Yu Zhiwei,Tang Rengzhong,Jia Dongjiao,Ye Fanbo

DOI: https://doi.org/10.3321/j.issn:1004-132X.2007.04.021

2007-01-01

Abstract:To identify the security requirements of information systems, a business process-based security requirement analysis method was presented. Focused on the business process security, the related assets which affect the business process security were identified by security tree model. The security requirements of assets were identified by risk packet and risk transferring model, and then the security requirements list was formed after coverage analysis. Finally, a case was studied to illustrate the proposed method.

黄益民,平玲娣,潘雪增

DOI: https://doi.org/10.3785/j.issn.1008-973x.2001.06.005

2001-01-01

Abstract:After study of existing security models; analysis of information flow model, Bell-LaPadula(BLP) access control model and Biba access control model; and collation and comparison of their advantages and disadvantages, an improved model is put forward that satisfies the actual demands of information security. An implementation strategy is put forward that ensures information security, reliability, practicality and compatibility in the designed security system. An implementation scheme of this security system and its components and functions is provided. This system combines the following functions: mandatory access contro1, privilege separation, security audit, identity authentication and self-protection. It achieves the level 3 of national information security standard and level B1 of TCSEC standard. It was implemented in the Windows NT and Linux operating system and has yielded good resultsin application.

Qinghong Shen,Hongye Su

DOI: https://doi.org/10.1002/apj.1623

2012-01-01

Asia-Pacific Journal of Chemical Engineering

Abstract:Manufacturing industry needs a more effective and unified information system to meet market demand changes and societal/environmental requirements. The international standard ISO/IEC 62264 (an adoption of ISA SP95) presents an integrated framework for business planning & logistics, manufacturing operation management, and control. The information system integration models proposed in this standard are based on UML (Unified Modeling Language). OPM (Object Process Methodology) is a new modeling approach with much more advantages comparing to UML. This paper re-builds the information system integration models in ISO/IEC 62264 based on OPM. The application in an oil refinery factory verifies the effectiveness of these models and the convenience of OPM.

Zhi-wei YU,Ren-zhong TANG

DOI: https://doi.org/10.3785/j.issn.1008-973X.2007.08.003

2007-01-01

Abstract:A method of analyzing security objectives of business process elements (BPEs) was presented to determine the security requirements of business processes. According to the business process model, the initial security objectives of BPEs were identified based on a general classification. And the weighting coefficients of the security objectives of activities were affirmed by calculating the in-degree and out-degree of activities. The consistency checking rules and revising principles were brought forward to check and modify the security objectives, the final security objectives of BPEs were obtained. A case study showed that the proposed method could be used to get the security objectives of BPEs objectively.

YU Eric

2006-01-01

Abstract:We propose a methodological framework for designing security systems.This framework is founded on agent-oriented i* requirement modeling framework.We propose to use social modeling concepts to analyze the business and organizational context of systems with regard to security.This methodological framework encompasses analysis on the functional and non-functional requirements in relevance to security,making trade-off when design,thus integrating security into the system design process from the outset.This paper uses the Online Ordering example for illustration.

Yong li Tang,Yi qi Dai

DOI: https://doi.org/10.1109/WICOM.2009.5302149

2009-01-01

Abstract:it has attracted more attention to the researchers about how to build an appropriate model to assess the risk of information systems. Aimed at this issue, a measurement framework of combining qualitative analysis with quantitative computation is proposed. From the implementation of information security management measurement (ISMM), the model, factors, indices, means and implementation flow are also given in detail. At last, the implementation flow of ISMM is depicted.

Dong-hui HU,Xue-hai ZHOU

DOI: https://doi.org/10.3969/j.issn.1000-1220.2005.04.001

2005-01-01

Abstract:Security model, which guides the construction and evaluation of security system, is the representation of security policies. Several security models are first reviewed and analyzed on the basis of the introduction to the concepts of basic model, classical model and multi-policy model. Some of those are compared emphatically. The paper is concluded with the future research on security model.

