
    Mapping ISO 27002 into security ontology

    In recent years, because of the increasingly interconnected environment, information is exposed to a growing number of threats and vulnerabilities, so it is especially important for an organisation to have an effective information security management system. Organisations are increasingly looking to standards of best practice for guidance on how to manage their information security infrastructure; by following one, they can demonstrate that their information is adequately secured and show customers and business partners that they can be trusted to protect important information. This document presents a methodology for mapping the knowledge in the ISO 27002 standard onto a security ontology, and it is intended for organisations that aim to maintain compliance with that standard.

    Ontology in Information Security

    Over the past several years information has become the most valuable asset, while protecting and securing it has become an ever greater challenge because of the large body of knowledge an organisation needs in order to withstand external threats and attacks. Knowledge collected from the information security domain can be described formally by security ontologies. Many researchers have addressed this topic over the last decade; in this paper we identify, analyse and systematise the relevant papers published in scientific journals indexed in selected scientific databases between 2004 and 2014. The paper reviews the literature on information security ontologies and identifies a total of 52 papers, systematised into three groups: general security ontologies (12 papers), specific security ontologies (32 papers) and theoretical works (8 papers). The papers varied in quality and level of detail, ranging from presentations of simple conceptual ideas to sophisticated ontology-based frameworks.

    Impact of Implementation of Information Security Risk Management and Security Controls on Cyber Security Maturity (A Case Study at Data Management Applications of XYZ Institute)

    Information security is an important concern for governments and industry because of the increase in cyber attacks during Covid-19. The government is obliged to maintain information security when implementing an Electronic-Based Government System under Presidential Regulation of the Republic of Indonesia Number 95 of 2018. To address this, the XYZ Institute needs an approach to implementing information security risk management and information security controls. This study covers risk identification, risk analysis, risk evaluation, risk treatment, risk acceptance and risk control, and analyses cyber security maturity gaps in the domains of governance, identification, protection, detection and response. ISO/IEC 27005:2018 is used as guidance for conducting the risk assessment, the ISO/IEC 27002:2013 code of practice is used for information security controls, and maturity is assessed with version 1.10 of the cyber security maturity model developed by the National Cyber and Crypto Agency of the Republic of Indonesia. The results show that the cyber maturity score increased from 3.19 to 4.06 after implementing 12 new security controls.

    Investigating the Relationship between IT and Organizations: A Research Trilogy

    The overall objective of this dissertation is to contribute to knowledge and theory about the influence of information technology (IT) on organizations and their members. This dissertation is composed of three related studies, each examining different aspects of the relationship between IT and organizations. The objective of the first study is to provide an overview of the dominant theoretical perspectives that IS researchers have used in the last five decades to study the influence of technology on organizations and their members. Without being exhaustive, this study seeks more specifically to identify, for each decade, the dominant theoretical perspectives used in the IS field. These dominant theoretical perspectives are illustrated by the selection and description of exemplars published in the decade and their implications for researchers and practitioners are discussed. This review is useful not only for understanding past trends and the current state of research in this area but also to foresee its future directions and guide researchers in their future research on the influence of IT on organizations and their members. The objective of the second study is to theorize how IT artifacts influence the design and performance of organizational routines. This study adopts organizational routines theory as its theoretical lens. Organizational routines represent an important part of almost every organization and organizational routines theory is an influential theory that explains how the accomplishment of organizational routines can contribute to both organizational stability and change. However, the current form of this theory has several limitations such as its neglect of the material aspect of artifacts and the distinctive characteristics of IT artifacts, and its treatment of artifacts as outside of organizational routines. This study seeks to overcome these limitations by extending organizational routines theory. 
The objective of the third study is to develop a better understanding of information security standards by analysing the structure, nature and content of their controls. This study also investigates the mechanisms used in the design of information security standards to make them both applicable to a wide range of organisations and adaptable to specific organisational settings. Its results lead to the proposal of a new theory for information systems, called generative control theory.

    Data protection regulation ontology for compliance

    The GDPR is the current data protection regulation in Europe. Significant market demand has been created since it came into force, largely because it applies beyond European borders whenever the data processed belongs to European citizens. The number of companies that require some form of regulatory or standards compliance keeps growing, and the need for cyber security and privacy specialists has never been greater. Moreover, the GDPR has inspired a series of similar regulations around the world, which further increases demand and makes the work of companies operating internationally more complicated and harder to scale. The purpose of this thesis is to help consultancy companies automate their work by using semantic structures known as ontologies, and thereby increase productivity and reduce costs. Ontologies store data together with its semantics (meaning) in a machine-readable format. In this thesis an ontology has been designed to help consultants generate the checklists (or runbooks) they are required to deliver to their clients. The ontology handles concepts such as security measures, company information, company architecture, data sensitivity, privacy mechanisms, the distinction between technical and organisational measures, and even conditionality. It was evaluated with a litmus test consisting of a collection of competency questions collected from the ontology's use cases. These questions were translated into SPARQL queries and run against a test ontology. The ontology passed the litmus test, so it can be concluded that the implemented functionality matches the proposed design.
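    As an added example (not code from either of the theses above), the following block shows what the two ontology-based approaches on this page have in common: a security ontology in which controls from different standards are mapped onto shared concepts (as in the ISO 27002 mapping work), and competency questions answered by pattern queries over that ontology (as in the GDPR checklist thesis). A real implementation would use an RDF store and SPARQL; to stay self-contained this example uses an in-memory list of triples and a small matcher that does what a basic SPARQL SELECT over a basic graph pattern does. The vocabulary (sec:, ex:), the company, the two standards and the Ctrl-* control names are all constructed for illustration and correspond to nothing in ISO 27002 or the GDPR.

```python
"""Competency questions over a tiny, constructed security/compliance ontology.

Not the ontology of either thesis: an in-memory triple store plus a
basic-graph-pattern matcher (what a simple SPARQL SELECT does), so it
runs without an RDF library. All names below are assumptions.
"""
from typing import Dict, List, Optional, Tuple

Triple = Tuple[str, str, str]
Binding = Dict[str, str]

TRIPLES: List[Triple] = [
    # measure taxonomy: technical vs organisational measures
    ("ex:Encryption",    "rdf:type", "sec:TechnicalMeasure"),
    ("ex:AccessControl", "rdf:type", "sec:TechnicalMeasure"),
    ("ex:StaffTraining", "rdf:type", "sec:OrganisationalMeasure"),
    ("ex:DPIA",          "rdf:type", "sec:OrganisationalMeasure"),
    # threat model: which measure mitigates which threat
    ("ex:Encryption",    "sec:mitigates", "ex:DataLeakage"),
    ("ex:AccessControl", "sec:mitigates", "ex:UnauthorisedAccess"),
    ("ex:StaffTraining", "sec:mitigates", "ex:Phishing"),
    # hypothetical controls from two standards, mapped onto shared measure concepts
    ("ex:Ctrl-A-Crypto", "sec:definedIn",  "ex:StandardA"),
    ("ex:Ctrl-A-Crypto", "sec:recommends", "ex:Encryption"),
    ("ex:Ctrl-A-Access", "sec:definedIn",  "ex:StandardA"),
    ("ex:Ctrl-A-Access", "sec:recommends", "ex:AccessControl"),
    ("ex:Ctrl-B-7",      "sec:definedIn",  "ex:StandardB"),
    ("ex:Ctrl-B-7",      "sec:recommends", "ex:Encryption"),
    # company facts and conditionality: a measure is required at a sensitivity level
    ("ex:AcmeCorp",      "sec:processes",    "ex:HealthRecords"),
    ("ex:HealthRecords", "sec:sensitivity",  "sec:High"),
    ("ex:Encryption",    "sec:requiredWhen", "sec:High"),
    ("ex:DPIA",          "sec:requiredWhen", "sec:High"),
    ("ex:StaffTraining", "sec:requiredWhen", "sec:Low"),
]


def _unify(pattern: Triple, triple: Triple, binding: Binding) -> Optional[Binding]:
    """Extend `binding` so that `pattern` (terms starting with '?' are variables)
    matches `triple`; return None when the two cannot be unified."""
    out = dict(binding)
    for term, value in zip(pattern, triple):
        if term.startswith("?"):
            if out.get(term, value) != value:
                return None          # variable already bound to something else
            out[term] = value
        elif term != value:
            return None              # constant mismatch
    return out


def select(patterns: List[Triple], store: List[Triple] = TRIPLES) -> List[Binding]:
    """Join all patterns over the store, like SPARQL SELECT over a basic graph pattern."""
    solutions: List[Binding] = [{}]
    for pattern in patterns:
        next_solutions: List[Binding] = []
        for partial in solutions:
            for triple in store:
                extended = _unify(pattern, triple, partial)
                if extended is not None:
                    next_solutions.append(extended)
        solutions = next_solutions
    return solutions


def required_measures(company: str, measure_class: str) -> List[str]:
    """CQ1: which measures of a class must the company implement, given the
    sensitivity of the data it processes (the 'conditionality' concept)?"""
    rows = select([
        (company,    "sec:processes",    "?data"),
        ("?data",    "sec:sensitivity",  "?level"),
        ("?measure", "sec:requiredWhen", "?level"),
        ("?measure", "rdf:type",         measure_class),
    ])
    return sorted({row["?measure"] for row in rows})


def checklist(company: str) -> Dict[str, List[str]]:
    """A consultant's checklist split into technical and organisational measures."""
    return {
        "technical": required_measures(company, "sec:TechnicalMeasure"),
        "organisational": required_measures(company, "sec:OrganisationalMeasure"),
    }


def controls_for_threat(standard: str, threat: str) -> List[str]:
    """CQ2: which controls of a standard address a given threat?"""
    rows = select([
        ("?ctrl",    "sec:definedIn",  standard),
        ("?ctrl",    "sec:recommends", "?measure"),
        ("?measure", "sec:mitigates",  threat),
    ])
    return sorted({row["?ctrl"] for row in rows})


def harmonised_controls(standard_a: str, standard_b: str) -> List[Tuple[str, str, str]]:
    """CQ3: controls in two standards that map to the same measure concept,
    i.e. the cross-standard mapping that lets a checklist de-duplicate controls."""
    rows = select([
        ("?a", "sec:definedIn",  standard_a),
        ("?b", "sec:definedIn",  standard_b),
        ("?a", "sec:recommends", "?m"),
        ("?b", "sec:recommends", "?m"),
    ])
    return sorted({(row["?a"], row["?b"], row["?m"]) for row in rows})


if __name__ == "__main__":
    print(checklist("ex:AcmeCorp"))
    print(controls_for_threat("ex:StandardA", "ex:DataLeakage"))
    print(harmonised_controls("ex:StandardA", "ex:StandardB"))
```

    The point of CQ3 is the one both abstracts make: once two standards' controls are expressed against the same measure concepts, the "which control here corresponds to which control there" question becomes a join rather than a manual spreadsheet exercise, and the conditionality in CQ1 keeps the generated checklist specific to the data a given company actually processes.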

    Enterprise security architecture - mythology or methodology?

    Security is a complex issue for organisations, and its management is now a fiduciary responsibility as well as a moral one. Organisational security (computer security, human security, access control, risk management and so on) is conducted in separate business units, creating a silo effect. A cohesive and holistic approach is required to mitigate the risk of security breaches and of parts of the business that no silo monitors. Without a holistic, robust structure the assets of an organisation are at critical risk. Enterprise architecture (EA) is a strong and reliable structure that has been tested and used effectively for designing, building and managing organisations globally for at least 30 years, and grouping security with EA promises to bring the benefits of EA to the security domain. Through a review of existing security frameworks this work evaluates the extent to which they employ EA and finds a need for a comprehensive solution. The research designs, develops, evaluates and demonstrates a security EA framework for organisations regardless of industry, budget or size. The framework is developed from the Zachman framework 2013 Version 3.0 because it is the most complete, the most referenced in the frameworks reviewed, and historically the methodology others have chosen to base their frameworks on. The results support the need for a holistic security structure and indicate benefits including a reduction of security gaps, improved security investment decisions, clear functional responsibilities, a complete security nomenclature and compliance with international security standards, among others. This research bridges the gap and changes the way security in an organisation is fundamentally viewed, from individual silo capabilities to a holistic security ecosystem of highly interdependent primitive security models. Thesis (Ph.D.) -- University of Adelaide, School of Computer Science, 202

    Using ArchiMate to Assess COBIT 5 and ITIL Implementations

    The assessment of Enterprise Governance of IT (EGIT) mechanisms such as COBIT and ITIL is considered highly complex and implies a duplication of resources. The main goal of this research is to reduce that complexity by facilitating the assessment of these mechanisms when they are used simultaneously. Organisational stakeholders should be able to understand easily the impact of implementing ITIL on COBIT 5 process performance without being COBIT experts; conversely, they should know their organisation's positioning according to ITIL even if they only follow COBIT and do not master ITIL. To this end we propose a model that uses TIPA for ITIL, the COBIT PAM and ArchiMate to analyse the impact of an ITIL implementation on COBIT process performance, and vice versa. We demonstrate the proposal by analysing the impact of the Incident Management and Request Fulfilment ITIL processes on the related COBIT 5 process.

    Automation of the Harmonisation, Analysis and Evaluation of Information Security Requirements (Informacijos saugos reikalavimų harmonizavimo, analizės ir įvertinimo automatizavimas)

    The growing use of Information Technology (IT) in the daily operations of enterprises requires an ever-increasing level of protection of an organisation's assets and information against unauthorised access, data leakage and any other type of information security breach, so ensuring the necessary level of protection becomes vital. One of the best ways to achieve this is to implement the controls defined in information security documents. The problem organisations face is that they are often required to be aligned with multiple information security documents and their requirements. Currently, protection of an organisation's assets and information rests on the knowledge, skills and experience of its information security specialists. The lack of automated tools for harmonising, analysing and visualising multiple information security documents and their requirements leads to information security being implemented ineffectively, with duplicated controls or an increased cost of security implementation. An automated approach to analysing, mapping and visualising information security documents would contribute to solving this issue. The dissertation consists of an introduction, three main chapters and general conclusions. The first chapter introduces existing information security regulatory documents, current harmonisation techniques, methods for evaluating the cost of information security implementation, and ways to analyse information security requirements by applying graph theory optimisation algorithms (vertex cover and graph isomorphism). The second chapter proposes ways to evaluate information security implementation and its costs through a controls-based approach; the effectiveness of this method could be improved by automating the initial data gathering from business process diagrams. 
In the third chapter, adaptive mapping based on a security ontology is introduced for harmonising different security documents; this approach also allows visualisation techniques to be applied to the presentation of harmonisation results. Graph optimisation algorithms (the vertex cover algorithm and the graph isomorphism algorithm) are proposed for identifying a Minimum Security Baseline and for verifying the achieved results against the controls implemented in small and medium-sized enterprises. It is concluded that the proposed methods provide sufficient data for adjusting and verifying the security controls applicable under multiple information security documents. Dissertation.
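    As an added example (not the dissertation's own code or its exact formulation), the block below shows one way the vertex cover algorithm mentioned above can identify a minimum security baseline and then verify an SME's implemented controls against it. The assumed model is this: after harmonisation, each requirement can be satisfied by one of at most two alternative controls (typically the control in one document and the equivalent control mapped from another), so controls become vertices, each requirement becomes an edge between the controls that satisfy it, and "implement the fewest controls that satisfy every requirement" is exactly a minimum vertex cover. The two hypothetical documents (DocA and DocB), their control names and the requirement list are constructed for the example; the graph isomorphism part of the dissertation is not shown.

```python
"""Minimum security baseline as a minimum vertex cover.

Constructed example, not the dissertation's implementation. Vertices are
controls (prefixed A./B. for two hypothetical documents), edges are
requirements, each satisfiable by one or two alternative controls. A minimum
vertex cover is then the smallest control set that satisfies every requirement.
"""
from typing import Dict, FrozenSet, Iterable, List, Tuple

Edge = Tuple[str, str]

# requirement id -> the controls (one or two alternatives) that satisfy it.
# Names are assumptions; they correspond to no real standard's control numbering.
REQUIREMENTS: Dict[str, Tuple[str, ...]] = {
    "R1-encrypt-at-rest":    ("A.crypto",  "B.encryption"),
    "R2-mfa":                ("A.access",  "B.mfa"),
    "R3-privileged-logging": ("A.logging", "B.audit"),
    "R4-access-review":      ("A.access",  "B.access-review"),
    "R5-log-retention":      ("A.logging", "B.retention"),
    "R6-key-management":     ("A.crypto",  "B.keymgmt"),
    "R7-incident-plan":      ("B.incident",),        # only one control satisfies it
}


def requirement_edges(reqs: Dict[str, Tuple[str, ...]]) -> List[Edge]:
    """Turn requirements into graph edges; a single-option requirement becomes
    a self-loop, which forces that control into every cover."""
    edges: List[Edge] = []
    for rid, controls in reqs.items():
        if len(controls) == 1:
            edges.append((controls[0], controls[0]))
        elif len(controls) == 2:
            edges.append((controls[0], controls[1]))
        else:
            raise ValueError(f"{rid}: vertex cover models at most 2 alternatives")
    return edges


def min_vertex_cover(edges: List[Edge]) -> FrozenSet[str]:
    """Exact minimum vertex cover by branching: pick an uncovered edge (u, v);
    any cover must contain u or v, so try both and keep the smaller result.
    Exponential in the cover size, which is fine for control sets of this scale."""
    best: List[FrozenSet[str]] = []

    def branch(remaining: List[Edge], cover: FrozenSet[str]) -> None:
        if best and len(cover) >= len(best[0]):
            return                                   # cannot beat the best cover found
        if not remaining:
            best[:] = [cover]
            return
        u, v = remaining[0]
        for pick in sorted({u, v}):                  # self-loop: a single forced choice
            rest = [e for e in remaining if pick not in e]
            branch(rest, cover | {pick})

    branch(edges, frozenset())
    return best[0]


def minimum_baseline(reqs: Dict[str, Tuple[str, ...]]) -> FrozenSet[str]:
    """The Minimum Security Baseline: fewest controls satisfying every requirement."""
    return min_vertex_cover(requirement_edges(reqs))


def uncovered_requirements(reqs: Dict[str, Tuple[str, ...]],
                           implemented: Iterable[str]) -> List[str]:
    """Verification step: which requirements does an SME's implemented control
    set leave unsatisfied? (Every requirement edge must touch an implemented control.)"""
    have = set(implemented)
    return [rid for rid, controls in reqs.items() if not have.intersection(controls)]


if __name__ == "__main__":
    baseline = minimum_baseline(REQUIREMENTS)
    print("baseline:", sorted(baseline))
    sme_controls = {"B.encryption", "B.mfa", "B.audit"}     # constructed SME state
    print("gaps:", uncovered_requirements(REQUIREMENTS, sme_controls))
```

    In the constructed data each A.* control covers two requirements while each B.* control covers one, so the minimum cover is the three A.* controls plus the forced B.incident, four controls instead of the ten that implementing both documents naively would require; this is the control duplication the abstract refers to. Requirements with three or more alternative controls fall outside vertex cover and need a hitting-set or set-cover formulation instead.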

    IT GOVERNANCE AUDIT AT THE KAMPAR REGENCY LIBRARY AND ARCHIVES DEPARTMENT USING COBIT 2019 AND ITIL 4

    Information Technology (IT) is a tool that plays an important role in improving the effectiveness and efficiency of a company's or organisation's business processes. The Kampar Regency Library and Archives Service uses the Integrated Library System (INLIS) Lite to support operational, management and decision-making functions in the library. However, INLIS Lite has not been fully utilised, so an IT governance audit is needed to determine the extent of IT performance, human resources and the level of IT maturity in the library. This study uses Control Objectives for Information and Related Technology (COBIT) 2019 and the Information Technology Infrastructure Library (ITIL) 4 to conduct the audit. The audit covered eight processes: APO02 and APO12 are at level 1 (Performed) in the Largely Achieved category, APO09 and BAI08 at level 2 (Managed) in the Largely Achieved category, APO13, BAI05 and MEA01 in the Largely Achieved category, and APO07 at level 4 (Predictable) in the Fully Achieved category. In addition to the audit, an assessment of the capability level was carried out using the Servqual model and Importance Performance Analysis, placing 2 criteria in quadrant A, 1 criterion in quadrant B, 2 criteria in quadrant C and 3 criteria in quadrant D. The study also provides recommendations for improvement using a SWOT approach that refers to ITIL 4.

    Legal linked data ecosystems and the rule of law

    This chapter introduces the notions of meta-rule of law and socio-legal ecosystems to both foster and regulate linked democracy. It explores the way of stimulating innovative regulations and building a regulatory quadrant for the rule of law. The chapter summarises briefly (i) the notions of responsive, better and smart regulation; (ii) requirements for legal interchange languages (legal interoperability); (iii) and cognitive ecology approaches. It shows how the protections of the substantive rule of law can be embedded into the semantic languages of the web of data and reflects on the conditions that make possible their enactment and implementation as a socio-legal ecosystem. The chapter suggests in the end a reusable multi-levelled meta-model and four notions of legal validity: positive, composite, formal, and ecological