

Adi Armoni Tel-Aviv University, Israel. Abstract

Adi Armoni Tel-Aviv University, Israel. Abstract Informing Science Data Security Volume 5 No 1, 2002 Data Security Management in Distributed Computer Systems Adi Armoni Tel-Aviv University, Israel armonia@colman.ac.il Abstract This research deals with

More information

The business case for network management by Jason Peach

The business case for network management by Jason Peach The business case for network management by Jason Peach The business need for network management: the cost of downtime page 2 Network management function: best practice page 3 Network management function:

More information

Applying Integrated Risk Management Scenarios for Improving Enterprise Governance

Applying Integrated Risk Management Scenarios for Improving Enterprise Governance Applying Integrated Risk Management Scenarios for Improving Enterprise Governance János Ivanyos Trusted Business Partners Ltd, Budapest, Hungary, ivanyos@trusted.hu Abstract: The term of scenario is used

More information

CloudDesk - Security in the Cloud INFORMATION

CloudDesk - Security in the Cloud INFORMATION CloudDesk - Security in the Cloud INFORMATION INFORMATION CloudDesk SECURITY IN THE CLOUD 3 GOVERNANCE AND INFORMATION SECURITY 3 DATA CENTRES 3 DATA RESILIENCE 3 DATA BACKUP 4 ELECTRONIC ACCESS TO SERVICES

More information

WHITE PAPER: STRATEGIC IMPACT PILLARS FOR OPTIMIZING BUSINESS PROCESS MANAGEMENT IN GOVERNMENT

WHITE PAPER: STRATEGIC IMPACT PILLARS FOR OPTIMIZING BUSINESS PROCESS MANAGEMENT IN GOVERNMENT WHITE PAPER: STRATEGIC IMPACT PILLARS FOR OPTIMIZING BUSINESS PROCESS MANAGEMENT IN GOVERNMENT IntelliDyne, LLC MARCH 2012 Strategic Impact Pillars for Optimizing Business Process Management in Government

More information

Digital Industries Trailblazer Apprenticeship. Software Developer - Occupational Brief

Digital Industries Trailblazer Apprenticeship. Software Developer - Occupational Brief Digital Industries Trailblazer Apprenticeship Software Developer - Occupational Brief Table of Contents Contents 1 Software Developer Trailblazer Apprenticeship Introduction... 1 2 Software Developer Trailblazer

More information

UKAS Guidance for bodies operating certification of Trust Service Providers seeking approval under tscheme

UKAS Guidance for bodies operating certification of Trust Service Providers seeking approval under tscheme CIS 3 EDITION 2 February 2014 UKAS Guidance for bodies operating certification of Trust Service Providers seeking approval under tscheme CONTENTS SECTION PAGE 1 Introduction 2 2 Requirements for Certification

More information

KPMG Advisory. Microsoft Dynamics CRM. Advisory, Design & Delivery Services. A KPMG Service for G-Cloud V. April 2014

KPMG Advisory. Microsoft Dynamics CRM. Advisory, Design & Delivery Services. A KPMG Service for G-Cloud V. April 2014 KPMG Advisory Microsoft Dynamics CRM Advisory, Design & Delivery Services A KPMG Service for G-Cloud V April 2014 Table of Contents Service Definition Summary (What s the challenge?)... 3 Service Definition

More information

Generally Accepted Recordkeeping Principles

Generally Accepted Recordkeeping Principles Generally Accepted Recordkeeping Principles Information Governance Maturity Model Information is one of the most vital strategic assets any organization possesses. Organizations depend on information to

More information

74. Selecting Web Services with Security Compliances: A Managerial Perspective

74. Selecting Web Services with Security Compliances: A Managerial Perspective 74. Selecting Web Services with Security Compliances: A Managerial Perspective Khaled Md Khan Department of Computer Science and Engineering Qatar University k.khan@qu.edu.qa Abstract This paper proposes

More information

Approach to Information Security Architecture. Kaapro Kanto Chief Architect, Security and Privacy TeliaSonera

Approach to Information Security Architecture. Kaapro Kanto Chief Architect, Security and Privacy TeliaSonera Approach to Information Security Architecture Kaapro Kanto Chief Architect, Security and Privacy TeliaSonera About TeliaSonera TeliaSonera provides network access and telecommunication services that help

More information

What is effective Design Management?

