Security and Control in the Cloud

ABSTRACT

Cloud computing is a new IT delivery paradigm that offers computing resources as on-demand services over the Internet. Like all forms of outsourcing, cloud computing raises serious concerns about the security of the data assets that are outsourced to providers of cloud services. To address these security concerns, we show how today's generation of information security management systems (ISMSs), as specified in the ISO/IEC 27001:2005, must be extended to address the transfer of security controls into cloud environments. The resulting virtual ISMS is a standards-compliant management approach for developing a sound control environment while supporting the various modalities of cloud computing.

This article addresses chief security and/or information officers of cloud client and cloud provider organizations. Cloud clients will benefit from our exposition of how to manage risk when corporate assets are outsourced to cloud providers. Providers of cloud services will learn what processes and controls they can offer in order to provide superior security that differentiates their offerings in the market.     

信息安全风险评估的定量与定性分析方法

在信息安全领域,对信息系统进行风险评估十分重要,其最终目的就是要指导决策者在“投资成本”和“安全级别”这两者之间找到平衡,从而为等级优化的资产风险制定保护策略和缓和计划。本文基于BS7799的结构特点阐述了定性与定量的分析方法在风险评估过程中的应用。     

一种实时的信息安全风险评估方法

信息安全风险评估是信息系统风险管理的重要组成部分,是建立信息系统安全体系的前提和基础。论文简要介绍了信息安全风险评估,进而提出了一种定性、定量评估相结合的实时的信息安全风险评估方法。该方法通过分析系统的资产、弱点和威胁,根据安全设备产生的安全事件,实时地评估信息系统的风险。     

组合对象信息安全风险评估研究

风险评估已经成为信息安全管理的重要组成部分,其方法的选择直接影响着风险结果的准确性和客观性,进而会影响到组织的整体信息安全水平。目前很多评估方法仅能对单个资产的威胁和脆弱性进行分析,并直接采用调查问卷或矩阵的方式得到风险,而没有从面向对象的角度给出威胁相对于系统的客观的整体风险值。论文提出了一种针对组合对象的定性与定量相结合的风险评估方法,有效解决了上述问题,并给出了合理的风险计算公式。     

Goal Setting and Trust in a Security Management Context

ABSTRACT

Information security can be viewed as the efficient control of uncertainty arising from malicious acts intended to exploit valuable assets and in the context of information systems the valuable assets under consideration are data. A large part of information security approaches is technical in nature with less consideration on people and organizational issues. The research presented in this paper adopts a broader perspective and presents an understanding of information security in terms of a socio-organizational perspective. In doing so, it uses the goal-setting approach to identify any possible weaknesses in security management procedures in relation to trust among the members of information technology groups in communicating efficiently security risk messages. Data for the research were collected through in-depth interviews within three case studies. Interview results suggest that goal setting and trust are interrelated in managing information security. The research contributes to interpretive information systems with the study of goal setting and trust in a security management context.     

基于评估流程的信息安全风险的综合评估

对信息安全风险评估提出了一种新的评估方式。根据风险评估流程,采用模糊综合评判法和AHP方法相结合的方法,对信息系统安全风险进行综合评估。采用模糊综合评判的方法,对资产、威胁、脆弱性进行评估,判断资产的风险等级,求出资产风险值,对系统风险进行定量评定。在评估资产时,对资产的安全特性：机密性、完整性、可用性,采用AHP的方法,构造比较判断矩阵,求出各因素的权重。通过实例验证,该方法操作方便,评估结果准确,具有一定的实际意义。     

信息系统安全风险评估定量方法比较研究

信息系统安全风险评估方法主要分为定性风险评估方法和定量风险评估方法,介绍了三种常用的定量风险评估方法,通过分析和研究各种方法的特点、可操作性、可行性和应用领域,指导企业、组织针对自己信息系统的特点选择适合自己的安全风险评估方法,依靠风险评估的结果使得企业、组织能够准确定位风险管理的策略、实践和工具,将安全活动的重点放在重要的问题上,选择低成本、高效益、适用的安全对策。     

基于云计算模式的信息安全风险评估研究

该文介绍了云计算的概况和面临的安全威胁,结合传统信息安全风险评估工作,分析了云计算信息安全风险评估中需要考虑的评估指标,重点论述了信息资产评估识别过程,给出了基于云计算的信息安全风险定量计算方法。     

综合风险评估工具的设计与实现

研究了信息安全风险评估工具的分类方法与发展趋势,在分析国内外多种风险评估方法的基础上,设计并实现了一个综合风险评估工具。该工具是多专家评估系统,集成了安全管理评价工具、系统软件评估工具和风险评估辅助工具3类工具的功能,运用定量和定性相结合的方法进行风险评估,为提高风险评估效率、确保评估结果的科学性提供了有力支持。     

An Information Security Governance Framework

ABSTRACT

Information security culture develops in an organization due to certain actions taken by the organization. Management implements information security components, such as policies and technical security measures with which employees interact and that they include in their working procedures. Employees develop certain perceptions and exhibit behavior, such as the reporting of security incidents or sharing of passwords, which could either contribute or be a threat to the securing of information assets. To inculcate an acceptable level of information security culture, the organization must govern information security effectively by implementing all the required information security components. This article evaluates four approaches towards information security governance frameworks in order to arrive at a complete list of information security components. The information security components are used to compile a new comprehensive Information Security Governance framework. The proposed governance framework can be used by organizations to ensure they are governing information security from a holistic perspective, thereby minimising risk and cultivating an acceptable level of information security culture.     

