Information Technology Reference
In-Depth Information
and enablers such as knowledge representation, information extraction, IS manage-
ment standards, and best practices from wide accepted security standards. The (vague)
security knowledge that is present to high-level policy statements is transformed thro-
ugh successive steps into applicable security countermeasures. For simplicity, with
the term “
policy statements
” hereafter we refer to RA outputs, lists of security cont-
rols requirements, organization policy statements and SLA requirements.
In the next sections we present the components of our architecture, as well as the
necessary steps that demonstrate the framework establishment.
3.1 Sources of Security Knowledge
A number of security-related knowledge information sources exist that influence in a
direct or indirect way the security expert so as to implement the security controls.
Direct sources are bound to the specific IS and include organization policies and
SLAs, RA outputs and IS infrastructure information. Indirect sources are implicitly
associated with the given IS and include security and risk management standards [8]
[9], technical best practices [10], security advisories from vendors [11] and security
portals [12], security mailing lists [13] and vulnerability catalogues such as CVE [14].
C lient
Ponder
Fram ework
Client
Printer
Router
Client
W ireless LAN
Ponder Rules
Deployment
Database
Server Farm
Web Server
Deployable
Technical
Controls
“What” &
“How”
Matching
High-Level
Stmts
(Policy, RA
output)
Infrastructure Level
Inform ation
Technical
Controls
(“How”)
Security
Requirements
(“W hat”)
High-Level
Security
Inform ation
Technical
Controls
Database
Structured
Security
Inform ation
Inform ation
Extraction
Best Practice
Managerial Level
Inform ation
Security Ontology
Security &
Assurance
Standards
Database
Stakeholders /
Management
Fig. 1.
An ontology-centric architecture for IS security management
