Toward An Effective Information Security Risk Management


(IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 5, No. 6, 2014

Toward an Effective Information Security Risk Management of Universities' Information Systems Using Multi Agent Systems, ITIL, ISO 27002, ISO 27005

S. FARIS, S. EL HASNAOUI, H. MEDROMI, H. IGUER, A. SAYOUTI
EAS Team, LISER Laboratory, ENSEM, Casablanca, MOROCCO

Abstract—Universities in the public and private sectors depend on information technology and information systems to successfully carry out their missions and business functions. Information systems are subject to serious threats that can have adverse effects on organizational operations and assets, and on individuals, by exploiting both known and unknown vulnerabilities to compromise the confidentiality, integrity, or availability of the information being processed, stored or transmitted by those systems. Threats to information systems can include purposeful attacks, environmental disruptions, and human/machine errors, and can result in harm to the integrity of data. Therefore, it is imperative that all the actors at all levels in a university information system understand their responsibilities and are held accountable for managing information security risk, that is, the risk associated with the operation and use of information systems that support the missions and business functions of their university.

The purpose of this paper is to propose an information security toolkit, namely URMIS (University Risk Management Information System), based on multi agent systems and integrating with existing information security frameworks and standards, to enhance the security of universities' information systems.

Keywords—Information security; information systems; multi agent systems; ITIL V3; ISO 27002; ISO 27005

I. INTRODUCTION

Information systems (ISs) are everywhere.
They have a large impact on the everyday lives of universities as well as on individuals. At the heart of information systems, security aspects play a vital role and are thus becoming central issues in those systems' effective usage.

The importance of security technologies and of their enabling technical platforms has been widely recognized and receives continuous attention (e.g., new encryption algorithms, public key infrastructures, etc.).

For some people, security management issues start with updating an antivirus database, but from a more serious perspective, universities understand that security concerns are the source of important costs, not only in terms of technologies but especially in terms of related management activities.

There are emerging calls for an integrated view of information security, from the technological, human, and organizational aspects, sometimes referred to as MTO (Man, Technology, and Organization). However, there is a lack of methods for tackling the MTO issues in information security. One line of research focuses on the development of information security checklists and standards in order to capture best practice. Another line of research focuses on risk assessment by identifying the threats and vulnerabilities, and then determining the likelihood and impact for each risk. Risk assessment can either be qualitative, categorizing low, medium and high risks, or quantitative, calculating the value of the "Annualized Loss Expectancy".

This paper is presented as follows: after a brief introduction, in section two a survey of available information security risk management methods and tools will be presented, and then the standards ISO 27002, ISO 27005, and the ITIL framework will be described. Then, in the third section, the toolkit URMIS will be proposed and the multi agent system

114 Page | www.ijacsa.thesai.org

will be introduced. The fourth section will propose the architecture, before concluding this paper.

II. STATE OF THE ART

A. Risk Management tools and frameworks

An organizational risk is the risk to the organization or to individuals associated with the operation of an information system. The management of organizational risk is a key element in the organization's information security program and provides an effective framework for selecting the appropriate security controls for an information system: the security controls necessary to protect individuals and the operations and assets of the organization.

The common view a Risk Assessment Framework (RAF) provides helps an organization see which of its systems are at low risk for abuse or attack and which are at high risk. The data an RAF provides is useful for addressing potential threats proactively, planning budgets and creating a culture in which the value of data is understood and appreciated.

There are several risk assessment frameworks and risk management methods that are accepted as industry standards; they are listed in the figure below.

Fig. 1. Risk Management methods and frameworks

None of these tools implement the multi agent system approach.

The incorporation of information and communication technology in Moroccan universities involves the need to secure data in information systems.

There is very little research related to the application of multi agent systems (MAS) in information system security. Besides that, these tools are difficult to use because they require a certain level of knowledge. Moreover, they don't provide recommendations or immediate solutions to security issues; they just give guidelines to follow in order to ensure effective security of the information system.

Based on the methodologies aforementioned, and other works described in [4] [5] [6] [10] [11], we propose an integration of the use of ISO 27002, ISO 27005, ITIL, and multi agent systems to develop an information security risk management tool for universities' information systems named URMIS (Universities Risk Management Information System).

B. ISO 27002

The ISO 27002 standard is a collection of information security guidelines that are intended to help an organization implement, maintain, and improve its information security management. It is a code of good practices that provides hundreds of potential controls that are designed to be implemented with guidance provided within ISO 27001.

The strengths of ISO 27002 are listed below:
- Optimize the costs of ISS by associating with ISO 27001
- Increased knowledge of risk management
- Does not require a technical solution

Whereas its weaknesses are listed below:
- Optimize the costs of ISS by associating with ISO 27001
- Increased knowledge of risk management
- Does not require a technical solution

In the current version, published in 2013, ISO 27002:2013 contains 114 controls, as opposed to the 133 documented within the 2005 version. However, for additional granularity, these are presented in fourteen sections, rather than the original eleven.

C. ISO 27005

ISO 27005 is intended to provide guidelines for information security risk management. It is used either autonomously or as a support for ISO 27001. It supports the general concepts specified in ISO 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. It does not specify or recommend any specific risk analysis method, although it specifies a structured, systematic and rigorous process from analyzing risks to creating the risk treatment plan.

The strengths of ISO 27005 are as follows:
- Flexible and reusable
- Continuous risk management
- Highlighting the human factor: the concept of responsibility

Whereas its weaknesses are as follows:
- No specific methodology for risk management

The figure below gives an overview of the information security risk management process in ISO 27005.

Fig. 2. Information Security Risk Management process

D. ITIL V3

The Information Technology Infrastructure Library (ITIL) is a framework of best practices that promote quality computing services in the IT sector. ITIL is the most widely accepted approach to IT service management in the world. ITIL provides a cohesive set of best practice, drawn from the public and private sectors internationally. ITIL presents a broad set of management procedures, which apply to all aspects of IT infrastructure, with which an organization can manage its IT operations (Zegers, 2006; Wegmann, 2008).

The ITIL v3 Core consists of five publications, each providing guidance on a specific phase in the service management lifecycle. The ITIL Core publications are as follows:
- Service strategy
- Service design
- Service transition
- Service operation
- Continual service improvement

ITIL can help companies assess their risks, and put procedures in place to log and respond to incidents. ITIL, and more specifically the ITIL security management process, is widely used for the implementation of information security within an organization. ITIL v3 has placed the information security management process within the Service Design core practice book. The goal of the information security management process is to align IT security with business security and ensure that information security is effectively managed in all services and service management activities (OGC, 2007; Taylor, 2008).

E. Information security

Confidentiality, integrity and availability are basic requirements for business information security and provide the maintenance requirements of the business (ITGI, 2009), (Kwok and Longley, 1999), (Fitzgerald, 2007), (Sêmola, 2003), (Dias, 2000), (Moreira, 2001).
- Confidentiality (C): All information must be protected according to the degree of privacy of its content, aimed at limiting its access and use to the people for whom it is intended;
- Integrity (I): All information must be kept in the same condition in which it was released by its owners, in order to protect it from tampering, whether intentional or accidental;
- Availability (A): All the information generated or acquired by an individual or institution should be available to its users at the time they need it for any purpose.

III. OBJECTIVES AND IMPORTANCE OF THE RESEARCH

The major objective of this work is to design and implement an integrated toolkit for improving risk management of a university information system.

This work explores how to promote integration and the establishment of a toolkit that would allow each university to have reliable data on higher education, driving better management and improving their governance and risk management.

Implementing this toolkit involves taking a proactive, strategic and measured approach that is more efficient than the reactive one used in many universities. This can be achieved through a strategic integration of appropriate frameworks, models and methods in governance and information security. Analyzing the relevant frameworks, models and methods used in the aforementioned domains, and extracting the best practices for implementing them in URMIS, can provide effective security of university IS assets.

A. The proposed toolkit

URMIS (Universities Risk Management Information System) is an information security toolkit that provides guidance policies to achieve an effective information security risk management in universities' information systems.

With the intention of implementing the task of information security risk management, URMIS needs to collect data about the status of information assets, recognize kinds of risk, and perform the risk management task based on a well-defined risk management process. That means the working environment of URMIS consists of knowledge, data, processes and strategies. However, knowledge, data, processes and strategies are resources with different formalizations, and it is complex work to design an interface for each resource. This work is based on the multi agent systems approach because of its benefits: it encompasses cooperation, resolution of complex problems, modularity, efficiency, reliability and reusability. All these advantages provided by MAS fit these needs.

B. Agent and Multi agent systems (MAS)

Jennings and Wooldridge [Jennings & Wooldridge 1998] have defined an agent as "a computer system located in a certain environment which is able to act autonomously in this environment, in order to meet its design goals". Agents have the following main properties and characteristics:
- Autonomy: agents encapsulate a state (which is not available to other agents), and make decisions on what to do based on this state, without direct intervention of humans or others;
- Social ability: agents interact with other agents (and possibly humans) via some kind of agent communication language, and generally have the opportunity to participate in social activities (such as cooperation for solving problems or negotiating) to achieve their goals;
- Reactivity: agents are placed in an environment (which may be the physical world, a user via a graphical interface, a collection of other agents, the internet, or perhaps a combination of many of these), are able to perceive this environment (through the use of potentially imperfect sensors), and are able to respond in a timely way to changes that occur in it;
- Proactivity: agents do not simply act in response to their environment; they are able to solve a problem by taking the initiative.

A multi-agent system (MAS) is a system composed of several intelligent agents that interact with each other. They can be used to solve problems that are difficult or impossible for an individual agent or monolithic system to solve. Multi-agent systems are open and scalable systems that enable the implementation of autonomous and proactive software components. They are characterized by local autonomy, social interaction, adaptability, robustness and scalability, and for these reasons they are a very promising paradigm for addressing the challenges facing automation and control systems.

IV. URMIS INFORMATION SECURITY ARCHITECTURE

A. Model-View-Controller (MVC)

URMIS is based upon the widely used Model-View-Controller (MVC) architecture common in interactive web based applications. MVC separates the layers: the presentation layer (UI: User Interface), the business layer (BLL: Business Logic Layer) and the data access layer (DAL: Data Access Layer). The goal is to have a minimum of dependency between the different layers of the application, so that changes made to any layer of the application do not affect the other layers.

B. URMIS architecture

URMIS is composed of five layers: client layer, mediator layer, service layer, risk management layer and resource layer. The system is based on the following multi agent systems: client agents, mediator agent, service agents, risk agents, incident agent and internet agent. Figure 4 below represents the architecture of URMIS.

Fig. 3. URMIS architecture

Client agents: They consist of all agents on the client layer, namely the teacher agent, the student agent, and the administrative body agent. They manage the interaction between the users (teachers, students and administrative body) and the system. They allow users to connect to the system by specifying their names, email addresses and id. Every user has a unique id; this field distinguishes whether the user is a teacher, a student or an administrative body. The id is composed of eight alphanumeric characters; a teacher's id starts with the character "t", a student's id starts with "s", and an administrative body's id starts with "ab". Client agents communicate with the mediator agent by sending the users' connection information. In case of a connection incident (password or id forgotten), the user can ask for a solution by sending his request to the risk multi agent system.
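The identifier scheme above (eight alphanumeric characters, prefix "t", "s" or "ab") and the mediator agent's identity-and-permission check, worked through as an added example. This is not code from the URMIS paper: the service names, the user table and the category-to-service permissions are constructed sample data, and the rule that the database record, not the id prefix, is authoritative for the category is an assumption of the example.

```python
import re
from dataclasses import dataclass

# Added example, not the paper's code. Models the client-agent id format and
# the mediator agent's check: identity, category, then service permission.
# Every failed check drops the request and answers FAILURE, as the paper states.

ID_PATTERN = re.compile(r"^[A-Za-z0-9]{8}$")

# Prefix -> category, checked in this order (multi-character prefix first).
CATEGORY_PREFIXES = (("ab", "administrative_body"), ("t", "teacher"), ("s", "student"))


def category_from_id(user_id: str):
    """Category implied by the id prefix, or None if the id is malformed or
    carries a prefix the scheme does not define."""
    if not ID_PATTERN.match(user_id):
        return None
    for prefix, category in CATEGORY_PREFIXES:
        if user_id.startswith(prefix):
            return category
    return None


# Constructed sample of the database the mediator consults: registered users
# with their category, and the services each category may access.
USERS = {
    "t1a2b3c4": "teacher",
    "s9z8y7x6": "student",
    "ab000001": "administrative_body",
    "sbadrec1": "teacher",  # constructed inconsistent record (prefix says student)
}
SERVICES_BY_CATEGORY = {
    "teacher": {"grades", "courses"},
    "student": {"courses", "enrolment"},
    "administrative_body": {"enrolment", "records"},
}


@dataclass
class Reply:
    status: str       # "FORWARDED" or "FAILURE"
    destination: str  # service agent name when forwarded, "" otherwise
    reason: str


def mediate(user_id: str, service: str) -> Reply:
    """Mediator agent decision for one service request."""
    prefix_category = category_from_id(user_id)
    if prefix_category is None:
        return Reply("FAILURE", "", "malformed id")
    registered = USERS.get(user_id)
    if registered is None:
        return Reply("FAILURE", "", "unknown user")
    if registered != prefix_category:
        # The prefix is only a hint carried by the client; the database wins.
        return Reply("FAILURE", "", "category mismatch")
    if service not in SERVICES_BY_CATEGORY[registered]:
        return Reply("FAILURE", "", "not authorised for service")
    return Reply("FORWARDED", f"{service}_service_agent", "ok")


if __name__ == "__main__":
    for uid, svc in [("t1a2b3c4", "grades"), ("s9z8y7x6", "grades"),
                     ("ab000001", "records"), ("x1234567", "courses")]:
        print(uid, svc, mediate(uid, svc))
```

The cross-check between the id prefix and the stored category is the point worth keeping even if the rest is replaced: a client agent chooses its own id, so the prefix alone must never decide which services are reachable.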

Mediator agent: This agent acts like a security checker. It checks the identities of the users so it can allow them to access the service layer. It also performs a permission check of the user's access rights and, thereafter, allows him to use the service for which he is authorized. In order to have their needs processed, a user requests a service from the mediator agent, which then forwards the messages to the destination (service agents) if the access is granted, or drops the message and returns a FAILURE message to the sender otherwise. To guarantee a high level of performance, several mediator agents can be triggered to distribute the work among them. To distinguish between the requesting agents, it is necessary for the mediator agent to link the user with its category (teacher, student or administrative body). Therefore, the mediator consults the database in which are stored the users, their corresponding category, and the types of services they can access.

Service agents: These agents communicate with the resource layer to accomplish their tasks.

Risk agents: In the risk management layer we have four agents, namely the risk identification agent, the risk estimation agent, the risk evaluation agent and the risk treatment agent.
- Risk identification agent: It contains in its knowledge base the risks that could potentially prevent URMIS from achieving its goals. It includes documenting and communicating to the users, in case of a bad use of URMIS, a list of threats, vulnerabilities and risks that can affect the system.
- Risk estimation agent: This agent calculates the likelihood of an incident happening, by applying the risk formula risk = threat * vulnerability * impact.
- Risk evaluation agent: It classifies the risk based on the ISO 27005 risk assessment matrix (very low, low, medium, high, very high).
- Risk treatment agent: It is in charge of selecting and implementing measures to modify risk. Risk treatment measures can include avoiding, accepting, transferring or reducing risk. The measures (i.e. security measures) can be selected out of the sets of security measures that are used within the Information Security Management System (ISMS) of the university complying with the standard ISO 27001.

Incident agent: It contains in its knowledge base solutions to similar incidents which occur frequently. This agent stores scenarios of solutions to incidents and makes them available to other agents. With this information, other agents are able to take the right decisions at the right moment.

Internet agent: Its role is to store in the knowledge base all the threats and vulnerabilities that it receives from the internet.

V. CONCLUSION AND PERSPECTIVES

Risk management techniques used before were inappropriate for avoiding risks before their occurrence. These approaches were in a reactive perspective. It has therefore become necessary to move to an integrated approach with a proactive perspective to avoid risks and treat them without compromising the information systems.

In this paper, we describe how information security activities can contribute to the protection of information and infrastructure assets against the risks of loss, bad use or destruction.

In a future work, we will detail the architecture of each agent and the communication between them in URMIS. We will also integrate the processes of the OCTAVE method, in order to quantify risks that can affect [14][15][16]

REFERENCES

Y. Rezgui and A. Marks, "Information security awareness in higher education: An exploratory study," Computers & Security, vol. 27(7-8), pp. 241-253, July 2008.

Defta (Ciobanu) Costinela-Luminita, "Information security in E-learning Platforms," Procedia Social and Behavioral Sciences 15 (2011), pp. 2689-2693.

M. Wooldridge, "Agents and software engineering," AI*IA Notizie XI(3), 1998, pp. 31-37.

E. Humphreys, "Information security management standards: Compliance, governance and risk management," J. Info. Secur. Tech. Rep. 13(4), pp. 247-255, 2008.

W. Boehmer, "Appraisal of the effectiveness and efficiency of an Information Security Management System based on ISO 27001," Proc. Secon
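The risk estimation, evaluation and treatment agents of Section IV, worked through as an added example that is not part of the paper. The formula risk = threat * vulnerability * impact and the five bands (very low to very high) come from the text; the 1..5 scales for each factor, the band thresholds, the treatment policy per band and the "transfer" refinement are assumptions of this example, since neither the paper nor ISO 27005 fixes them.

```python
from dataclasses import dataclass

# Added example, not the paper's code. Scales, band boundaries and the
# treatment policy are assumptions; the formula and band names are the paper's.

SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class Risk:
    name: str
    threat: int         # likelihood of the threat, 1..5 (assumed scale)
    vulnerability: int  # ease of exploiting the weakness, 1..5 (assumed scale)
    impact: int         # consequence for the asset, 1..5 (assumed scale)


def estimate(risk: Risk) -> int:
    """Risk estimation agent: product of the three factors (the paper's formula).
    With the assumed scales the score lies in 1..125."""
    for value in (risk.threat, risk.vulnerability, risk.impact):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{risk.name}: factor {value} outside {SCALE_MIN}..{SCALE_MAX}")
    return risk.threat * risk.vulnerability * risk.impact


# Assumed band boundaries (upper bound inclusive) over the 1..125 range.
BANDS = ((5, "very low"), (15, "low"), (40, "medium"), (80, "high"), (125, "very high"))


def evaluate(score: int) -> str:
    """Risk evaluation agent: map the score to one of the five bands."""
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} out of range")


# Assumed treatment policy: which of the four options (avoid, accept,
# transfer, reduce) the treatment agent proposes for each band.
TREATMENT = {
    "very low": "accept",
    "low": "accept",
    "medium": "reduce",
    "high": "reduce",
    "very high": "avoid",
}


def treat(risk: Risk) -> dict:
    """Risk treatment agent: choose a treatment option for one risk.
    Assumed refinement: a high-band risk driven by maximal impact but low
    threat likelihood is proposed for transfer (e.g. insurance) rather than
    reduction, since little likelihood is left to reduce."""
    score = estimate(risk)
    band = evaluate(score)
    option = TREATMENT[band]
    if band == "high" and risk.impact == SCALE_MAX and risk.threat <= 2:
        option = "transfer"
    return {"name": risk.name, "score": score, "band": band, "treatment": option}


def risk_register(risks):
    """Register sorted by score, highest first, as the identification agent
    might communicate it to users."""
    return sorted((treat(r) for r in risks), key=lambda entry: -entry["score"])


# Constructed sample risks for a university information system.
SAMPLE_RISKS = [
    Risk("phishing of student credentials", threat=5, vulnerability=4, impact=3),
    Risk("unpatched grade database server", threat=3, vulnerability=5, impact=5),
    Risk("flood in the data centre", threat=2, vulnerability=5, impact=5),
    Risk("fire in the records archive", threat=1, vulnerability=2, impact=5),
    Risk("loss of a lecture-hall projector remote", threat=2, vulnerability=2, impact=1),
]

if __name__ == "__main__":
    for entry in risk_register(SAMPLE_RISKS):
        print(entry)
```

On the sample register the database server (score 75) and the phishing risk (60) both land in the high band and are proposed for reduction, the flood (50) is proposed for transfer, and the two low-scoring risks are accepted. Whatever thresholds a university adopts, the band edges are the part to agree on with management first, because they decide which risks the treatment agent will ever escalate.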

