A Graph-Based Approach for Managing Enterprise Information System Security

An enterprise information system consists of assets and their inter-relationships. These inter-relationships are manifested in the connection of hardware assets in network architecture, or in the installation of software and information assets in hardware. Security policies are used to specify and control access to enterprise assets. Inter-relationships of assets, along with improper specification of policies, can lead to managerial vulnerabilities in the enterprise information system. Threats may exploit these vulnerabilities to breach the security of sensitive assets. This paper discusses a graph-based methodology for the specification of Enterprise Information Systems. The methodology captures enterprise information security requirements, helps specify security policies, and detects managerial vulnerabilities in enterprise information systems.
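The abstract describes assets (hardware, software, information) linked by "connected to" and "installed on" relationships, with security policies layered on top, and notes that those relationships combined with poorly specified policies can produce managerial vulnerabilities. The following is an added illustration of that idea, not the paper's formal methodology or code: it models a small constructed enterprise as a graph, applies one assumed containment rule (an `admin` grant on an asset implicitly reaches everything installed on it), and reports two kinds of policy defect: a policy that references an asset not present in the model, and a subject who gains implicit reach over a sensitive asset that no policy explicitly grants. All asset names, subjects and the rule itself are assumptions for the example.

```python
from collections import defaultdict, deque

# Constructed sample enterprise (assumed names, not taken from the paper).
# Nodes: asset name -> attributes; edges: (source, relation, target).
ASSETS = {
    "web-srv":     {"type": "hardware",    "sensitive": False},
    "db-srv":      {"type": "hardware",    "sensitive": False},
    "app":         {"type": "software",    "sensitive": False},
    "dbms":        {"type": "software",    "sensitive": False},
    "customer-db": {"type": "information", "sensitive": True},
}
EDGES = [
    ("web-srv", "connected_to", "db-srv"),
    ("app", "installed_on", "web-srv"),
    ("dbms", "installed_on", "db-srv"),
    ("customer-db", "installed_on", "dbms"),
]
# Security policies as (subject, asset, permission) triples (constructed).
POLICIES = [
    ("alice", "db-srv", "admin"),
    ("bob", "customer-db", "read"),
    ("carol", "backup-srv", "admin"),   # refers to an asset the model does not contain
]


def hosted_assets(edges):
    """Reverse the installed_on edges: host -> set of assets installed on it."""
    hosted = defaultdict(set)
    for src, rel, dst in edges:
        if rel == "installed_on":
            hosted[dst].add(src)
    return hosted


def effective_access(assets, edges, policies):
    """Expand explicit grants by an assumed containment rule: an 'admin'
    grant on an asset implies reach over everything installed on it,
    recursively (breadth-first walk over the reversed installed_on edges).
    Returns subject -> set of reachable assets."""
    hosted = hosted_assets(edges)
    reach = defaultdict(set)
    for subject, asset, perm in policies:
        if asset not in assets:
            continue                      # dangling policy, reported separately
        reach[subject].add(asset)
        if perm != "admin":
            continue
        queue = deque([asset])
        while queue:
            node = queue.popleft()
            for child in hosted[node]:
                if child not in reach[subject]:
                    reach[subject].add(child)
                    queue.append(child)
    return reach


def find_managerial_vulnerabilities(assets, edges, policies):
    """Return sorted (kind, subject, asset) findings:
    - unknown_asset: the policy is specified against an unmodelled asset;
    - implicit_sensitive_access: the subject reaches a sensitive asset only
      through asset inter-relationships, with no explicit policy grant."""
    findings = []
    explicit = {(s, a) for s, a, _ in policies}
    for subject, asset, _ in policies:
        if asset not in assets:
            findings.append(("unknown_asset", subject, asset))
    for subject, reached in effective_access(assets, edges, policies).items():
        for asset in sorted(reached):
            if assets[asset]["sensitive"] and (subject, asset) not in explicit:
                findings.append(("implicit_sensitive_access", subject, asset))
    return sorted(findings)


if __name__ == "__main__":
    for kind, subject, asset in find_managerial_vulnerabilities(ASSETS, EDGES, POLICIES):
        print(f"{kind}: {subject} -> {asset}")
```

In the sample data, `alice` holds `admin` on `db-srv`, which hosts `dbms`, which in turn hosts the sensitive `customer-db`; no policy names that pair, so it is reported, while `bob`'s explicit `read` on `customer-db` is not. Each of the richer checks in the literature (conflicting roles, network-reachability paths over `connected_to` edges) is a further rule of the same shape: derive effective reach from the asset graph, then compare it with what the policies explicitly state.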
