568 results on '"Certified Information Systems Security Professional"'
Search Results
2. ASCAA: API‐level security certification of android applications
- Author
- Jingtao Li, Hang Gao, Peizan Wang, Hengyu Li, and Wengang Pei
- Subjects
Engineering, Cloud computing security, Application programming interface, business.industry, 020206 networking & telecommunications, 020207 software engineering, Certified Information Systems Security Professional, 02 engineering and technology, Computer security model, Computer security, computer.software_genre, Computer Graphics and Computer-Aided Design, Security information and event management, Security testing, Security service, 0202 electrical engineering, electronic engineering, information engineering, Security through obscurity, business, computer
- Abstract
Android provides a permission declaration and certification mechanism to detect and report potential security threats in applications. Normally an application is certified on the basis of its declared permissions, but declared permissions are often coarse-grained or inconsistent with the permissions the program code actually uses. The authors propose API-level security certification of Android applications (ASCAA), a cloud-based framework that employs a systematic method to identify and analyse security threats at the application programming interface (API) level. To certify an application, ASCAA examines all permission labels in its manifest together with the API invocations extracted from its decompiled code, checking them against a set of requirement-dependent security rules. In addition, the authors provide the ASCAA Security Language to formalise the security rules and the certification process, which makes ASCAA general and scalable. Because it is a cloud-based framework, any potential user can easily adopt ASCAA, and it has also been shown to perform well. So far the authors have analysed over 200 applications with an automated tool based on ASCAA and found that about one-eighth failed to pass some of the sample rules. The results show that ASCAA can identify risk factors in a fine-grained way, for example applications that are over-privileged, or that use dangerous APIs which require no permission declaration.
- Published
- 2017
- Full Text
- View/download PDF
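The API-level check the ASCAA abstract describes (declared manifest permissions compared against the permissions the invoked APIs actually need) can be sketched in a few dozen lines. What follows is an added example written for this page, not code from the ASCAA paper or its tool: it parses a constructed AndroidManifest.xml and a constructed set of smali `invoke-*` lines (the form a decompiler such as apktool/baksmali emits), applies a small hand-written API-to-permission rule set plus a list of permission-free but dangerous APIs (both are assumptions standing in for the paper's ASCAA Security Language rules), and reports undeclared-but-required permissions, over-privilege, and dangerous-API use.

```python
"""API-level permission audit in the spirit of ASCAA (added example, not the paper's code)."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed rule set (a hand-picked subset of the Android API -> permission mapping, not
# the paper's rules): each API needs at least one of the listed permissions declared.
API_PERMISSION_RULES = {
    "android.telephony.TelephonyManager.getDeviceId": {"android.permission.READ_PHONE_STATE"},
    "android.location.LocationManager.getLastKnownLocation": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
    "android.hardware.Camera.open": {"android.permission.CAMERA"},
    "android.media.MediaRecorder.setAudioSource": {"android.permission.RECORD_AUDIO"},
    "android.net.ConnectivityManager.getActiveNetworkInfo": {"android.permission.ACCESS_NETWORK_STATE"},
}

# Assumed list of APIs that need no permission but are risky (shell execution, dynamic
# code loading): the "dangerous APIs requiring no permission" case in the abstract.
DANGEROUS_NO_PERMISSION = {
    "java.lang.Runtime.exec",
    "dalvik.system.DexClassLoader.<init>",
    "android.webkit.WebSettings.setJavaScriptEnabled",
}

# Matches smali call sites such as
#   invoke-virtual {v0}, Landroid/hardware/Camera;->open()Landroid/hardware/Camera;
_INVOKE_RE = re.compile(r"invoke-\w+(?:/range)?\s+\{[^}]*\},\s*L([\w/$]+);->([\w<>$]+)\(")


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def invoked_apis(smali):
    """Return fully qualified 'pkg.Class.method' names for every invoke-* in the smali text."""
    return {
        m.group(1).replace("/", ".") + "." + m.group(2)
        for m in _INVOKE_RE.finditer(smali)
    }


def certify(manifest_xml, smali):
    """Check manifest permissions against the APIs the decompiled code really calls."""
    declared = declared_permissions(manifest_xml)
    apis = invoked_apis(smali)
    missing = {}      # API -> permissions of which none is declared
    needed = set()    # declared permissions justified by at least one call site
    for api in sorted(apis):
        alternatives = API_PERMISSION_RULES.get(api)
        if alternatives is None:
            continue  # no rule for this API; a real deployment has a much larger table
        granted = alternatives & declared
        if granted:
            needed |= granted
        else:
            missing[api] = sorted(alternatives)
    # Only judge over-privilege for permissions the rule set knows about, so an
    # incomplete rule table produces no false over-privilege findings.
    known = set().union(*API_PERMISSION_RULES.values())
    over_privileged = (declared & known) - needed
    dangerous = apis & DANGEROUS_NO_PERMISSION
    return {
        "declared": sorted(declared),
        "invoked": sorted(apis),
        "missing_permissions": missing,
        "over_privileged": sorted(over_privileged),
        "dangerous_apis": sorted(dangerous),
        # Over-privilege is a warning; missing permissions and dangerous APIs fail the rules.
        "passed": not missing and not dangerous,
    }


# Constructed sample input: a manifest that declares CAMERA and ACCESS_NETWORK_STATE
# without using them, and code that reads location without any location permission.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>
"""

SAMPLE_SMALI = """
    invoke-virtual {v1}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    invoke-virtual {v2, v3}, Landroid/location/LocationManager;->getLastKnownLocation(Ljava/lang/String;)Landroid/location/Location;
    invoke-static {}, Ljava/lang/Runtime;->getRuntime()Ljava/lang/Runtime;
    invoke-virtual {v0, v4}, Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;
    invoke-direct/range {v5 .. v9}, Ldalvik/system/DexClassLoader;-><init>(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V
"""

if __name__ == "__main__":
    for key, value in certify(SAMPLE_MANIFEST, SAMPLE_SMALI).items():
        print(f"{key}: {value}")
```

On the constructed sample the report flags `getLastKnownLocation` as lacking any location permission, CAMERA and ACCESS_NETWORK_STATE as over-privilege, and `Runtime.exec` plus `DexClassLoader.<init>` as dangerous permission-free APIs, so the app fails. The check is purely syntactic: it matches call sites without reachability analysis and cannot see calls made through reflection, and a production tool would use a complete API-to-permission mapping (PScout or Axplorer style) rather than the five-entry table assumed here.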
3. Information Security Management System
- Author
- Azrilah Abdul Aziz, Manar Al-Sarti, and Sahar Al-Dhahri
- Subjects
Knowledge management, Computer science, business.industry, Standard of Good Practice, 05 social sciences, 020206 networking & telecommunications, Certified Information Systems Security Professional, 02 engineering and technology, Information security, Management information systems, 0502 economics and business, 0202 electrical engineering, electronic engineering, information engineering, Information system, business, 050203 business & management, Information security management system
- Published
- 2017
- Full Text
- View/download PDF
4. International Standardization and Information Security
- Author
- N. Borisov
- Subjects
Standardization, Certified Information Security Manager, Information security management, Information security standards, Standard of Good Practice, Certified Information Systems Security Professional, Information security, Business, Computer security, computer.software_genre, computer, Information security management system
- Published
- 2017
- Full Text
- View/download PDF
5. Aspects regarding the implementation of information security standards in organizations
- Author
- Mihai Bârsan
- Subjects
Process management, databases, Certified Information Security Manager, information security, Standard of Good Practice, Certified Information Systems Security Professional, General Medicine, Information security, Security policy, Security information and event management, lcsh:Z, lcsh:Bibliography. Library science. Information resources, ISO 27001, security policy, Information security management, Risk analysis (engineering), Information security standards, Business
- Abstract
Information security is one of the major challenges of the information and knowledge based society. The preoccupation of organizations to ensure the security of information in the digital environment has led to the emergence of specific standards in the field. Thus, ISO 27000 brings together reference standards in the field. Starting from ISO 27001, which summarizes policies and procedures on physical, legal and technological security risks, this paper looks at the steps the organization must undertake to implement the standards.
- Published
- 2017
- Full Text
- View/download PDF
6. Standardization in Information Technology Security
- Author
- O. M. Fal
- Subjects
021103 operations research, General Computer Science, Certified Information Security Manager, Computer science, 0211 other engineering and technologies, Certified Information Systems Security Professional, 0102 computer and information sciences, 02 engineering and technology, Information security, Computer security, computer.software_genre, 01 natural sciences, ITIL security management, Information security management, Security service, 010201 computation theory & mathematics, Information security standards, computer, Information security management system
- Abstract
The author surveys the international standards developed by ISO/IEC JTC 1/SC 27 "IT Security techniques", the security subcommittee of the ISO/IEC Joint Technical Committee on information technology. The standards cover cryptographic mechanisms, evaluation and testing of products and information systems, countermeasures, and security services. Both published standards and those still under development are considered.
- Published
- 2017
- Full Text
- View/download PDF
7. System-Agnostic Security Domains for Understanding and Prioritizing Systems Security Engineering Efforts
- Author
- John M. Pecarina, Stephen Khou, and Logan O. Mailloux
- Subjects
General Computer Science, Computer science, Standard of Good Practice, 0211 other engineering and technologies, Certified Information Systems Security Professional, 02 engineering and technology, Computer security, computer.software_genre, 01 natural sciences, Security information and event management, Security engineering, Information security management, 0103 physical sciences, General Materials Science, 010301 acoustics, security engineering, Information security management system, systems engineering, Control system security, 021103 operations research, Cloud computing security, business.industry, systems security engineering, General Engineering, Information technology, Information security, Computer security model, Engineering management, ITIL security management, Security service, Information security standards, Software security assurance, Security domains, Security through obscurity, lcsh:Electrical engineering. Electronics. Nuclear engineering, business, lcsh:TK1-9971, computer
- Abstract
As modern systems continue to increase in size and complexity, current systems security practices lack an effective approach to prioritize and tailor systems security efforts to successfully develop and field systems in challenging operational environments. This paper uniquely proposes seven system-agnostic security domains, which assist in understanding and prioritizing systems security engineering (SSE) efforts. To familiarize the reader with the state-of-the-art in SSE practices, we first provide a comprehensive discussion of foundational SSE concepts, methodologies, and frameworks. Next, the seven system-agnostic security domains are presented for consideration by researchers and practitioners. The domains are intended to be representative of a holistic SSE approach, which is universally applicable to multiple systems classes and not just a single-system implementation. Finally, three examples are explored to illustrate the utility of the system-agnostic domains for understanding and prioritizing SSE efforts in information technology systems, Department of Defense weapon systems, and cyber-physical systems.
- Published
- 2017
- Full Text
- View/download PDF
8. The Security Development Lifecycle in the Context of Accreditation Policies and Standards
- Author
- Ezhil Kalaimannan and Jatinder N. D. Gupta
- Subjects
Process management, Computer Networks and Communications, Computer science, Standard of Good Practice, Certified Information Systems Security Professional, Computer security, computer.software_genre, Security information and event management, Software development process, Information security management, Security management, Electrical and Electronic Engineering, Accreditation, Cloud computing security, Certified Information Security Manager, business.industry, Public sector, Software development, Information security, Computer security model, Information assurance, ITIL security management, Security service, Information security standards, Software security assurance, Security through obscurity, Security convergence, Network security policy, business, Law, computer
- Abstract
The proposed security development lifecycle (SecDLC) model delivers a perpetual cycle of information security management and refinement. Using real-world examples, the authors show how SecDLC ensures the goals of preserving, monitoring, and improving security practices, policies, and standards in private and public sectors. The authors describe the four phases of SecDLC, comparing and contrasting them to existing security development models.
- Published
- 2017
- Full Text
- View/download PDF
9. 2020 Security Review: A Year That Shook IT
- Author
- Patrick O'Connor
- Subjects
2019-20 coronavirus outbreak, Coronavirus disease 2019 (COVID-19), Severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2), Face (sociological concept), Certified Information Systems Security Professional, Computer security, computer.software_genre, Computer Science Applications, Theoretical Computer Science, Hardware and Architecture, Political science, Security, AcademicSubjects/SCI01640, computer, Software
- Abstract
Reviewing the IT security incidents of 2020, Patrick O'Connor MBCS CISSP CEH finds that, while society may have slowed to a crawl in the face of Covid-19, the cyber security world is more active than ever.
- Published
- 2020
10. It Is All about Control
- Author
- Chris Hare
- Subjects
Body of knowledge, Certified Information Systems Auditor, Critical security studies, Information security audit, ComputingMilieux_THECOMPUTINGPROFESSION, Certified Information Security Manager, business.industry, Certified Information Systems Security Professional, Security management, Audit, Public relations, business
- Abstract
The security professional and the auditor come together around one topic: control. The two may not agree on the methods used to establish control, but their concerns are related. The security professional is there to evaluate the situation, identify the risks and exposures, recommend solutions, and implement corrective actions to reduce the risk. The auditor also evaluates risk, but the auditor's primary role is to evaluate the controls the security professional has implemented. This often puts the two at odds, but it need not. This chapter discusses controls in the context of the Common Body of Knowledge of the Certified Information Systems Security Professional (CISSP), but it also introduces the language and definitions used by the audit profession, which eases some of the conceptual misunderstandings and terminology differences between the security and audit professions. Because both professions are concerned with control, albeit from different perspectives, the security and audit communities should interact closely and cooperate extensively. Before discussing controls, some parameters must be defined. Audit does not mean security. Think of it this way: the security professional does not often think in control terms; rather, the security professional is focused on what measures or controls should be put into operation to protect the organization from a variety of threats. The goal of the auditor is not to secure the organization but to evaluate the controls to ensure that risk is managed to the satisfaction of management. Two perspectives on the same thing: control.
- Published
- 2019
- Full Text
- View/download PDF
11. Message from IEEE TrustCom 2019 General Chairs
- Author
- Ryan K. L. Ko, Liqun Chen, and Liming Zhu
- Subjects
Computer science, Emerging technologies, Analytics, business.industry, Library science, Certified Information Systems Security Professional, Review process, Trusted Computing, Computer society, Destinations, Adventure, business, GeneralLiterature_MISCELLANEOUS
- Abstract
As the General Chairs, and on behalf of the Organizing Committee of the 18th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom-2019), we extend our warmest welcome to all participants attending the conference and its associated workshops and symposia in Rotorua, New Zealand, 5-8 August 2019. Rotorua is world-renowned for its geysers, bubbling mud pools, natural hot springs, adventure sports, and its showcase of Māori culture. It is also located near other picturesque destinations such as Lake Taupo, Tongariro National Park and the ski fields at Mount Ruapehu. We are pleased that the TrustCom conference is held in Rotorua this year. A top-ranked conference, IEEE TrustCom has become a premier international conference in the trust, security and privacy areas, bringing together researchers and practitioners working on trusted computing and communications to present and discuss emerging ideas and trends in this highly challenging research field. IEEE TrustCom 2019 attracted many high-quality research papers highlighting foundational work that strives to push beyond the limits of existing and emerging technologies, including experimental efforts, innovative systems, and investigations that identify weaknesses in existing trust, security and privacy services. TrustCom-2019 is sponsored by IEEE, the IEEE Computer Society, the IEEE Technical Committee on Scalable Computing (TCSC), STRATUS, and the University of Waikato. TrustCom-2019 consists of the main conference, the IEEE BigDataSE conference, an (ISC)² CISSP training workshop, and four international workshops/symposia. We are privileged to have Prof. Corey Schou (Idaho State University, USA), Dr Silvio Cesare (Infosect, Australia), Dr Daisuke Inoue (NICT, Japan), Dr Jonathan Oliver (Trend Micro, Australia), and Assoc. Prof. Joseph Liu (Monash University, Australia) deliver this conference's keynote speeches.
Many individuals have contributed to the success of this high-calibre international conference. We would like to express our special appreciation to Prof. Guojun Wang and Prof. Laurence T. Yang, the Steering Committee Chairs, for giving us the opportunity to hold this prestigious conference and for their guidance on its organization. Special thanks to the Program Chairs, Dr Surya Nepal, Prof. Willy Susilo, Dr Chandramouli Ramaswamy, and Prof. Yang Xiang, for their outstanding work on the technical program. We would also like to thank all Track Chairs for assisting the Program Chairs with the large number of submissions and ensuring a high-quality and fair review process. Thanks also to the Workshop Chair, Dr Panos Patros, and the Journal Special Issue Chairs, Prof. Ruili Wang and Dr Yulei Wu, for attracting high-quality special issues for the top-ranked papers of this conference. We thank all members of the Organizing Committee and Program Committee for their efforts and support, and we truly appreciate the efforts of all authors who submitted their papers to the TrustCom-2019 conference and its workshops/symposia. We hope all participants find the conference stimulating and constructive and enjoy their stay in Rotorua.
- Published
- 2019
- Full Text
- View/download PDF
12. CISSP: Certified Information Systems Security Professional
- Author
- John Warsinkse
- Subjects
Certified Information Systems Security Professional, Business, Computer security, computer.software_genre, computer
- Published
- 2019
- Full Text
- View/download PDF
13. Cybersecurity Certification: Certified Information Systems Security Professional (CISSP)
- Author
- Hubert D’Cruze and Ping Wang
- Subjects
Training curriculum, Engineering, ComputingMilieux_THECOMPUTINGPROFESSION, business.industry, ComputingMilieux_LEGALASPECTSOFCOMPUTING, Certified Information Systems Security Professional, Certification, Computer security, computer.software_genre, Cyber Space, Work (electrical), Workforce, business, Curriculum, computer
- Abstract
There is a large and fast-growing demand for cybersecurity professionals who are well prepared and qualified to perform the challenging work of defending cyberspace. This paper explores and discusses the significant value and benchmark role of the Certified Information Systems Security Professional (CISSP) certification in competency development for the cybersecurity workforce by analyzing the CISSP certification requirements and objectives and mapping them to the US cybersecurity industry model of competencies and the US National Cybersecurity Workforce Framework (NCWF). The paper also discusses the value and implications of the CISSP certification for cybersecurity education and training curricula.
- Published
- 2019
- Full Text
- View/download PDF
14. An Information Security Model for Implementing the New ISO 27001
- Author
- Margareth Stoll
- Subjects
ITIL security management, Security service, Standard of Good Practice, Certified Information Systems Security Professional, Business, Information security, Computer security, computer.software_genre, computer, Information security management system
- Abstract
The importance of data privacy, information availability, and integrity is increasingly recognized. Sharpened legal requirements and increasing data leakages have further promoted data privacy. In order to implement the different requirements in an effective, efficient, and sustainable way, the author integrates different governance frameworks into a holistic information security and data privacy model. More than 1.5 million organizations worldwide are implementing a standards-based management system. To promote the integration of different standards, the International Organization for Standardization (ISO) released a common high-level structure for its management system standards, and ISO/IEC 27001 for information security management was revised accordingly in October 2013. The holistic model fulfills all requirements of the new version. Its implementation in several organizations and the study's results are described. In this way data privacy and security become part of all strategic, tactical, and operational business processes and promote corporate governance, living security, and the fulfillment of all standard requirements.
- Published
- 2019
- Full Text
- View/download PDF
15. Implementing Practical Risk Control Using U.S. Government Standards
- Author
- Dan Shoemaker
- Subjects
Certified Information Security Manager, Computer Networks and Communications, business.industry, Standard of Good Practice, NIST Special Publication 800-53, ComputingMilieux_LEGALASPECTSOFCOMPUTING, Accounting, Certified Information Systems Security Professional, Information security, Computer security, computer.software_genre, Federal Information Security Management Act of 2002, Information security management, Information security standards, business, Safety Research, computer, Software
- Abstract
This article presents the standards basis for implementing the information security control structures recommended by the U.S. Federal Government for compliance with the Federal Information Security Management Act of 2002 (FISMA). The process recommendations contained here create a detailed baseline of practical controls for any information security application in both government and industry.
- Published
- 2016
- Full Text
- View/download PDF
16. Research Trends in Economic Effects of Information Security Certification: Focused on the ISMS (Information Security Management System)
- Author
- Hyo-Jung Jun, Tae-Sung Kim, Hee-Kyung Kong, Min-Seong Kang, and Song-Ha Lee
- Subjects
030506 rehabilitation, Certified Information Security Manager, Computer science, Standard of Good Practice, Certified Information Systems Security Professional, 02 engineering and technology, Information security, Certification, Computer security, computer.software_genre, Security information and event management, 03 medical and health sciences, Information security management, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, 0305 other medical science, computer, Information security management system
- Published
- 2016
- Full Text
- View/download PDF
17. A Maturity Level Framework for Measurement of Information Security Performance
- Author
- Imam Riadi, Yudi Prayudi, and Rosmiati
- Subjects
Knowledge management, ITIL security management, Information security management, Certified Information Security Manager, Information security standards, business.industry, Computer science, Standard of Good Practice, Information technology, Certified Information Systems Security Professional, Information security, business, Information security management system
- Abstract
Information is one of the most important assets of a company. As information technology develops rapidly, the likelihood of information security incidents keeps increasing. This research was conducted to find out the level of information security in an organization and to give recommendations for improving information security management at the company. The research uses ISO 27001, covering every clause in the ISO 27001 checklist. The data sources were a detailed questionnaire and interviews. The respondents were all 14 employees of the Office of the Bureau of Information Technology. The results show that the maturity level of information security in the Office of the Bureau of Information Technology is at level 2; the gap between the current maturity level and the expected maturity level is 2.79. Implementing the recommended improvements requires an understanding of the company and coordination with its internal departments.
- Published
- 2016
- Full Text
- View/download PDF
18. Improvement of the Certification Model for Enhancing Information Security Management Efficiency for the Financial Sector
- Author
- Tae-Hee Cho, Tae-Sung Kim, and Eun Oh
- Subjects
Certified Information Security Manager, Computer science, 05 social sciences, 050109 social psychology, Certified Information Systems Security Professional, 04 agricultural and veterinary sciences, Certification, Environmental economics, Computer security, computer.software_genre, Security information and event management, Information security management, Security service, 040103 agronomy & agriculture, 0401 agriculture, forestry, and fisheries, 0501 psychology and cognitive sciences, Security management, computer, Information security management system
- Published
- 2016
- Full Text
- View/download PDF
19. A Study on Quantitative Method of Certificate for Information Security Education Course in the Private Sector
- Author
- Sung-woo Cho, Dong-young Yoo, and Joo-hee Kim
- Subjects
Information security audit, Certified Information Security Manager, Information security management, Computer science, Security management, Certified Information Systems Security Professional, Information security, Self-signed certificate, Certificate, Computer security, computer.software_genre, computer
- Published
- 2016
- Full Text
- View/download PDF
20. Rethinking the Role of Security in Undergraduate Education
- Author
- Sarah Zatko
- Subjects
Critical security studies, Computer Networks and Communications, Computer science, Undergraduate education, Certified Information Systems Security Professional, Information security, Data breach, Science education, ComputingMilieux_COMPUTERSANDEDUCATION, Engineering ethics, Electrical and Electronic Engineering, Law, Curriculum, Accreditation
- Abstract
Security tends to be an afterthought in undergraduate computer science education. Given the increasing prevalence of data breaches, applied security content should be integrated throughout the curriculum. Such integration can be achieved through subtle but consistent changes to existing courses.
- Published
- 2016
- Full Text
- View/download PDF
21. Four Software Security Findings
- Author
- Gary McGraw
- Subjects
General Computer Science, Computer science, Standard of Good Practice, 0211 other engineering and technologies, ComputingMilieux_LEGALASPECTSOFCOMPUTING, Certified Information Systems Security Professional, 02 engineering and technology, Computer security, computer.software_genre, Asset (computer security), Security information and event management, Information security audit, Software, 0202 electrical engineering, electronic engineering, information engineering, Security management, 021110 strategic, defence & security studies, Cloud computing security, Certified Information Security Manager, business.industry, 020206 networking & telecommunications, Information security, Computer security model, Capability Maturity Model, Security service, Software security assurance, Security through obscurity, Security convergence, Network security policy, business, computer
- Abstract
Analyzing data from 78 firms using the Building Security In Maturity Model (BSIMM) revealed four truths about software security that will help firms protect and secure their assets.
- Published
- 2016
- Full Text
- View/download PDF
22. CISSP, Eighth Edition
- Author
- James Michael Stewart, Darril Gibson, and Mike Chapple
- Subjects
Engineering management, Study guide, Certified Information Systems Security Professional, Business
- Published
- 2018
- Full Text
- View/download PDF
23. International Security in the Asia-Pacific
- Author
- Alan Chong
- Subjects
Cloud computing security, Certified Information Security Manager, Security convergence, International security, Network security policy, Certified Information Systems Security Professional, Information security, Business, Computer security, computer.software_genre, computer, Corporate security
- Published
- 2018
- Full Text
- View/download PDF
24. Study on the Connection with Public Authentication and Bio Authentication
- Author
- Gab-Sang Ryu
- Subjects
World Wide Web, Computer science, Certified Information Systems Security Professional, Computer security, computer.software_genre, computer, Authentication (law), Connection (mathematics)
- Published
- 2015
- Full Text
- View/download PDF
25. Analysis of Standard Security Technology for Security of the Network
- Author
- Bong-Han Kim
- Subjects
Engineering, Cloud computing security, business.industry, Standard of Good Practice, Certified Information Systems Security Professional, Information security, Computer security, computer.software_genre, ITIL security management, Security service, Software security assurance, business, computer, Information security management system
- Abstract
Security solutions that can provide a variety of security services are urgently needed, and analysis of international standard security technology is key to developing them. This paper analyzes the standardization work of international organizations (ISO/IEC JTC 1/SC 27, ITU-T SG-17, the IETF Security Area, etc.) and current trends in standard security technology. The core of the latest security technology (Application Bridging, DNS-based Authentication, HTTP Authentication, IP Security, JavaScript Security, Authentication Technology Next Generation, Managed Incident, Web Authorization Protocol, Security Automation, Transport Layer Security, etc.) is analyzed with a focus on 18 working groups of the IETF.
- Published
- 2015
- Full Text
- View/download PDF
26. Security Information and Risk Management Assessment
- Author
- Nicolae Anton and Anișor Nedelcu
- Subjects
IT risk management, Engineering, ITIL security management, Risk analysis (engineering), business.industry, Standard of Good Practice, Certified Information Systems Security Professional, General Medicine, Information security, business, Risk management, Information security management system, ISO/IEC 27002
- Abstract
This work approaches the assessment of security and information risks in order to find the optimal values of the risks by applying and comparing different methods for measuring and assessing security risks. By describing the structural characteristics of the standards and methods implemented in an information security management system (ISMS), the paper underlines the necessity, means and effectiveness of information security modeling. The conclusions highlight the importance of standards and methods for risk management assessment.
- Published
- 2015
- Full Text
- View/download PDF
27. The principles of classified Information Security Management System organisation within the realisation of European Defence Agency research projects (personnel and facility security aspects)
- Author
- Karol Listewnik and Tomasz Sobczyński
- Subjects
Engineering management, Certified Information Security Manager, Realisation, Agency (sociology), Security management, Certified Information Systems Security Professional, Business, Computer security, computer.software_genre, computer, Classified information
- Published
- 2015
- Full Text
- View/download PDF
28. Security experts’ capability design for future internet of things platform
- Author
- Onechul Na, Minkyung Kang, and Hangbae Chang
- Subjects
Knowledge management, Computer science, Standard of Good Practice, 050109 social psychology, Certified Information Systems Security Professional, 02 engineering and technology, Security information and event management, Security culture, Theoretical Computer Science, Security engineering, Information security audit, 0202 electrical engineering, electronic engineering, information engineering, 0501 psychology and cognitive sciences, Security management, 020203 distributed computing, Cloud computing security, ComputingMilieux_THECOMPUTINGPROFESSION, Certified Information Security Manager, business.industry, 05 social sciences, Information security, Security service, Hardware and Architecture, Security through obscurity, business, Software, Information Systems
- Abstract
Security-related incidents have occurred frequently in the last few years despite the focus on training security personnel with technical capabilities. Although a technical security system is important, what is also urgently needed is to cultivate integrative and managerial security personnel. Adept management can not only prevent information and technology leakage caused by an organization's own employees but also establish a security culture. However, in-depth studies on the competency system of personnel suited to the security field are currently lacking. Accordingly, this paper defines security personnel and various security occupation-specific competencies. In addition, 36 security occupations are classified according to the US NICE classification system; each occupation is evaluated for its suitability to be labeled a security job, and core competencies are described for each. Specifically, nine security job competencies and three general job competencies are described as core competencies, and the paper also describes how the required core competencies vary by occupational cluster.
- Published
- 2015
- Full Text
- View/download PDF
29. A Concise Model to Evaluate Security of SCADA Systems based on Security Standards
- Author
-
Nasser Aghajanzadeh and Alireza Keshavarz-Haddad
- Subjects
Control system security ,Cyber security standards ,SCADA ,Computer science ,Economic security ,Production (economics) ,ComputerApplications_COMPUTERSINOTHERSYSTEMS ,Certified Information Systems Security Professional ,Electric power ,Information security ,Computer security ,computer.software_genre ,computer - Abstract
SCADA systems are essential for critical infrastructures such as electric power, oil, and gas production and distribution systems. Hence, incapacitation or destruction of SCADAs would have a debilitating impact on the defence or economic security of organizations and states. In this paper, we study fifteen SCADA cyber security standards and also assess the security of ten widely used SCADA systems. Our investigation leads to a comprehensive categorized list of security solutions for SCADAs. This list is used to evaluate and compare the security of the SCADA systems; it will also be used as a model to improve the security of new SCADA systems.
- Published
- 2015
- Full Text
- View/download PDF
30. Cryptography Basics: Becoming a CISSP
- Author
-
Alexey Markov and Valentin Tsirlov
- Subjects
Computer science ,business.industry ,Certified Information Systems Security Professional ,Cryptography ,Computer security ,computer.software_genre ,business ,computer - Published
- 2015
- Full Text
- View/download PDF
31. Information Security Access: Becoming a CISSP
- Author
-
Alexey Markov and Valentin Tsirlov
- Subjects
Computer science ,Certified Information Systems Security Professional ,Information security ,Computer security ,computer.software_genre ,computer - Published
- 2015
- Full Text
- View/download PDF
32. NIST Bases Flagship Security Engineering Publication on ISO/IEC/IEEE 15288:2015
- Author
-
Kenneth M. Zemrowski
- Subjects
Security engineering ,Engineering management ,General Computer Science ,business.industry ,Computer science ,NIST Special Publication 800-53 ,NIST ,Certified Information Systems Security Professional ,Software engineering ,business - Abstract
Systems engineers have worked with NIST in their efforts to produce a standards-based approach for interaction of the systems engineering and security engineering disciplines.
- Published
- 2016
- Full Text
- View/download PDF
33. Formal Specification of Security Guidelines for Program Certification
- Author
-
Yves Roudier, Rabea Ameur-Boulifa, Zeineb Zhioua, SAP Labs France, Laboratoire d'Informatique, Signaux, et Systèmes de Sophia Antipolis (I3S), Université Nice Sophia Antipolis (... - 2019) (UNS), COMUE Université Côte d'Azur (2015-2019) (COMUE UCA)-COMUE Université Côte d'Azur (2015-2019) (COMUE UCA)-Centre National de la Recherche Scientifique (CNRS)-Université Côte d'Azur (UCA), and Télécom ParisTech
- Subjects
Model checking ,Certified Information Security Manager ,Computer science ,business.industry ,Certified Information Systems Security Professional ,02 engineering and technology ,Certification ,[INFO.INFO-SE]Computer Science [cs]/Software Engineering [cs.SE] ,Computer security ,computer.software_genre ,Secure by design ,Global Information Assurance Certification ,[INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR] ,020204 information systems ,Formal specification ,0202 electrical engineering, electronic engineering, information engineering ,020201 artificial intelligence & image processing ,[INFO]Computer Science [cs] ,Information flow (information theory) ,Software engineering ,business ,computer ,ComputingMilieux_MISCELLANEOUS - Abstract
Secure software can be obtained out of two distinct processes: security by design, and security by certification. The former approach has been quite extensively formalized as it builds upon models, which are verified to ensure security properties are attained and from which software is then derived manually or automatically. In contrast, the latter approach has always been quite informal in both specifying security best practices and verifying that the code produced conforms to them. In this paper, we focus on the latter approach and describe how security guidelines might be captured by security experts and verified formally by developers. Our technique relies on abstracting actions in a program based on modularity, and on combining model checking together with information flow analysis. Our goal is to formalize the existing body of knowledge in security best practices using formulas in the MCL language and to conduct formal verifications of the conformance of programs with such security guidelines. We also discuss our first results in creating a methodology for the formalization of security guidelines.
- Published
- 2017
34. Security compliance of test systems — A practical approach
- Author
-
Robert Mixer
- Subjects
Engineering ,business.industry ,Information technology ,Security compliance ,Certified Information Systems Security Professional ,Computer security ,computer.software_genre ,Test (assessment) ,Security service ,Risk analysis (engineering) ,Information system ,NIST ,business ,computer - Abstract
Increased interest in security has resulted in greater demand for automated test systems to comply with security standards. Automated test systems have traditionally been operated in isolated environments because of their unique characteristics. However, changes in United States defense acquisition regulations require that defense contractors bring these test systems into compliance with National Institute of Standards and Technology Special Publication 800-171, a standard that makes no distinction between general-purpose information technology (IT) systems and special-purpose test systems. Applying modern IT security technologies to satisfy the standard's requirements is not so easy because the technologies have been designed with assumptions that are often not true of test systems. We propose that a useful strategy for compliance to this standard must address actual risks, be practical, use multi-dimensional solutions, and improve over time given test systems' unique characteristics.
- Published
- 2017
- Full Text
- View/download PDF
35. Information security evaluation using KAMI index for security improvement in BMKG
- Author
-
H Suprapto, Deki Satria, R Wirawan, Dana Indra Sensuse, Normandia Y, and M Syarif
- Subjects
Engineering management ,ITIL security management ,Information security management ,Certified Information Security Manager ,Information security standards ,Standard of Good Practice ,Political science ,Certified Information Systems Security Professional ,Information security ,Computer security ,computer.software_genre ,computer ,Information security management system - Abstract
Information is a valuable asset for government institutions, especially when the organization holds highly important information, such as weather and natural disaster data. The need for information safeguards becomes a pressing issue for such an organization. One standard that can be used to measure the maturity level of information security in an organization is the KAMI index developed by the Ministry of Informatics and Communications, which refers to the ISO/IEC 27001 standard. This assessment is used to see how far the maturity level of information security has progressed in the Meteorology, Climatology and Geophysics Agency (BMKG); its results can be used as a basis for evaluation in order to improve the information security of the organization in the future.
- Published
- 2017
- Full Text
- View/download PDF
36. Towards an Integrated Model for Safety and Security Requirements of Cyber-Physical Systems
- Author
-
Clemens Sauerwein, Ruth Breu, Michael Huber, and Michael Brunner
- Subjects
Engineering ,Context model ,021103 operations research ,business.industry ,0211 other engineering and technologies ,Cyber-physical system ,020207 software engineering ,Certified Information Systems Security Professional ,02 engineering and technology ,Certification ,Computer security model ,Interconnectedness ,Security service ,Risk analysis (engineering) ,Software security assurance ,0202 electrical engineering, electronic engineering, information engineering ,Systems engineering ,business - Abstract
Increasing interest in cyber-physical systems with integrated computational and physical capabilities that can interact with humans can be identified in research and practice. Since these systems can be classified as safety- and security-critical systems, the need for safety and security assurance and certification will grow. Moreover, these systems are typically characterized by fragmentation, interconnectedness, heterogeneity, short release cycles, a cross-organizational nature, and high interference between safety and security requirements. These properties, combined with the assurance of compliance to multiple standards, carrying out certification and re-certification, and the lack of an approach to model, document and integrate safety and security requirements, represent a major challenge. In order to address this gap we developed a domain-agnostic approach to model security and safety requirements in an integrated view to support certification processes during the design and run-time phases of cyber-physical systems.
- Published
- 2017
- Full Text
- View/download PDF
37. Cloud Standards in Comparison: Are New Security Frameworks Improving Cloud Security?
- Author
-
Roy H. Campbell, Carlo Di Giulio, Charles A. Kamhoua, Read Sprabery, Kevin Kwiat, and Masooda Bashir
- Subjects
021110 strategic, defence & security studies ,Government ,Cloud computing security ,Computer science ,business.industry ,Standard of Good Practice ,0211 other engineering and technologies ,Vulnerability ,Information technology ,Certified Information Systems Security Professional ,Cloud computing ,02 engineering and technology ,Certification ,Information security ,Computer security ,computer.software_genre ,Information assurance ,ITIL security management ,Risk analysis (engineering) ,Information security standards ,020204 information systems ,0202 electrical engineering, electronic engineering, information engineering ,business ,computer ,Information security management system - Abstract
The increasing relevance of information assurance in cloud computing has forced governments and stakeholders to turn their attention to Information Technology (IT) security certifications and standards. The introduction of new frameworks such as FedRAMP in the US and C5 in Germany aims to raise the level of protection against threats and vulnerabilities unique to cloud computing. However, our in-depth and systematic analyses reveal that these new standards do not bring a radical change in the realm of certifications. Results also show that the newly developed standards share much of their basis with older, more consolidated standards such as ISO/IEC 27001, hence the need to determine their added value. In this study, we provide an overview of ISO/IEC 27001, C5, and FedRAMP while examining their completeness and adequacy in addressing current threats to cloud assurance. We question the level of protection they offer by comparing these three certifications alongside each other. We identify weaknesses in the three frameworks and highlight necessary improvements to meet the security requirements indispensable in relation to the current threat landscape.
- Published
- 2017
- Full Text
- View/download PDF
38. Software Certification in Practice: How Are Standards Being Applied?
- Author
-
Gabriel Ferreira
- Subjects
ComputingMilieux_THECOMPUTINGPROFESSION ,Computer science ,business.industry ,05 social sciences ,020207 software engineering ,Certified Information Systems Security Professional ,02 engineering and technology ,Certification ,050905 science studies ,Software ,Common Criteria ,0202 electrical engineering, electronic engineering, information engineering ,Software certification ,Software system ,0509 other social sciences ,Software engineering ,business ,Reusability - Abstract
Certification schemes exist to regulate software systems and prevent them from being deployed before they are judged fit to use. However, practitioners are often unsatisfied with the efficiency of certification standards and processes. In this study, we analyzed two certification standards, Common Criteria and DO-178C, and collected insights from the literature and from interviews with subject-matter experts to identify concepts affecting the efficiency of certification processes. Our results show that evaluation time, reusability of evaluation artifacts, and composition of systems and certified artifacts are barriers to achieving efficient certification.
- Published
- 2017
- Full Text
- View/download PDF
39. IT Security and Privacy Standards in Comparison: Improving FedRAMP Authorization for Cloud Service Providers
- Author
-
Read Sprabery, Charles A. Kamhoua, Carlo Di Giulio, Kevin Kwiat, Roy H. Campbell, and Masooda Bashir
- Subjects
021110 strategic, defence & security studies ,Cloud computing security ,Computer science ,Standard of Good Practice ,0211 other engineering and technologies ,Certified Information Systems Security Professional ,02 engineering and technology ,Information security ,Information assurance ,Computer security ,computer.software_genre ,Security service ,Information security standards ,020204 information systems ,0202 electrical engineering, electronic engineering, information engineering ,computer ,Information security management system - Abstract
To demonstrate compliance with privacy and security principles, information technology (IT) service providers often rely on security standards and certifications. However, the appearance of new service models such as cloud computing has brought new threats to information assurance, weakening the protection that existing standards can provide. In this study, we analyze four highly regarded IT security standards used to assess, improve, and demonstrate information systems assurance and cloud security. ISO/IEC 27001, SOC 2, C5, and FedRAMP are standards adopted worldwide and constantly updated and improved since the first release of ISO in 2005. We examine their adequacy in addressing current threats to cloud security, and provide an overview of the evolution over the years of their ability to cope with threats and vulnerabilities. By comparing the standards alongside each other, we investigate their complementarity, their redundancies, and the level of protection they offer to information stored in cloud systems. We unveil vulnerabilities left unaddressed in the four frameworks, thus questioning the necessity of multiple standards to assess cloud assurance. We suggest necessary improvements to meet the security requirements made indispensable by the current threat landscape.
- Published
- 2017
- Full Text
- View/download PDF
40. MTCS for Healthcare
- Author
-
Hing-Yan Lee and Yao-Sing Tao
- Subjects
Cloud computing security ,Certified Information Security Manager ,business.industry ,Computer science ,Standard of Good Practice ,Information technology ,Cloud computing ,Certified Information Systems Security Professional ,Certification ,Information security ,Security policy ,Computer security ,computer.software_genre ,Information security management ,Security service ,International security ,business ,computer - Abstract
We have developed a multi-tiered cloud security framework to address cloud users' need to match their security requirements with the security provisions of cloud service providers (CSPs). Since the launch of the Multi-Tiered Cloud Security Singapore standard (MTCS SS584) [1] in Oct 2013, the standard has been harmonized with several international security frameworks and standards [2], such as the Cloud Security Alliance's Open Certification Framework [3] and ISO/IEC 27001 [4], to enable cross-certification for greater adoption. This paper reports on research that studies the gaps in bridging MTCS and Singapore's Healthcare IT Security Policy (HITSecP), so that CSPs who have been certified to MTCS can know how well, and how best, they could meet the security requirements of IT systems for the healthcare industry in Singapore.
- Published
- 2017
- Full Text
- View/download PDF
41. Information Security Policy Projects
- Author
-
Douglas J. Landoll
- Subjects
Finance ,Cloud computing security ,Certified Information Security Manager ,business.industry ,Standard of Good Practice ,Certified Information Systems Security Professional ,Information security ,Computer security ,computer.software_genre ,Security information and event management ,Information security audit ,Security service ,Information security management ,Risk analysis (engineering) ,Information security standards ,Network security policy ,Business ,computer - Published
- 2017
- Full Text
- View/download PDF
42. Information Security Maturity Model for Nist Cyber Security Framework
- Author
-
Majeed Alsaleh and Sultan Almuhammadi
- Subjects
Security analysis ,business.industry ,Computer science ,010401 analytical chemistry ,Internet privacy ,020206 networking & telecommunications ,Certified Information Systems Security Professional ,02 engineering and technology ,Information security ,Computer security ,computer.software_genre ,01 natural sciences ,0104 chemical sciences ,Capability Maturity Model ,Security service ,0202 electrical engineering, electronic engineering, information engineering ,NIST ,business ,computer - Published
- 2017
- Full Text
- View/download PDF
43. Establishing an Identification Program for Employees, Business Partners, Customers, and Other Visitors
- Author
-
Michael Erbschloe
- Subjects
Cloud computing security ,Security service ,Certified Information Security Manager ,Software security assurance ,Security through obscurity ,Certified Information Systems Security Professional ,Business ,Asset (computer security) ,Computer security ,computer.software_genre ,Security information and event management ,computer - Published
- 2017
- Full Text
- View/download PDF
44. Standards and Security
- Author
-
Rick Krohn, Patricia Salber, and David Metcalf
- Subjects
Control system security ,Security analysis ,Security service ,Certified Information Security Manager ,Information security standards ,Standard of Good Practice ,Certified Information Systems Security Professional ,Business ,Information security ,Computer security ,computer.software_genre ,computer - Published
- 2017
- Full Text
- View/download PDF
45. A model-driven approach to information security compliance
- Author
-
M. Filomena Teodoro, Anacleto Correia, and António Pereira Gonçalves
- Subjects
business.industry ,Computer science ,Standard of Good Practice ,Certified Information Systems Security Professional ,Information security ,Computer security ,computer.software_genre ,ITIL security management ,Information security management ,Information security standards ,Common Management Information Service ,Software engineering ,business ,computer ,Information security management system - Abstract
The availability, integrity and confidentiality of information are fundamental to the long-term survival of any organization. Information security is a complex issue that must be approached holistically, combining the assets that support corporate systems in an extended network of business partners, vendors, customers and other stakeholders. This paper addresses the conception and implementation of information security systems conforming to the ISO/IEC 27000 set of standards, using the model-driven approach. The process begins with the conception of a domain-level model (computation independent model) based on the information security vocabulary present in the ISO/IEC 27001 standard. From this model, after embedding in it the mandatory rules for attaining ISO/IEC 27001 conformance, a platform independent model is derived. Finally, a platform specific model serves as the base for testing the compliance of information security systems with the ISO/IEC 27000 set of standards.
- Published
- 2017
- Full Text
- View/download PDF
46. Technical Security Systems
- Author
-
Edward P. Halibozek and Gerald L. Kovacich
- Subjects
Control system security ,Flowchart ,Information security audit ,law ,Computer science ,Certified Information Systems Security Professional ,Computer security ,computer.software_genre ,computer ,Security information and event management ,law.invention - Abstract
This chapter on technical security systems will discuss:
- Technical security systems flowcharts
- Technical security systems metrics
- Surveillance systems
- Technical security systems case study
- Published
- 2017
- Full Text
- View/download PDF
47. How Women Can Succeed in the Security Industry?
- Author
-
Inge S. Black
- Subjects
ComputingMilieux_GENERAL ,Engineering ,ComputingMilieux_THECOMPUTINGPROFESSION ,business.industry ,Field (Bourdieu) ,Professional development ,Security industry ,Certified Information Systems Security Professional ,Certification ,Public relations ,business ,Variety (cybernetics) - Abstract
Security is one of the fastest growing professional careers, and women are moving into the field rapidly as a wide variety of security positions attracts them. In this chapter, Inge Sebyan Black discusses ways for women to navigate this ever-changing and evolving career. Discussions cover leveraging mentors, displaying confidence, continued professional development on your own in addition to development offered by your current employer, and certifications.
- Published
- 2017
- Full Text
- View/download PDF
48. ISO/IEC Competence Requirements for Information Security Professionals
- Author
-
Natalia Miloslavskaya and Alexander Tolstoy
- Subjects
Information Technology Infrastructure Library ,Engineering ,Engineering management ,ITIL security management ,business.industry ,Standard of Good Practice ,Systems engineering ,Certified Information Systems Security Professional ,Information security ,business ,Competence (human resources) ,Information security management system - Abstract
In the modern interconnected world, requirements for the competencies of information security (IS) professionals are needed as never before. The peculiarities of the European approach to the development of IS professional competencies are discussed using the example of the European e-Competence Framework e-CF 3.0. Based on this, two short content predictions for the new ISO/IEC 27021 and ISO/IEC 19896 international standards are proposed.
- Published
- 2017
- Full Text
- View/download PDF
49. Security Certification and Standards Implementation
- Author
-
Keith Lewis
- Subjects
Government ,Cloud computing security ,Certified Information Security Manager ,business.industry ,Best practice ,ComputingMilieux_LEGALASPECTSOFCOMPUTING ,Certified Information Systems Security Professional ,Accounting ,Certification ,Public relations ,Private sector ,Political science ,business ,Personally identifiable information - Abstract
This chapter covers the foundational frameworks for the latest Security Certification and Standards best practices for both commercial industry and government agencies. The institutional and governmental mandates required ensure that public and private sector privacy and safety concerns are addressed for the modern digital age.
- Published
- 2017
- Full Text
- View/download PDF
50. The Power of Certification
- Author
-
Inge Sebyan Black, Ann Y. Trinca, and Christopher A. Hertig
- Subjects
Professional certification (business) ,Product certification ,Global Information Assurance Certification ,ComputingMilieux_THECOMPUTINGPROFESSION ,business.industry ,Political science ,Professional association ,Certified Information Systems Security Professional ,Certification ,eLearnSecurity ,Public relations ,business ,Certification and Accreditation - Abstract
Professional certifications play an important role in achieving success in the security industry. Here, several authors share their perspectives on the importance of certification, particularly for women working in this male-dominated field. This chapter highlights the power of certification to level the playing field, the benefits of certification to both individual and society, the professional organizations offering security certifications, and the factors to consider when choosing and studying for a certification.
- Published
- 2017
- Full Text
- View/download PDF