17 research outputs found

    Compliance framework for change management in cloud environments

    International Mention in the doctoral degree. The Governance, Risk and Compliance (GRC) area is one of the critical management areas for every organization. This is particularly the case for information technology (IT) departments where both human resources and technical infrastructures (software and hardware) need to work seamlessly in order to provide the expected benefits. The study of the literature shows that sound GRC methods are key to running and maintaining secure and compliant computing infrastructures. An important and particularly challenging aspect of the IT landscape is its constant and perpetual evolution in order to keep pace with new and emerging technologies that find their way faster and faster into the organizational infrastructure. Since assessments of risks and compliance aspects always refer to a certain (more or less static) situation, such frequent changes pose a real danger to the overall relevance of these assessments in the mid- and long-term perspective. So, a sound approach to ensuring compliance not only punctually (both in time and space) but holistically – considering the complete IT landscape in a continuous way – needs to integrate with the change management function of the organization. Another important development in the last eight to ten years was the emergence of Cloud Computing (CC) as a straightforward and efficient way of providing IT functionality to organizations. While it poses many various challenges to IT management in general, CC is particularly relevant for GRC as it makes an IT provision approach that was previously sometimes applied – outsourcing – to a predominant approach to provide infrastructure (called Infrastructure-as-a-Service or IaaS), platforms (called Platform-as-a-Service or PaaS), and software (called Software-as-a-Service or SaaS) within an organization. 
CC and outsourcing entail wider challenges for GRC as it involves the inclusion of an external party as a service provider within an organization reflecting specific aspects of provider selection, contract management, service level agreements (SLAs), and monitoring. They become even more challenging in the context of frequent and interdependent changes. Therefore, this thesis is aimed at the definition and validation of a Compliance Framework for Change Management in Cloud Environments (short: CFC MCC). The proposed solution of the problem has been approached from a multidisciplinary point of view taking into consideration aspects from computer science, IT management and IT governance, but also such aspects as legal and cultural dimensions. The proposed solution provides a framework to support the solicitation of requirements from different subject areas (e.g., organizational, technological, cultural) and their subsequent consideration within the change management process of established IT management frameworks such as ITIL. It can be tailored to the specific situation of most organizations and provides a consistent approach to address GRC aspects in rapidly evolving cloud-based organizational IT landscapes. The scientific discourse within the thesis has been structured following best academic practices and recommendations. In the last phase of the research methodology an empirical validation has been performed to verify the applicability of the framework. The data obtained from the validation indicate that the application of the framework for ensuring compliance in CC environments constitutes a relevant improvement of the change management process. The area of governance, risk and compliance (GRC) is one of the key management areas in every organization. In information technology (IT) departments, the area is equally crucial. 
These departments must orchestrate intellectual capital resources and hardware and software infrastructures to contribute to generating business benefits. The literature has shown that a set of procedures in the GRC area is key to delivering the service efficiently by maintaining a secure and compliant technology infrastructure. An important and particularly challenging aspect of the IT environment is its constant evolution, aimed at enabling the adoption of new technologies in support of corporate processes. Since risk assessment and compliance aspects refer to a given situation that can be considered more or less static, continuous changes in the IT environment represent a threat to the incorporation of new technologies in corporate settings from the GRC point of view. A sound approach is therefore needed to guarantee compliance not only at a single point in time and space but comprehensively, considering the IT environment continuously and in integration with corporate change management. Another important development that changes the current situation is the emergence of cloud computing (CC) as an effective and efficient way of providing the IT function in organizations. Although CC raises various challenges for IT administration, it is particularly relevant for GRC because it makes outsourcing of the service a predominant approach to providing infrastructure (called Infrastructure-as-a-Service or IaaS), platforms (called Platform-as-a-Service or PaaS) and software (called Software-as-a-Service or SaaS) within an organization. CC and outsourcing pose broader challenges for GRC, since they involve including an external service provider within an organization. 
This circumstance raises questions concerning provider selection, contract management, service level agreements (SLAs), and the monitoring of relationships and of the services provided. These aspects become an even greater challenge in the context of frequent and interdependent changes in IT. This thesis is therefore directed at the definition and validation of a compliance framework for change management in cloud environments (abbreviated: CFC MCC). The proposed solution has been approached from a multidisciplinary point of view, taking into consideration aspects of computer science, IT management and IT governance, while also incorporating aspects such as the legal and cultural dimensions. The proposed solution provides a framework to support the solicitation of requirements from different areas (for example, organizational, technological, cultural) and their subsequent consideration in the change management process of established IT management frameworks such as ITIL. The framework can be adapted to the specific situation of organizations and provides a consistent approach to addressing GRC aspects in rapidly evolving cloud-based organizational IT environments. The scientific discourse within the thesis has been structured following academic practices and research recommendations. In the last phase of the research methodology, an empirical validation was carried out to verify the applicability of the framework. The data obtained from the validation indicate that applying the framework to guarantee compliance in CC environments constitutes a relevant improvement to the change management process of organizations. Official Doctoral Programme in Computer Science and Technology. Chair: Antonio de Amescua Seco.- Secretary: José Antonio Manzano Calvo.- Member: Ahmed Barnaw

