
    Enterprise information security policy assessment - an extended framework for metrics development utilising the goal-question-metric approach

    Effective enterprise information security policy management requires review and assessment activities to ensure information security policies are aligned with business goals and objectives. As security policy management involves the elements of the policy development process and the security policy as output, the context for security policy assessment requires goal-based metrics for these two elements. However, current security management assessment methods only provide checklist types of assessment that are predefined by industry best practices and do not allow for developing specific goal-based metrics. Utilizing theories drawn from the literature, this paper proposes the Enterprise Information Security Policy Assessment approach, which expands on the Goal-Question-Metric (GQM) approach. The proposed assessment approach is then applied in a case scenario example to illustrate a practical application. It is shown that the proposed framework addresses the requirement for developing assessment metrics and allows for the concurrent undertaking of process-based and product-based assessment. Recommendations for further research activities include the conduct of empirical research to validate the propositions and the practical application of the proposed assessment approach in case studies to provide opportunities to introduce further enhancements to the approach.

    FEMA's Integration of Preparedness and Development of Robust Regional Offices

    In October 2006, Congress enacted major legislation to reform the function and organization of the Federal Emergency Management Agency (FEMA) in response to the recognized failures in preparation for and response to Hurricane Katrina. The Post-Katrina Emergency Management Reform Act of 2006 (PKEMRA) focused national preparedness responsibilities within FEMA and directed additional resources and responsibilities to FEMA's ten regional offices. Directed by Congress, in October 2008 a National Academy Panel began an independent assessment of FEMA's integration of preparedness functions and progress in development of robust regional offices.

    Main Findings

    Over the past three years, FEMA has taken significant steps in an effort to integrate preparedness and develop more robust regional offices. These efforts, undertaken by both the previous and current Administrations, are documented throughout this report and should be recognized and applauded. However, FEMA has yet to define specific goals and outcomes that would permit it, Congress or the public to determine when preparedness has been fully integrated into all aspects of FEMA's work and whether the development and ongoing operation of robust regional offices has been achieved. In the absence of well-defined, measurable outcome indicators, the National Academy Panel relied upon the assessments of FEMA leaders and staff, documentation provided by FEMA, and a review of secondary source material to inform its findings and recommendations. Based upon this evidence, the Panel has concluded that, while progress has been made: (1) preparedness is not fully integrated across FEMA, (2) FEMA's regional offices do not yet have the capacity required to ensure the nation is fully prepared, (3) stakeholders are not yet full partners with FEMA in national preparedness, and (4) FEMA has ineffective internal business practices, particularly with regard to human resource management.

    The Panel made seven recommendations for FEMA:

    1. Establish a cross-organizational process, with participation from internal and external stakeholders, to develop a shared understanding of preparedness integration;
    2. Establish a robust set of outcome metrics and standards for preparedness integration, as well as a system to monitor and evaluate progress on an ongoing basis;
    3. Work to eliminate organizational barriers that are adversely impacting the full integration of preparedness across the agency;
    4. Continue to build regional office capacity and monitor implementation consistent with the Administrator's recent policy guidance;
    5. Undertake steps to improve the ongoing working relationship between headquarters and the regions in accord with Panel-identified principles;
    6. Take steps to improve stakeholder engagement and relationships at all levels in accord with Panel-identified principles; and
    7. Strengthen internal business practices, especially in the area of human capital planning.

    Department of Homeland Security Science and Technology Directorate: Developing Technology to Protect America

    In response to a congressional mandate and in consultation with the Department of Homeland Security's (DHS) Science and Technology Directorate (S&T), the National Academy conducted a review of S&T's effectiveness and efficiency in addressing homeland security needs. This review included a particular focus on identifying any unnecessary duplication of effort and opportunity costs arising from an emphasis on homeland security-related research. Under the direction of the National Academy Panel, the study team reviewed a wide variety of documents related to S&T and homeland security-related research in general. The team also conducted interviews with more than 200 individuals, including S&T officials and staff, officials from other DHS component agencies, other federal agencies engaged in homeland security-related research, and experts from outside government in science policy, homeland security-related research and other scientific fields.

