A holistic cyber security implementation framework
Issa Atoum, Faculty of Computer Science and Information Technology, University of Malaysia Sarawak, Sarawak, Malaysia
Ahmed Otoom, National Information Technology Center, Amman, Jordan
Amer Abu Ali, Department of Information Technology, Philadelphia University, Amman, Jordan

Received 18 February 2013; revised 1 July 2013 and 26 August 2013; accepted 28 August 2013

Abstract

Purpose – The purpose of this paper is to propose a holistic cyber security implementation framework (HCS-IF) that lays out the ground for a conceptual, coherent, systematic, overarching and consolidated approach to implement cyber security strategies (CSSs).

Design/methodology/approach – The HCS-IF is conceptually proposed to address the actual needs that are extracted from literature review. The HCS-IF uses and integrates a set of high-level conceptual security controls, solutions, processes, entities, tools, techniques or mechanisms that are already known in the domains of information security management, software engineering and project management to address the identified needs.

Findings – The HCS-IF components and controls collectively interact and cooperate to implement CSSs. The proposed framework is compared with other related frameworks, and the results show that the HCS-IF outperforms other frameworks on most of the suggested comparison criteria.

Originality/value – From a practical standpoint, governments and practitioners alike stand to gain from the findings of this research. Governments who want to implement CSSs on a national level will find the proposed framework useful in overseeing cyber security implementation. Practitioners will be prepared to address the anticipated cyber security implementation challenges and the required controls needed to facilitate cyber-security implementation in a holistic overarching manner.

Keywords Information security management, Cyber security implementation, Holistic cyber security, Security strategic controls, Strategy implementation framework

Paper type Research paper
Information Management & Computer Security Vol. 22 No. 3, 2014 pp. 251-264 © Emerald Group Publishing Limited 0968-5227 DOI 10.1108/IMCS-02-2013-0014

The authors are grateful to Eng. Fahd A. Batayneh for his valuable comments and fruitful discussions.

1. Introduction

Most countries strive to protect their cyberspace by first formulating their cyber security strategies (CSSs). These strategies usually include some guidelines on how each respective country should implement them. Generally, strategy planning has three consecutive processes (David, 2011): strategy formulation, strategy implementation and strategy evaluation. In this paper, a holistic implementation framework that fits in the strategy-implementation process is proposed; the other two processes are outside the scope of this paper.

This paper is motivated by two major factors. The first is the need for holistic, consolidated approaches to enforce the implementation of CSSs at the national level (Dasgupta and Rahman, 2011; Broom, 2009; Tagert, 2010; International Telecommunication Union [ITU], 2011a). Current cyber security frameworks defending against cyber attacks appear to be generally fragmented and to vary widely in effectiveness. Enforcing information security at the national level oversees security implementation from a global point of view, and thus it is important for many reasons:
• to ensure early detection of likely threats and to mitigate risks related to government information systems and critical infrastructures;
• to enable decision-makers to take necessary actions when needed; and
• to be able to implement security solutions that involve vast numbers of stakeholders, including private entities, government entities and citizens.

The second factor is the crucial need of governments to create a safe and trustworthy environment for business in cyberspace. As a matter of fact, more than one-third of the world's population is online and 45 per cent of Internet users are under 25 years old (ITU, 2011b). According to a recent study, worldwide telecommunications services revenue will grow from $2.1 trillion in 2012 to $2.7 trillion in 2017 at a combined average growth rate of 5.3 per cent (The Insight Research Cooperation, 2012).

This paper proposes a holistic cyber security implementation framework (HCS-IF) that lays out the ground for a conceptual, coherent, systematic and consolidated approach to implement CSSs. The HCS-IF proposes a set of adaptable security controls that oversee CSS implementation.
The HCS-IF uses and/or integrates a set of high-level conceptual security controls, solutions, entities, tools, techniques or mechanisms that collectively collaborate to implement the CSSs. The framework is holistic in nature because it addresses cyber security at the national level and attempts to cover all major aspects of cyber security. First, the HCS-IF is introduced. Then, the HCS-IF is compared with other related frameworks. Finally, the related literature is summarized and the paper is concluded.