    A process framework for information security management

    Securing sensitive organizational data has become increasingly vital to organizations. An Information Security Management System (ISMS) is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's information security. Key elements of the operation of an ISMS are ISMS processes. However, and in spite of its importance, an ISMS process framework with a description of ISMS processes and their interaction as well as the interaction with other management processes is not available in the literature. Cost benefit analysis of information security investments regarding single measures protecting information and ISMS processes are not in the focus of current research, mostly focused on economics. This article aims to fill this research gap by proposing such an ISMS process framework as the main contribution. It is based on a set of agreed upon ISMS processes in existing standards like ISO 27000 series, COBIT and ITIL. Within the framework, identified processes are described and their interaction and interfaces are specified. This framework helps to focus on the operation of the ISMS, instead of focusing on measures and controls. By this, as a main finding, the systemic character of the ISMS consisting of processes and the perception of relevant roles of the ISMS is strengthened

    Governance, risk, and compliance in cloud scenarios

    Cloud computing is changing the way organizations approach technology and its infrastructure. However, in spite of its attractiveness, cloud computing can be seen as a threat in terms of compliance. Given its intrinsic distributed nature, regulations and laws may differ and customers and cloud providers must find a way to balance increasing compliance pressures with cloud computing benefits. In this paper, the authors present a framework aimed to help organizations to cope with compliance aspects in their cloud-oriented environments. Built upon current literature on the topic and qualitative approaches, the framework has been implemented in two organizations. Results from its contribution are encouraging, leading adopter organizations to fewer reported compliance violations and higher contribution of cloud computing to overall quality of service and organizational compliance management.

    Lifestyles of university students in Bosnia and Herzegovina

    Introduction: Currently, there is a growing interest in alcoholism-related studies among healthcare community. Cigarette smoking is five times more prevalent among adult men compared to women but these gender differences have been decreasing among young people. In developed countries, harmful effects of sedentary lifestyle and physical inactivity have led to increased rates of obesity in young population. The main aim of this study was to explore the lifestyles of students at the University of Sarajevo. We investigated the prevalence of cigarette smoking and alcohol consumption, eating habits, and physical activity in this student population. Methods: Students from Faculty of Health Sciences [FHS], Faculty of Political Science [FPS], and Faculty of Traffic Engineering and Communications [FTEC] voluntarily participated in this questionnaire-based study. We surveyed a total of 410 students. Results: On average, 21.8% of participants consumed cigarettes (a significantly higher number of those who smoked cigarettes was in FPS group). The highest number of students who reported physical activity (recreational or active sport) was in FTEC group (66.5%), and the difference was statistically significant compared to FHS (48.2%) and FPS (51.9%) groups. Over 60% of participants in all three groups experienced stress occasionally. The majority of students in three groups consumed fast food while at campus. The highest number of students in all three groups reported to drink water compared to other drinks. Conclusions: Our results indicate that the lifestyles of university students in Sarajevo are subject to concern. Frequent alcohol consumption and cigarette smoking are typical examples of behaviour that should be reduced through educative programs and workshops

    An Investigation into the Cytotoxic Effects of 13-Acetoxysarcocrassolide from the Soft Coral Sarcophyton crassocaule on Bladder Cancer Cells

    Active compounds from natural products have been widely studied. The anti-tumor effects of 13-acetoxysarcocrassolide isolated from Formosan soft coral Sarcophyton crassocaule on bladder cancer cells were examined in this study. An MTT assay showed that 13-acetoxysarcocrassolide was cytotoxic to bladder female transitional cancer (BFTC) cells. We determined that the BFTC cells underwent cell death through apoptosis by flow cytometry. Due to the highly-migratory nature of the BFTC cells, the ability of 13-acetoxysarcocrassolide to stop their migration was assessed by a wound healing assay. To determine which proteins were affected in the BFTC cells upon treatment, a comparative proteomic analysis was performed. By LC-MS/MS analysis, we identified that 19 proteins were up-regulated and eight were down-regulated. Seven of the proteins were confirmed by western blotting analysis. This study reveals clues to the potential mechanism of the cytotoxic effects of 13-acetoxysarcocrassolide on BFTC cells. Moreover, it suggests that PPT1 and hnRNP F could be new biomarkers for bladder cancer. The results of this study are also helpful for the diagnosis, progression monitoring and therapeutic strategies of transitional cell tumors

