
    Enterprise information security policy assessment - an extended framework for metrics development utilising the goal-question-metric approach

    Effective enterprise information security policy management requires review and assessment activities to ensure information security policies are aligned with business goals and objectives. As security policy management involves the elements of the policy development process and the security policy as output, the context for security policy assessment requires goal-based metrics for these two elements. However, current security management assessment methods only provide checklist types of assessment that are predefined by industry best practices and do not allow for developing specific goal-based metrics. Utilizing theories drawn from the literature, this paper proposes the Enterprise Information Security Policy Assessment approach, which expands on the Goal-Question-Metric (GQM) approach. The proposed assessment approach is then applied in a case scenario example to illustrate a practical application. It is shown that the proposed framework addresses the requirement for developing assessment metrics and allows for the concurrent undertaking of process-based and product-based assessment. Recommendations for further research activities include the conduct of empirical research to validate the propositions and the practical application of the proposed assessment approach in case studies to provide opportunities to introduce further enhancements to the approach.

    A policy and program for invigorating science and technology for national security: consultation paper – April 2014

    This paper outlines the development of a new science and technology (S&T) policy for national security, and invites submissions.

    Introduction. The Hon Stuart Robert MP, Assistant Minister for Defence, is championing the development of a new framework for achieving a whole-of-government approach to national security science and technology (S&T). The framework will comprise a national security S&T policy statement and a supporting Program. The intention is to transition from a poorly coordinated and under-resourced S&T effort to a collaborative co-investment approach between government, academia and industry that effectively and efficiently delivers innovative S&T solutions in priority national security areas for Australia. The Defence Science and Technology Organisation (DSTO) is responsible for leading and coordinating national security S&T, a role transferred from the Department of the Prime Minister and Cabinet to the Department of Defence in February 2012. As part of that role, DSTO is leading the development of a new policy and supporting program in consultation with the national security S&T communities, for consideration and endorsement by Government in 2014. The national security S&T policy will: enunciate the Government’s priorities for national security S&T; provide a means by which S&T investment can be balanced to support short-term national security operational needs in addition to enduring security challenges; establish an efficient management and governance framework that delivers S&T outcomes to national security agencies; encourage shared public and private investment in national security S&T; and facilitate commercialisation of research outcomes for national benefit. The policy will be delivered through a coherent and coordinated national security S&T program that addresses national security S&T priorities and delivers real, tangible outcomes for national security users.

    The national security S&T policy and supporting program will harness S&T providers, including publicly funded research agencies (PFRAs), universities and industry, to benefit national security ‘user’ agencies, including policy agencies, regulators, emergency response agencies, policing and law enforcement agencies, border protection agencies and the intelligence community. This paper aims to promote discussion and elicit input from government agencies and the S&T community that will assist in developing a national security S&T policy and program that will improve the delivery and application of S&T to address Australia’s national security challenges now and into the future. Find out more about making a submission here.

    Towards alignment of architectural domains in security policy specifications

    Large organizations need to align the security architecture across three different domains: access control, network layout and physical infrastructure. Security policy specification formalisms are usually dedicated to only one or two of these domains. Consequently, more than one policy has to be maintained, leading to alignment problems. Approaches from the area of model-driven security enable creating graphical models that span all three domains, but these models do not scale well in real-world scenarios with hundreds of applications and thousands of user roles. In this paper, we demonstrate the feasibility of aligning all three domains in a single enforceable security policy expressed in a Prolog-based formalism by using the Law Governed Interaction (LGI) framework. Our approach alleviates the limitations of domain-specific policy formalisms while helping to reach scalability through the automatic enforcement provided by LGI.

    Secure Cloud Storage: A Framework for Data Protection as a Service in the Multi-cloud Environment

    This paper introduces Secure Cloud Storage (SCS), a framework for Data Protection as a Service (DPaaS) for cloud computing users. Compared to existing Data Encryption as a Service (DEaaS) offerings such as those provided by Amazon and Google, DPaaS provides more flexibility to protect data in the cloud. In addition to supporting the basic data encryption capability that DEaaS provides, DPaaS allows users to define fine-grained access control policies to protect their data. Once data is put under an access control policy, it is automatically encrypted, and only if the policy is satisfied can the data be decrypted and accessed by either the data owner or anyone else specified in the policy. The key idea of the SCS framework is to separate data management from security management, in addition to defining a full cycle of data security automation from encryption to decryption. As a proof of concept for the design, we implemented a prototype of the SCS framework that works with both the BT Cloud Compute platform and Amazon EC2. Experiments on the prototype have demonstrated the efficiency of the SCS framework.