Vaibhav Gowadia,Csilla Farkas,Michiharu Kudo

DOI: https://doi.org/10.48550/arXiv.0809.5266

2008-09-30

Cryptography and Security

Abstract:Ensuring compliance of organizations to federal regulations is a growing concern. This paper presents a framework and methods to verify whether an implemented low-level security policy is compliant to a high-level security policy. Our compliance checking framework is based on organizational and security metadata to support refinement of high-level concepts to implementation specific instances. Our work uses the results of refinement calculus to express valid refinement patterns and their properties. Intuitively, a low-level security policy is compliant to a high-level security policy if there is a valid refinement path from the high-level security policy to the low-level security policy. Our model is capable of detecting violations of security policies, failures to meet obligations, and capability and modal conflicts.

Vincent C. Hu,Evan Martin,JeeHyun Hwang,Tao Xie

DOI: https://doi.org/10.1109/compsac.2007.96

2007-01-01

Abstract:Access control is one of the most fundamental and widely used security mechanisms. Access control mechanisms control which principals such as users or processes have access to which resources in a system. To facilitate managing and maintaining access control, access control policies are increasingly written in specification languages such as XACML. The specification of access control policies itself is often a challenging problem. Furthermore, XACML is intentionally designed to be generic: it provides the freedom in describing access control policies, which are well-known or invented ones. But the flexibility and expressiveness provided by XACML come at the cost of complexity, verbosity, and lack of desirable-property enforcement. Often common properties for specific access control policies may not be satisfied when these policies are specified in XACML, causing the discrepancy between what the policy authors intend to specify and what the actually specified XACML policies reflect. In this position paper, we propose an approach for conducting conformance checking of access control policies specified in XACML based on existing verification and testing tools for XACML policies.

Xiang Li,Xin Jin,Qixu Wang,Mingsheng Cao,Xingshu Chen

DOI: https://doi.org/10.1155/2018/3078272

2018-01-01

Wireless Communications and Mobile Computing

Abstract:The Internet of Things (IoT) offers a wide variety of benefits to our daily lives in many ways, ranging from smart wearable devices to industrial systems. However, it also brings well-known security and compliance concerns, especially in the physical layer. In addition, due to numerous IoT architectures which have been developed and deployed based on the cloud, the security and compliance of IoT depend on the cloud thoroughly. In this paper, a secure and compliant continuous assessment framework (SCCAF) is proposed to evaluate the security and compliance levels of cloud services in life-cycle. The SCCAF facilitates cloud service to customers to select an optimal cloud service provider (CSP) which satisfies their desired security requirements. Moreover, it also enables cloud service customers to evaluate the compliance of the selected CSP in the process of using cloud services. To evaluate the performance and availability of SCCAF, we carry out a series of experiments with case study and real-world scenario datasets. Experimental results show that SCCAF can assess the security and compliance of CSPs efficiently and effectively.

Yinghui Xu,Xi Chen,Chuang Li,Lianzhu Ge,Haiyan Zhao,Tianying Jiang

DOI: https://doi.org/10.1051/shsconf/202315703015

2023-02-16

SHS Web of Conferences

Abstract:Data security compliance management is the fundamental premise that data application does not infringe on the interests of countries, enterprises and individuals. It is an important foundation for realizing the driving role of data elements. Based on the data security compliance management practices of typical enterprises at home and abroad, this paper summarizes the excellent practices of leading demonstration enterprises, and proposes six key strategies for enterprise data security compliance, including classification of typical data application scenarios, analysis of key links of data security compliance application, formulation of data security compliance application management system and standards, optimization of data security compliance application process mechanism, formulation of whole-process management measures of data security compliance, and improvement of data security compliance guarantee mechanism, as to provide references for the research and construction of enterprise data security compliance management system.