2. Proposed framework (HCS-IF)

The HCS-IF is intended to lay out the ground for an overarching approach to implement CSSs. CSSs are usually developed based on a reappraisal of the current information security status. The HCS-IF should help an executing nation achieve the cyber security objectives outlined in its national CSS. The following subsections explore the framework development methodology and the framework's major components in more detail.

2.1 HCS-IF development methodology

Developing a framework for security implementation might generally be seen as:
• an art: there is no manual for implementing security in interconnected systems;
• a science: faults result from interconnected hardware and software;
• social security: individual actions are major players in security; and
• an engineering or pattern-based approach.

For more details about these approaches, readers may refer to Haley et al. (2006) and Whitman and Mattord (2011). These approaches alone have some troubles: they may not form a complete or holistic solution to cyber-security strategy implementation, and due to the complexity of cyber security implementation these approaches cannot be generalized to a national level.

The development methodology is designed mainly based on literature review and practical experience. The components of the HCS-IF are built via an iterative process that derives and customises the required components from the related work. Figure 1 shows the methodology used to develop the HCS-IF. This methodology consists of the following steps:
• Analyse literature related to cyber-security strategy implementation at the national and the organizational levels: in this step, this paper focuses on cyber-security strategies and guidelines, international security standards and general security implementation frameworks. Related literature is covered in Section 4.
• Elicit common security features or components: by keeping an eye on the overall objectives of cyber security, common cyber security components are extracted. The extraction process focuses on the high-level security features presented rather than the technical details. The output of this process is a list of candidate security features or components that are related to the proposed framework.
• Generalize components: the candidate components collected in the previous step are summarized and filtered; duplicate components are removed and industry-specific components are generalized into new high-level abstract components; some other components are combined.
• Develop the framework to achieve security objectives: based on practical experience, the collected components are conceptually integrated into the proposed HCS-IF. This integration resulted in a framework that is analogous to the traditional processing system – "input-process-output-feedback".
• Validate the framework: to provide a proof of concept, the HCS-IF is compared with related frameworks (Section 3). Researchers are encouraged to test the proposed HCS-IF in real environments so it can be validated using real-life scenarios.

[Figure 1. HCS-IF development methodology: a five-step flow, (1) Analyze Related Works, (2) Elicit Common Security Components, (3) Generalize Components, (4) Design The Framework, (5) Validate The Framework]

2.2 HCS-IF

The HCS-IF, shown in Figure 2, is intended to lay out the ground for an overarching approach to implement CSSs. The HCS-IF should help an executing nation achieve the cyber-security objectives outlined in its national CSS. The HCS-IF has the following major core components: CSS, requirement elicitation, strategic moves, controls, security objectives and implementation framework repository. The HCS-IF essentially facilitates transforming the cyber-security level from the current state to the future state. Both current and future states related to cyber security should be directly or indirectly documented in the CSS document. The HCS-IF analyses the CSS and breaks it down into well-defined requirements that will eventually be transformed into strategic moves. These strategic moves are executed under the defined framework controls to achieve the required security objectives. The implementation is guided and managed with the help of a focal implementation framework repository.

[Figure 2. Proposed HCS-IF: Current Cyber security Level → CSS → CS Requirement Elicitation → CS Strategic Moves (Requirements to Goals, Prioritization, Valuation, Project Governance) → Objectives → Transform → Future Cyber security Level; Controls (CSS Governance, Strategic Controls, Audit Controls, Framework Controls, Business Controls) and the Implementation Framework Repository surround the flow]

2.3 Cyber security strategy (CSS)

As an important step towards securing cyberspace, many governments develop CSSs based on assessments of the current information security status in their corresponding countries (The White House, 2011; Government of Australia, 2009; Suid-afrika, 2010; MoICT, 2011; HM Government, 2010; Estonia Department of Defence, 2008; ITU, 2011a). These CSSs recognize the threats imposed by the unprecedented revolutionary changes in information technology and the cyberspace environment. Moreover, these strategies may include some guidelines on how to deal with cyber security for the respective nation. They should include various information clusters to ensure that every aspect of cyber security is taken into consideration (Fielden, 2011).