    Key Findings

    The results of this effort indicated that S&T faces a significant challenge in marshaling the resources of multiple federal agencies to work together to develop a homeland security-related strategic plan for all agencies. Yet the importance of this role should not be underestimated. The very process of working across agencies to develop and align the federal homeland security research enterprise around a forward-focused plan is critical to ensuring that future efforts support a common vision and goals, and that the metrics by which to measure national progress, and make changes as needed, are in place.

    Identity and Access Management System: a Web-Based Approach for an Enterprise

    Managing digital identities and access control for enterprise users and applications remains one of the greatest challenges facing computing today. An attempt to address this issue led to the proposed security paradigm called Identity and Access Management (IAM) service, based on IAM standards. Current approaches such as Lightweight Directory Access Protocol (LDAP), Central Authentication Service (CAS) and Security Assertion Markup Language (SAML) lack comprehensive analysis from conception to physical implementation for incorporating these solutions, thereby resulting in impractical and fractured solutions. In this paper, we have implemented an Identity and Access Management System (IAMSys) using the Lightweight Directory Access Protocol (LDAP), which focuses on authentication, authorization, administration of identities and audit reporting. Its primary concern is verification of the identity of the entity and granting the correct level of access to resources that are protected in either the cloud environment or on-premise systems. A phased-approach methodology was used in the research; it requires any enterprise or organization willing to adopt IAMSys to carry out careful planning and demonstrate a good understanding of the technologies involved. The results of the experimental evaluation indicated that the average rating score is 72.0 % for the participants involved in this study. This implies that IAMSys is a way of mitigating security challenges associated with authentication, authorization, data protection and accountability if properly deployed.

    Verifying and Monitoring IoTs Network Behavior using MUD Profiles

    IoT devices are increasingly being implicated in cyber-attacks, raising community concern about the risks they pose to critical infrastructure, corporations, and citizens. In order to reduce this risk, the IETF is pushing IoT vendors to develop formal specifications of the intended purpose of their IoT devices, in the form of a Manufacturer Usage Description (MUD), so that their network behavior in any operating environment can be locked down and verified rigorously. This paper aims to assist IoT manufacturers in developing and verifying MUD profiles, while also helping adopters of these devices to ensure they are compatible with their organizational policies and to track devices' network behavior based on their MUD profile. Our first contribution is to develop a tool that takes the traffic trace of an arbitrary IoT device as input and automatically generates the MUD profile for it. We contribute our tool as open source, apply it to 28 consumer IoT devices, and highlight insights and challenges encountered in the process. Our second contribution is to apply a formal semantic framework that not only validates a given MUD profile for consistency, but also checks its compatibility with a given organizational policy. We apply our framework to representative organizations and selected devices, to demonstrate how MUD can reduce the effort needed for IoT acceptance testing. Finally, we show how operators can dynamically identify IoT devices using known MUD profiles and monitor their behavioral changes on their network.

    Comment: 17 pages, 17 figures. arXiv admin note: text overlap with arXiv:1804.0435

    Measurement and reporting of climate-smart agriculture: technical guidance for a country-centric process

    Given the extent of climate-smart agriculture (CSA) initiatives at project, national, regional and global levels, there is increasing interest in tracking progress in implementing CSA at the national level. CSA is also expected to contribute to higher-level goals (e.g., the Paris Agreement, the African Union's Vision 25x25, and the Sustainable Development Goals [SDGs]). Measurement and reporting of climate-smart agriculture (MR of CSA) provides necessary intelligence on the status, effectiveness, efficiency and impacts of interventions, which is critical for meeting stakeholders' diverse management and reporting needs. In this paper, we build the case for a stakeholder-driven, country-centric framework for MR of CSA, which aims to increase coordination and coherence across stakeholders' MR activities, while also aligning national reporting with reporting on international commitments. We present practical guidance on how to develop an integrated MR framework, drawing on findings from a multi-country assessment of needs, opportunities and capacities for national MR of CSA. The content of a unified MR framework is determined by stakeholders' activities (how they promote CSA), needs (why MR is useful to them) and current capacities to conduct periodic monitoring, evaluation and reporting (how ready institutions, staff and finances are). Our analysis found that explicit demand for integration of data systems and active engagement of stakeholders throughout the entire process are key ingredients for building an MR system that is relevant, useful and acted upon. Based on these lessons, we identify a seven-step framework for stakeholders to develop a comprehensive information system for MR of progress in implementing CSA.