Fabiola Moyón,Daniel Méndez Fernández,Kristian Beckers,Sebastian Klepper

DOI: https://doi.org/10.1007/978-3-030-64148-1_5

2021-05-28

Abstract:Integrating security into agile software development is an open issue for research and practice. Especially in strongly regulated industries, complexity increases not only when scaling agile practices but also when aiming for compliance with security standards. To achieve security compliance in a large-scale agile context, we developed S2C-SAFe: An extension of the Scaled Agile Framework that is compliant to the security standard IEC~62443-4-1 for secure product development. In this paper, we present the framework and its evaluation by agile and security experts within Siemens' large-scale project ecosystem. We discuss benefits and limitations as well as challenges from a practitioners' perspective. Our results indicate that \ssafe contributes to successfully integrating security compliance with lean and agile development in regulated environments. We also hope to raise awareness for the importance and challenges of integrating security in the scope of Continuous Software Engineering.

Software Engineering

Michael Matthias Naumann,Stelian Mircea Olaru,Georg Sven Lampe,Fabian Pitz

DOI: https://doi.org/10.2478/picbe-2024-0043

2024-06-01

Proceedings of the International Conference on Business Excellence

Abstract:Abstract In the current global context, companies need a defined minimum level of information security to recognize and deal with related threats and risks. Due to market, customer or legal requirements, specifications and requirements for information security are implemented uniformly according to standards such as the information security management standard ISO/IEC 27001 or industry-specific standards such as Trusted Information Security Assessment Exchange - TISAX, ISO IEC 27019 Energy Utility Information Security Standard. The conformity to these standard requirements within the established management system is checked during periodically required audits. However, there are various reasons for which, even after many years of audits in companies, there are still insufficient process implementations for information security requirements. The aim of the paper is to analyze the status of conformity and thus also the process maturity in selected samples of companies that have already had information security management systems (ISMS) implemented for several years. In detail, the reasons for deviations from the minimum requirements with associated risks for the security of information in companies were analyzed, which allow conclusions to be drawn about possible process improvements. The paper also analyzes why, despite established measures and existing expertise, only a limited level of process maturity is achieved on average. Other possible approaches to the implementation procedure for dealing with non-conformities in information security are also considered. The results of this research show that there is a need for an adjusted continuous improvement process, which makes risks resulting from insufficient process maturity more visible. Proposals for such improvements are listed.

Sridevi Saralaya,Vishwas Saralaya,Rio D’Souza

DOI: https://doi.org/10.1007/978-3-319-93940-7_3

2018-07-27

Digital Business

Abstract:Business Process Compliance refers to the act of conformance of a business process with policies, regulations and rules that govern the organization. An imperative requirement of business processes in various fields such as Health care, Insurance, Finance and Online Trade is adherence to a large number of compliance requirements, constraints and quality policies from various sources. Lack of compliance may result in huge compensations and loss of customers and reputation. Compliance issues can be handled either retrospectively i.e. after non-complaint situations are observed or they can be handled proactively i.e. anticipation of possibilities leading to non-compliant circumstances during process execution which may prevent occurrence of deviations and thus save upon compensation effects. Hence compliance management tasks need to be incorporated into each phase of the life-cycle of a business process. In this article we discuss contemporary activities related to lifecycle of compliance management in business processes which involve compliance elicitation, compliance formalization, compliance implementation, compliance verification and compliance improvement based on existing literature. Compliance Monitoring Functionalities (CMFs) which may be used to categorize and also assess existing compliance management approaches and frameworks are also discussed.

