168 research outputs found

    Data protection regulation ontology for compliance

    The GDPR is the current data protection regulation in Europe. A significant market demand has been created ever since the GDPR came into force. This is largely because its reach extends beyond European borders whenever the data processed belongs to European citizens. The number of companies that require some type of regulation or standard compliance is ever-increasing, and the need for cyber security and privacy specialists has never been greater. Moreover, the GDPR has inspired a series of similar regulations all over the world. This further increases the market demand and makes the work of companies that operate internationally more complicated and difficult to scale. The purpose of this thesis is to help consultancy companies automate their work by using semantic structures known as ontologies. By doing this, they can increase productivity and reduce costs. Ontologies can store data and their semantics (meaning) in a machine-readable format. In this thesis, an ontology has been designed to help consultants generate the checklists (or runbooks) that they are required to deliver to their clients. The ontology is designed to handle concepts such as security measures, company information, company architecture, data sensitivity, privacy mechanisms, the distinction between technical and organisational measures, and even conditionality. The ontology was evaluated using a litmus test. In the context of this ontology, the litmus test was composed of a collection of competency questions. Competency questions were collected based on the use cases of the ontology. These questions were later translated into SPARQL queries, which were run against a test ontology. The ontology successfully passed the given litmus test. Thus, it can be concluded that the implemented functionality matches the proposed design.

    MASISCo—Methodological Approach for the Selection of Information Security Controls

    As cyber-attacks grow worldwide, companies have begun to realize the importance of being protected against malicious actions that seek to violate their systems and access their information assets. Faced with this scenario, organizations must carry out correct and efficient management of their information security, which implies that they must adopt a proactive attitude, implementing standards that allow them to reduce the risk of computer attacks. Unfortunately, the problem is not only implementing a standard but also determining the best way to do it, defining an implementation path that considers the particular objectives and conditions of the organization and its availability of resources. This paper proposes a methodological approach for selecting and planning security controls, standardizing and systematizing the process by modeling the situation (objectives and constraints) and applying optimization techniques. The work presents an evaluation of the proposal through a methodology adoption study. This study showed a tendency of the study subjects to adopt the proposal, perceiving it as a helpful element that adapts to their way of working. The main weakness of the proposal was centered on ease of use, since the modeling and resolution of the problem require advanced knowledge of optimization techniques. This research was funded by Universidad de La Frontera, research direction, research project DIUFRO DI22-0043.

    Security Analysis of Simpel Desa using Mobile Security Framework and ISO 27002:2013

    The Personal Identification Number (KTP) is prone to being stolen and used by unwanted parties; this is also a possibility for Simpel Desa, a village administration application that also contains and uses the Personal Identification Number. This study aims to detect information security vulnerabilities, analyzing security vulnerabilities in the application using MobSF and ISO 27002:2013. MobSF is used for penetration testing for malware in applications. In MobSF, the Simpel Desa application is analyzed in two ways, namely static and dynamic. ISO 27002:2013 is used to map the findings of vulnerabilities and potential misuse of information so that accurate analysis results are obtained. The controls used are domain 9 (access control) and domain 10 (cryptography). The static analysis found vulnerabilities in the aspects of cryptography and permission access. The dynamic analysis found that Root Detection and Debugger Check Bypass had not been implemented. Overall, based on ISO 27002:2013, information security has not been maximally implemented. The recommendations given focus on the aspects of application permissions and access rights, user authentication, and the implementation of information security.

    Automation of the Harmonization, Analysis and Evaluation of Information Security Requirements

    The growing use of Information Technology (IT) in the daily operations of enterprises requires an ever-increasing level of protection of an organization's assets and information from unauthorised access, data leakage or any other type of information security breach. Because of that, it becomes vital to ensure the necessary level of protection. One of the best ways to achieve this goal is to implement the controls defined in information security documents. The problems faced by different organizations are related to the fact that organizations are often required to be aligned with multiple information security documents and their requirements. Currently, the protection of an organization's assets and information is based on the information security specialist's knowledge, skills and experience. The lack of automated tools for the harmonization, analysis and visualization of multiple information security documents and their requirements leads to a situation where information security is implemented by organizations in ineffective ways, causing duplication of controls or increased cost of security implementation. An automated approach for information security document analysis, mapping and visualization would contribute to solving this issue. The dissertation consists of an introduction, three main chapters and general conclusions. The first chapter introduces existing information security regulatory documents, current harmonization techniques, information security implementation cost evaluation methods and ways to analyse information security requirements by applying graph theory optimisation algorithms (vertex cover and graph isomorphism). The second chapter proposes ways to evaluate information security implementation and costs through a controls-based approach. The effectiveness of this method could be improved by implementing automated initial data gathering from business process diagrams. In the third chapter, adaptive mapping on the basis of a security ontology is introduced for the harmonization of different security documents; such an approach also allows visualization techniques to be applied to the presentation of harmonization results. Graph optimization algorithms (the vertex cover algorithm and the graph isomorphism algorithm) were proposed for Minimum Security Baseline identification and for verification of the achieved results against controls implemented in small and medium-sized enterprises. It was concluded that the proposed methods provide sufficient data for the adjustment and verification of security controls applicable under multiple information security documents.

