In this context, organizations should be aware of the risks introduced by the dynamic nature of the information systems which support their business functions; the maintenance, management and administration of such network infrastructures should therefore be a continuing process, one that requires greater effort than conventional networks do [1], [2]. IS security requirements may stem from the stakeholders and from the environment of the organization (market trends, data protection acts). There is therefore a need to identify and implement robust security controls, to ensure that information resources are protected against potential threats. By the term “Security Control” we mean the applicable, low-level technical countermeasures that can be applied directly to IS devices. Traditionally, the requirements for such controls emerge as the result of an Information System (IS) Risk Analysis (RA) study, given the thorough intervention of a security expert (or a group of experts). Furthermore, the formulation of a generic security policy, linked with and exploiting the RA results, is a usual addition to the RA process. In all cases such a process, whether assisted by computerized tools or not, makes the security expert(s) responsible for the following tasks: a) capturing the security control requirements of the IS, b) translating organizational input into a set of semiformal security rules, c) transforming the security rules into an effective set of security controls, d) deploying and managing the security controls over the IS and, e) establishing a risk management process over the effectiveness and efficiency of the security controls in place (optional).
To accomplish the above tasks, security experts usually deal with high-level statements from various sources (e.g. the output of RA tools, policy statements expressed at a managerial level, Service Level Agreements), combined with IS technical information. This is often an effort-consuming intervention, especially for large organizations, and one which has not yet been properly assisted by automated processes. We argue that a structured approach may be employed to support the process leading from the informal, high-level statements found in policy and RA documents to deployable technical controls. The outcome of this process will be a knowledge-based, ontology-centric security management system, eventually bridging IS risk assessment and organizational security policies with security management.
This paper aims to provide the foundations of a framework for supporting the above procedure. More specifically, the proposed framework will encapsulate IS security management through the linking of high-level policy statements with explicit, low-level security controls that are adaptable and applicable in the IS environment. Additionally, in this paper we propose an architecture that will facilitate the implementation of the above framework (scheme). Our overall approach is outlined as follows:
1. Identify and define the necessary components and mechanisms of the framework.
2. Gather the security requirements that stem from the policy statements and express them in an information-rich manner.
3. Associate security requirements with appropriate risk mitigation actions (i.e. specific countermeasures).
4. Provide deployment mechanisms to the IS infrastructure.
5. Define an architecture for security management of the IS.
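To make steps 2 to 4 (and the optional risk-management task e) concrete, the following Python sketch is an added example, not the paper's framework or any code the authors describe. It represents semiformal security rules and a catalogue of technical controls as plain records, maps each rule to the controls that satisfy it, flags rules for which no applicable control exists (residual risk that needs a decision), and renders a per-asset-class deployment plan that keeps traceability back to the originating rule and policy statement. All class names, the property vocabulary, the control settings and the policy/RA references are constructed assumptions for illustration; a real system would hold them in the ontology the paper envisages.

```python
"""Policy-to-control chain: rules -> controls -> deployment plan -> coverage check.

Added example; all names, vocabulary and sample data are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityRule:
    """Semiformal rule derived from a high-level policy or RA statement (task b)."""
    rule_id: str
    asset_class: str   # class of IS device the rule applies to
    requires: str      # security property the rule demands
    source: str        # traceability back to the policy / RA document


@dataclass(frozen=True)
class SecurityControl:
    """Low-level technical countermeasure applicable to a device (task c)."""
    control_id: str
    asset_class: str
    provides: str      # security property the control delivers
    settings: tuple    # ((config key, value), ...) pushed to the device


# Constructed control catalogue: the organization's known countermeasures (assumption).
CONTROL_CATALOGUE = (
    SecurityControl("C-ssh-hardened", "linux-server", "encrypted-remote-admin",
                    (("sshd_config", "Protocol 2"),
                     ("sshd_config", "PasswordAuthentication no"))),
    SecurityControl("C-telnet-off", "linux-server", "no-cleartext-admin",
                    (("service", "telnet disabled"),)),
    SecurityControl("C-fw-default-deny", "edge-firewall", "default-deny-ingress",
                    (("policy", "INPUT DROP"),)),
)

# Constructed rules extracted from policy statements and RA findings (assumption).
POLICY_RULES = (
    SecurityRule("R1", "linux-server", "encrypted-remote-admin", "Policy 4.2"),
    SecurityRule("R2", "linux-server", "no-cleartext-admin", "RA finding 17"),
    SecurityRule("R3", "edge-firewall", "default-deny-ingress", "Policy 5.1"),
    SecurityRule("R4", "edge-firewall", "ids-monitoring", "RA finding 23"),
)


def select_controls(rules, catalogue):
    """Step 3 / task c: for each rule, the catalogue controls of the same asset
    class that provide the required property. Empty list means no match."""
    mapping = {}
    for rule in rules:
        mapping[rule.rule_id] = [
            c.control_id for c in catalogue
            if c.asset_class == rule.asset_class and c.provides == rule.requires
        ]
    return mapping


def uncovered_rules(rules, catalogue):
    """Task e: rules with no applicable control, i.e. residual risk that the
    security expert must either accept or address by extending the catalogue."""
    mapping = select_controls(rules, catalogue)
    return [r.rule_id for r in rules if not mapping[r.rule_id]]


def deployment_plan(rules, catalogue):
    """Step 4 / task d: concrete settings to push per asset class, each tagged
    with the rule it satisfies so the deployed state stays traceable."""
    by_id = {c.control_id: c for c in catalogue}
    plan = {}
    for rule_id, control_ids in select_controls(rules, catalogue).items():
        for cid in control_ids:
            control = by_id[cid]
            for key, value in control.settings:
                plan.setdefault(control.asset_class, []).append((key, value, rule_id))
    return plan


if __name__ == "__main__":
    for asset, entries in deployment_plan(POLICY_RULES, CONTROL_CATALOGUE).items():
        print(asset)
        for key, value, rule_id in entries:
            print(f"  {key}: {value}   # satisfies {rule_id}")
    print("uncovered:", uncovered_rules(POLICY_RULES, CONTROL_CATALOGUE))
```

Run stand-alone, the script prints the settings grouped by asset class and reports R4 as uncovered: the catalogue holds no control that provides "ids-monitoring" for an edge firewall, which is exactly the kind of gap task e is meant to surface before deployment is considered complete.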
It should be noted that the paper deals with the description of the overall framework and the respective architecture, and as such does not go into implementation details