A Framework for Understanding, Prioritizing, and Applying Systems Security Engineering Processes, Activities, and Tasks

Current systems security practices lack an effective approach to prioritize and tailor systems security efforts to develop and field secure systems in challenging operational environments, which results in business and mission stakeholders becoming more susceptible to an array of disruptive events. This work informs Systems Engineers on recent developments in the field of system security engineering and provides a framework for more fully understanding the application of Systems Security Engineering (SSE) processes, activities, and tasks as described in the recently released National Institute of Standards and Technology (NIST) Special Publication 800-160. This SSE framework uniquely offers a repeatable and tailorable methodology that allows system developers to focus on high Return-on-Investment (RoI) SSE processes, activities, and tasks to more efficiently meet stakeholder protection needs and deliver trustworthy secure systems

Enhancing reuse of data and biological material in medical research : from FAIR to FAIR-Health

The known challenge of underutilization of data and biological material from biorepositories as potential resources formedical research has been the focus of discussion for over a decade. Recently developed guidelines for improved data availability and reusability—entitled FAIR Principles (Findability, Accessibility, Interoperability, and Reusability)—are likely to address only parts of the problem. In this article,we argue that biologicalmaterial and data should be viewed as a unified resource. This approach would facilitate access to complete provenance information, which is a prerequisite for reproducibility and meaningful integration of the data. A unified view also allows for optimization of long-term storage strategies, as demonstrated in the case of biobanks.Wepropose an extension of the FAIR Principles to include the following additional components: (1) quality aspects related to research reproducibility and meaningful reuse of the data, (2) incentives to stimulate effective enrichment of data sets and biological material collections and its reuse on all levels, and (3) privacy-respecting approaches for working with the human material and data. These FAIR-Health principles should then be applied to both the biological material and data. We also propose the development of common guidelines for cloud architectures, due to the unprecedented growth of volume and breadth of medical data generation, as well as the associated need to process the data efficiently.peer-reviewe

Information security assurance model for an examination paper preparation process in a higher education institution

In today’s business world, information has become the driving force of organizations. With organizations transmitting large amounts of information to various geographical locations, it is imperative that organizations ensure the protection of their valuable commodity. Organizations should ensure that only authorized individuals receive, view and alter the information. This is also true to Higher Education Institutions (HEIs), which need to protect its examination papers, amongst other valuable information. With various threats waiting to take advantage of the examination papers, HEIs need to be prepared by equipping themselves with an information security management system (ISMS), in order to ensure that the process of setting examination papers is secure, and protects the examination papers within the process. An ISMS will ensure that all information security aspects are considered and addressed in order to provide appropriate and adequate protection for the examination papers. With the assistance of information security concepts and information security principles, the ISMS can be developed, in order to secure the process of preparing examination papers; in order to protect the examination papers from potential risks. Risk assessment form part of the ISMS, and is at the centre of any security effort; reason being that to secure an information environment, knowing and understanding the risks is imperative. Risks pertaining to that particular environment need to be assessed in order to deal with those appropriately. In addition, very important to any security effort is ensuring that employees working with the valuable information are made aware of these risks, and can be able to protect the information. Therefore, the role players (within the examination paper preparation process (EPPP)) who handle the examination papers on a daily basis have to be equipped with means of handling valuable information in a secure manner. Some of the role players’ behaviour and practices while handling the information could be seen as vulnerabilities that could be exploited by threats, resulting in the compromise in the CIA of the information. Therefore, it is imperative that role players are made aware of their practices and iv behaviour that could result in a negative impact for the institution. This awareness forms part and is addressed in the ISMS

Review of human decision-making during computer security incident analysis

We review practical advice on decision-making during computer security incident response. Scope includes standards from the IETF, ISO, FIRST, and the US intelligence community. To focus on human decision-making, the scope is the evidence collection, analysis, and reporting phases of response. The results indicate both strengths and gaps. A strength is available advice on how to accomplish many specific tasks. However, there is little guidance on how to prioritize tasks in limited time or how to interpret, generalize, and convincingly report results. Future work should focus on these gaps in explication and specification of decision-making during incident analysis

Web Based Cyber Forensics Training For Law Enforcement

Training and education are two of the most important aspects within cyber forensics. These topics have been of concern since the inception of the field. Training law enforcement is particularly important to ensure proper execution of the digital forensics process. It is also important because the proliferation of technology in to society continues to grow at an exponential rate. Just as technology is used for good there are those that will choose to use it for criminal gains. It is critical that Law Enforcement have the tools and training in cyber forensics. This research looked to determine if web based training was a feasible platform for cyber forensics training. A group of Indiana State Police Troopers were asked to participate in an online study where they were presented cyber forensics training material. That study showed that there was statistical significance between the treatment groups and the control group. The results from the study showed that web based training is an effective means to train a large group of law enforcement officers

An Integrated Framework for the Methodological Assurance of Security and Privacy in the Development and Operation of MultiCloud Applications

x, 169 p.This Thesis studies research questions about how to design multiCloud applications taking into account security and privacy requirements to protect the system from potential risks and about how to decide which security and privacy protections to include in the system. In addition, solutions are needed to overcome the difficulties in assuring security and privacy properties defined at design time still hold all along the system life-cycle, from development to operation.In this Thesis an innovative DevOps integrated methodology and framework are presented, which help to rationalise and systematise security and privacy analyses in multiCloud to enable an informed decision-process for risk-cost balanced selection of the protections of the system components and the protections to request from Cloud Service Providers used. The focus of the work is on the Development phase of the analysis and creation of multiCloud applications.The main contributions of this Thesis for multiCloud applications are four: i) The integrated DevOps methodology for security and privacy assurance; and its integrating parts: ii) a security and privacy requirements modelling language, iii) a continuous risk assessment methodology and its complementary risk-based optimisation of defences, and iv) a Security and Privacy Service Level AgreementComposition method.The integrated DevOps methodology and its integrating Development methods have been validated in the case study of a real multiCloud application in the eHealth domain. The validation confirmed the feasibility and benefits of the solution with regards to the rationalisation and systematisation of security and privacy assurance in multiCloud systems

A Proposal for a European Cybersecurity Taxonomy

The Commission made a commitment in the Communication adopted in September 2018 (COM(2018) 630 final) to launch a pilot phase under Horizon 2020 to help bring national cybersecurity centres together into a network. In this context, the goal of this document is that of aligning the cybersecurity terminologies, definitions and domains into a coherent and comprehensive taxonomy to facilitate the categorisation of EU cybersecurity competencies.JRC.E.3-Cyber and Digital Citizens' Securit

A model-based methodology to support systems security design and assessment

Addressing cybersecurity aspects while designing systems is challenging. As our systems increasingly rely on digital technology to perform, security and resilience aspects need to be considered during the system design process. However, the integration of pertinent information into the systems engineering lifecycle is not trivial, as it is characterized by following verbose guidelines and documentation, and has no practical, model-based methodology to support threat-aware design of systems. In this article, we address this gap by presenting an integrative, model-based methodology to support the design and assessment of systems' security aspects. We discuss the methodology's design, specifically with respect to system development scenarios, and detail industrial case studies demonstrating the applicability of the methodology