2.4 Requirement elicitation

Requirement elicitation (RE) is a well-known field in software engineering (Sommerville, 2011). In this paper, this concept is used as a component in the HCS-IF to help convert the CSS into a set of business and security requirements. The RE should be performed by interdisciplinary analysis teams that are capable of breaking the CSS into manageable, understandable requirements.
2.5 Cyber security strategic moves

Cyber security strategic moves (henceforth referred to as strategic moves) are actions taken to achieve one or more cyber security objectives. Strategic moves are prescriptive and purposeful; they identify exactly what has to be done and act directly to achieve the intended objectives. Strategic moves must not contradict each other; rather, they should complement each other. The strategic moves component has the following five processes (Figure 3):

[Figure 3. Strategic moves processes: Requirements → Requirements to goals → Goals → Prioritization → Weighted Goals → Valuation → Approved Project → Project Road Map/Updates → Execution → initiatives; Execution records Performance Metrics in the Implementation Framework Repository and targets Security Objectives; Execution runs under Project Controls: Health Check, CCB, Projects Quality, IT Steering Committee, Project Excellence, PMO, Controlling Actions]

2.5.1 Convert requirements to goals. Requirements are converted to SMART goals to facilitate measuring achievements (Doran, 1981). CSSs are often written in natural language. Natural language processing of cyber security documents can help in identifying potential goals. However, in many cases in software engineering, this process is subjective and takes input from many aspects, such as management, lessons learned, commitment plans, risk plans and professional expert judgement.

2.5.2 Prioritize goals. Goals are prioritized according to their importance. Prioritization is affected by many factors, such as timeline, budget, requirement dependency and management preference, among others. One simple way to prioritize goals is to list all prioritizing criteria ordered by importance and weight each goal against each criterion.

2.5.3 Security valuation. Goals are usually implemented through one or more projects. The security valuation process is used to approve the initiation of these projects. The output of this process will only contain projects that the management is committed to implementing.

2.5.4 Build/update project road map. The project road-map building process places projects in the optimum possible order. When projects are independent, a comparison between pay-off and cost can be made. However, for interdependent projects, Project Evaluation and Review Technique charts (Schwalbe, 2010) are more suitable.

2.5.5 Place project road map into execution. When projects start execution, they produce deliverables and record measures in the HCS-IF implementation repository for the purpose of managing, monitoring and controlling the implementation. The execution process aims to achieve security objectives. The execution process is performed under a set of project controls, such as the Change Control Board (CCB), Steering Committee, Project Management Office, Projects Quality assurance, Project Excellence, etc.

2.6 Controls

Controls are used to influence the behaviour of an organization as a means to facilitate cyber-security implementation. They enable decision-makers to take the necessary corrective or predictive actions. These controls are listed in the following sub-sections.

2.6.1 Governance. Governance controls govern the CSS implementation. Implementing the CSS calls for the existence of a governance entity, herein called the Cyber Security Agency (CSA). The CSA is the entity accountable for executing and monitoring the implementation. The CSA makes sure a proper chain of command is enforced among involved entities. The Governance Controls include, but are not limited to: the CS Performance Management Control, the Regulation Regime Control and the International Cooperation Control. The CS Performance Management Control is responsible for maintaining a proper chain of command among the involved entities executing different strategic moves. The Regulation Regime Control allows enforcing security policies and application-related legislation. The International Cooperation Control allows tracking threats cooperatively among countries.

2.6.2 Strategic controls. The CSA should deploy a set of applicable strategic controls that, in the context of the HCS-IF, are considered very significant to the success of the CSS implementation. Strategic controls should allow decision-makers to determine whether the CSA is achieving its objectives and enable them to take any necessary actions as early as possible during the implementation process. These controls should be adaptable to the culture, and they should evolve with the CSA, i.e. the CSA should be able to add, enhance or delete controls as needed. The set of strategic controls may include, but is not limited to: quality, monitoring, human resource incentives, performance, evaluation and correctness, vigilance, etc.

2.6.3 Audit controls. Audit controls perform two major functions:
(1) check the security maturity level; and
(2) find gaps in the original CSS document or in the implementation process.
Figure 4 shows the security maturity level check and gap finder processes. To achieve the first function, the current CSS implementation efforts are audited according to a set of chosen security standards and security maturity models. The CSA will have the ability to select the audit security standard of its preference. This selected standard is used to carry out the audit process, and therefore the output will be standard dependent. The output of this function will be a report on the current cyber-security level. To achieve the second function, the gap finder compares the current maturity level to the targeted maturity level, using strategic moves and annual objectives as inputs. The gap finder reports if the ongoing implementation is not able to achieve the targeted security level. In this case, either the CSS has original flaws or the implementation process is not being executed as planned. The gap report should help implementers suggest corrective actions to the global project roadmap by adding/updating strategic moves or by further reviewing the current CSS document.

