
    Manual Asset Inventory: NASA Kennedy Space Center

    The National Aeronautics and Aerospace Administration (NASA) relies on the security and protection of its information and information systems, which requires knowing the devices that are connected to the Agency networks, whether these are business, mission, research, or engineering devices. The Agency uses different Information Technology resources in order to do this process automatically; however, there are some devices that need to be reported manually. As a result, every month the Agency distributes among its Information System Owners (ISOs) the Manual Asset Inventory, a document that consists of a Microsoft Excel spreadsheet with twenty field-description cells that have to be filled out by the ISO of every Security Plan in the Center (fifty-three in total) and uploaded into the IT Security Enterprise Data Warehouse (ITSEC-EDW).

    Business process security maturity: a paradigm convergence

    Information technology developments in software and hardware have enabled radical changes in information systems, culminating in the paradigm Business Process Management. There has been a concomitant rise in the importance of information security and security engineering due to the increased reliance by society on information. Information is seen as a critical success factor which needs protection. Information security is the response to increased hazards created through recent innovations in Web technology and the advent of intra and inter enterprise-wide systems. Security engineering is based on a variety of codes of practice and security metrics which aim at ameliorating these increased security hazards. Its aim is to produce a balanced set of security needs which are integrated into the system activities to establish confidence in the effectiveness of the security counter-measures. It is generally accepted that security should be applied in an integrated approach, for example, in Information Systems development. This has proved to be a noble thought but is the exception to the rule. Security, historically, is generally applied as an after-thought in an Information Technology implementation. This motivated the concept of formulating a model of integrating security inherently within the paradigm of BPM. The overarching requirements of the model are to align the overall organisational security initiatives and ensure continuous improvement through constant evaluation and adaptation of the security processes. It is the intention of this research to show that these requirements are achievable through aligning the process management methodology of BPM, with the security paradigms of Information Security Management (using the ISO 17799 standard) and security engineering (using the Systems Security Engineering Capability Maturity Model – SSE-CMM). 
    The aim of the Business Process Security Maturity model, as the output of this research, is to link the SSE-CMM, as the security metric and appraisal method, to the ISO 17799 security standard, which provides the guidance for the information security management framework and security control selection, within the Business Process Management environment. The SSE-CMM, as the security version of the Capability Maturity Model, provides the necessary strategy to control the security engineering processes that support the information systems, and it maintains that as processes mature they become more predictable, effective and manageable. The aim of the model is to provide an integrated, mature security strategy within the business process and to monitor and correct the security posture of the implemented counter-measures.

    Ontology of information security in enterprises

    Today’s global free-market enterprise is reliant on the interconnectedness of social, economic and political ecosystems. Enterprises no longer maintain a simple unary relationship between their customers and consumers. Enterprises have become an integral part of a complex relationship within the new socio- and techno-economic paradigm. The cornerstone of this new model is the Internet, formed from a collection of eclectic commodity-based and inconsistently constructed technologies that, at an aggregate level, do not lend themselves to providing a secure and trustworthy channel to conduct or transact business. Enterprises have struggled to implement an appropriate and continuous level of protection, in part by underestimating the effect of organizational complexity and not adopting a holistic (systems thinking) approach to the problem of enterprise security. This research paper examines key issues that undermine the ability of enterprises to formulate effective and viable security models and proposes an alternative framework that forms the basis and foundation for engineering more reliable fail-safe and fail-secure models. The proposed solution considers the creation of an enterprise-specific ontology that describes the enterprise as a complex system. A security framework is developed that recognizes the organization as a set of business capabilities that have measurable strategic outcomes against which business decisions regarding security are made. The proposed model advocates symmetry between security prevention, prediction and fail-safe concepts. To ensure the appropriate use of security, a business value model is defined that is a function of financial, operational and security-based quality assurance measures. The concept of value chain is used to describe the relationship between an organization’s strategy and its resources responsible for the execution of its operating plan.
    Validation of the ‘Enterprise Ontology’ and ‘Information Security Capability-Driven Framework’ is obtained from the creation of a business strategy to ‘business capability value map’ and quantification of key business and security metrics. A set of ontology-based competency questions allows the business to understand and make informed and prudent decisions regarding how and where security should be applied to ensure a favourable outcome for the enterprise. Analysis of the results of this study demonstrates the usefulness of the model in guiding the organization to assess current security risks and make informed and business-directed security decisions. The result is a deployment strategy that balances the scarce resources of the enterprise whilst maintaining strategic alignment. Further opportunities exist to improve the creation and quality of enterprise ontology, including development of a more rigorous and systematic approach to modelling the enterprise’s current-state and future-state scenarios using the business capability framework. Semantically driven conceptual models of the enterprise may also be expressed within key security technologies and systems that support the organization by forming a collection of ontology-aware technologies that respond and react collectively to attacks in a fail-secure configuration.

