A Mark-Up Language for the Specification of Information Security Governance Requirements

As enterprises become dependent on information systems, effective Information Security Governance (ISG) assumes significance. ISG manages risks to the confidentiality, integrity and availability of an enterprise's information and of the processes and systems that support it. Even a medium-sized enterprise holds a huge collection of information and other assets, and risks evolve rapidly in today's connected digital world. Proper implementation of ISG therefore requires automation of the monitoring, analysis and control processes involved, which is best achieved by representing the enterprise's information security requirements in a standard, structured, machine-readable format. This paper presents such a format: Enterprise Security Requirement Markup Language (ESRML) Version 2.0, an XML-based language whose elements are drawn from the ISO 27002 best-practice controls.
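To show what a machine-readable requirement document makes possible, here is an added example that is not from the paper and does not use the ESRML v2.0 schema: the element names (`securityRequirements`, `asset`, `cia`, `requirement`) and the sample document are assumptions constructed for this illustration. The script parses the document, checks it for internal consistency (valid CIA levels, requirement ids unique, every requirement bound to a known ISO 27002 control number) and then runs one automated analysis pass, flagging high-confidentiality assets with no cryptographic-control requirement.

```python
"""Consistency checks and one analysis pass over a hypothetical XML
security-requirement document.

The element names and the sample document below are assumptions made for
this example; they are not the ESRML v2.0 schema described in the paper.
"""
import xml.etree.ElementTree as ET

# Constructed sample document (not taken from the paper).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<securityRequirements enterprise="ExampleCorp">
  <asset id="db01" type="database">
    <cia confidentiality="high" integrity="high" availability="medium"/>
    <requirement id="R1" control="9.4.1">Restrict access to customer records.</requirement>
    <requirement id="R2" control="12.3.1">Back up customer records daily.</requirement>
  </asset>
  <asset id="web01" type="server">
    <cia confidentiality="medium" integrity="high" availability="high"/>
    <requirement id="R3" control="99.9.9">Refers to a control that does not exist.</requirement>
  </asset>
  <asset id="laptop07" type="endpoint">
    <cia confidentiality="high" integrity="medium" availability="low"/>
  </asset>
</securityRequirements>
"""

# Illustrative subset of ISO/IEC 27002:2013 control numbers used as the
# allowed vocabulary; a real deployment would load the full catalogue.
ISO27002_CONTROLS = {
    "9.4.1": "Information access restriction",
    "10.1.1": "Policy on the use of cryptographic controls",
    "12.3.1": "Information backup",
}
CRYPTO_CONTROL = "10.1.1"
VALID_LEVELS = {"low", "medium", "high"}


def validate(xml_text):
    """Return a list of findings; an empty list means the document is consistent."""
    findings = []
    root = ET.fromstring(xml_text)
    seen_ids = set()
    for asset in root.findall("asset"):
        aid = asset.get("id")
        cia = asset.find("cia")
        if cia is None:
            findings.append(f"{aid}: missing CIA classification")
        else:
            for attr in ("confidentiality", "integrity", "availability"):
                if cia.get(attr) not in VALID_LEVELS:
                    findings.append(f"{aid}: invalid {attr} level {cia.get(attr)!r}")
        reqs = asset.findall("requirement")
        if not reqs:
            findings.append(f"{aid}: no requirements defined")
        for req in reqs:
            rid = req.get("id")
            if rid in seen_ids:
                findings.append(f"{rid}: duplicate requirement id")
            seen_ids.add(rid)
            ctrl = req.get("control")
            if ctrl not in ISO27002_CONTROLS:
                findings.append(f"{rid}: unknown ISO 27002 control {ctrl!r}")
    return findings


def uncovered_high_confidentiality(xml_text):
    """Analysis pass: ids of assets rated confidentiality=high whose requirements
    never reference the cryptographic-controls policy (10.1.1)."""
    root = ET.fromstring(xml_text)
    uncovered = []
    for asset in root.findall("asset"):
        cia = asset.find("cia")
        if cia is None or cia.get("confidentiality") != "high":
            continue
        controls = {r.get("control") for r in asset.findall("requirement")}
        if CRYPTO_CONTROL not in controls:
            uncovered.append(asset.get("id"))
    return uncovered


if __name__ == "__main__":
    for finding in validate(SAMPLE_XML):
        print("finding:", finding)
    print("high-confidentiality assets without a crypto requirement:",
          uncovered_high_confidentiality(SAMPLE_XML))
```

Two practical notes. First, a structured format is only as useful as the vocabulary it is bound to, which is why every `requirement` here must carry a control number resolvable in the catalogue; unknown or retired numbers are reported rather than silently accepted. Second, requirement documents aggregated from many business units are untrusted input: parse them with a hardened parser (for CPython, the `defusedxml` package) or keep external entities and DTD processing disabled, and validate against a schema before acting on the content.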