基于AHP和模糊综合评判的信息安全风险评估

从信息安全风险评估的原理和研究现状入手,提出了基于层次分析法（AHP）和模糊综合评判的信息安全风险评估的方法,解决了风险评估中定性指标定量评估的难点。最后给出实例,证明该方法能有效地应用于信息安全风险评估。     

信息安全风险评估工具的设计与实现

研究了信息安全风险评估工具的分类方法与发展趋势,在参考国内外评估方法和评估工具的基础上,对风险评估工具进行了设计与实现。该工具是专家评估系统,根据自定义的安全策略和安全基线动态生成调查问卷表,运用定量和定性相结合的方法进行风险评估,为提高风险评估效率、确保评估结果的科学性提供了有力支持。     

Social Psychological Variables That Contribute to Resistance to Security Assessment Findings

Abstract

It is not uncommon for IT executive management to require sufficient time to review and digest the findings of a security or disaster recovery risk assessment or the recommendations of a follow-on remediation plan. This is normal and is to be expected. Security remediation or the institution of a disaster recovery plan is costly and resource intensive. But soon a milestone is passed and the security consultant realizes that by the time any action is to be taken by executive management, the findings of the assessment have decayed and the information from several months ago can no longer serve as the information for decision making today. In some instances, consultants have observed management, prompted by audit findings and resulting hard implementation dates, attempting to suddenly act on assessment findings that are months to years old. Other forms of non-action are to belatedly proceed with the security remediation, only to have the project flounder due to non-support.     

基于可拓集的信息安全风险评估

针对信息安全风险评估中风险要素关系复杂、评价因素难以准确度量的问题,以威胁为中心组织风险要素、建立风险评估模型并实现基于可拓集的风险评价方法。此模型应用资产、弱点和控制措施对威胁发生可能性和后果进行评估,并呈现系统风险的层次结构。基于此模型,可拓集方法将评价因素的定性表达区间化并利用区间关联函数实现定性向定量的转化,然后根据定量的风险关联度向量对系统风险做出定性的判决,从而实现系统风险的定性与定量相结合的评估。具体的实例分析表明了此方法的可行性和有效性。     

基于可拓集的软件工程安全监理的研究

针对软件工程的信息安全监理中各风险因子间的关联性及评价因素难以精确度量的问题,将可拓集方法与软件工程中信息风险因子结合,建立风险评估模型并实现基于可拓集的安全监理方法.基于该监理模型,可拓集方法将评价因素的定性表达区间化并利用区间关联函数实现定性定量的转化,从而实现风险的定性与定量相结合的评估,达到更好的监理效果.     

Assuring Data Security Integrity at Ford Motor Company

Abstract

Security auditing methods have not changed markedly from those first developed for the stand-alone computer environments of the 1960s. These methods were adequate for their time, but modern information system technology has made auditing computer security a much more imposing problem. There are numerous reasons for this. Personal computers have placed powerful tools for exploration and hacking onto everyone's desk. Networks have revolutionized the exchange of information, but they have also provided a direct path for hackers to attack and compromise critical computer assets. Even more threatening, employees and contractors can often readily gain unrestricted access to even the most sensitive information simply because standards for protection have not been designed or implemented. In this environment, bookkeeping-based auditing methods not only fall short, but can create a misleading impression that security is under control.     

Maximizing business information security's educational value

A business information security course's goals and objectives are quite different from most traditional security courses, which focus on designing and developing new security technologies. Business information security primarily concerns the strategic, tactical, and operational management issues surrounding the planning, analysis, design, implementation, and maintenance of an organization's information security program. Core issues include asset valuation, auditing, business continuity planning, disaster recovery planning, ethics, organizational communication, policy development, project planning, risk management, security awareness education and training, and various legal issues such as liability and regulatory compliance. Because businesses can't afford to mitigate all security risks, students must learn methods to identify and justify the optimal amount of expenditures to ensure that their information assets are sufficiently protected. Students should also understand the technical components of security so they can appreciate the problems experienced by the people they manage. This paper describes my experiences in developing a business information security course that provides students the knowledge arid experience to succeed in today's competitive information-intensive corporate environment.     

运营商安全资产管理技术研究

目前运营商资产管理主要为传统意义上的固定资产管理,资产的安全状况、安全基线等安全信息缺失严重,无法应对日益严峻的安全形势.本文从资产脆弱性、资产威胁、系统定级、安全评估、KPI考核等多个层面,探讨运营商资产安全管理如何实现,安全资产管理系统如何设计.     

机载系统安保风险评估方法

针对影响民用飞机机载系统安全的信息安保威胁问题,通过研究ISO27005和航空工业标准,提出了一种适用于机载系统的安保风险评估方法。该方法基于威胁条件和威胁场景进行系统脆弱性分析,并结合传统的飞机安全性分析方法与安保风险评估方法,提出一套可量化的风险值计算方法。通过关系矩阵在安全性与安保等级间建立了相关性,为系统需求和架构设计提供了依据。实例验证结果表明,该方法能提供正确与可信的机载系统安保风险评估数据。     

Incorporating HIPAA Security Requirements into an Enterprise Security Program

Abstract

HIPAA Security regulations are forcing many organizations to secure electronic individually identifiable health information. Some side benefits of such an undertaking are improving information management processes, creating a foundation for compliance with other regulations, and maintaining their level of readiness within a security program that aligns with the HIPAA security risk- based approach. This provides effective, enterprisewide risk management.