Application security in information technology: an approach to integrating security elements into the life cycle of applications and information systems
The information technology (IT) industry and the organizations that use it have many means at their disposal to develop, acquire and maintain secure applications. However, although a wide range of good practices, standards and tools exist for this purpose, organizations struggle to reach this goal.
Sixteen problem areas that help explain this situation were identified over the course of this research, whose goal is to design, have approved by an international standardization organization, and make accessible to those who develop or use applications, a new application security model (the SA model). Using this model makes it possible to implement and demonstrate the security of an application, thereby ensuring the protection of the sensitive information involved in its use. The SA model proposes concepts, principles, processes and components that allow an organization to equip itself with a normative framework that meets its security needs while respecting its capabilities.
This SA model makes it possible to take into account the business, legal and technological contexts specific to the environments in which applications are developed and used. It also makes it possible to manage the security risks arising from people, processes and technology that could threaten the sensitive information involved in these applications. This SA model makes it possible to identify and put in place a set of controls and security measures in order to ensure a level of confidence in the security of an application throughout its life cycle. Finally, the SA model allows the organization using it to provide measurable and repeatable evidence showing that the targeted level of confidence has been reached and maintained, according to the specific context of use of its applications.
The SA model includes the various elements of an application security architecture that can be used by organizations and the IT industry. These elements are defined, validated, tested and integrated into a normative framework that will be used as an authoritative source guiding the implementation of security for an organization's applications.
Privacy Preserving HIPAA-Compliant Access Control Model for Web Services
Software applications are developed to help companies and organizations process and manage data that support their daily operations. However, this data might contain sensitive clients' information that should be protected to ensure the clients' privacy. Besides losing the clients' trust, neglecting to ensure the clients' data privacy may also be unlawful and inflict serious legal and financial consequences. Lately, different laws and regulations related to data privacy have been enacted, especially in vital sectors such as health care, finance, and accounting. Those regulations dictate how clients' data should be disclosed and transmitted within the organization as well as with external partners. The privacy rules in these laws and regulations present a challenge for software engineers who design and implement the software applications used in processing the clients' private data. The difficulty is linked to the complexity and length of the letter of the law and to how to guarantee that the software application is maintaining the clients' data privacy in compliance with the law. Some healthcare organizations are trying to perform their own interpretation of the law's privacy rules by creating custom systems. However, the problem with such an approach is that the margin of error while interpreting the letter of the law is high, especially with separate efforts carried out by individual companies. According to a survey carried out to check the Healthcare Insurance Portability and Accountability Act (HIPAA) requirements interpretations created for medical and healthcare related applications, none of the frameworks were well developed to capture the relationships specified in the law. To solve this problem, a standard framework is required that will analyze the regulatory text and provide a method to extract the relevant components that can be used during software role engineering and development.
The extracted components will include all the possible arrangements of roles, purposes, permissions, temporal factors, and any carried out obligations. In this work we propose a framework to analyze, extract, model, and enforce the privacy requirements from HIPAA regulatory text. The framework's goal is to translate the law's privacy rules text into more manageable components in the form of entities, roles, purposes, and obligations. Those components together can be used as building blocks to create formal privacy policies. The process concentrates on two main components: entities and their roles, and data access context. To accomplish the first part, the framework will parse the privacy sections of the regulatory text to mine all the subjects, and then categorize those subjects into roles based on their characterization in the law. To acquire the access context, the process will extract all the purposes, temporal clauses and any carried out obligations and classify them based on their permissibility.
Extracting security requirements from relevant laws and regulations
For software systems that process and manage sensitive information, compliance with laws has become not an option but a necessity. Analysing relevant laws and aligning them with the system requirements is necessary for attaining compliance. But analysing laws within the context of software system requirements is a difficult task, mainly because the concepts used in legal texts are different from the concepts used in requirements engineering. This paper contributes to that direction. In particular, it presents a process to model and analyse laws and regulations and to support the elicitation of security requirements based on the relevant legal and system context. Finally, a case study is used to demonstrate the applicability of the proposed approach.
A semantic based framework for software regulatory compliance
The software development market is currently witnessing an increasing demand for software applications to conform with the international regime of GRC (Governance, Risk and Compliance). In this thesis, we propose a compliance requirement analysis method for the early stages of software development based on a semantically rich model, where a mapping can be established from legal and regulatory requirements relevant to the system context to software system goals and contexts. This research is an attempt to address the requirement of the General Data Protection Regulation (GDPR, Article 25) (European Commission) for implementation of a "privacy by design" approach as part of organizational IT systems and processes. It requires the design of data protection requirements into the development of business processes for products and services. The proposed semantic model consists of a number of ontologies, each corresponding to a knowledge component within the developed framework of our approach. Each ontology is a thesaurus of concepts in the compliance and risk assessment domain related to system development, along with the relationships and rules between concepts that comprise the domain knowledge. The main contribution of the work presented in this paper is a novel ontology-based framework that demonstrates how description-logic reasoning techniques can be used to simulate the legal reasoning employed by legal professionals against the description of each ontology. The semantic modelling of each component of the framework can strongly influence the compliance of the software system being developed and enables the reusability, adaptability and maintainability of these components. Through the discrete modelling of these components, the flexibility and extensibility of compliance systems will be improved.
Additionally, enriching ontologies with semantic rules increases the reasoning power and helps to represent rules of laws, regulations and guidelines for compliance, as well as the mapping, refinement and inheritance of different components from each other. This novel approach offers a pedagogically effective and satisfactory learning experience for developers and compliance officers to be trained in the area of compliance and to query for knowledge in this domain. This thesis offers the theoretical models, design and implementation of a compliance system in accordance with this approach.