What is effective Design Management? What is effective Design Management? Design Management is becoming increasingly recognised as critical to the success of complex construction projects. However, the role of the Design Manager is poorly

More information

Framework for a Digital Forensic Investigation

Framework for a Digital Forensic Investigation Framework for a Digital Forensic Investigation Michael Kohn 1, JHP Eloff 2 and MS Olivier 3 1 mkohn@cs.up.ac.za, 2 eloff@cs.up.ac.za, 3 molivier@cs.up.ac.za Information and Computer Security Architectures

More information

COBIT 5 For Cyber Security Governance and Management. Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE)

COBIT 5 For Cyber Security Governance and Management. Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE) COBIT 5 For Cyber Security Governance and Management Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE) Cybersecurity Governance using COBIT5 Cyber Defence Summit Riyadh, KSA

More information

An Overview of the Jumplist Configuration File in Windows 7

An Overview of the Jumplist Configuration File in Windows 7 An Overview of the Jumplist Configuration File in Windows 7 Harjinder Singh Lalli University of Warwick, International Digital Laboratory (WMG), University of Warwick, Coventry, CV4 7AL, UK; h.s.lallie@warwick.ac.uk

More information

Hardware and Software Security

Hardware and Software Security Today, with the big advancement of technology and the need to share data globally at all time. Security has become one of the most important topics when we talk about data sharing. This means that the

More information

Applying Mesh Networking to Wireless Lighting Control

Applying Mesh Networking to Wireless Lighting Control White Paper Applying Mesh Networking to Wireless Lighting Control www.daintree.net Abstract Recent advances in wireless communications standards and energy-efficient lighting equipment have made it possible

More information

Thales Service Definition for PSN Secure Email Gateway Service for Cloud Services

Thales Service Definition for PSN Secure Email Gateway Service for Cloud Services Thales Definition for PSN Secure Email Gateway Thales Definition for PSN Secure Email Gateway for Cloud s April 2014 Page 1 of 12 Thales Definition for PSN Secure Email Gateway CONTENT Page No. Introduction...

More information

Impact of Service Oriented Architecture on ERP Implementations in Technical Education

Impact of Service Oriented Architecture on ERP Implementations in Technical Education Impact of Service Oriented Architecture on ERP Implementations in Technical Education Swati Verma Department of Computer Science & Engg, B.T. Kumaon Institute of Technology, Dwarahat, 263653, India. E-mail:

More information

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction Policy: Title: Status: 1. Introduction ISP-S12 Network Management Policy Revised Information Security Policy Documentation STRATEGIC POLICY 1.1. This information security policy document covers management,

More information

The Proactive and Reactive Digital Forensics Investigation Process: A Systematic Literature Review

The Proactive and Reactive Digital Forensics Investigation Process: A Systematic Literature Review The Proactive and Reactive Digital Forensics Investigation Process: A Systematic Literature Review Soltan Alharbi 1, 1, Jens Weber-Jahnke 2, Issa Traore 1 1 Electrical and Computer Engineering, University

More information

Chapter 3 Chapter 3 Service-Oriented Computing and SOA Lecture Note

Chapter 3 Chapter 3 Service-Oriented Computing and SOA Lecture Note Chapter 3 Chapter 3 Service-Oriented Computing and SOA Lecture Note Text book of CPET 545 Service-Oriented Architecture and Enterprise Application: SOA Principles of Service Design, by Thomas Erl, ISBN

More information

Enterprise Security Architecture

Enterprise Security Architecture Enterprise Architecture -driven security April 2012 Agenda Facilities and safety information Introduction Overview of the problem Introducing security architecture The SABSA approach A worked example architecture

More information

Cloud Security: The Grand Challenge

Cloud Security: The Grand Challenge Dr. Paul Ashley IBM Software Group pashley@au1.ibm.com Cloud Security: The Grand Challenge Outline Cloud computing: the pros, the cons, the blind spots Security in the cloud - what are the risks now and

More information

IF2261 Software Engineering. Introduction. What is software? What is software? What is software? Failure Curve. Software Applications Type

IF2261 Software Engineering. Introduction. What is software? What is software? What is software? Failure Curve. Software Applications Type IF2261 Software Engineering Introduction Program Studi Teknik Informatika STEI ITB What is software? Definitions: Computer programs, procedures, and possibly associated documentation and data pertaining

More information

Service Definition Document

Service Definition Document Service Definition Document QinetiQ Secure Cloud Protective Monitoring Service (AWARE) QinetiQ Secure Cloud Protective Monitoring Service (DETER) Secure Multi-Tenant Protective Monitoring Service (AWARE)

More information

A Model for Component Based E-governance Software Systems

A Model for Component Based E-governance Software Systems A Model for Component Based E-governance Software Systems A.SHRABAN KUMAR 1, G.JAYARAO 2,B.SHANKAR NAYAK 3, KBKS. DURGA 4 A.ESWARA RAO 5 1,2,3,4 Associate Professor CSE, St.MARTIN S ENGINEERING COLLEGE,