Omar Shareef

DOI: https://doi.org/10.47760/ijcsmc.2024.v13i02.006

2024-02-28

International Journal of Computer Science and Mobile Computing

Abstract:The security and resilience of organizational IT systems are of paramount importance in today's fast-paced digital environment. With the proliferation of “cyber threats”, organizations must adopt proactive measures to protect their assets and maintain operational continuity. The purpose of this article is to provide insight into the nuances of the implementation of a robust framework for “IT controls”, so that organizations seeking to strengthen their defenses can better understand the importance of each component. The article begins by emphasizing the foundational role of governance and oversight in establishing clear policies, procedures, and accountability structures. Strong governance sets the stage for cultivating a culture of compliance and accountability throughout the organization. Next, the article delves into the critical aspect of “risk management”, highlighting the importance of identifying and mitigating IT-related risks to safeguard organizational security and resilience. Through comprehensive “risk assessments”, organizations can prioritize mitigation efforts and allocate resources effectively. In order to prevent unauthorized access to critical IT systems and resources, access controls are discussed, emphasizing the importance of robust authentication mechanisms and role-based access controls. Change management processes are explored as essential components in managing IT changes effectively, minimizing the risk of disruptions and vulnerabilities associated with system changes. “Data security” emerges as a key focus area, with an emphasis on protecting the confidentiality, integrity, and availability of organizational data assets through robust encryption, access controls, and data loss prevention technologies. Incident management processes are highlighted as crucial for responding swiftly and effectively to security incidents, minimizing their impact and restoring normal operations promptly. Compliance and audit processes are discussed in the context of ensuring adherence to regulatory requirements and industry standards, mitigating the risk of non-compliance penalties and reputational damage. The importance of security awareness training in cultivating a culture of security among employees is emphasized, along with the need for continuous monitoring and improvement to adapt to evolving “threats” effectively. Overall, the article underscores the importance of implementing a comprehensive framework for IT controls to enhance “organizational security”, “compliance” and resilience in today's digital landscape. Through collaborative efforts across all levels of the organization, organizations can effectively “mitigate risks”, safeguard their assets and achieve their business objectives amidst evolving “cyber threats”.

Katja Tuma,Sven Peldszus,Daniel Strüber,Riccardo Scandariato,Jan Jürjens

DOI: https://doi.org/10.1007/s10270-022-00991-5

2022-03-18

Abstract:Abstract It is challenging to verify that the planned security mechanisms are actually implemented in the software. In the context of model-based development, the implemented security mechanisms must capture all intended security properties that were considered in the design models. Assuring this compliance manually is labor intensive and can be error-prone. This work introduces the first semi-automatic technique for secure data flow compliance checks between design models and code. We develop heuristic-based automated mappings between a design-level model (SecDFD, provided by humans) and a code-level representation (Program Model, automatically extracted from the implementation) in order to guide users in discovering compliance violations, and hence, potential security flaws in the code. These mappings enable an automated , and project-specific static analysis of the implementation with respect to the desired security properties of the design model. We developed two types of security compliance checks and evaluated the entire approach on open source Java projects.

computer science, software engineering

Liang Song,Jianmin Wang,Lijie Wen,Hui Kong

DOI: https://doi.org/10.1155/2013/962765

2013-01-01

Journal of Applied Mathematics

Abstract:Business process models are required to be in line with frequently changing regulations, policies, and environments. In the field of intelligent modeling, organisations concern automated business process compliance checking as the manual verification is a time-consuming and inefficient work. There exist two key issues for business process compliance checking. One is the definition of a business process retrieval language that can be employed to capture the compliance rules, the other concerns efficient evaluation of these rules. Traditional syntax-based retrieval approaches cannot deal with various important requirements of compliance checking in practice. Although a retrieval language that is based on semantics can overcome the drawback of syntax-based ones, it suffers from the well-known state space explosion. In this paper, we define a semantics-based process model query language through simplifying a property specification pattern system without affecting its expressiveness. We use this language to capture semantics-based compliance rules and constraints. We also propose a feasible approach in such a way that the compliance checking will not suffer from the state space explosion as much as possible. A tool is implemented to evaluate the efficiency. An experiment conducted on three model collections illustrates that our technology is very efficient.

