A method for security governance, risk, and compliance (GRC): a goal-process approach

Authors:
Yudistira Asnar;Fabio Massacci
Affiliations:
Department of Information Engineering and Computer Science, University of Trento, Italy;Department of Information Engineering and Computer Science, University of Trento, Italy
Venue:
Foundations of security analysis and design VI
Year:
2011

Citing 18
Cited 0

A framework for information systems architecture

IBM Systems Journal
Business Modeling With UML: Business Patterns at Work

Business Modeling With UML: Business Patterns at Work
Modelling strategic relationships for process reengineering

Modelling strategic relationships for process reengineering
Tropos: An Agent-Oriented Software Development Methodology

Autonomous Agents and Multi-Agent Systems
Bayesian probabilistic risk analysis

ACM SIGMETRICS Performance Evaluation Review
Security Patterns: Integrating Security and Systems Engineering

Security Patterns: Integrating Security and Systems Engineering
Case handling: a new paradigm for business process support

Data & Knowledge Engineering
Requirements engineering for trust management: model, methodology, and reasoning

International Journal of Information Security
Security in Computing (4th Edition)

Security in Computing (4th Edition)
Enterprise Service Bus

Enterprise Service Bus
Computer-aided Support for Secure Tropos

Automated Software Engineering
Soa: principles of service design

Soa: principles of service design
Engineering Web Applications

Engineering Web Applications
How to integrate legal requirements into a requirements engineering methodology for the development of security and privacy patterns

Artificial Intelligence and Law
Modern Business Process Automation: YAWL and its Support Environment

Modern Business Process Automation: YAWL and its Support Environment
The Risk IT Framework

The Risk IT Framework
Model-Driven Risk Analysis: The CORAS Approach

Model-Driven Risk Analysis: The CORAS Approach
Goal-driven risk assessment in requirements engineering

Requirements Engineering

Quantified Score

Hi-index	0.00

Visualization

Abstract

The Governance, Risk, and Compliance (GRC) management process for Information Security is a necessity for any software systems where important information is collected, processed, and used. To this extent, many standards for security managements at operational level exists (e.g., ITIL, ISO27K family etc). What is often missing is a process to govern security at organizational level. In this tutorial, we present a method to analyze and design security controls that capture the organizational setting of the system and where business goals and processes are the main citizen. The SI*-GRC method is a comprehensive method that is composed of i) a modeling framework based on a requirement engineering framework, with some extensions related to security & GRC concerns, such as: trust, permission, risk, and treatment, 2) a analysis process defining systematical steps in analyzing and design security controls, 3) analytical techniques to verify that certain security properties are satisfied and the risk level is acceptable, and at last 4) a CASE tool, namely the SI* Tool to support analysts in using the method. To illustrate this method, we use a running example on e-Health adapted from a real-life process in an hospital partner.