A Methodology for Describing Information and Physical Security Architectures
IFIP/Sec '92 Proceedings of the IFIP TC11, Eighth International Conference on Information Security: IT Security: The Need for International Cooperation
Superseding Manual Generation of Access Control Specification - From Policies to Profiles
IFIP/Sec '93 Proceedings of the IFIP TC11, Ninth International Conference on Information Security: Computer Security
Organizational Modeling for Efficient Specification of Information Security Requirements
ADBIS '99 Proceedings of the Third East European Conference on Advances in Databases and Information Systems
Electronic information security documentation
ACSW Frontiers '03 Proceedings of the Australasian information security workshop conference on ACSW frontiers 2003 - Volume 21
A standard-compliant integrated security framework
ISPACT'10 Proceedings of the 9th WSEAS international conference on Advances in e-activities, information security and privacy
Information security officers of large organisations have the responsibility, inter alia, to advise senior management on the current level of organisational risk and to oversee the operation of effective security systems within the organisation. Current developments in risk analysis methodologies and system security certification, e.g. ITSEC, can provide security officers with information on the current level of organisational risk and the effectiveness of security systems. However, these activities are commonly undertaken as large one-off projects; hence they do not provide the methodologies or tools that allow security officers to respond to the often ad hoc demands made upon them.

This paper deals with the development of a security model for use by information security officers, either as a method of monitoring the implementation of internal security policy or as a preparatory step before seeking certification. The model comprises three main groups of security information: the information system environment, the information systems themselves, and information system assets. The model serves to indicate the current state of security in the organisation: a threat to the system environment can be traced through to its potential organisational impact, taking into account the current defences in the information processing systems.

The two major areas of research in the project lie in the estimation of security effectiveness from threat-countermeasure diagrams and in the means of inferring business impacts from the interrelationships amongst information processing assets. Current work is directed to the implementation of the model in a hypertext and an object-oriented paradigm.
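The abstract describes tracing a threat through the countermeasures that stand in its way and on through asset dependencies to a business impact. The following is an added illustration of that traceability, not code from the paper or its authors. It assumes a deliberately simple quantification that the paper does not specify: each countermeasure on a threat's path independently stops a fraction of attempts (so residual likelihood is the product of the complements), and compromise of an asset propagates to every asset that depends on it, whose direct impacts are summed. The asset, threat and countermeasure values are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Countermeasure:
    name: str
    effectiveness: float  # assumed fraction of attempts it stops, in [0, 1]


@dataclass
class Asset:
    name: str
    business_impact: float  # assumed direct loss if this asset is compromised
    depends_on: List[str] = field(default_factory=list)  # upstream assets


@dataclass
class Threat:
    name: str
    likelihood: float  # assumed probability of an attempt in the period
    targets: List[str]  # assets the threat reaches directly
    countered_by: List[str]  # countermeasures on the path from environment to target


class SecurityModel:
    """Environment (threats), systems (countermeasures) and assets, as in the abstract."""

    def __init__(self, threats, countermeasures, assets):
        self.threats: Dict[str, Threat] = {t.name: t for t in threats}
        self.countermeasures: Dict[str, Countermeasure] = {c.name: c for c in countermeasures}
        self.assets: Dict[str, Asset] = {a.name: a for a in assets}
        # Reverse the dependency edges once: upstream -> assets that depend on it.
        self._dependents: Dict[str, List[str]] = {}
        for a in self.assets.values():
            for up in a.depends_on:
                self._dependents.setdefault(up, []).append(a.name)

    def residual_likelihood(self, threat: Threat) -> float:
        # Assumption: countermeasures act independently; each lets (1 - e) through.
        p = threat.likelihood
        for cm_name in threat.countered_by:
            p *= 1.0 - self.countermeasures[cm_name].effectiveness
        return p

    def affected_assets(self, start: str) -> Set[str]:
        # Walk downstream through the dependency graph; the seen-set handles cycles.
        seen: Set[str] = set()
        stack = [start]
        while stack:
            cur = stack.pop()
            if cur in seen:
                continue
            seen.add(cur)
            stack.extend(self._dependents.get(cur, []))
        return seen

    def trace(self, threat_name: str) -> dict:
        """Trace one threat from the environment to its organisational impact."""
        threat = self.threats[threat_name]
        affected: Set[str] = set()
        for target in threat.targets:
            affected |= self.affected_assets(target)
        impact = sum(self.assets[a].business_impact for a in affected)
        residual = self.residual_likelihood(threat)
        return {
            "threat": threat_name,
            "residual_likelihood": residual,
            "affected_assets": sorted(affected),
            "expected_impact": residual * impact,
        }

    def organisational_risk(self) -> float:
        """Sum of expected impacts over all threats: the 'current level' figure."""
        return sum(self.trace(t)["expected_impact"] for t in self.threats)


def build_sample_model() -> SecurityModel:
    # Constructed sample data; the numbers are illustrative, not from the paper.
    return SecurityModel(
        threats=[
            Threat("internet_intrusion", 0.6, ["web_app"], ["firewall", "patching"]),
            Threat("insider_db_access", 0.2, ["db_server"], ["access_control"]),
        ],
        countermeasures=[
            Countermeasure("firewall", 0.9),
            Countermeasure("patching", 0.5),
            Countermeasure("access_control", 0.75),
        ],
        assets=[
            Asset("db_server", 100_000.0),
            Asset("web_app", 50_000.0, depends_on=["db_server"]),
            Asset("reporting", 20_000.0, depends_on=["web_app"]),
        ],
    )


if __name__ == "__main__":
    model = build_sample_model()
    for name in model.threats:
        print(model.trace(name))
    print("organisational risk:", model.organisational_risk())
```

Changing one countermeasure's effectiveness and re-running `trace` is the kind of ad hoc question the abstract says security officers face; the asset dependency walk is what turns a compromise of the database into an impact on the reporting system two hops away.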