    Flare Stars: A Short Review

    This project was carried out by co-author Dzombeta as a "senior thesis" in the Astronomy Major course AST424H, under the supervision of co-author Percy, who has revised and edited it for publication. Flare stars, or UV Ceti stars, are a type of eruptive variable star, defined by their flaring behaviour -- a rapid (minutes) increase in brightness, followed by a slower (hours) decrease. This short review outlines current knowledge about flare stars, their importance, recent research developments, future research directions, and some practical activities for skilled amateur astronomers and students -- the primary audience for this review. Over the past decade, flare stars have been the subject of intensive research, as a result of an abundance of new data, especially from the Kepler and TESS space telescopes. The large statistical samples of data have clarified the relation between flaring and stellar spectral type, luminosity, and rotation. They have allowed for the expansion of the range of spectral types of flare stars, from K and M type dwarfs, to F and G, and possibly even A. They have confirmed the greater frequency of flares on M dwarfs, compared to K, and that flare stars' energies follow a decreasing power law for the number of high-energy flares, although a break in the relationship has also been demonstrated. Current problems in flare-star research include improved modelling of the new observational results, using the dynamo theory which explains the stars' magnetic field. What is the difference, if any, between the dynamo in completely-convective stars such as M dwarfs, and in stars such as the sun with only partial convection zones

    Proposal for a Security Management in Cloud Computing for Health Care

    Cloud computing is actually one of the most popular themes of information systems research. Considering the nature of the processed information especially health care organizations need to assess and treat specific risks according to cloud computing in their information security management system. Therefore, in this paper we propose a framework that includes the most important security processes regarding cloud computing in the health care sector. Starting with a framework of general information security management processes derived from standards of the ISO 27000 family the most important information security processes for health care organizations using cloud computing will be identified considering the main risks regarding cloud computing and the type of information processed. The identified processes will help a health care organization using cloud computing to focus on the most important ISMS processes and establish and operate them at an appropriate level of maturity considering limited resources

    Governance, Risk, and Compliance in Cloud Scenarios

    Cloud computing is changing the way organizations approach technology and its infrastructure. However, in spite of its attractiveness, cloud computing can be seen as a threat in terms of compliance. Given its intrinsic distributed nature, regulations and laws may differ and customers and cloud providers must find a way to balance increasing compliance pressures with cloud computing benefits. In this paper, the authors present a framework aimed to help organizations to cope with compliance aspects in their cloud-oriented environments. Built upon current literature on the topic and qualitative approaches, the framework has been implemented in two organizations. Results from its contribution are encouraging, leading adopter organizations to fewer reported compliance violations and higher contribution of cloud computing to overall quality of service and organizational compliance management

    A process framework for information security management

    Securing sensitive organizational data has become increasingly vital to organizations. An Information Security Management System (ISMS) is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's information security. Key elements of the operation of an ISMS are ISMS processes. However, and in spite of its importance, an ISMS process framework with a description of ISMS processes and their interaction as well as the interaction with other management processes is not available in the literature. Cost benefit analysis of information security investments regarding single measures protecting information and ISMS processes are not in the focus of current research, mostly focused on economics. This article aims to fill this research gap by proposing such an ISMS process framework as the main contribution. It is based on a set of agreed upon ISMS processes in existing standards like ISO 27000 series, COBIT and ITIL. Within the framework, identified processes are described and their interaction and interfaces are specified. This framework helps to focus on the operation of the ISMS, instead of focusing on measures and controls. By this, as a main finding, the systemic character of the ISMS consisting of processes and the perception of relevant roles of the ISMS is strengthened

    Expression of extracellular matrix proteins: tenascin-C, fibronectin and galectin-3 in prostatic adenocarcinoma

    Introduction: The interchanged stromal-epithelial relations and altered expression profiles of various extracellular matrix (ECM) proteins create a suitable microenvironment for cancer development and growth. We support the opinion that remodeling of the extracellular matrix (ECM) plays an important role in the cancer progression. The aim of this study was to examine the expression of ECM proteins tenascin-C, fibronectin and galectin-3 in prostatic adenocarcinoma. Methods: Glands and surrounding stroma were analyzed in randomly selected specimens from 52 patients with prostate cancer and 28 patients with benign prostatic hyperplasia (BPH). To evaluate the intensity of tenascin-C, fibronectin and galectin-3 expression the percentage of positively immunostained stromal cells was examined. Results: Compared to BPH, stroma of prostatic adenocarcinoma showed statistically significant increase in tenascin-C expression (p<0.001), predominantly around neoplastic glands, while fibronectin (p=0.001) and galectin-3 (p<0.001) expression in the same area was decreased. Conclusions: Our study confirms changes in the expression of ECM proteins of prostate cancer which may have important role in the cancer development