Towards Automatic Integration of Information Security Governance and Management using a BPMS approach
Dr. Ángel Jesús Varela Vaca and Dr. Rafael Martínez Gasca
Grupo de investigación Quivir, Tecnologías Inteligentes y de Seguridad de los Sistemas de Información
Departamento de Lenguajes y Sistemas Informáticos
Universidad de Sevilla
contact: ajvarela@us.es, gasca@us.es
Content
• Security Challenges
• Background
• ISG Models and Frameworks
• BMM and BPMS
• Measurement IS Maturity Levels
• Case Study:
• Organizational Units
• Automating Integration ISG/ISM using BPMS
• Business Processes for ISG
• Indicators specification
• Reporting and compliance checking
• Conclusions
Security Challenges
Information Security Technologies: good IS Governance and Management?
Security Challenges
• Information Security Governance (ISG) has emerged as a new information security discipline in response to recent regulatory security challenges.
• Corporations are driven by business processes.
• Boards of directors and executive management have become accountable for the effectiveness of the internal controls of information security in their corporations.
• Corporations need a framework to govern their information security.
Background
• Von Solms and von Solms (2006): an ISG model based on the principle of the Direct-Control Cycle over three levels of structure: governance, management and operation.
• ISO/IEC 27014:2013 Information technology - Security techniques - Governance of information security:
  • provides "guidance on concepts and principles for the governance of information security",
  • identifies five ISG functions: "direct, monitor, evaluate, report, and oversee".
• Control Objectives for Information and related Technology (COBIT 5) for information security: five principles for governance and management and 7 enablers (catalysts). Every corporation implements its own enablers.
Background
Figure: corporate IT governance (Gobierno Corporativo TI, UNE 38500:2013 / ISO/IEC 38500:2008). Directors Direct (plans, policies, projects), Monitor and Evaluate; the cycle covers business processes (enactment, compliance), IT project proposals and IT operations.
Background
• Business = People + Process + Structure + Technology
• Business Motivation Model v1.1 (BMM) by OMG (May 2010):
  • Ends: what state does your enterprise need to be in? (results of the decisions)
  • Means: what does the enterprise decide it needs to do?
  • Influencers: what can affect the business?
  • Assessments: evaluation of impacts and decisions on how to act
Source: www.businessrulesgroup.org
Background
Figure: BPMS architecture. Components shown: Model Editor (used by the Process Administrator to model processes, <<models>>), Engine (<<create and monitor process instances>>), Database, Measurement collector and Communicator, and User Interface (used by Process Participants), with <<depends>> relations among them.
Background
• Business Motivation Model v1.1 (BMM) by OMG (May 2010), as in the previous figure (Ends, Means, Influencers, Assessments).
• Goals and Objectives (Ends) are SMART: Specific, Measurable, Achievable, Relevant, Time-targeted.
Background
Figure: information security measurement model. ISMS controls (Controles SGSI, ISO/IEC 27002) have control objectives assessed for efficiency and effectiveness. Measurement objects (resources, products, projects, processes) have attributes that are measured by measurement methods (testing, inspections, interviews) in a measurement process with a unit of measurement and a frequency; the measurement results are combined into indicators (KPIs) that form the information product delivered to the stakeholders (client, reviewer, ...).
Background
• Maturity levels in Information Assurance (ISO/IEC 21827:2008):
0. Incomplete Process
1. Informally Performed Processes
2. Managed Processes (Planned and Tracked)
3. Well Defined Processes (Resources and Responsibilities)
4. Predictable Processes (Quantitatively Controlled)
5. Optimizing Processes (Continuously Improving)
• The figure compares the current state, the state of the sector and the target state.
Current Problems
Great Intentions
Great outcomes
Case study
Figure: the organization. Customers carry out activities that consume services; the services rely on the Human Resource database and on LDAP. Tasks T1, T2, T3, ... are enacted by a BPMS under the Security Administrator (Sec. Admin.).
Goal: Correct Identity Management
Detected problems:
• Weak passwords
• Registration period
• Discrepancies in DB
Figure: the same organization with an ISG layer added next to the Security Administrator; the ISG layer defines its own tasks T1, T2, T3, ... (activities and services) enacted by the BPMS.
Organizational Units - Assets
Figure: groups, roles and business processes (legend: Group, Role, Business Process).
Groups and roles: Entity, R+D Projects, Information Security Governance, Management Team of Information Security, Human Resources Staff, Business Manager, System Administrator, Administrative staff, Researcher.
Business processes: Register new users (*previously must be registered in LDAP), Register users leaving, Modify user information, Registration in LDAP, Establish policies, Monitor KPIs, Get reports, Modify user in HR database, Register user in HR database.
Organizational Units – Business Processes
Figures: models of the business processes listed above.
Automatic Integration ISG/ISM using BPMS
Figure: IT Business Process Management fed by policies, business rules and constraints, with an Automated Security Governance loop of Monitor, Direct and Evaluate over diagnosis, KPIs, trails, logs, analysis, connectors/validators and reports.
1. Establish policies and define metrics.
2. Measurements are gathered during the enactment of processes.
3. Analyse the metrics in order to decide whether new countermeasures should be applied.
Detected problems:
• Weak passwords
• Discrepancies in DB
Indicators Specification
KPI
Name: LDAP and HR database discrepancies
ID: KPI-003
Purpose: To assess the quality of the authorized users
Goal: Check whether the user registration process in the organization conforms to Control Objective A.9.2.6 in ISO 27001:2013
Measurement Specification
Objects of Measurement: 1. LDAP database; 2. HR database
Attributes: 1. Number of users in LDAP database; 2. Number of users in HR database; 3. Id. of users that are not in LDAP database; 4. Id. of users that are not in HR database
Basic measures: 1. Registration in LDAP; 2. Registration in HR
Method: 1. Check for each entry in the LDAP database whether it is contained in the HR database. 2. Check for each entry in the HR database whether it is contained in the LDAP database.
Measurement type: 1. Objective measure; 2. Objective measure
Scale: 1. Integer value; 2. Integer value
Scale type: 1. Cardinal and text; 2. Cardinal and text
Measure unit: Amount of users and identifiers of users
Indicators Specification
Indicator Specification and Reporting
Description: a) Conformity Ratio; b) List of non-authorized users
Analytical model: a) Divide the total number of users in the LDAP database by the total number of users in HR. b) Select the users that are in the LDAP database but not in the HR database.
Indicator Interpretation: a) The resulting ratio should be 1.0 to meet the control objective satisfactorily. b) The list should be empty to meet the control objective satisfactorily.
Reporting Format: A dashboard with charts representing the number of users registered in each database and the list of ids of users that are in the LDAP database but not in the HR database.
Reporting Client: ISG Team
Collecting Frequency: Each user registration
Analysis Frequency: Daily
Reporting Frequency: On demand of the ISG team
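The measurement and analysis steps of the integration cycle, applied to KPI-003 as an added Python example (not code from the slides or the authors' BPMS): it computes the conformity ratio and the list of non-authorized users from constructed LDAP and HR extracts, and shows why the interpretation needs both indicators, since equal user counts give a ratio of 1.0 even when the two databases disagree.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample extracts of the two measurement objects (user identifiers),
# standing in for what the BPMS connectors would pull from LDAP and the HR database.
LDAP_USERS = ["u001", "u002", "u003", "u004", "u105"]  # constructed: u105 has no HR record
HR_USERS = ["u001", "u002", "u003", "u004", "u005"]    # constructed: u005 never reached LDAP


@dataclass
class Kpi003Result:
    """Measurement results and indicators of KPI-003 (LDAP and HR database discrepancies)."""
    ldap_count: int            # attribute 1
    hr_count: int              # attribute 2
    not_in_ldap: list[str]     # attribute 3: ids present in HR but missing from LDAP
    not_in_hr: list[str]       # attribute 4: ids present in LDAP but missing from HR
    conformity_ratio: float    # indicator a): |LDAP| / |HR|

    @property
    def non_authorized_users(self) -> list[str]:
        """Indicator b): accounts that can authenticate but have no backing HR record."""
        return self.not_in_hr

    @property
    def control_objective_met(self) -> bool:
        """Interpretation from the spec: ratio must be 1.0 and list b) must be empty."""
        return self.conformity_ratio == 1.0 and not self.non_authorized_users


def compute_kpi003(ldap_users: list[str], hr_users: list[str]) -> Kpi003Result:
    """Apply the measurement method: check each LDAP entry against HR and vice versa."""
    ldap, hr = set(ldap_users), set(hr_users)
    # Method step 1: LDAP entries not contained in HR (non-authorized accounts).
    not_in_hr = sorted(ldap - hr)
    # Method step 2: HR entries not contained in LDAP (registrations that never completed).
    not_in_ldap = sorted(hr - ldap)
    # Analytical model a): total LDAP users divided by total HR users.
    # An empty HR population gives no authorized reference to compare against, so the
    # ratio is reported as 0.0 (non-conforming) instead of raising ZeroDivisionError.
    ratio = len(ldap) / len(hr) if hr else 0.0
    return Kpi003Result(len(ldap), len(hr), not_in_ldap, not_in_hr, ratio)


def dashboard_report(result: Kpi003Result) -> dict:
    """Data behind the reporting format: per-database counts plus the list for indicator b)."""
    return {
        "kpi": "KPI-003",
        "users_per_database": {"LDAP": result.ldap_count, "HR": result.hr_count},
        "conformity_ratio": round(result.conformity_ratio, 3),
        "non_authorized_users": result.non_authorized_users,
        "control_objective_A.9.2.6_met": result.control_objective_met,
    }


if __name__ == "__main__":
    # With the constructed data the counts match (ratio 1.0) while one user in each
    # direction is missing: the ratio alone would pass, the list catches the discrepancy.
    print(dashboard_report(compute_kpi003(LDAP_USERS, HR_USERS)))
```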
Indicators Implementation
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;

// Registration period indicator: seconds elapsed by the user registration task,
// appended to a log file that the measurement collector reads later.
// (Fragment of a method declared to throw IOException.)
long start = System.currentTimeMillis(); // taken when the registration task begins
// ... registration task enacted by the BPMS ...
long end = System.currentTimeMillis();
File file = new File("LogregisterTimes.log");
FileWriter writer = new FileWriter(file, false);
Long seconds = (end - start) / 1000;
writer.write(seconds.toString() + "\n");
writer.close();

// Weak password indicator: each flag is set to true when newPassword satisfies
// the corresponding policy rule (Java regex literals use double quotes).
boolean leng = false, check_4alfab = false, check_Nocontiene = false,
        check_mayus = false, check_minus = false;
// Length: at least 8 characters
if (newPassword.length() >= 8) {
    leng = true;
}
// Number of letters: at least 4 alphabetic characters
if (newPassword.matches("(.*[a-zA-Z].*){4}")) {
    check_4alfab = true;
}
// Check personal info: the password must not contain the user name
if (newPassword.indexOf(username) == -1) {
    check_Nocontiene = true;
}
// Upper and lower letters: at least 2 of each
if (newPassword.matches("(.*[A-Z].*){2}")) {
    check_mayus = true;
}
if (newPassword.matches("(.*[a-z].*){2}")) {
    check_minus = true;
}
Business Processes for IS Governance
Policies and indicators
Reporting and compliance checking
Teaching: Success Story
Prototypes: more than 40 different implementations
Final-year undergraduate students in:
• Software engineering
• Computer engineering
• Information technologies
Master/postgraduate courses:
• User-centric design
Main challenge: how ISG can raise the level of security in organizations
Topics: integrity tools, confidentiality mechanisms, key exchange mechanisms, analysis of cipher algorithms, analysis of network traffic, analysis of web vulnerabilities, security management ...
Conclusions
• ISG is a key factor in the assurance and protection of information.
• BPMS offers a framework which helps to assess and implement this ISG component of information security.
• A framework for information security governance: business processes show the adequate integration between governance and management of information security.
Thank you for your attention. Questions?
Dr. Ángel J. Varela Vaca & Dr. Rafael Martínez Gasca
E-mail: ajvarela@us.es, gasca@us.es

JNIC 2015