[Figure 4. The HCS-IF security level and gap finder processes: Standards and Security Maturity Models → Security Audit → Cyber Security Level; Strategic Moves Achieved Objectives, Annual Objectives and Targeted Security Level → Gap Finder → GAPS/Corrective Actions]

2.6.4 Framework controls. The HCS-IF suggests a methodology to implement cyber-security strategies. This methodology should be updated and enhanced over time. Therefore, the HCS-IF controls are presented to provide a means to manage the framework itself. The HCS-IF controls include: configuration, version control, framework repository, Unified Compliance Framework (UCF) database, as implemented by the UCF company (Unified Compliance Framework™ [UCF], 2012), resilience, access control and recovery control. The framework configuration control and the version control are used to manage framework properties and to track customized versions of the HCS-IF. The UCF ensures compliance with national and international standards. The resilience control manages the unknowns while implementing the CSS. The access control can be used to manage security aspects among the parties involved in the implementation. The recovery control enables recovery of the HCS-IF and its supporting tools in case of a failure. The framework controls will be particularly important if the implementation of the CSS is automated using the HCS-IF embedded within a Computer-Aided Software Engineering (CASE) tool.

2.7 Business controls

Business controls collaborate with other controls to ensure the execution of operational activities. The business controls include, but are not limited to, regulation management, international cooperation management, recovery management, incident management, human resource management, vendor management, commitment plan, change plans, annual objectives, awareness and capability building, etc. Although business controls are essential to the success of cyber-security implementation, they are mentioned here only briefly for the sake of completeness; they are outside the scope of this paper.

2.8 Cyber-security objectives

As discussed in Section 2.6.2, the CSA must deploy all necessary controls to achieve the objectives identified in the CSS (long-term objectives). Annual objectives help measure the performance of the HCS-IF on a yearly basis. Long-term objectives should be broken down into annual objectives to measure and assess the implementation. During the execution of strategic moves, achieved objectives are compared with annual objectives using the gap finder illustrated in Section 2.6.3.

3. Validating the proposed HCS-IF

Although many security frameworks have been adopted to secure cyberspace, most of them target a specific domain or have been developed for specific entities. To our knowledge, there is no complete CSS implementation framework at the national level except for a few, illustrated in Section 4.3, that are limited to specific domains.
Related frameworks are grouped into six categories listed in Sections 4.1 through 4.6. These categories include a well-known list of international frameworks that have been implemented in various organizations. Despite the scope and limitations of these frameworks, they intersect with the HCS-IF in common objectives that aim to enhance the security level and help in the implementation efforts. The HCS-IF is an overarching holistic approach to implement cyber security, and it is not intended to replace any of the frameworks it is compared with.

3.1 Comparison criteria

Comparison is carried out against the following list of features. These features are either extracted from literature review or suggested by this research. The suggested features enable the HCS-IF to overcome the limitations of the existing frameworks; in fact, most of those features were the original motives for this research in the first place. Each feature is subjectively rated against each framework category listed in Sections 4.1 through 4.6, respectively:
• Resilience: the ability of the framework to be agile, flexible and able to deal with unseen changes in technology, environment, attack methods, etc. (Erol et al., 2010; The White House, 2011). Resilient management systems and processes will provide greater protection against multidimensional attacks (Trim and Lee, 2010a).
• Measure performance: the ability to measure the performance of security initiatives effectively at various organization levels.
• Compliance: follows a known standard or best practice and lets the cyber security implementation framework manage differences between different standards (IsecT Ltd, 2011).
• Measure security level: to measure the level of security an implementer has achieved at a particular point in time. Refer to Audit Controls, Section 2.6.3.
• Identify gaps in CSS document: the framework should be able to detect whether the CSS needs further modification in case it does not guarantee the achievement of the required security level. Refer to Section 2.6.3.
• Implementation level: in the context of this paper, the implementation level shows the need for a framework that can be implemented at the national level. Trim and Lee (2010a) indicate that security should be placed in a holistic setting. Dasgupta and Rahman (2011) point out that cyber security requires a holistic approach.
Table I lists a summary of the compared frameworks. The proposed HCS-IF outperforms other frameworks mainly because it is designed to implement cyber security with a holistic approach. The HCS-IF is not intended to replace any other frameworks; in fact, the HCS-IF should be able to integrate and/or reuse other frameworks, standards or techniques to achieve a successful cyber-security implementation in a holistic manner.