    A Software-Based Trust Framework for Distributed Industrial Management Systems

    One of the major problems in industrial security management is that most organizations or enterprises do not provide adequate guidelines or a well-defined policy with respect to trust management, and trust is still an afterthought in most security engineering projects. With the increase of handheld devices, managers of business organizations tend to use handheld devices to access the information systems. However, the connection or access to an information system requires an appropriate level of trust. In this paper, we present a flexible, manageable, and configurable software-based trust framework for the handheld devices of managers to access distributed information systems. The presented framework minimizes the effects of malicious trust-related recommendations from other devices or infrastructures. The framework allows managers to customize trust-related settings depending on network environments in an effort to create a more secure and functional network. To cope with the organizational structure of a large enterprise, within this framework, handheld devices of managers are broken down into different categories based upon available resources and desired security functionalities. The framework is implemented and applied to build a number of trust-sensitive applications such as health care.

    Social security data mining: an Australian case study

    University of Technology, Sydney. Faculty of Engineering and Information Technology.

    Data mining in business applications has become an increasingly recognized and accepted area of enterprise data mining in recent years. In general, while the general principles and methodologies of data mining and machine learning are applicable to any business application, it is often essential to develop specific theories, tools and systems for mining data in a particular domain such as social security and social welfare business. This necessity has led to the concept of social security and social welfare data mining, the focus of this thesis work. Social security and social welfare business involves almost every citizen’s life at different life periods. It provides fundamental and crucial government services and support to varied populations of specific need. A typical scenario in Australia is that it not only connects one third of our populations, but also associates with many relevant stakeholders, including banking business, taxation and Medicare. Such business engages complicated infrastructure, networks, mechanisms, policies, activities, and transactions. Data mining of such business is a brand new application area in the data mining community. Mining such social welfare business and data is challenging. The challenges come from the unavailable benchmark and experience in data mining for this particular domain, the complexities of social welfare business and data, the exploration of possible doable tasks, and the implementation of data mining techniques in relation to the business objectives. In this thesis, which adopts a practice-based innovative attitude and focuses on the marriage of social welfare business with data mining, we believe we have realised our objective of providing a systematic and comprehensive overview of social security and social welfare data mining.
    The main contributions consist of the following aspects:
    • As the first work of its kind, to the best of our knowledge, we present an overall picture of social security and social welfare data mining, as a new domain-driven data mining application.
    • We explore the business nature of social security and social welfare, and the characteristics of social security data.
    • We propose a concept map of social security data mining, catering for the main complexities of social welfare business and data, as well as providing opportunities for exploring new research issues in the community.
    • Several case studies are discussed, which demonstrate the technical development of social security data mining, and the innovative applications of existing data mining techniques.
    The nature of social welfare is spreading widely across the world in both developed and developing countries. This thesis work therefore is timely and could be of important business and government value for better understanding our people, our policies, our objectives, and for better services of those people of genuine needs.

    Enterprise information security policy assessment - an extended framework for metrics development utilising the goal-question-metric approach

    Effective enterprise information security policy management requires review and assessment activities to ensure information security policies are aligned with business goals and objectives. As security policy management involves the elements of the policy development process and the security policy as output, the context for security policy assessment requires goal-based metrics for these two elements. However, the current security management assessment methods only provide checklist types of assessment that are predefined by industry best practices and do not allow for developing specific goal-based metrics. Utilizing theories drawn from the literature, this paper proposes the Enterprise Information Security Policy Assessment approach, which expands on the Goal-Question-Metric (GQM) approach. The proposed assessment approach is then applied in a case scenario example to illustrate a practical application. It is shown that the proposed framework addresses the requirement for developing assessment metrics and allows for the concurrent undertaking of process-based and product-based assessment. Recommendations for further research activities include the conduct of empirical research to validate the propositions and the practical application of the proposed assessment approach in case studies to provide opportunities to introduce further enhancements to the approach.