International Conference on Intelligent Information and Network Technology (IC2INT’13)
New model multi-agent systems based for the security of information system

Hajar IGUER, Sophia FARIS, Hicham MEDROMI, Adil SAYOUTI
EAS Team, LISER Laboratory, ENSEM, Casablanca, Morocco
EAS Team, LISER Laboratory, ENSEM, Université Internationale de Casablanca, Casablanca, Morocco
[email protected], [email protected], [email protected], sophiafaris1989@gmail.com

ABSTRACT
The governance of information systems security has become an increasingly important challenge for all the executive levels of every company. Information systems are permanently exposed to a large range of threats that compromise the confidentiality, the integrity and the availability of information. Within organizations, information systems security is more and more handled with approaches based on risk management. Several organizations define and implement security policies, sometimes formalized, sometimes empirical; some go as far as setting up a management system of information security (MSIS). Security managers of information systems are obliged to control technological risks, but also to contribute to improving the performance of business processes, so governance of information security is essential and mandatory for all organizations. The purpose of this paper is to give an overview of risk management. In this context, we present a new model of information security governance (MSIS) based on multi-agent systems, which combines the EBIOS risk management method and the ISO27001 standard. This is a vision for increasing the efficiency and effectiveness of IT systems.

Keywords: Governance, Security of Information Systems, Multi-agent Systems, EBIOS, ISO27001, Information Security Management
1. INTRODUCTION
Organizations are confronted with a worldwide revolution in the governance of their systems which directly affects their information management practices. There is an increased need to place the emphasis on the global value of protecting and delivering information. Because of the organizational failures of the last decade, legislators and regulatory authorities have created a complex set of laws and regulations aimed at forcing improvements in the governance of organizations, in security, control and transparency. Information and the systems which handle it are essential to the organization's operations. Because of this importance, access to reliable information has become a mandatory component of business continuity. Until recently, security focused on protecting the computer systems which process and store most of the information, rather than on the information itself. Earlier and newer laws on the protection of personal data have led to the need for a governance approach to information management that protects the organization's most critical assets. This need arises because information systems are subject to various significant threats of disruption, such as illegal access to critical and confidential data through hacking, attacks by worms and viruses, phishing, and so on. Regulatory obligations, legal or financial impact and the operational risks associated with failures of information management require leaders to review the organization's decision making and the level of security in the governance of their systems. There is now a global consensus that it is no longer reasonable to assign responsibility for the security of the information held, produced or processed by the company to IT alone. Information security, like the management of all the critical resources of the company, is not only a technical problem; it has become a business issue that must be managed at the highest level of an organization. Effective security requires the active participation of executive managers and the board to assess emerging threats and respond to them.

The paper is organized as follows: after this brief introduction, the second section presents a state of the art of information security, risk management and the governance of information systems security, together with a comparative study of existing methods; the third section presents in detail our proposal for a new model of information security governance, MSIS. Finally, the last section concludes our work and draws some perspectives.
2. STATE OF THE ART
To address the security of information systems is to address the following two key concepts: information security and the management of the risks that may affect its reliability [1].

2.1 Information Security
Information security is a major challenge that organizations are required to resolve as soon as possible. Information can be presented in different forms, and its exchange must be protected from a large number of threats that can affect its quality. Four criteria (AICE) [2] must be taken into account in order to preserve the quality of information; they can be defined as follows:
- Availability (A): information must be available when it is needed.
- Integrity (I): information must be accurate and complete, unmodified by third parties.
- Confidentiality (C): information should be accessible only to authorized parties.
- Evidence/control (E): both non-repudiation (it is impossible for an actor to deny having received or transmitted information) and auditability of information (the possibility of monitoring the process that produced the information).

2.2 Risk Management
Risk management is a strategic area of information systems governance. Indeed, expressing a risk means describing its impact and its probability [3]. Risk analysis and management identify the security objectives of an information system. These objectives are to protect the assets of value (data or information stored, processed, shared, transmitted or retrieved from electronic media) against the threats that lead to loss, inaccessibility, alteration or inappropriate disclosure. The security of information systems therefore sits at the operational and tactical levels, in response to the risks identified at the strategic level.

2.3 Information Security Governance
The concept of governance is first to determine the information system objectives related to the business strategy. Governance oversees the organizational structure of the company by defining roles and responsibilities and introducing the concept of accountability. As an integral part of corporate governance, the governance of information security should fit the business needs while taking into account technological, economic and operational constraints and risks [4]. For this, it relies on an organization associated with a system based on a recognized framework of external standards and supported by effective tools. When functional, it increases the quality, control and profitability of IT services while ensuring their protection. It also allows better coordination between the actors involved (shareholders, stakeholders, partners, board of management, etc.). The governance of information security defines a mechanism for regulation and continuous improvement built on the following five components, shown in Figure 1 below:
- Create value by optimizing security investments to contribute to business objectives.
- Oversee, measure and monitor the performance of security services in relation to the objectives of the company.
- Manage risk: the implementation of security reduces the risk to a level acceptable for the company.
- Align the security strategy of the company to support its objectives.
- Manage the efficiency of human and technological resources dedicated to information security.

Fig 1: Information systems security governance (pillars of IT governance)

Considering the scope and scale of governance activities, it is important that they are supervised by a management system, usually called a management system of information security (MSIS). The term "system" involves much more than a simple application. It integrates and centralizes the management of governance elements such as normative documents, planning and operational results, and the monitoring of projects and processes. The MSIS is itself an asset and should therefore benefit from protection measures such as information classification or access control. In addition, the realistic requirement of such a system is the centralization and restructuring of all running information, together with electronic document management capabilities. These elements facilitate information retrieval, the reuse of components of the legal framework, and the control and monitoring of the levels of security and compliance.
2.4 Comparative Study of Existing Methods
The probability and impact of threats and damage to the confidentiality, integrity and availability of data and IT assets have never been higher. For many reasons, the implementation of a framework for information security governance can significantly improve an organization's ability to run effective and robust information security programs. To guide the implementation of information security governance, several reference frameworks with specific approaches are needed.

In this section, we compare the different risk management methods that exist on the market. We can mention EBIOS, Mehari, OCTAVE, CRAMM, SP 800-30, the ISF methods, the Australian IT Security Handbook and the Dutch A&K analysis. It is time to give IT managers of information systems the keys to choose between all of these methods [5]. There are methods other than those presented in this section, but they do not have the reputation or the potential for risk management of the methods presented. The table below briefly describes the advantages and drawbacks of all the risk management methods on the market. It should be noted that this table is based on a number of attribute values of the models used to describe the methods; these attributes were considered the most representative for this brief description.

Table 1: Comparison of different standards
We found that, in terms of risk management practices, EBIOS aligned with ISO27001 is the most efficient approach and the most widely used in the IT community. In the next paragraph we present the EBIOS method, which is recognized for its treatment of risk for information systems. EBIOS is the response of the NASIS (National Agency for the Security of Information Systems) to the risk management of information systems. Since its first release in 2004, it has developed and improved its processes; the final version appeared in 2010 and has undergone several improvements. The NASIS publishes free methodological guides to contribute to the improvement of the information security of organizations in the public and private sectors. Among these guides, it has produced a comprehensive, open and tooled approach with the collaboration of experts in the field of information systems. The aim of this method is the formalization of security objectives and requirements adapted to the system studied in its context, while taking into account the management process. The EBIOS approach consists of five steps covering the different points to be addressed in a risk analysis. The main interacting steps of the EBIOS process are as follows:
- Study of the context
- Expression of security needs
- Study of threats
- Identification of security objectives
- Expression of security requirements
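As an added example (not code from the paper or from the EBIOS guides), the following Python sketch walks the five EBIOS steps listed above over a constructed risk register, using the AICE criteria of section 2.1 as the scale for security needs. The 0-3 scale, the rule "risk = highest need hit × likelihood", the greedy choice of measures and the acceptable-risk threshold are assumptions made for the illustration.

```python
"""EBIOS-style risk analysis over a constructed register (added example, not the
paper's code). Assumptions: needs, likelihood and risk use a 0-3 scale; gravity
is the highest AICE need a threat hits; risk = gravity * likelihood; a measure
lowers likelihood by a fixed number of levels."""
from dataclasses import dataclass

@dataclass
class Asset:            # Step 1: study of the context - an essential asset
    name: str
    needs: dict         # Step 2: security need per AICE criterion (A, I, C, E), 0-3

@dataclass
class Threat:           # Step 3: study of threats
    name: str
    asset: str          # name of the Asset it targets
    criteria: tuple     # AICE criteria the threat compromises, e.g. ("C", "I")
    likelihood: int     # 0-3

@dataclass
class Measure:          # Step 5: a security requirement that treats threats
    name: str
    threats: tuple      # names of the threats whose likelihood it reduces
    reduction: int      # likelihood levels it removes

def risk_level(asset, threat, likelihood=None):
    """Risk = gravity (highest AICE need among the criteria hit) * likelihood."""
    lik = threat.likelihood if likelihood is None else likelihood
    return max(asset.needs[c] for c in threat.criteria) * lik

def analyse(assets, threats, acceptable):
    """Step 4: score every risk and flag those above the acceptable level."""
    by_name = {a.name: a for a in assets}
    return [(t.name, risk_level(by_name[t.asset], t),
             risk_level(by_name[t.asset], t) > acceptable) for t in threats]

def treat(assets, threats, measures, acceptable):
    """Step 5: pick measures, worst risk first, until every residual risk is at or
    below the acceptable level. Returns (residual risk per threat, chosen names)."""
    by_name = {a.name: a for a in assets}
    residual = {t.name: t.likelihood for t in threats}   # residual likelihood
    chosen = []
    for t in sorted(threats, key=lambda x: -risk_level(by_name[x.asset], x)):
        for m in measures:
            too_high = risk_level(by_name[t.asset], t, residual[t.name]) > acceptable
            if too_high and t.name in m.threats and m not in chosen:
                chosen.append(m)
                for name in m.threats:   # one measure may cover several threats
                    residual[name] = max(0, residual[name] - m.reduction)
    return ({t.name: risk_level(by_name[t.asset], t, residual[t.name])
             for t in threats}, [m.name for m in chosen])

# Constructed sample register (not real data).
ASSETS = [Asset("customer database", {"A": 2, "I": 3, "C": 3, "E": 2}),
          Asset("public website", {"A": 3, "I": 2, "C": 0, "E": 1})]
THREATS = [Threat("unauthorised read of records", "customer database", ("C",), 3),
           Threat("worm outbreak on servers", "public website", ("A", "I"), 2),
           Threat("phishing of staff credentials", "customer database", ("C", "I"), 2)]
MEASURES = [Measure("access control and logging", ("unauthorised read of records",), 2),
            Measure("patching and antivirus", ("worm outbreak on servers",), 2),
            Measure("staff awareness and MFA",
                    ("phishing of staff credentials", "unauthorised read of records"), 1)]
ACCEPTABLE = 3          # risk level the organization accepts (assumption)
```

Calling `treat(ASSETS, THREATS, MEASURES, ACCEPTABLE)` returns the residual risk per threat and the measures retained, which is the output of the last EBIOS step; a measure that covers several threats lowers the residual of all of them.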
The ISO27001 standard, published in October 2005, succeeded the BS 7799-2 standard of the BSI (British Standards Institution). It is open to all types of organizations (businesses, NGOs, governments, etc.). ISO/IEC 27001 describes the requirements for the implementation of a management system of information security (MSIS). The MSIS is recognized for selecting security measures to protect sensitive company assets within a defined perimeter. It is the PDCA (Plan-Do-Check-Act) quality model that is recommended for establishing an MSIS, to ensure continuous improvement of the security of the information system. The standard also dictates that the security measures are specific to each organization, that is to say that the measures are not the same from one organization to another. The measures must be appropriate and proportionate to the organization, neither too lax nor too strict. ISO27001 also specifies that the implementation of an MSIS includes tools and security measures intended to ensure the protection of information assets. The aim is to protect information from loss, theft or damage, and computer systems from intrusion; this brings the confidence of stakeholders. ISO/IEC 27001 defines the set of controls performed to ensure the relevance of the MSIS, to operate it and to make it evolve. More specifically, the ISO2700X series focuses on the governance of information security. The following list shows the ISO standards provided in this category:
- ISO-27000: Vocabulary
- ISO-27001: Requirements for a management system of information security
- ISO-27002: Code of good practice for information security management
- ISO-27003: Implementation guide
- ISO-27004: Metrics
- ISO-27005: Risk management
- ISO-27006: Accreditation bodies
- ISO-27007: Auditor guide
3. A new model for information systems security
The market for information security governance is full of models and solutions for security management. However, these models do not combine the EBIOS method and the ISO27001 standard using the multi-agent approach [6]. The objective of this paper is to propose a new model (MSIS) for information security governance, which introduces the processes of the EBIOS method and follows the recommendations of the ISO27001 standard for effective security management. Today, data processing goes through PCs, PDAs, displays, mobile phones and other devices. These facilities allow one, in any place and at any time, to connect to any source of information in order to know, decide, react and make the right decisions. To align with all of these needs, our MSIS model must be intelligent, adaptive, modular and autonomous, and must implement a distributed architecture.

We chose the multi-agent systems approach to meet these requirements and enhance the model's capabilities. When using multi-agent systems (MAS), we must use their actors: the agent entity and the MAS itself.
3.1 Agents & MAS
Jennings and Wooldridge [Jennings & Wooldridge 1998] have defined an agent as "a computer system located in a certain environment which is able to act autonomously in this environment, in order to meet its design goals". Agents have the following main properties and characteristics [7]:
- Autonomy: agents encapsulate a state (which is not available to other agents) and make decisions on what to do based on this state, without direct intervention from humans or others;
- Social ability: agents interact with other agents (and possibly humans) via some kind of agent communication language, and generally have the opportunity to participate in social activities (such as cooperation for solving problems or negotiation) to achieve their goals;
- Reactivity: agents are situated in an environment (which may be the physical world, a user via a graphical interface, a collection of other agents, the internet, or perhaps a combination of these), are able to perceive this environment (through the use of potentially imperfect sensors), and are able to respond in a timely way to changes that occur in it;
- Proactivity: agents do not simply act in response to their environment; they are able to solve a problem by taking the initiative.

A multi-agent system (MAS) is a system composed of several intelligent agents that interact with each other. Multi-agent systems can be used to solve problems that are difficult or impossible for an individual agent or a monolithic system to solve. They are open and scalable systems that enable the implementation of autonomous and proactive software components, and they have been developed and used in several application areas. They are characterized by local autonomy, social interaction, adaptability, robustness and scalability, and for these reasons they are a very promising paradigm to address the challenges facing automation and control systems [8].
3.2 Our proposed model
Data protection for the organization is provided by information security, so an information security governance framework should be extended to address the security issues of information systems [9]. The figure below describes our model for information security governance (MSIS).
Fig 2: New model of information security governance

The model consists of two distinct parts: the information security governance cycle (1) and the information security governance framework (2). The security governance life cycle (1) consists of five phases. Its dynamic nature ensures that the governance model for information security is continuously updated to address emerging security problems [10]. Six pillars (2) support the MAS-GSIS (governance of the security of information systems). These pillars, such as data retention and recovery, security of personal data, and so on, are the main areas to be managed to ensure security and privacy in an information system. It is imperative for any information security governance framework to cover these areas because they are essential to maintaining data security throughout the organization. In a generic sense, these six pillars are needed to build the information security governance model [11], [12]. We modeled these six pillars as agents [13]:
- Agent Procedure and Regulations of Information Security (PRIS): a reactive agent that contains the regulations, procedures and compliance rules defined within the company, while taking into account those determined locally.
- Agent Design and Architecture of Data (DAD): a cognitive agent whose knowledge base includes the models, rules and standards that indicate what data is collected and how it is stored, sorted, integrated and used at the system level.
- Agent Management Evaluation and Governance (MEG): a reactive agent that handles the evaluation of performance data for the good governance of the information system.
- Agent Security of Personal Data (SPD): a reactive agent connected to the database of the Official Bulletin. Whenever a new law is created, it takes care of updating the system.
- Agent Review of Security Operations and Incident Management (RSOIM): a cognitive agent that controls all operations in the information system and solves the various incidents that may occur in it. It is provided with a knowledge base containing different solutions to incidents.
- Agent Retention and Retrieving of Data (RRD): a reactive agent that allows data recovery in case of a malfunction or failure of the system. It allows the backup of all the states of the system throughout its use.

The third part of our model (3) contains some specific solutions that must be included in the MAS-GSIS in order to properly address the security of information systems. It contains a non-exhaustive list of solutions that can be applied to secure the information system and ensure its proper functioning.
4. Conclusion
In this paper, we introduced a new model of governance for the security of information systems, MSIS, for the actors (RSIS) who control and manage the security of their systems. Indeed, the combination of a risk management method with an internationally recognized ISO standard provides the ability to secure and protect a system that represents the image of the organization. If the system is misused through dramatic attempts by employees to access restricted information, it can harm the organization's interests and the achievement of its business objectives. In future articles, we will detail the role and functioning of the agents that support our MSIS model.

5. References
[1] http://www.isaca.org/KnowledgeCenter/Research/Documents/InfoSecGuidanceDirectorsExcecMgt.pdf
[2] http://eduscol.education.fr/ecogest/si/SSI/risk_conf
[3] http://www.losangeinformatique.com/security/Gouvernance/Gouvernance.pdf
[4] H. Iguer, H. Medromi, S. Faris and A. Sayouti, "A new architecture multi-agents based combining EBIOS and ISO 27001 in IT risk management," in Proc. ICEER'13, 2013, paper 126.
[5] http://www.xmco.fr/article-livre-blanc-comissionbancaire-rmt.html
[6] M. Wooldridge, "Agents and software engineering," AI*IA Notizie XI(3), pp. 31-37, September 1998.
[7] I. Antonova, I. Batchkova, "Development of Multi-Agent Control Systems using UML/SysML," InTech, DOI: 10.5772/14602, 2011.
[8] http://sites.tcs.com/insights/perspectives/enterprisemobilityorganization-data-protection-safeguardingmobiledata#.UX0X26KePKh
[9] Y. B. Khoo, M. Zhou, B. Kayis, S. Savci, A. Ahmed, R. Kusumo and S. H. Bokhari, "An agent based risk management tool for concurrent engineering projects," Complexity International, Vol. 12, 2005.
[10] A. Sayouti, H. Medromi, "Autonomous and Intelligent Mobile Systems based on Multi-agent Systems," book chapter in "Multi-Agent Systems: Modeling, Control, Programming, Simulations and Applications," April 4, 2011.
[11] A. Sayouti, F. Qrichi Aniba, H. Medromi, "Remote Control Architecture over Internet Based on Multi-agent Systems," International Review on Computers and Software (I.R.E.CO.S), Vol. 3, No. 6, pp. 666-671, November 2008.
[12] J. Ferber, "Les systèmes multi-agents, vers une intelligence collective," InterEditions, 1995, pp. 63144.