Xiaoyang He,Jingang Guo,Yasha Wang,Ying Guo

DOI: https://doi.org/10.1109/apsec.2009.48

2009-01-01

Abstract:A lot of knowledge has been accumulated and documented in the form of process models, standards, best practices, etc. The knowledge tells how a high quality software process should look like, in other words, which constrains should be fulfilled by a software process to assure high quality software products. Compliance checking for a predefined process against proper constrains is helpful to quality assurance. Checking the compliance of an actual performed process against some constrains is also helpful to process improvement. Manual compliance checking is time-consuming and error-prone, especially for large and complex processes. In this paper, we record the process knowledge by means of process pattern. We provide an automatic compliance checking approach for process models against constrains defined in process patterns. Checking results indicate where and which constrains are violated, and therefore suggests the focuses of future process improvement. We have applied this approach in three real projects and the experimental results are also presented.

Nicolas Bus,Ana Roxin,Guillaume Picinbono,Muhammad Fahad

DOI: https://doi.org/10.48550/arXiv.1910.00334

IF: 14.4

2019-10-01

Artificial Intelligence

Abstract:Manually checking models for compliance against building regulation is a time-consuming task for architects and construction engineers. There is thus a need for algorithms that process information from construction projects and report non-compliant elements. Still automated code-compliance checking raises several obstacles. Building regulations are usually published as human readable texts and their content is often ambiguous or incomplete. Also, the vocabulary used for expressing such regulations is very different from the vocabularies used to express Building Information Models (BIM). Furthermore, the high level of details associated to BIM-contained geometries induces complex calculations. Finally, the level of complexity of the IFC standard also hinders the automation of IFC processing tasks. Model chart, formal rules and pre-processors approach allows translating construction regulations into semantic queries. We further demonstrate the usefulness of this approach through several use cases. We argue our approach is a step forward in bridging the gap between regulation texts and automated checking algorithms. Finally with the recent building ontology BOT recommended by the W3C Linked Building Data Community Group, we identify perspectives for standardizing and extending our approach.

Wenqin Li,Rongmin Liu,Linhui Sun,Zigu Guo,Jie Gao

DOI: https://doi.org/10.3390/ijerph192316038

IF: 4.614

2022-12-01

International Journal of Environmental Research and Public Health

Abstract:Employee security compliance behavior has become an important safeguard to protect the security of corporate information assets. Focusing on human factors, this paper discusses how to regulate and guide employees' compliance with information security systems through effective methods. Based on protection motivation theory (PMT), a model of employees' intention to comply with the information security system was constructed. A questionnaire survey was adopted to obtain 224 valid data points, and SPSS 26.0 was applied to verify the hypotheses underlying the research model. Then, based on the results of a regression analysis, fuzzy set qualitative comparative analysis (fsQCA) was used to explore the conditional configurations that affect employees' intention to comply with the information security system from a holistic perspective. The empirical results demonstrated that perceived severity, perceived vulnerability, response efficacy, and self-efficacy all positively influenced the employees' intention to comply with the information security system; while rewards and response costs had a negative effect. Threat appraisal had a greater effect on employees' intention to comply with the information security system compared to response appraisal. The fsQCA results showed that individual antecedent conditions are not necessary to influence employees' intention to comply with an information security system. Seven pathways exist that influence an employees' intention to comply with an information security system, with reward, self-efficacy, and response cost being the core conditions having the highest probability of occurring in each configuration of pathways, and with perceived severity and self-efficacy appearing in the core conditions of configurations with an original coverage greater than 40%. Theoretically, this study discusses the influence of the elements of PMT on employees' intention to comply with an information security system, reveals the mechanism of influence of the combination of the influencing factors on the outcome variables, and identifies the core factors and auxiliary factors in the condition configurations, providing a new broader perspective for the study of information security compliance behavior and providing some theoretical support for strengthening enterprise security management. Practically, targeted suggestions are proposed based on the research results, to increase the intention of enterprise employees to comply with information security systems, thereby improving the effectiveness of enterprise information security management and the degree of information security in enterprises.

public, environmental & occupational health,environmental sciences

Guido Governatori

DOI: https://doi.org/10.48550/arXiv.1403.6865

2014-03-27

Abstract:In this paper we propose an ITC (Information and Communication Technology) approach to support regulatory compliance for business processes, and we report on the development and evaluation of a business process compliance checker called Regorous, based on the compliance-by-design methodology proposed by Governatori and Sadiq