    Enterprise security architecture - mythology or methodology?

    Security is a complex issue for organisations, with its management now a fiduciary responsibility as well as a moral one. Organisational security, such as computer security, human security, access control, risk management, etc., is conducted in separate business units, creating a silo effect. A cohesive and holistic approach is required to mitigate the risk of security breaches and of parts of the business not being monitored by any silo. Without a holistic, robust structure, the assets of an organisation are at critical risk. Enterprise architecture (EA) is a strong and reliable structure that has been tested and used effectively for designing, building, and managing organisations globally for at least 30 years. Grouping security with EA promises to leverage the benefits of EA in the security domain. Through a review of existing security frameworks, this work evaluates the extent to which they employ EA and determines that there is a need for developing a comprehensive solution. This research designs, develops, evaluates and demonstrates a security EA framework for organisations regardless of their industry, budgetary constraints or size. The framework is developed from the Zachman framework 2013 Version 3.0 because it is the most complete, the most referenced in our frameworks review, and historically the methodology that others choose to base their frameworks on. The results support the need for a holistic security structure and indicate benefits including reduction of security gaps, improved security investment decisions, clear functional responsibilities, a complete security nomenclature and international security standard compliance, among others. This research bridges the gap and changes the way we fundamentally view security in an organisation, from individual silo capabilities to a holistic security eco-system with highly interdependent primitive security models.
    Thesis (Ph.D.) -- University of Adelaide, School of Computer Science, 202

    Ontologies in Cloud Computing - Review and Future Directions

    Cloud computing as a technology has the capacity to enhance cooperation, scalability and accessibility, and offers discount prospects through improved and effective computing; this capability helps organizations to stay focused. Ontologies are used to model knowledge. Once knowledge is modeled, knowledge management systems can be used to search, match and visualize knowledge, and also to infer new knowledge. Ontologies use semantic analysis to define information within an environment with interconnecting relationships between heterogeneous sets. This paper aims to provide a comprehensive review of the existing literature on ontology in cloud computing and defines the state of the art. We applied the systematic literature review (SLR) approach and identified 400 articles; 58 of the articles were selected after further selection based on set selection criteria, and 35 articles were considered relevant to the study. The study shows that four predominant areas of cloud computing—cloud security, cloud interoperability, cloud resources and service description, and cloud services discovery and selection—have attracted the attention of researchers as dominant areas where cloud ontologies have made a great impact. The proposed methods in the literature applied 30 ontologies in the cloud domain, and five of the methods are still practiced in the legacy computing environment. From the analysis, it was found that several challenges exist, including those related to the application of ontologies to enhance business operations in the cloud and multi-cloud. Based on this review, the study summarizes some unresolved challenges and possible future directions for cloud ontology researchers.

    Investigating the Relationship between IT and Organizations: A Research Trilogy

    The overall objective of this dissertation is to contribute to knowledge and theory about the influence of information technology (IT) on organizations and their members. This dissertation is composed of three related studies, each examining different aspects of the relationship between IT and organizations. The objective of the first study is to provide an overview of the dominant theoretical perspectives that IS researchers have used in the last five decades to study the influence of technology on organizations and their members. Without being exhaustive, this study seeks more specifically to identify, for each decade, the dominant theoretical perspectives used in the IS field. These dominant theoretical perspectives are illustrated by the selection and description of exemplars published in the decade, and their implications for researchers and practitioners are discussed. This review is useful not only for understanding past trends and the current state of research in this area but also for foreseeing its future directions and guiding researchers in their future research on the influence of IT on organizations and their members. The objective of the second study is to theorize how IT artifacts influence the design and performance of organizational routines. This study adopts organizational routines theory as its theoretical lens. Organizational routines represent an important part of almost every organization, and organizational routines theory is an influential theory that explains how the accomplishment of organizational routines can contribute to both organizational stability and change. However, the current form of this theory has several limitations, such as its neglect of the material aspect of artifacts and the distinctive characteristics of IT artifacts, and its treatment of artifacts as outside of organizational routines. This study seeks to overcome these limitations by extending organizational routines theory. The objective of the third study is to develop a better understanding of information security standards by analyzing the structure, nature and content of their controls. This study also investigates the mechanisms used in the design of information security standards to make them both applicable to a wide range of organizations and adaptable to various specific organizational settings. The results of this study led to the proposition of a new theory for information systems called generative control theory.