Table I. Cyber security frameworks comparison

Criterion / framework category   Resilience   Measure performance   Compliance   Measure security level   Identify gaps   Implementation level (i.e. is holistic?)
Management and governance        ✓            ✗                     ✗            ✗                        ✗               ✗
Guidelines                       ✓            ✗                     ✗            ✓                        ✗               ✓
Dedicated                        ✗            ✗                     ✓            ✗                        ✗               ✓
Generic                          ✗            ✓                     ✗            ✗                        ✗               ✓
Provider specific                ✓            ✓                     ✓            ✓                        ✗               ✗
Open architectures               ✓            ✓                     ✓            ✓                        ✗               ✗
HCS-IF                           ✓            ✓                     ✓            ✓                        ✓               ✓

4. Related works

The gathered related literature is grouped into the following logical categories to facilitate structured reading and analysis, though these categories are highly interconnected.

4.1 Management and governance frameworks

Information security frameworks usually target the management perspective of information security. For example, Nnolim (2007) has suggested a conceptual framework for the information security management meta model. Another similar management framework is suggested by Zuccato (2007) to manage the security of an enterprise using a set of defined activities mapped to the system security engineering maturity model.
Janssen and Hjort-Madsen (2007) suggested a national enterprise architecture framework to compare the architectures of Denmark and The Netherlands. Janssen's research identifies the need to take a broader governance perspective in enterprise architecture. In the same category, proper controlling to ensure security governance (Von Solms et al., 2011), aligning the Taiwanese national policy with the ISO/IEC 27001 and BS 7799 standards (Ku et al., 2009) and Information Security Management System evaluation (Jo et al., 2011) are being continually explored due to their crucial importance to cyber security.

4.2 Guidelines

Most of the international information security strategies include guidelines to facilitate their implementation (The White House, 2009; US DoD, 2011; Government of Australia, 2009; HM Government, 2010; Suid-afrika, 2010). Phahlamohlaka et al. (2011) suggest an awareness toolkit as an approach to implement the strategy of South Africa. Estonia Department of Defence (2008) has suggested implementing the strategy in phases to be executed by security implementation vendors coordinating with various related government organizations.

4.3 Dedicated frameworks

There are many dedicated frameworks that are developed to implement security solutions for specific entities or countries; here, two examples are given to illustrate the point. A suggested implementation framework for the Jordan CSS is presented by Otoom and Atoum (2013). The Integrated Governance, Risk And Compliance (iGRC) Consortium is conducting an ongoing research programme to protect the UK (IGRC, 2011). The goal of iGRC is to automate threat level and control status changes in real time.

4.4 Generic frameworks

A generic framework for strategy implementation is suggested in Barnat's (2005) online book "Strategy Management". This framework is more suitable for business-strategy implementation than for IT cyber-security strategy implementation. Trim and Lee (2010b) suggest a generic cyber-security framework consisting of a cyber security management framework overseen by a security framework for protecting business, government and society. The main goal of Trim's work is to allow managers to incorporate counter intelligence and to place risk in a manageable context.

4.5 Provider specific frameworks

There are several provider-specific frameworks; here are two popular ones: the IBM® security framework and the IBM blueprint, which use the components of IT security management and IT security infrastructure capabilities (Buecker et al., 2010). Oracle® has a set of library guidelines and reference architectures called Oracle Reference Architecture (ORA). ORA suggests a conceptual architecture to show how architectural concepts are associated with information security within the ORA (Oracle®, 2011).

