
System Health Monitoring Using a Novel Method: Security Unified Process

DOI: 10.1155/2012/151205


Abstract:

Iterative and incremental mechanisms are not usually considered in existing approaches to information security management systems (ISMS). In this paper, we propose SUP (Security Unified Process) as a unified process for implementing a successful, high-quality ISMS. SUP provides a disciplined approach to assigning tasks and responsibilities within an organization. The SUP architecture comprises static and dynamic dimensions: the static dimension, or disciplines, includes business modeling, assets, security policy, implementation, configuration and change management, and project management; the dynamic dimension, or phases, contains inception, analysis and design, construction, and monitoring. Risk assessment is a major part of the ISMS process. In SUP, we present a risk assessment model that uses a fuzzy expert system to assess risks in an organization. Since the classification of assets is an important aspect of risk management and ensures that effective protection occurs, a Security Cube is proposed as an asset classification model for identifying organizational assets. The proposed model leads to an offline system health monitoring tool, which is a critical need in any organization.

1. Introduction

Information security is a primary requirement in today's communication world. These requirements are driven either by business need or by regulation. Many organizations find it difficult to derive a framework for defining those requirements. In most cases, information has become the vital "asset" of a business and is called an "information asset" or "intellectual asset" [1]. It is essential to protect this asset so as to ensure its confidentiality, integrity, and availability [2]. While preserving these essential protections, the right information should be available to the right people, at the right place and at the right time. Securing information is expected to guarantee that it is correct and available.

Also, it can be guaranteed that information is not jeopardized by misuse, which could lead to loss of business and poor compliance with regulations. Obviously, information security management plays a very important and crucial role in every organization. The organization is expected to follow certain security compliance regulations and standards, together with implementing an information security management infrastructure. Therefore, an appropriate information security infrastructure, which is a vital need for most organizations, must be provided and implemented. Information security standards are helping organizations at

References

[1] M. Dey, “Information security management—a practical approach,” in Proceedings of the IEEE AFRICON, pp. 1–6, September 2007.
[2] ISO, “Information technology – Security techniques – Information security management systems – Requirements,” ISO/IEC 27001, 2005.
[3] J. Eloff and M. Eloff, “Information security management—a new paradigm,” in Proceedings of the SAICSIT, pp. 130–136, 2003.
[4] J. S. Broderick, “ISMS, security standards and security regulations,” Information Security Technical Report, vol. 11, no. 1, pp. 26–31, 2006.
[5] L. Chung, “Dealing with security requirements during the development of information systems,” in Proceedings of the 5th International Conference on Advanced Information Systems Engineering (CAiSE '93), pp. 234–251, Paris, France, 1993.
[6] S. Kondakci, “A new assessment and improvement model of risk propagation in information security,” International Journal of Information and Computer Security, vol. 1, no. 3, pp. 341–366, 2007.
[7] S. Kondakci, “A causal model for information security risk assessment,” in Proceedings of the 6th International Conference on Information Assurance and Security, pp. 143–148, IEEE Computer Society, 2010.
[8] S. Kondakci, “Network security risk assessment using Bayesian belief networks,” in Proceedings of the 2nd IEEE International Conference on Social Computing / IEEE International Conference on Privacy, Security, Risk and Trust, pp. 952–960, IEEE Computer Society, August 2010.
[9] S. Kondakci, “A recursive method for validating and improving network security solutions,” in Proceedings of the International Conference on Security of Information and Networks (SIN '07), pp. 74–83, Trafford Publishing, 2007.
[10] C. Pak, “The near real time statistical asset priority driven (NRTSAPD) risk assessment methodology,” in Proceedings of the 9th ACM SIG-Information Technology Education Conference (SIGITE '08), pp. 105–112, ACM, New York, NY, USA, October 2008.
[11] C. Pak and J. Cannady, “Asset priority risk assessment using hidden Markov models,” in Proceedings of the 10th ACM Special Interest Group for Information Technology Education (SIGITE '09), pp. 65–73, Fairfax, Va, USA, October 2009.
[12] C. Xiaolin, T. Xiaobin, Z. Yong, and X. Hongsheng, “A Markov game theory-based risk assessment model for network information system,” in Proceedings of the International Conference on Computer Science and Software Engineering (CSSE '08), pp. 1057–1061, December 2008.
[13] B. C. Guan, C. C. Lo, P. Wang, and J. S. Hwang, “Evaluation of information security related risks of an organization—the application of the multi-criteria decision-making method,” in Proceedings of the 37th IEEE Annual International Carnahan Conference on Security Technology, pp. 168–175, October 2003.
[14] Y. M. Wang and T. M. S. Elhag, “Fuzzy TOPSIS method based on alpha level sets with an application to bridge risk assessment,” Expert Systems with Applications, vol. 31, no. 2, pp. 309–319, 2006.
[15] S. Kondakci, “A composite network security assessment,” in Proceedings of the 4th International Conference on Information Assurance and Security, pp. 249–254, IEEE Computer Society, 2008.
[16] M. Hamdi and N. Boudriga, “Algebraic specification of network security risk management,” in Proceedings of the ACM Workshop on Formal Methods in Security Engineering (FMSE '03), pp. 52–60, October 2003.
[17] L. Muller, M. Magee, P. Marounek, and A. Philipson, “IBM IT governance approach: business performance through IT execution,” 2008, http://www.redbooks.ibm.com/abstracts/sg247517.html.
[18] IBM Rational Unified Process (RUP), http://www-01.ibm.com/software/awdtools/rup.
[19] P. Kroll and P. Kruchten, Rational Unified Process Made Easy: A Practitioner's Guide to the RUP, Addison-Wesley, Boston, Mass, USA, 2003.
[20] C. Larman and V. R. Basili, “Iterative and incremental development: a brief history,” Computer, vol. 36, no. 6, pp. 47–56, 2003.
[21] A. Shameli-Sendi, M. Jabbarifar, M. Shajari, and M. Dagenais, “FEMRA: fuzzy expert model for risk assessment,” in Proceedings of the 5th International Conference on Internet Monitoring and Protection, pp. 48–53, Barcelona, Spain, 2010.
[22] K. Haslum, A. Abraham, and S. Knapskog, “Fuzzy online risk assessment for distributed intrusion prediction and prevention systems,” in Proceedings of the 10th International Conference on Computer Modeling and Simulation, pp. 216–223, IEEE Computer Society Press, Cambridge, UK, 2008.
[23] G. Stoneburner, A. Goguen, and A. Feringa, “Risk management guide for information technology systems,” NIST SP 800-30, http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf.
[24] J. A. Zachman, “The Zachman framework,” http://www.zachmaninternational.com/.
