Using an Enterprise Architecture for IT Risk Management

In this paper we propose a novel approach for the systematic assessment and analysis of IT-related risks in organisations and projects. The approach is model-driven, using an enterprise architecture as the basis for the security management process. With an enterprise architecture it is possible to provide an integrated description of an organisation's structure, its processes and its underlying IT landscape. In this way we aim to bridge the technical and business-oriented views on information security. The proposed approach provides a detailed security management process and defines the necessary responsibilities and roles of the participating stakeholders.
