System Health Monitoring Using a Novel Method: Security Unified Process

Existing approaches to information security management systems (ISMS) rarely build in iterative and incremental mechanisms. In this paper we propose SUP (Security Unified Process), a unified process for implementing a successful, high-quality ISMS. SUP provides a disciplined way to assign tasks and responsibilities within an organization. Its architecture has a static and a dynamic dimension: the static dimension, the disciplines, comprises business modeling, assets, security policy, implementation, configuration and change management, and project management; the dynamic dimension, the phases, comprises inception, analysis and design, construction, and monitoring. Risk assessment is a major part of the ISMS process, and SUP includes a risk assessment model that uses a fuzzy expert system to assess the organization's risks. Because asset classification is an important aspect of risk management and ensures that protection is applied where it is effective, we also propose a Security Cube as an asset classification model for identifying the organization's assets. Together these give an offline system health monitoring tool, which is a critical need in any organization.
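The abstract names a fuzzy expert system as the risk assessment engine but gives no detail. The block below is an added illustration of how such an engine is typically built (Mamdani inference: fuzzify likelihood and impact, fire an if-then rule base with min/max, defuzzify by centroid); it is not the paper's model, and the 0-10 universes, the three-level partition, the rule matrix and the sample assets are all assumptions made here for the example.

```python
"""Mamdani-style fuzzy risk assessment: likelihood and impact (0-10) in,
crisp risk score, linguistic level and the rule strengths that explain it out.
Illustrative example only; universes, membership functions and rule table are
assumptions, not the paper's model."""
from typing import Callable, Dict, Tuple

Membership = Callable[[float], float]


def trapezoid(a: float, b: float, c: float, d: float) -> Membership:
    """Trapezoidal membership function on [a, d]; a == b or c == d gives a shoulder."""
    def mu(x: float) -> float:
        if x < a or x > d:
            return 0.0
        if x < b:
            return (x - a) / (b - a)
        if x <= c:
            return 1.0
        return (d - x) / (d - c)
    return mu


# One linguistic partition reused for likelihood, impact and risk (assumed).
LEVELS: Dict[str, Membership] = {
    "low": trapezoid(0, 0, 2, 5),
    "medium": trapezoid(2, 5, 5, 8),
    "high": trapezoid(5, 8, 10, 10),
}

# Rule base: (likelihood level, impact level) -> risk level (assumed 3x3 matrix).
RULES: Dict[Tuple[str, str], str] = {
    ("low", "low"): "low", ("low", "medium"): "low", ("low", "high"): "medium",
    ("medium", "low"): "low", ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium", ("high", "medium"): "high", ("high", "high"): "high",
}


def fire_rules(likelihood: float, impact: float) -> Dict[str, float]:
    """Firing strength per output level: AND inside a rule is min, rules sharing a
    consequent are combined with max. Inputs outside the universe are rejected."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 0.0 <= value <= 10.0:
            raise ValueError(f"{name} must be in [0, 10], got {value}")
    strength = {level: 0.0 for level in LEVELS}
    for (lik, imp), out in RULES.items():
        w = min(LEVELS[lik](likelihood), LEVELS[imp](impact))
        strength[out] = max(strength[out], w)
    return strength


def defuzzify(strength: Dict[str, float], steps: int = 1000) -> float:
    """Centroid of the clipped-and-aggregated output set, sampled over [0, 10]."""
    num = den = 0.0
    for k in range(steps + 1):
        x = 10.0 * k / steps
        mu = max(min(w, LEVELS[level](x)) for level, w in strength.items())
        num += x * mu
        den += mu
    return num / den if den else 0.0


def assess_risk(likelihood: float, impact: float) -> Tuple[float, str, Dict[str, float]]:
    """Crisp score, the level it belongs to most, and the strengths that produced it."""
    strength = fire_rules(likelihood, impact)
    score = defuzzify(strength)
    level = max(LEVELS, key=lambda name: LEVELS[name](score))
    return score, level, strength


if __name__ == "__main__":
    # Constructed sample assets with assumed likelihood/impact ratings (not from the paper).
    assets = [("customer database", 7.0, 9.5), ("build server", 4.0, 6.0), ("kiosk display", 2.0, 1.0)]
    for name, lik, imp in sorted(assets, key=lambda a: -assess_risk(a[1], a[2])[0]):
        score, level, strength = assess_risk(lik, imp)
        print(f"{name:18s} risk={score:4.2f} ({level})  fired={strength}")
```

Returning the firing strengths alongside the score is deliberate: a risk register reviewer needs to see which rules drove a rating, not only the number, and the rule table is the place where organization-specific policy (for example, treating any high-impact asset as at least medium risk) is encoded and audited.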