Сергій Толюпа,Сергій Штаненко,Serhiі Tolіupa,,Serhii Shtanenko,

DOI: https://doi.org/10.17721/ists.2023.1.28-36

2023-01-01

Information systems and technologies security

Abstract:An effective solution to the problems of analysis and synthesis of information security management systems can not be provided by simple ways of simply describing their behavior in different conditions - systems engineering solves problems that require quantitative evaluation of characteristics. Such data, obtained experimentally or by mathematical modeling, should reveal the properties of information security management systems. The main one is efficiency, which means the degree of compliance of the results of information protection to the goal. The latter, depending on the resources available, the knowledge of developers and other factors, can be achieved to one degree or another, and there are alternative ways to implement it. In a number of publications the authors propose the basics of the categorical apparatus of set theory, which allows to explain the relationship between sets of threats and sets of information protection system, which allows to build different mathematical models to analyze information exchange systems in critical application systems. At present, the creation of information security management systems is not possible without research and generalization of world experience in building information systems and their constituent subsystems, one of the key of which are information protection and intrusion prevention systems. Components of the process of attacking the mechanisms of protection and blocking or destruction of cyber threats themselves are components of the mathematical support of such systems. The basis of such models is the mathematical apparatus, which should ensure the adequacy of modeling of information security processes for any conditions of cyber threats. When defining the mathematical apparatus, it is necessary to clearly understand how certain sets of cyber threats are built, and how the sets of cyber threat sets, sets of security system elements and sets of cyber attack detection systems, which should control the correctness of the information security process. The article analyzes various options for building models of information security management system and creates a mathematical model that takes into account the internal relationships of different subsets of components of the information security system under the influence of cyber threats.

Thamer Alhussain,Ahmad Ali AlZubi,Osama AlFarraj,Salem Alkhalaf,Musab S. Alkhalaf

DOI: https://doi.org/10.1007/978-3-030-44041-1_108

2020-01-01

Abstract:This article proposes an information security management system (ISMS) model for automated data processing systems of critical applications (ADPS-CAs). The model allows users to carry out an assessment of the risk level for information security (IS) purposes and provides support for decision-making related to countering unauthorized access to the information circulating in an ADPS-CA. Further, this article analyzes the effect of a control parameter on the probability of launching an information integrity monitoring service (IMS) during a procedure that launches a typical ADPS-CA and its IS subsystem. The results present system quality indicators for protecting information from unauthorized access. The simulation was performed in relation to automated workstations as part of the ADPS-CA of a large enterprise.

Oldooz Karimi

DOI: https://doi.org/10.48550/arXiv.1108.1314

2011-08-05

Abstract:In this article, we examine how security applies to Service Oriented Architecture (SOA). Before we discuss security for SOA, lets take a step back and examine what SOA is. SOA is an architectural approach which involves applications being exposed as "services". Originally, services in SOA were associated with a stack of technologies which included SOAP, WSDL, and UDDI. This article addresses the defects of traditional enterprise application integration by combining service oriented-architecture and web service technology. Application integration is then simplified to development and integration of services to tackle connectivity of isomerous enterprise application integration, security, loose coupling between systems and process refactoring and optimization.

Software Engineering

杨洋,丁仁杰,闵勇

DOI: https://doi.org/10.3321/j.issn:1000-1026.2003.07.008

2003-01-01

Abstract:According to the characteristics of the information system in power enterprises, an in-depth analysis is made of the discretionary access control (DAC), mandatory access control (MAC) and role-based access control (RBAC). Some drawbacks of the three models under certain circumstances are discussed. To meet the need of massive and frequently changing data in the information system of power enterprises, a new access control model, the object-based access control (OBAC) model, is proposed. This model can be easily represented and is more extensible. Also, a practical design of the OBAC model is given.

Kwo‐Shing Hong,Yen‐Ping Chi,Louis R. Chao,Jih‐Hsing Tang

DOI: https://doi.org/10.1108/09685220310500153

2003-12-01

Abstract:With the popularity of electronic commerce, many organizations are facing unprecedented security challenges. Security techniques and management tools have caught a lot of attention from both academia and practitioners. However, there is lacking a theoretical framework for information security management. This paper attempts to integrate security policy theory, risk management theory, control and auditing theory, management system theory and contingency theory in order to build a comprehensive theory of information security management (ISM). This paper suggests that an integrated system theory is useful for understanding information security management, explaining information security management strategies, and predicting management outcomes. This theory may lay a solid theoretical foundation for further empirical research and application.

Weihui Dai,Qi Zhu,Chunshi Wang,Yujiao Zeng

DOI: https://doi.org/10.4304/jcp.7.2.317-324

2012-01-01

Journal of Computers

Abstract:I nformation system has become the indispensable support platform required by daily operations in modern enterprises. IC manufacturing industry is the most important base of advanced information products . Its rich knowledge innovation, complex production process , and high degree of cooperation require particular risk management on i nformation security. On the basis of referencing to latest information security management standards, PDCA risk management and best practices, this paper propose d an dynamic risk management model for the information security management in IC manufacturing industry. A fter an in-depth analysis of the actual current situation of IC manufacturing in China , that model has been successfully applied to guide the information security management practices in IC manufacturing compan ies, and offers a comprehensive and practical solution .

