A Pattern-Based and Tool-Supported Risk Analysis Method Compliant to ISO 27001 for Cloud Systems

To benefit from cloud computing and the advantages it offers, obstacles to the usage and acceptance of clouds have to be cleared. For cloud providers, one way to gain customers' confidence is to establish security mechanisms for the use of clouds. The ISO 27001 standard provides general concepts for establishing information security in an organization, and risk analysis is an essential part of ISO 27001 for achieving information security. The standard, however, contains ambiguous descriptions, and it does not stipulate any method for identifying assets, threats, and vulnerabilities. In this paper, the authors present a method for performing risk analysis of cloud computing systems according to ISO 27001. The authors' structured method is tailored to SMEs. It relies upon patterns to describe the context and structure of a cloud computing system, elicit security requirements, identify threats, and select controls, which reduces the effort required for these activities. The authors' method guides companies through the process of risk analysis in a structured manner. Furthermore, the authors provide a model-based tool for supporting ISO 27001 certification. The tool consists of various plug-ins for conducting the different steps of their method.