Software Engineering,Computers and Society

Heru Susanto,Mohammad Nabil Almunawar,Yong Chee Tuan,Mehmet Sabih Aksoy,Wahyudin P. Syam

DOI: https://doi.org/10.48550/arXiv.1203.6214

2012-03-28

Abstract:Actually Information security becomes a very important part for the organization's intangible assets, so level of confidence and stakeholder trusted are performance indicator as successes organization. Since information security has a very important role in supporting the activities of the organization, we need a standard or benchmark which regulates governance over information security. The main objective of this paper is to implement a novel practical approach framework to the development of information security management system (ISMS) assessment and monitoring software, called by I-SolFramework. System / software is expected to assist stakeholders in assessing the level of their ISO27001 compliance readiness, the software could help stakeholders understood security control or called by compliance parameters, being shorter and more structured. The case study illustrated provided to the reader with a set of guidelines, that aims easy understood and applicable as measuring tools for ISMS standards (ISO27001) compliance.

Cryptography and Security

Elham Ramezani,Dirk Fahland,Jan Martijn van der Werf,Peter Mattheis

DOI: https://doi.org/10.1007/978-3-642-28115-0_43

2012-01-01

Abstract:The ever growing set of regulations and laws organizations have to comply to, introduces many new challenges. Current approaches that check for compliance by implementing controls in an existing information system (IS) decrease the maintainability of both the set of compliance rules and the IS. In this position paper, we advocate the separation of the compliance process from the organization’s business processes. We introduce a life cycle for the management of compliance rules. A separate compliance engine is used to define and check compliance rules independent from the existing IS within an organization.

Alessandro Palma,Giacomo Acitelli,Andrea Marrella,Silvia Bonomi,Marco Angelini

DOI: https://doi.org/10.1016/j.cose.2024.104070

IF: 5.105

2024-08-26

Computers & Security

Abstract:The Incident Management (IM) process is one of the core activities for increasing the overall security level of organizations and better responding to cyber attacks. Different security frameworks (such as ITIL and ISO 27035) provide guidelines for designing and properly implementing an effective IM process. Currently, assessing the compliance of the actual process implemented by an organization with such frameworks is a complex task. The assessment is mainly manually performed and requires much effort in the analysis and evaluation. In this paper, we first propose a taxonomy of compliance deviations to classify and prioritize the impacts of non-compliant causes. We combine trace alignment techniques with a new proposed cost model for the analysis of process deviations rather than process traces to prioritize interventions. We put these contributions into use in a system that automatically assesses the IM process compliance with a reference process model (e.g., the one described in the chosen security framework). It supports the auditor with increased awareness of process issues to make more focused decisions and improve the process's effectiveness. We propose a benchmark validation for the model, and we show the system's capability through a usage scenario based on a publicly available dataset of a real IM log. The source code of all components, including the code used for benchmarking, is publicly available as open source on GitHub.