Qiang YAN,Hua-ying SHU,Zhong CHEN,Yun-suo DUAN

DOI: https://doi.org/10.3969/j.issn.1007-5321.2005.04.017

2005-01-01

Abstract:Security evaluation is an important approach for the security risk management of the information system. But there are lack of effective methods and tools for security evaluation. To resolve the problem, an object model of security evaluation is established based on the object oriented technology. The concepts of correlation test and dependency test are introduced and a set of tools is also developed according to the model. The practical application indicates that the object oriented technology can improve the efficiency of security evaluation, and the correlation test and dependency test also improve the penetration testing effects.

Y Hu,XR Xie,YZ Xin

DOI: https://doi.org/10.1109/pes.2004.1372957

2005-01-01

Abstract:This paper presents a modeling language and a quantitative evaluation approach for the security of power information systems. We firstly design a security architecture design trace language to universally describe system structures, services, security policies, attack behaviors and countermeasures. Next an automated risk analysis algorithm is proposed to get attack traces of power information systems. Then, based on the concept of relative security degree, security architecture can be quantitatively evaluated. Finally, with a case study in a real power information system, the effectiveness of the presented approach is demonstrated. In practice, the approach can be employed for assessing various kinds of countermeasures, such as increasing a new security function, adjusting system self structure, and changing customer operation requirements. And it can greatly decrease the subjectivity of counter-measure selection.

Marek Amanowicz,Mariusz Kamola

DOI: https://doi.org/10.3390/electronics11223835

IF: 2.9

2022-11-22

Electronics

Abstract:Protection against a growing number of increasingly sophisticated and complex cyberattacks requires the real-time acquisition of up-to-date information on identified threats and their potential impact on an enterprise's operation. However, the complexity and variety of IT/OT infrastructure interdependencies and the business processes and services it supports significantly complicate this task. Hence, we propose a novel solution here that provides security awareness of critical infrastructure entities. Appropriate measures and methods for comprehensively managing cyberspace security and resilience in an enterprise are provided, and these take into account the aspects of confidentiality, availability, and integrity of the essential services offered across the underlying business processes and IT infrastructure. The abstraction of these entities as business objects is proposed to uniformly address them and their interdependencies. In this paper, the concept of modeling the cyberspace of interdependent services, business processes, and systems and the procedures for assessing and predicting their attributes and dynamic states are depicted. The enterprise can build a model of its operation with the proposed formalism, which takes it to the first level of security awareness. Through dedicated simulation procedures, the enterprise can anticipate the evolution of actual or hypothetical threats and related risks, which is the second level of awareness. Finally, simulation-driven analyses can serve in guiding operations toward improvement with respect to resilience and threat protection, bringing the enterprise to the third level of awareness. The solution is also applied in the case study of an essential service provider.

engineering, electrical & electronic,computer science, information systems,physics, applied

CHAI Yueting,ZHANG Xiaodong,LI Fangyun

DOI: https://doi.org/10.3321/j.issn:1000-0054.1999.05.032

1999-01-01

Abstract:Agile information system is the one of re constructivity and fast adaptability. The key of developing agile information system is building system model by formal methodology. Based on the deep analysis of the characteristics of enterprise business activities, both the fundamental constructs and their inter relationship of the agile information system were presented. In terms of the methodology of object oriented, the principle of Business Process Reengineering (BPR) and the notation of the Unified Modeling Language (UML), the model structure of this kind of system were outlined. The system model structure not only substantially differentiate the relatively stable and unstable aspects of the business activities, but also explicitly reflect the relationship between them and integrate the information of the system development as well, which is the foundation of the system reconstruction rapidly.

Peng Liu,Zhong Chen

DOI: https://doi.org/10.1109/wi.2004.10081

2004-01-01

Abstract:Business process describes a set of services that span enterprise boundaries and are provided by enterprises that see each other as partners. Web services is widely accepted and adopted to construct business process. Web services are built in exposed environment and open to security threats. When a web service contained in a business process is authorized to illegal users, it will cause economic loss of the service provider. Although there exist some standards for security of Web services and access control for services in distributed systems are well studied, there is a lack of comprehensive approach in access control for web services, especially in business process. In this paper, an extended RBAC model, called WS-RBAC, is proposed to secure web services in business process. The model takes web services in business process as protected objects and extends the classical RBAC model. Next, The software architecture of WS-RABC is presented. This paper also presents how to specify business process in the model and the authorization constraints of WS-RBAC based on WS-Policy.

Luo Xing,Wang Wei,Shi Bole

DOI: https://doi.org/10.3969/j.issn.1000-386X.2007.02.024

2007-01-01

Abstract:In this paper,we proposed a formal security database system access model including a multilevel relation model and a element-level authorization.We extended sandhu's MLR model by giving a new explanation of how the database represents the real world.Under new semantic model,the data-borrow operation was strengthened.Further more,with the support of element-level authorization,user privilege management of database system could be more reasonable.