Abstract
The widespread adoption of information and communication technology has increased the dependency of organizations on the performance of their Information Systems. As a result, organizations must establish adequate security procedures to manage information security properly, in order to protect their valued or critical resources from accidental or intentional attacks and to ensure their normal activity. A conceptual security framework to manage and audit Information System Security is proposed and discussed. The proposed framework is intended to assist organizations, first, in understanding precisely which assets they need to protect and what their weaknesses (vulnerabilities) are, enabling adequate security management. Second, it provides a security audit framework that supports the organization in assessing the efficiency of the controls and policy adopted to prevent or mitigate the attacks, threats and vulnerabilities to which organizations are subject, driven by advances in new technologies and new Internet-enabled services. The presented framework is based on a conceptual model approach, which contains the semantic description of the concepts defined in the information security domain, based on the ISO/IEC JTC1 standards.
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
Cite this paper
Pereira, T., Santos, H. (2010). A Security Audit Framework to Manage Information System Security. In: Tenreiro de Magalhães, S., Jahankhani, H., Hessami, A.G. (eds) Global Security, Safety, and Sustainability. ICGS3 2010. Communications in Computer and Information Science, vol 92. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15717-2_2
DOI: https://doi.org/10.1007/978-3-642-15717-2_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-15716-5
Online ISBN: 978-3-642-15717-2