A Framework to Support Alignment of Secure Software Engineering with Legal Regulations
Regulation compliance is getting more and more important for software systems that process and
manage sensitive information. Therefore, identifying and analysing relevant legal regulations and aligning them
with security requirements become necessary for the effective development of secure software systems.
Nevertheless, Secure Software Engineering Modelling Languages (SSEML) use different concepts and
terminology from those used in the legal domain for the description of legal regulations. This situation, together
with the lack of appropriate background and knowledge of laws and regulations, introduces a challenge for
software developers. In particular, it makes it difficult to perform (i) the elicitation of appropriate security
requirements from the relevant laws and regulations; and (ii) the correct tracing of the security requirements
throughout the development stages. This paper presents a framework to support the consideration of laws and
regulations during the development of secure software systems. In particular, the framework enables software
developers (i) to correctly elicit security requirements from the appropriate laws and regulations; and (ii) to trace
these requirements throughout the development stages in order to ensure that the design indeed supports the
required laws and regulations. Our framework is based on existing work from the area of secure software
engineering, and it complements this work with a novel and structured process and a well-defined method. A
practical case study is employed to demonstrate the applicability of our work.
Design Challenges for GDPR RegTech
The Accountability Principle of the GDPR requires that an organisation can
demonstrate compliance with the regulations. A survey of GDPR compliance
software solutions shows significant gaps in their ability to demonstrate
compliance. In contrast, RegTech has recently brought great success to
financial compliance, resulting in reduced risk, cost saving and enhanced
financial regulatory compliance. It is shown that many GDPR solutions lack
interoperability features such as standard APIs, meta-data or reports and they
are not supported by published methodologies or evidence to support their
validity or even utility. A proof of concept prototype was explored using a
regulator based self-assessment checklist to establish if RegTech best practice
could improve the demonstration of GDPR compliance. The application of a
RegTech approach provides opportunities for demonstrable and validated GDPR
compliance, in addition to the risk reductions and cost savings that RegTech
can deliver. This paper demonstrates that a RegTech approach to GDPR compliance can
facilitate an organisation meeting its accountability obligations.
Compliance framework for change management in cloud environments
International Mention in the doctoral degree.
The Governance, Risk and Compliance (GRC) area is one of the critical management areas for
every organization. This is particularly the case for information technology (IT) departments
where both human resources and technical infrastructures (software and hardware) need to
work seamlessly in order to provide the expected benefits. The study of the literature shows
that sound GRC methods are key to running and maintaining secure and compliant computing
infrastructures.
An important and particularly challenging aspect of the IT landscape is its constant and
perpetual evolution in order to keep pace with new and emerging technologies that find their
way faster and faster into the organizational infrastructure. Since assessments of risks and
compliance aspects always refer to a certain (more or less static) situation, such frequent
changes pose a real danger to the overall relevance of these assessments in the mid- and long-term
perspective. So, a sound approach to ensuring compliance not only punctually (both in
time and space) but holistically – considering the complete IT landscape in a continuous way –
needs to integrate with the change management function of the organization.
Another important development in the last eight to ten years was the emergence of Cloud
Computing (CC) as a straightforward and efficient way of providing IT functionality to
organizations. While it poses many and varied challenges to IT management in general, CC is
particularly relevant for GRC as it turns an IT provision approach that was previously only
sometimes applied – outsourcing – into the predominant approach to providing infrastructure (called
Infrastructure‐as‐a‐Service or IaaS), platforms (called Platform‐as‐a‐Service or PaaS), and
software (called Software‐as‐a‐Service or SaaS) within an organization.
CC and outsourcing entail wider challenges for GRC as they involve the inclusion of an external
party as a service provider within an organization reflecting specific aspects of provider
selection, contract management, service level agreements (SLAs), and monitoring. They
become even more challenging in the context of frequent and interdependent changes.
Therefore, this thesis is aimed at the definition and validation of a Compliance Framework for
Change Management in Cloud Environments (short: CFC MCC). The proposed solution of the
problem has been approached from a multidisciplinary point of view, taking into consideration
aspects from computer science, IT management and IT governance, but also such aspects as
legal and cultural dimensions. The proposed solution provides a framework to support the
elicitation of requirements from different subject areas (e.g., organizational, technological,
cultural) and their subsequent consideration within the change management process of
established IT management frameworks such as ITIL. It can be tailored to the specific situation
of most organizations and provides a consistent approach to address GRC aspects in rapidly
evolving cloud‐based organizational IT landscapes.
The scientific discourse within the thesis has been structured following best academic practices
and recommendations. In the last phase of the research methodology an empirical validation
has been performed to verify the applicability of the framework. The data obtained from the
validation indicate that the application of the framework for ensuring compliance in CC
environments constitutes a relevant improvement of the change management process.
