A Security Audit Framework to Manage Information System Security

  • Conference paper
Global Security, Safety, and Sustainability (ICGS3 2010)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 92)

Abstract

The widespread adoption of information and communication technology has increased the dependency of organizations on the performance of their Information Systems. As a result, organizations must establish adequate security procedures to properly manage information security, in order to protect their valued or critical resources from accidental or intentional attacks and to ensure their normal activity. A conceptual security framework to manage and audit Information System Security is proposed and discussed. The proposed framework is intended to assist organizations, firstly, to understand precisely which assets they need to protect and what their weaknesses (vulnerabilities) are, enabling adequate security management; and secondly, to provide a security audit framework that supports the organization in assessing the efficiency of the controls and policies adopted to prevent or mitigate the attacks, threats and vulnerabilities, promoted by the advances of new technologies and new Internet-enabled services, to which organizations are subject. The presented framework is based on a conceptual model approach, which contains the semantic description of the concepts defined in the information security domain, based on the ISO/IEC JTC1 standards.

Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Pereira, T., Santos, H. (2010). A Security Audit Framework to Manage Information System Security. In: Tenreiro de Magalhães, S., Jahankhani, H., Hessami, A.G. (eds) Global Security, Safety, and Sustainability. ICGS3 2010. Communications in Computer and Information Science, vol 92. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15717-2_2

  • DOI: https://doi.org/10.1007/978-3-642-15717-2_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-15716-5

  • Online ISBN: 978-3-642-15717-2

  • eBook Packages: Computer Science (R0)