This document proposes using a business process management system (BPMS) to automatically integrate information security governance and management. It presents a case study of an organization that uses a BPMS to define security policies, measure key performance indicators, analyze metrics, and generate automated reports to check compliance. The BPMS approach links business processes to information security by gathering measurements during process enactment and using the results to evaluate controls and apply new countermeasures if needed. The document concludes that a BPMS framework can help assess and implement the governance component of information security within an organization.
JNIC 2015
1. Towards Automatic Integration of Information Security Governance and Management using a BPMS approach
Dr. Ángel Jesús Varela Vaca and Dr. Rafael Martínez Gasca
Grupo de investigación Quivir,
Tecnologías Inteligentes y de Seguridad de los Sistemas de Información
Departamento de Lenguajes y Sistemas Informáticos
Universidad de Sevilla
contact: ajvarela@us.es, gasca@us.es
2. Content
Security Challenges
Background
ISG Models and Frameworks
BMM and BPMS
Measurement IS Maturity Levels
Case Study:
Organizational Units
Automating Integration ISG/ISM using BPMS
Business Processes for ISG
Indicators specification
Reporting and compliance checking
Conclusions
4. Security Challenges
Information Security Governance (ISG) has emerged as a new information security discipline in response to recent regulatory security challenges.
Corporations are driven by business processes.
Boards of directors and executive management have become accountable for the effectiveness of the internal controls of information security in their corporations.
Corporations need a framework to govern their information security.
5. Background
Von Solms and von Solms (2006): an ISG model based on the principle of the Direct-Control Cycle over three levels of structure: governance, management, and operation.
ISO/IEC 27014:2013 Information technology -- Security techniques -- Governance of information security provides guidance on concepts and principles for the governance of information security and identifies five ISG functions: direct, monitor, evaluate, report, and oversee.
Control Objectives for Information and Related Technology (COBIT 5) for information security: five principles for governance and management and seven catalysts (enablers). Each corporation implements its own catalysts.
7. Business = People + Process + Structure + Technology
Business Motivation Model v1.1 (BMM) by OMG (May 2010)
Means: What does the company decide it needs to do?
Assessments: Assessment of impacts and decisions on how to act
Influencers: What can affect the business?
Ends: What state does your company need to be in?
Results of the decisions
Background
10. Business Motivation Model v1.1 (BMM) by OMG (May 2010)
Background
Goals and Objectives must be SMART: Specific, Measurable, Achievable, Relevant, Time-targeted
12. Maturity levels in Information Assurance (ISO/IEC 21827:2008):
0. Incomplete Process
1. Informally Performed Processes
2. Managed Processes (Planned and Tracked)
3. Well Defined Processes (Resources and Responsibilities)
4. Predictable Processes (Quantitatively Controlled)
5. Optimizing Processes (Continuously Improving)
Scale markers: current state, sector state, target state
Background
16. Organizational Units - Assets
Figure: organizational units, roles and the business processes they take part in (legend: Group, Role, Business Process)
Groups: Entity; R+D Projects; Information Security Governance; Management Team of Information Security; Human Resources
Roles: Staff; Business Manager; System Administrator; Administrative staff; Researcher
Business processes: Register new users (*must previously be registered in LDAP); Register users leaving; Modify user information; Registration in LDAP; Establish policies; Monitor KPIs; Get reports; Modify user in HR database; Register user in HR database
21. Automatic Integration ISG/ISM using BPMS
Figure: IT Business Process Management (policies, business rules, constraints) feeding Automated Security Governance (monitor, direct, evaluate, diagnosis), with KPIs, trails, logs, analysis, connectors/validators and reports as the exchanged artefacts
1. Establish policies and define metrics.
2. Gather measurements during the enactment of the processes.
3. Analyse the metrics in order to decide whether new countermeasures should be applied.
Detected problems: weak passwords; discrepancies in the DB.
22. Indicators Specification
KPI
Name: LDAP and HR database discrepancies
ID: KPI-003
Purpose: To assess the quality of the authorized users
Goal: Check whether the user registration process in the organization conforms to Control Objective A.9.2.6 in ISO 27001:2013
Measurement Specification
Objects of measurement: 1. LDAP database; 2. HR database
Attributes: 1. Number of users in the LDAP database; 2. Number of users in the HR database; 3. Ids of users that are not in the LDAP database; 4. Ids of users that are not in the HR database
Basic measures: 1. Registration in LDAP; 2. Registration in HR
Method: 1. Check for each entry in the LDAP database whether it is contained in the HR database; 2. Check for each entry in the HR database whether it is contained in the LDAP database
Measurement type: 1. Objective measure; 2. Objective measure
Scale: 1. Integer value; 2. Integer value
Scale type: 1. Cardinal and text; 2. Cardinal and text
Measure unit: Number of users and identifiers of users
23. Indicators Specification
Indicator Specification and Reporting
Description: a) Conformity ratio; b) List of non-authorized users
Analytical model: a) Divide the total number of users in the LDAP database by the total number of users in HR; b) Select the users that are in the LDAP database but not in the HR database
Indicator interpretation: a) The resulting ratio should be 1.0 to meet the control objective satisfactorily; b) The list should be empty to meet the control objective satisfactorily
Reporting format: A dashboard with charts representing the number of users registered in each database and the list of ids of users that are in the LDAP database but not in the HR database
Reporting client: ISG Team
Collecting frequency: On each user registration
Analysis frequency: Daily
Reporting frequency: On demand of the ISG team
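As an added example (not code from the slides or from the authors' BPMS), the KPI-003 measurement and indicators from slides 22 and 23, computed over constructed sample exports: an LDIF dump of the LDAP directory and a CSV dump of the HR database (both export formats and all user ids are assumptions). It also shows why indicator b) is needed next to the ratio: equal counts with different members still yield a ratio of 1.0.

```python
import csv
import io
from dataclasses import dataclass, field

# Constructed sample data (not from the slides): an LDIF export of the LDAP
# directory and a CSV export of the HR database, each with three users.
LDIF_EXPORT = """\
dn: uid=alopez,ou=people,dc=example,dc=org
uid: alopez

dn: uid=bruiz,ou=people,dc=example,dc=org
uid: bruiz

dn: uid=svc-backup,ou=people,dc=example,dc=org
uid: svc-backup
"""
HR_EXPORT = """\
employee_id,uid,department
1001,alopez,R+D Projects
1002,bruiz,Administrative staff
1003,cperez,Human Resources
"""

def uids_from_ldif(text: str) -> set[str]:
    """Basic measure 1: user identifiers registered in LDAP."""
    return {line.split(":", 1)[1].strip()
            for line in text.splitlines() if line.startswith("uid:")}

def uids_from_hr_csv(text: str) -> set[str]:
    """Basic measure 2: user identifiers registered in the HR database."""
    return {row["uid"].strip() for row in csv.DictReader(io.StringIO(text))}

@dataclass
class Kpi003Report:
    ldap_users: int
    hr_users: int
    conformity_ratio: float  # indicator a): |LDAP| / |HR|
    not_in_hr: list[str] = field(default_factory=list)    # indicator b), attribute 4
    not_in_ldap: list[str] = field(default_factory=list)  # attribute 3

    @property
    def conforms(self) -> bool:
        # Interpretation: ratio 1.0 AND empty list. The ratio alone can be
        # 1.0 with different members on each side, so both are required.
        return self.conformity_ratio == 1.0 and not self.not_in_hr

def compute_kpi003(ldap_uids: set[str], hr_uids: set[str]) -> Kpi003Report:
    ratio = len(ldap_uids) / len(hr_uids) if hr_uids else float("inf")
    return Kpi003Report(len(ldap_uids), len(hr_uids), ratio,
                        sorted(ldap_uids - hr_uids), sorted(hr_uids - ldap_uids))
```

Run on the sample data the ratio is 1.0 yet `svc-backup` is in LDAP without an HR record and `cperez` is in HR without an LDAP account, so the KPI does not conform; the report fields map directly onto the dashboard described in slide 23.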
29. Teaching: Success Story
Prototypes: more than 40 different implementations
Students in the last year of degrees in: Software Engineering; Computer Engineering; Information Technologies
Master/postgraduate courses: User-centric design
Main challenge: how ISG raises an enhancement in security for organizations
Topics: integrity tools, confidentiality mechanisms, key exchange mechanisms, analysis of cipher algorithms, analysis of network traffic, analysis of web vulnerabilities, security management
30. Conclusions
ISG is a key factor in the assurance and protection of information.
BPMS offers a framework which helps to assess and implement this ISG component of information security.
A framework for information security governance: business processes show the adequate integration between governance and management of information security.
31. Thank you for your attention. Questions?
Dr. Ángel J. Varela Vaca & Dr. Rafael Martínez Gasca
E-mail: ajvarela@us.es, gasca@us.es