7 research outputs found

    Application security in information technology: an approach for integrating security elements into the life cycle of applications and information systems

    The information technology (IT) industry and the organizations that use it have many means at their disposal to develop, acquire and maintain secure applications. However, although a wide array of good practices, standards and tools exists for this purpose, organizations struggle to reach this goal. Sixteen issues that help explain this situation were identified during this research, whose aim is to design, have approved by an international standardization organization, and make available to those who develop or use applications, a new application security model (SA model). Using this model makes it possible to implement and demonstrate the security of an application, thereby ensuring the protection of the sensitive information involved in its use. The SA model proposes concepts, principles, processes and components that allow an organization to establish a normative framework that meets its security needs while respecting its capabilities. The SA model makes it possible to take into account the business, legal and technological contexts specific to the environments where applications are developed and used. It also makes it possible to manage security risks arising from people, processes and technology that could threaten the sensitive information involved in these applications. The SA model makes it possible to identify and implement a set of security controls and measures in order to ensure a level of trust in the security of an application throughout its life cycle. Finally, the SA model enables the organization using it to provide measurable and repeatable evidence showing that the targeted level of trust has been reached and maintained, according to the specific context of use of its applications.
The SA model includes the various elements of an application security architecture that can be used by organizations and the IT industry. These elements are defined, validated, tested and integrated into a normative framework that will be used as an authoritative source guiding the implementation of security for an organization's applications.

    Privacy Preserving HIPAA-Compliant Access Control Model for Web Services

    Software applications are developed to help companies and organizations process and manage data that support their daily operations. However, this data might contain sensitive clients' information that should be protected to ensure the clients' privacy. Besides losing the clients' trust, neglecting to ensure the clients' data privacy may also be unlawful and inflict serious legal and financial consequences. Lately, different laws and regulations related to data privacy have been enacted, especially in vital sectors such as health care, finance, and accounting. Those regulations dictate how clients' data should be disclosed and transmitted within the organization as well as with external partners. The privacy rules in these laws and regulations presented a challenge for software engineers who design and implement the software applications used in processing the clients' private data. The difficulty is linked to the complexity and length of the letter of the law and how to guarantee that the software application is maintaining the clients' data privacy in compliance with the law. Some healthcare organizations are trying to perform their own interpretation of the law privacy rules by creating custom systems. However, the problem with such an approach is that the margin of error while interpreting the letter of the law is high, especially with separate efforts carried out by individual companies. According to a survey carried out to check the Healthcare Insurance Portability and Accountability Act (HIPAA) requirements interpretation created for medical and healthcare related applications, none of the frameworks were well developed to capture the relationships specified in the law. To solve this problem, a standard framework is required that will analyze the regulatory text and provide a method to extract the relevant component that can be used during software roles engineering and development.
The extracted components will include all the possible arrangements of roles, purposes, permissions, temporal factors, and any carried out obligations. In this work we propose a framework to analyze, extract, model, and enforce the privacy requirements from HIPAA regulatory text. The framework's goal is to translate the law privacy rules text into more manageable components in the form of entities, roles, purposes, and obligations. Those components together can be used as building blocks to create formal privacy policies. The process concentrates on two main components: entities and their roles, and data access context. To accomplish the first part, the framework will parse the privacy sections of the regulatory text to mine all the subjects, and then categorize those subjects into roles based on their characterization in the law. To acquire the access context, the process will extract all the purposes, temporal clauses and any carried out obligations and classify them based on their permissibility.

    A Readiness Model for Secure Requirements Engineering


    Extracting security requirements from relevant laws and regulations

    For software systems that process and manage sensitive information, compliance with laws has become not an option but a necessity. Analysing relevant laws and aligning them with the system requirements is necessary for attaining compliance issues. But analyzing laws within the context of software system requirements is a difficult task, mainly because the concepts used in legal texts are different compared to the concepts used in requirements engineering. This paper contributes to that direction. In particular, it presents a process to model and analyse laws and regulations and to support the elicitation of security requirements based on the relevant legal and system context. Finally, a case study is used to demonstrate the applicability of the proposed approach.

    A semantic based framework for software regulatory compliance

    The software development market is currently witnessing an increasing demand for software applications conformance with the international regime of GRC for Governance, Risk and Compliance. In this thesis, we propose a compliance requirement analysis method for early stages of software development based on a semantically-rich model, where a mapping can be established from legal and regulatory requirements relevant to system context to software system goals and contexts. This research is an attempt to address the requirement of General Data Protection Regulation (GDPR, Article 25) (European Commission) for implementation of a "privacy by design" approach as part of organizational IT-systems and processes. It requires design of data protection requirements in the development of business processes for products and services. The proposed semantic model consists of a number of ontologies each corresponding to a knowledge component within the developed framework of our approach. Each ontology is a thesaurus of concepts in the compliance and risk assessment domain related to system development along with relationships and rules between concepts that compromise the domain knowledge. The main contribution of the work presented in this paper is a novel ontology-based framework that demonstrates how description-logic reasoning techniques can be used to simulate legal reasoning requirements employed by legal professions against the description of each ontology. The semantic modelling of each component of the framework can highly influence the compliance of developing software system and enables the reusability, adaptability and maintainability of these components. Through the discrete modelling of these components, the flexibility and extensibility of compliance systems will be improved.
Additionally, enriching ontologies with semantic rules increases the reasoning power and helps to represent rules of laws, regulations and guidelines for compliance, also mapping, refinement and inheriting of different components from each other. This novel approach offers a pedagogically effective and satisfactory learning experience for developers and compliance officers to be trained in the area of compliance and query for knowledge in this domain. This thesis offers the theoretical models, design and implementation of a compliance system in accordance with this approach.