
    An Assurance Framework for Independent Co-assurance of Safety and Security

    Integrated safety and security assurance for complex systems is difficult for many technical and socio-technical reasons such as mismatched processes, inadequate information, differing use of language and philosophies, etc. Many co-assurance techniques rely on disregarding some of these challenges in order to present a unified methodology. Even with this simplification, no methodology has been widely adopted, primarily because this approach is unrealistic when met with the complexity of real-world system development. This paper presents an alternate approach by providing a Safety-Security Assurance Framework (SSAF) based on a core set of assurance principles. This is done so that safety and security can be co-assured independently, as opposed to unified co-assurance, which has been shown to have significant drawbacks. This also allows for separate processes and expertise from practitioners in each domain. With this structure, the focus is shifted from simplified unification to integration through exchanging the correct information at the right time using synchronisation activities.

    Evolving Challenges In Information Security Compliance

    With the proliferation of computer-driven organizations and internet-based business information systems, the need for security has increased significantly. In addition, information security compliance is becoming a controversial issue among IT professionals. This paper aims to address the concerns arising from compatibility of security standards, compliance cost, certification approval and human involvement that affect compliance management. A unified approach to information security compliance is suggested for organizations seeking to build strong relationships across business and IT departments, improving in that way a company's security value.

    Framework for examination of software quality characteristics in conflict: A security and usability exemplar

    © 2020 The Author(s). This open access article is distributed under a Creative Commons Attribution (CC-BY) 4.0 license. Standards and best practices for software quality guide on handling each quality characteristic individually, but not when two or more characteristics come into conflict, such as security and usability. The objectives of this paper are twofold: (a) to argue for the importance of handling the conflicts between quality characteristics in general; (b) to formulate a framework for conflict examination of the software quality characteristics; we do so while considering the specific case of security and usability. In line with the objectives, a framework called Pattern-oriented Design Framework (PoDF) was formulated. The PoDF provides a mechanism for identification of the conflicts, modeling the conflicts to illuminate the reason for their occurrence, and eliciting the suitable trade-offs between the conflicting characteristics. The suitable trade-offs are thus documented as design patterns. The patterns can assist developers and designers in handling the conflicts in other but similar contexts of use. To validate and instantiate the PoDF, two studies were conducted. Usable security patterns discovered as a result of the studies are also presented in the paper.

    Compliance with the private standards and capacity building of national institutions under globalization: new agendas for developing countries?

    There are two assumptions regarding regulatory instruments under the globalizing economy. These are: (1) the increasing role of private standards in shaping the economic activities of developing countries; and (2) the diminishing role of national institutions in "open" and "liberal" markets. In other words, it was considered that global private standards would eventually replace already weak or absent national and local institutions in developing countries. The purpose of our paper is to suggest an alternative interpretation to this widely held view about national regulations and institutions in developing countries under the "new standard regime" in the food and agricultural sector, where the regulatory framework is traditionally stronger at national level. The role of national regulatory institutions is considered to diminish as the countries compete in the "open" and "liberal" global market since firms are obliged to comply with global private standards. Instead, we have observed cases in developing countries which demonstrate an opposite phenomenon. In these cases, the local and national institutional capacity had actually been enhanced through learning in the "open" and "liberal" market at global level. In other words, we discovered that while the global (private) standards intend to control and shape the economic activities in developing countries through value chains, the local institutions also were transformed in a co-evolutionary manner to sustain the viability of existing local economic activities. This paper hence tries to illustrate our argument with cases from developing countries to demonstrate how the process of adapting to survive in the "new regime" of compliance to global (private) standards may have positive impacts on national and local institutions. Moreover, we intend to highlight some common features of transitions which are taking place in regulatory frameworks within the context of a global "new standards regime" (public-private regulations).
    We will discuss the following cases of standards compliance and their impacts on enhancement of national and local capabilities: (1) the salmon farming industry in Chile, and (2) fresh agricultural products in Mexico. These cases illustrate the complex interactions between global standards (both private and public-private) and national and local institutions. As the cases are slightly different, the comparison brings about interesting dimensions in illustrating institutional capacity building "trajectories" from both private and non-private standards.
    Keywords: Standards, Role of National Institutions, Capacity Building, Latin America, Agri-food

    Italian National Framework for Cybersecurity and Data Protection

    Data breaches have been one of the most common sources of concern related to cybersecurity in the last few years for many organizations. The General Data Protection Regulation (GDPR) in Europe strongly impacted this scenario, as organizations operating with EU citizens now have to comply with strict data protection rules. In this paper we present the Italian National Framework for Cybersecurity and Data Protection, a framework derived from the NIST Cybersecurity Framework that includes elements and tools to appropriately take into account data protection aspects in a way that is coherent and integrated with cybersecurity aspects. The goal of the proposed Framework is to provide organizations of different sizes and nature with a flexible and unified tool for the implementation of comprehensive cybersecurity and data protection programs.

    Unifying The Body Of Knowledge: Why Global Business Requires A Single Model For Information Security

    Every sector in the global economy, from energy through transportation, finance and banking, telecommunications, public health, emergency services, water, chemical, and defense, right down to the industrial and agriculture sectors, is totally dependent on the reliable functioning of its IT assets. Thus anything that threatens these effectively poses a threat to our way of life. And accordingly, almost any effort expended to protect them is both justifiable and necessary. So the obvious question is: "What is the current state of affairs?"

    Selection of penetration testing methodologies: A comparison and evaluation

    Cyber security is fast becoming a strategic priority across both governments and private organisations. With technology abundantly available, and the unbridled growth in the size and complexity of information systems, cyber criminals have a multitude of targets. Therefore, cyber security assessments are becoming common practice as concerns about information security grow. Penetration testing is one strategy used to mitigate the risk of cyber-attack. Penetration testers attempt to compromise systems using the same tools and techniques as malicious attackers, thus attempting to identify vulnerabilities before an attack occurs. This research details a gap analysis of the theoretical vs. the practical classification of six penetration testing frameworks and/or methodologies. Additionally, an analysis of two of the frameworks was undertaken to evaluate each against six quality characteristics. The characteristics were derived from a modified version of an ISO quality model.

    PRIPARE: Integrating Privacy Best Practices into a Privacy Engineering Methodology

    Data protection authorities worldwide have agreed on the value of considering privacy-by-design principles when developing privacy-friendly systems and software. However, on the technical plane, a profusion of privacy-oriented guidelines and approaches coexists, which provides partial solutions to the overall problem and aids engineers during different stages of the system development lifecycle. As a result, engineers find it difficult to understand what they should do to make their systems abide by privacy by design, thus hindering the adoption of privacy engineering practices. This paper reviews existing best practices in the analysis and design stages of the system development lifecycle, introduces a systematic methodology for privacy engineering that merges and integrates them, leveraging their best features whilst addressing their weak points, and describes its alignment with current standardization efforts.

    Management of information security in organizations

    Bachelor's Thesis in Business Administration. Code: AE1049. Academic year 2017-201