More information

Privacy and Security within an Interoperable EHR

Privacy and Security within an Interoperable EHR 1 Privacy and Security within an Interoperable EHR Stan Ratajczak Director Privacy and Security Solutions Architecture Group November 30, 2005 Electronic Health Information and Privacy Conference Ottawa

More information

Business Solutions Realisation and Strategy Strategic Architecture Consultancy

Business Solutions Realisation and Strategy Strategic Architecture Consultancy Applying Technology in Support of Business Objectives Business Solutions Realisation and Strategy Strategic Architecture Consultancy The ability for organisations to develop and deploy real-world IT solutions

More information

Contents. viii. 4 Service Design processes 57. List of figures. List of tables. OGC s foreword. Chief Architect s foreword. Preface.

Contents. viii. 4 Service Design processes 57. List of figures. List of tables. OGC s foreword. Chief Architect s foreword. Preface. iii Contents List of figures List of tables OGC s foreword Chief Architect s foreword Preface Acknowledgements v vii viii 1 Introduction 1 1.1 Overview 4 1.2 Context 4 1.3 Purpose 8 1.4 Usage 8 2 Management

More information

IEEE SESC Architecture Planning Group: Action Plan

IEEE SESC Architecture Planning Group: Action Plan IEEE SESC Architecture Planning Group: Action Plan Foreward The definition and application of architectural concepts is an important part of the development of software systems engineering products. The

More information

Extended Enterprise Architecture Framework Essentials Guide

Extended Enterprise Architecture Framework Essentials Guide Extended Enterprise Architecture Framework Essentials Guide Editorial Writer: J. Schekkerman Version 1.5 2006 Preface An enterprise architecture (EA) establishes the organization-wide roadmap to achieve

More information

Lecture Slides for Managing and Leading Software Projects. Chapter 1: Introduction

Lecture Slides for Managing and Leading Software Projects. Chapter 1: Introduction Lecture Slides for Managing and Leading Software Projects Chapter 1: Introduction developed by Richard E. (Dick) Fairley, Ph.D. to accompany the text Managing and Leading Software Projects published by

More information

Dynamism and Data Management in Distributed, Collaborative Working Environments

Dynamism and Data Management in Distributed, Collaborative Working Environments Dynamism and Data Management in Distributed, Collaborative Working Environments Alexander Kipp 1, Lutz Schubert 1, Matthias Assel 1 and Terrence Fernando 2, 1 High Performance Computing Center Stuttgart,

More information

Information Management Advice 35: Implementing Information Security Part 1: A Step by Step Approach to your Agency Project

Information Management Advice 35: Implementing Information Security Part 1: A Step by Step Approach to your Agency Project Information Management Advice 35: Implementing Information Security Part 1: A Step by Step Approach to your Agency Project Introduction This Advice provides an overview of the steps agencies need to take

More information

An Information Assurance and Security Curriculum Implementation

An Information Assurance and Security Curriculum Implementation Issues in Informing Science and Information Technology Volume 3, 2006 An Information Assurance and Security Curriculum Implementation Samuel P. Liles and Reza Kamali Purdue University Calumet, Hammond,

More information

NCOE whitepaper Master Data Deployment and Management in a Global ERP Implementation

NCOE whitepaper Master Data Deployment and Management in a Global ERP Implementation NCOE whitepaper Master Data Deployment and Management in a Global ERP Implementation Market Offering: Package(s): Oracle Authors: Rick Olson, Luke Tay Date: January 13, 2012 Contents Executive summary

More information

Architecture Position Description

Architecture Position Description February 9, 2015 February 9, 2015 Page i Table of Contents General Characteristics... 1 Career Path... 3 Typical Common Responsibilities for the ure Role... 4 Typical Responsibilities for Enterprise ure...

More information

This document includes information about the role for which you are applying and the information you will need to provide with the application.

This document includes information about the role for which you are applying and the information you will need to provide with the application. Further Particulars This document includes information about the role for which you are applying and the information you will need to provide with the application. 1. Role details Vacancy reference: 7770

More information

IPv6 SECURITY. May 2011. The Government of the Hong Kong Special Administrative Region

IPv6 SECURITY. May 2011. The Government of the Hong Kong Special Administrative Region IPv6 SECURITY May 2011 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without the express

More information

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities

More information

Application of software product quality international standards through software development life cycle

Application of software product quality international standards through software development life cycle Central Page 284 of 296 Application of software product quality international standards through software development life cycle Mladen Hosni, Valentina Kirinić Faculty of Organization and Informatics University

More information