The Governance, Risk and Compliance (GRC) area is one of the key management areas in every
organization. In the case of Information Technology (IT) departments, the area is of equally
crucial importance. These departments must orchestrate intellectual capital resources and
hardware and software infrastructures in order to contribute to generating business benefits.
The literature has shown that a set of procedures in the GRC area is key to providing the
service efficiently through the maintenance of a secure and compliant technological
infrastructure.
An important and particularly challenging aspect of the IT environment is its constant
evolution, with the aim of enabling the adoption of new technologies in support of corporate
processes. Since risk assessment and compliance aspects refer to a given situation that can be
considered more or less static, continuous changes in the IT environment represent a threat to
the incorporation of new technologies in corporate settings from the GRC point of view.
Therefore, a sound approach to ensuring compliance is needed, not only punctually in time and
space but holistically, considering the IT environment in a continuous way and integrated with
corporate change management.
Another important development that has changed the current situation is the emergence of
cloud computing (CC) as an effective and efficient way of providing the IT function in
organizations. Although CC raises various challenges for IT management, it is particularly
relevant for GRC since it enables service outsourcing as the predominant approach to providing
infrastructure (called Infrastructure‐as‐a‐Service or IaaS), platforms (called
Platform‐as‐a‐Service or PaaS) and software (called Software‐as‐a‐Service or SaaS) within an
organization.
CC and outsourcing pose wider challenges for GRC, since they involve the inclusion of an
external service provider within an organization. This circumstance raises questions relating
to provider selection, contract management, service level agreements (SLAs), and the
monitoring of the relationships and the services provided. These aspects become an even
greater challenge in the context of frequent and interdependent changes in the IT domain.
Therefore, this thesis is aimed at the definition and validation of a compliance framework for
change management in cloud environments (abbreviated: CFC MCC). The proposed solution to the
problem has been approached from a multidisciplinary point of view, taking into consideration
aspects of computer science, IT management and IT governance, but also incorporating aspects
such as the legal and cultural dimensions. The proposed solution provides a framework to
support the elicitation of requirements from different areas (for example, organizational,
technological, cultural) and their subsequent consideration in the change management process
of established IT management frameworks such as ITIL. The framework can be tailored to the
specific situation of organizations and provides a consistent approach to addressing GRC
aspects in rapidly evolving cloud‐based organizational IT environments.
The scientific discourse within the thesis has been structured following academic practices
and research recommendations. In the last phase of the research methodology, an empirical
validation has been carried out to verify the applicability of the framework. The data
obtained from the validation indicate that the application of the framework for ensuring
compliance in CC environments constitutes a relevant improvement of organizations' change
management process.
Official Doctoral Program in Computer Science and Technology.
Chair: Antonio de Amescua Seco. Secretary: José Antonio Manzano Calvo. Member: Ahmed Barnaw
Rational Cybersecurity for Business
Use the guidance in this comprehensive field guide to gain the support of your top executives for aligning a rational cybersecurity plan with your business. You will learn how to improve working relationships with stakeholders in complex digital businesses, IT, and development environments. You will know how to prioritize your security program, and motivate and retain your team. Misalignment between security and your business can start at the top at the C-suite or happen at the line of business, IT, development, or user level. It has a corrosive effect on any security project it touches. But it does not have to be like this. Author Dan Blum presents valuable lessons learned from interviews with over 70 security and business leaders. You will discover how to successfully solve issues related to: risk management, operational security, privacy protection, hybrid cloud management, security culture and user awareness, and communication challenges. This open access book presents six priority areas to focus on to maximize the effectiveness of your cybersecurity program: risk management, control baseline, security culture, IT rationalization, access control, and cyber-resilience. Common challenges and good practices are provided for businesses of different types and sizes. And more than 50 specific keys to alignment are included. 
What You Will Learn
- Improve your security culture: clarify security-related roles, communicate effectively to businesspeople, and hire, motivate, or retain outstanding security staff by creating a sense of efficacy
- Develop a consistent accountability model, information risk taxonomy, and risk management framework
- Adopt a security and risk governance model consistent with your business structure or culture, manage policy, and optimize security budgeting within the larger business unit and CIO organization IT spend
- Tailor a control baseline to your organization’s maturity level, regulatory requirements, scale, circumstances, and critical assets
- Help CIOs, Chief Digital Officers, and other executives to develop an IT strategy for curating cloud solutions and reducing shadow IT, building up DevSecOps and Disciplined Agile, and more
- Balance access control and accountability approaches, leverage modern digital identity standards to improve digital relationships, and provide data governance and privacy-enhancing capabilities
- Plan for cyber-resilience: work with the SOC, IT, business groups, and external sources to coordinate incident response and to recover from outages and come back stronger
- Integrate your learnings from this book into a quick-hitting rational cybersecurity success plan
Who This Book Is For
Chief Information Security Officers (CISOs) and other heads of security, security directors and managers, security architects and project leads, and other team members providing security leadership to your business.