A Security Framework for Audit and Manage Information System Security
Teresa Susana Mendes Pereira
Superior School of Business Studies
Polytechnic Institute of Viana do Castelo
Information System Department
School of Engineering
University of Minho

Abstract—Auditing Information Systems Security is difficult, yet crucial to ensure the daily operational activities of organizations, as well as to promote competition and to create new business opportunities. A conceptual security framework to manage and audit Information System Security is proposed and discussed. The proposed framework builds on a conceptual model approach grounded in the ISO/IEC_JCT1 standards, to assist organizations to better manage their Information
established security standard ISO/IEC_JTCI11.

Keywords-Security audit management, information system security, ontology and conceptual model.

I. INTRODUCTION

Managing information system security is an increasing concern for organizations, due to their continuously growing dependence on technology to conduct their business, to create a competitive advantage and to achieve a higher ROI. Organizations rely significantly on technology, such as the Internet, for business operations and secure business transactions. However, organizations must consider how they are going to cope with a continuously changing risk environment, since technical controls alone no longer guarantee security, which also depends on other security requirements such as legislation, culture or the environment. Currently, security is a fundamental principle for organizations' business performance. As a result, organizations need to evolve their security management strategies in response to evolving information security requirements. A proper security strategy demands a rigorous process, similar to any other business process, in which every agent interacting with critical resources needs to be aware of and participate in security management, both by adopting secure behaviors and by continuously evaluating the performance of security controls.

Regular auditing of information system security is one approach to evaluating an organization's information systems practices and operations. An auditing process makes it possible to obtain evidence of how effectively the organization's information systems security policies maintain the integrity, confidentiality and availability of its assets, the typical organizations security

The paper is structured as follows: section II presents an overview of security management concepts; section III presents the proposed conceptual model, which contains the semantic concepts specified in the information security domain and their relationships, hierarchically structured in an ontology; section IV presents the proposed framework to manage and audit information systems security, based on the ontology structure; conclusions and future work are presented in section V.

II. SECURITY MANAGEMENT

The speed and accessibility of operations promoted by information and communication technologies, particularly the Internet and new Internet-enabled services, lead organizations to become heavily dependent on the performance of their information systems. On the other hand, the evolution of wireless communication and the rapid growth and availability of new services that facilitate accessibility, such as the new cloud computing services, have been gaining popularity not just among organizations but among generic users as well. Although these new solutions offer a better service, with promising technological initiatives at low operating cost, they also bring a set of new and