4.6 Open architectures frameworks

There are various available enterprise architecture (EA) frameworks that vary in completeness, visual aspects, simplification and representation, such as Zachman, the Federal Enterprise Architecture Framework, Open Group Architecture Forum, Sherwood Applied Business Security Architecture and the Gartner Enterprise Information Security Architecture (EISA) framework. EA frameworks help to answer "what" questions, not "how" questions, as indicated by the EA consultancy EAdirections (2013). Readers may refer to other frameworks and their relationship with security from the frameworks' websites or research works such as the Jalaliniya thesis (Jalaliniya, 2011).
5. Conclusion and future research

This paper proposes a holistic, coherent and systematic cyber security implementation framework (HCS-IF) that essentially lays the ground to implement CSSs in an overarching holistic manner. The HCS-IF major core components are: CSS, requirement elicitation, security strategic moves, strategic controls, security objectives and framework repository. The CSS requirements are transformed into strategic moves that are eventually executed under the defined framework controls to achieve the required security objectives. During the execution, a set of metrics will be exported to and imported from the implementation framework repository, which will help in guiding and managing the implementation. Finally, the set of achieved security objectives will be compared to the targeted objectives to enable setting corrective or proactive actions. The HCS-IF is compared with six suggested framework categories. The HCS-IF outperforms other frameworks in the six suggested comparison criteria mainly because it is designed to implement cyber security in an overarching holistic approach. The HCS-IF is not intended to replace any other frameworks; in fact, it will provide room to incorporate other related security solutions to help in the implementation of CSSs.

One of the main contributions of this paper is that it opens the following areas for future research:
• enrich the framework in other related dimensions, such as human resources, organization structures, global governance, regulation regimes and awareness programs, and thus provide a more detailed framework;
• investigate governance alternatives: as an alternative to the CSA, the governance entity, other options, such as outsourcing cyber-security implementation to other entities, could be investigated;
• the HCS-IF has not yet had the chance to be tested in practice, which may limit its trustworthiness; therefore, further research is encouraged in this regard; and
• build a CASE tool: this paper suggests a methodology to implement CSSs using the proposed HCS-IF; future research may investigate the feasibility of developing a CASE tool that utilizes the HCS-IF as a core component.

References

Barnat, R. (2005), "Strategic management: the nature of strategy implementation", available at: www.strategy-implementation.24xls.com/en100 (accessed 3 February 2012).
Broom, A. (2009), "Security consolidation and optimisation: gaining the most from your IT assets", Computer Fraud and Security, Vol. 2009 No. 5, pp. 15-17, available at: http://linkinghub.elsevier.com/retrieve/pii/S1361372309700612 (accessed 25 February 2012).
Buecker, A., Borrett, M., Lorenz, C. and Powers, C. (2010), "Introducing the IBM security framework and IBM security blueprint to realize business-driven security", IBM Redpaper, Vol. 4528 No. 1, pp. 1-96.
IMCS 22,3
262
About the authors
Issa Atoum is a PhD student at UNIMAS University, Malaysia. He has more than 15 years of professional experience in IT services, project management and quality assurance. He is a certified Project Manager Professional, ITIL®V3 and ISO/IEC 20000. He worked as a project manager for the Government of Abu Dhabi and Dubai, UAE, for mid- and large-scale projects in the domain of security and IT services. His major areas of interest are: computer security, semantic web, e-government and natural language processing.
Ahmed Otoom is the DG's Advisor for the Implementation of the E-Gov Information Strategies and Policies, National Information Technology Center, Jordan. He received a PhD degree in Computer Science from Amman Arab University in 2007, dual MS degrees in Computer Science and Information Technology Management from the Naval Postgraduate School, USA, in 2000, and a BS degree in Computer Science from Mutah University in 1992. Otoom has more than 20 years of experience in project management and IT-related projects. During 1992-2010, he worked as a system analyst, developer and researcher for the IT Directorate in the Royal Jordanian Air Force. During the same period, he also taught many computer science classes at the Prince Feisal Technical College and Alzaytoonah University of Jordan. His major areas of interest are computer security, operating systems and interoperability in large heterogeneous information systems. Ahmed Otoom is the corresponding author and can be contacted at: [email protected]
Amer Abu Ali is an Associate Professor in the CIS Department, Faculty of Information Technology, Philadelphia University. He has more than 19 years of teaching, project supervision and research experience. He has attended and participated in many international conferences, has been a peer reviewer for many conference and journal papers, and has more than 50 published papers.