
    Data protection regulation ontology for compliance

    The GDPR is the current data protection regulation in Europe. A significant market demand has been created ever since GDPR came into force. This is mostly due to the fact that it can go outside of European borders if the data processed belongs to European citizens. The number of companies who require some type of regulation or standard compliance is ever-increasing and the need for cyber security and privacy specialists has never been greater. Moreover, the GDPR has inspired a series of similar regulations all over the world. This further increases the market demand and makes the work of companies who work internationally more complicated and difficult to scale. The purpose of this thesis is to help consultancy companies to automate their work by using semantic structures known as ontologies. By doing this, they can increase productivity and reduce costs. Ontologies can store data and their semantics (meaning) in a machine-readable format. In this thesis, an ontology has been designed which is meant to help consultants generate checklists (or runbooks) which they are required to deliver to their clients. The ontology is designed to handle concepts such as security measures, company information, company architecture, data sensitivity, privacy mechanisms, distinction between technical and organisational measures, and even conditionality. The ontology was evaluated using a litmus test. In the context of this ontology, the litmus test was composed of a collection of competency questions. Competency questions were collected based on the use-cases of the ontology. These questions were later translated to SPARQL queries which were run against a test ontology. The ontology has successfully passed the given litmus test. Thus, it can be concluded that the implemented functionality matches the proposed design

    Legal compliance by design (LCbD) and through design (LCtD) : preliminary survey

    1st Workshop on Technologies for Regulatory Compliance co-located with the 30th International Conference on Legal Knowledge and Information Systems (JURIX 2017). The purpose of this paper is twofold: (i) carrying out a preliminary survey of the literature and research projects on Compliance by Design (CbD); and (ii) clarifying the double process of (a) extending business managing techniques to other regulatory fields, and (b) converging trends in legal theory, legal technology and Artificial Intelligence. The paper highlights the connections and differences we found across different domains and proposals. We distinguish three different policy-driven types of CbD: (i) business, (ii) regulatory, and (iii) legal. The recent deployment of ethical views, and the implementation of general principles of privacy and data protection, lead to the conclusion that, in order to appropriately define legal compliance, Compliance through Design (CtD) should be differentiated from CbD

    A survey of compliance issues in cloud computing


    Development of an intelligent e-commerce assurance model to promote trust in online shopping environment

    Electronic commerce (e-commerce) markets provide benefits for both buyers and sellers; however, because of cyber security risks, consumers are reluctant to transact online. Trust in e-commerce is paramount for adoption. Trust as a subject for research has been a term considered in depth by numerous researchers in various fields of study, including psychology and information technology. Various models have been developed in e-commerce to alleviate consumer fears, thus promoting trust in online environments. Third-party web seals and online scanning tools are some of the existing models used in e-commerce environments, but they have some deficiencies, e.g. failure to incorporate compliance, which need to be addressed. This research proposes an e-commerce assurance model for safe online shopping. The machine learning model is called the Page ranking analytical hierarchy process (PRAHP). PRAHP builds on the complementary strengths of the analytical hierarchy process (AHP) and Page ranking (PR) techniques to evaluate the trustworthiness of web attributes. The attributes that are assessed are Adaptive legislation, Adaptive International Organisation for Standardisation Standards, Availability, Policy and Advanced Security login. The attributes were selected based on the literature reviewed from accredited journals and some of the reputable e-commerce websites. PRAHP's paradigms were evaluated extensively through detailed experiments on business-to-business, business-to-consumer, cloud-based and general e-commerce websites. The results of the assessments were validated by customer inputs regarding the website. The reliability and robustness of PRAHP were tested by varying the damping factor and the inbound links. In all the experiments, the results revealed that the model provides reliable results to guide customers in making informed purchasing decisions. 
    The research also reveals hidden e-commerce topics that have not received attention, which generates knowledge and opens research questions for future researchers. These ultimately made significant contributions in e-commerce assurance, in areas such as security and compliance through the fusing of AHP and PR, integrated into a decision table for alleviating trustworthiness anxiety in various e-commerce transacting partners, e-commerce platforms and markets.
    College of Engineering, Science and Technology. D. Phil. Information System

    Cyber-Security Policy Decisions in Small Businesses

    Cyber-attacks against small businesses are on the rise, yet small business owners often lack effective strategies to avoid these attacks. The purpose of this qualitative multiple case study was to explore the strategies small business owners use to make cyber-security decisions. Bertalanffy's general systems theory provided the conceptual framework for this study. A purposive sample of 10 small business owners participated in the interview process and shared their decision-making methodologies and influencers. The small business owners were vetted through a series of qualification questions to ensure their strategies were effective. The intent of the research question and corresponding interview questions was to identify strategies that successful small business owners use to make cyber-security decisions. Data analysis consisted of coding keywords, phrases, and sentences from semi-structured interviews as well as document analysis. The following themes emerged: government requirements, peer influence, budgetary constraints, commercial standards, and lack of employee involvement. According to the participants, budgetary constraints and peer influence were the most influential factors when making decisions regarding cyber-security strategies. Through exposing small business owners to proven strategies, the implications for social change include a reduction of their small business operating costs and assistance with compliance activities