computer science, information systems

Oluwatosin Ilori,Nelly Tochi Nwosu,Henry Nwapali Ndidi Naiho

DOI: https://doi.org/10.30574/wjarr.2024.22.3.1728

2024-06-30

World Journal of Advanced Research and Reviews

Abstract:The Sarbanes-Oxley Act (SOX) of 2002 was enacted to enhance corporate governance and strengthen financial disclosures, thereby improving the accuracy and reliability of corporate financial statements. Despite its crucial role in safeguarding financial integrity, compliance with SOX requirements presents significant challenges for organizations due to its stringent and comprehensive mandates. This review explores strategic approaches and best practices for optimizing SOX compliance, focusing on the intersection of regulatory adherence and operational efficiency. SOX compliance primarily revolves around internal control over financial reporting (ICFR), auditor independence, corporate responsibility, and enhanced financial disclosures. The complexity of these requirements often leads to substantial compliance costs, increased administrative burdens, and potential operational disruptions. Identifying and mitigating these challenges is essential for maintaining financial integrity and organizational resilience. Implementing a risk-based approach to prioritize compliance efforts on areas with the highest risk of material misstatements. Conducting thorough risk assessments to identify and address vulnerabilities in financial reporting processes. Leveraging automation and advanced technologies, such as artificial intelligence and machine learning, to streamline compliance processes and enhance accuracy. Utilizing data analytics to monitor and assess control effectiveness continuously. Establishing and maintaining robust internal controls tailored to the organization's specific risk profile and operational environment. Regularly reviewing and updating controls to adapt to evolving regulatory requirements and business changes. Providing comprehensive training programs for employees at all levels to ensure awareness and understanding of SOX requirements and their roles in compliance. Promoting a culture of ethical behavior and accountability throughout the organization. Engaging independent third-party auditors to conduct objective assessments of compliance efforts and provide recommendations for improvement. Implementing continuous monitoring mechanisms to detect and address compliance issues proactively. The review highlights several best practices for achieving and maintaining SOX compliance, including integrating compliance into the broader corporate governance framework, fostering collaboration between internal audit and compliance functions, and adopting a proactive rather than reactive compliance mindset. Optimizing SOX compliance is pivotal for ensuring financial integrity and corporate accountability. By adopting strategic approaches and best practices, organizations can navigate the complexities of SOX requirements effectively, mitigate compliance risks, and reinforce stakeholder trust in their financial disclosures. In this review paper, I discuss the strategic approaches, challenges, and best practices in ensuring robust SOX compliance. I emphasize how meticulous internal audits and effective internal controls can enhance financial reporting accuracy and organizational integrity, drawing from my extensive experience in the field.

Xusheng Xiao,Amit M. Paradkar,Suresh Thummalapenta,Tao Xie

DOI: https://doi.org/10.1145/2393596.2393608

2012-01-01

Abstract:ABSTRACTAccess Control Policies (ACP) specify which principals such as users have access to which resources. Ensuring the correctness and consistency of ACPs is crucial to prevent security vulnerabilities. However, in practice, ACPs are commonly written in Natural Language (NL) and buried in large documents such as requirements documents, not amenable for automated techniques to check for correctness and consistency. It is tedious to manually extract ACPs from these NL documents and validate NL functional requirements such as use cases against ACPs for detecting inconsistencies. To address these issues, we propose an approach, called Text2Policy, to automatically extract ACPs from NL software documents and resource-access information from NL scenario-based functional requirements. We conducted three evaluations on the collected ACP sentences from publicly available sources along with use cases from both open source and proprietary projects. The results show that Text2Policy effectively identifies ACP sentences with the precision of 88.7% and the recall of 89.4%, extracts ACP rules with the accuracy of 86.3%, and extracts action steps with the accuracy of 81.9%.

Cataldo Basile,Gabriele Gatti,Francesco Settanni

2024-05-06

Abstract:Enforcing security requirements in networked information systems relies on security controls to mitigate the risks from increasingly dangerous threats. Configuring security controls is challenging; even nowadays, administrators must perform it without adequate tool support. Hence, this process is plagued by errors that translate to insecure postures, security incidents, and a lack of promptness in answering threats. This paper presents the Security Capability Model (SCM), a formal model that abstracts the features that security controls offer for enforcing security policies, which includes an Information Model that depicts the basic concepts related to rules (i.e., conditions, actions, events) and policies (i.e., conditions' evaluation, resolution strategies, default actions), and a Data Model that covers the capabilities needed to describe different types of filtering and channel protection controls. Following state-of-the-art design patterns, the model allows for generating abstract versions of the security controls' languages and a model-driven approach for translating abstract policies into device-specific configuration settings. By validating its effectiveness in real-world scenarios, we show that SCM enables the automation of different and complex security tasks, i.e., accurate and granular security control comparison, policy refinement, and incident response. Lastly, we present opportunities for extensions and integration with other frameworks and models.

Cryptography and Security