    Privacy and security in the clouds: IT security and privacy standards in the EU and US

    Cloud computing represents a revolutionary service model for accessing information technology (IT) services, and an opportunity for governments to reduce maintenance costs of IT infrastructure. However, relying on commercial cloud services may prove challenging for privacy and security if cloud service providers cannot guarantee adequate standards for their services. In this thesis, I analyze four IT security standards, comparing them alongside each other. ISO/IEC 27001 and SOC 2 are two international IT frameworks issued by non-government organizations and available since 2005. FedRAMP and C5 are two more recent cloud-specific standards, respectively issued by the US and German governments. Examining the four standards in comparison, and evaluating their completeness and adequacy in guaranteeing information assurance in cloud environments, I question whether they really represent an improvement in cloud security, what their shortcomings are, and ultimately the necessity of new cloud security standards in the already crowded IT security landscape. I combine a broad contextual analysis with empirical results to help understand the reasons for creating C5, and shed light on its role in the EU political agenda

    Application Security Verification Standard Compliance Analysis of a Low Code Development Platform

    Low-code development platforms (LCDPs) are software development platforms that use artificial intelligence to help automate simple and routine tasks and make the software development process faster. By 2024, 60% of application development is expected to be done using these platforms. Even though these platforms are gaining popularity, they have not been popular research topics, and their security features have not been assessed. One way to conduct such an assessment is by using the Application Security Verification Standard (ASVS). ASVS is a community-driven security standard for web applications and services. ASVS is made up of three requirement levels, and the security controls become stricter when moving up a level. ASVS is designed to give organizations a tool to develop and maintain more secure applications. One example of an LCDP is OutSystems, which is said to be "designed for the developers, by the developers". OutSystems belongs to the Leader category in the 2021 release of the Gartner® Magic Quadrant™ for Enterprise Low-Code Application Platforms. In this thesis, we will conduct a first-of-its-kind compliance analysis between OutSystems and ASVS levels 1 and 2 to find out if and how compliant OutSystems is with the standard. This kind of compliance analysis has not been done before. Based on our analysis, we will do a "lessons learned" and write a guideline on how to evaluate LCDPs' security features in the future. The results themselves show that OutSystems, for the most part, is compliant with ASVS. The biggest deficiencies in OutSystems are with authentication and input validation. We show that the deficiencies with authentication are trivial to fix, but meeting the requirements for input validation requires some work. From the assessment, we learned that assessing LCDPs is not completely similar to a traditional security assessment. We learned that some functionalities are pre-made, and the developer cannot customise them. We found that it is easier to evaluate first whether the platform meets the requirement; if not, then see if the developer can do something about it

    Holding on to Compliance While Adopting DevSecOps: An SLR

    The software industry has witnessed a growing interest in DevSecOps due to the promise of integrating security in the software development lifecycle. However, security compliance cannot be disregarded, given the importance of adherence to regulations, laws, industry standards, and frameworks. This study aims to provide an overview of compliance aspects in the context of DevSecOps and explore how compliance is ensured. Furthermore, this study reveals the trends of compliance according to the extant literature and identifies potential directions for further research in this context. Therefore, we carried out a systematic literature review on the integration of compliance aspects in DevSecOps, which rigorously followed the guidelines proposed by Kitchenham and Charters. We found 934 articles related to the topic by searching five bibliographic databases (163) and Google Scholar (771). Through a rigorous selection process, we selected 15 papers as primary studies. Then, we identified the compliance aspects of DevSecOps and grouped them into three main categories: compliance initiation, compliance management, and compliance technicalities. We observed a low number of studies; therefore, we encourage further efforts into the exploration of compliance aspects, their automated integration, and the development of metrics to evaluate such a process in the context of DevSecOps.

    The ISO/IEC 27001 information security management standard: literature review and theory-based research agenda

    Purpose – After 15 years of research, this paper aims to present a review of the academic literature on ISO/IEC 27001, the most renowned standard for information security and the third most widespread ISO certification. Emerging issues are reframed through the lenses of social systems thinking, deriving a theory-based research agenda to inspire interdisciplinary studies in the field. Design/methodology/approach – The study is structured as a systematic literature review. Findings – Research themes and sub-themes are identified on five broad research foci: relation with other standards, motivations, issues in the implementation, possible outcomes and contextual factors. Originality/value – The study presents a structured overview of the academic body of knowledge on ISO/IEC 27001, providing solid foundations for future research on the topic. A set of research opportunities is outlined, with the aim of inspiring future interdisciplinary studies at the crossroads between information security and quality management. Managers interested in the implementation of the standard and policymakers can find an overview of academic knowledge useful to inform their decisions related to implementation and regulatory activities
