1st International Workshop on Secure and Privacy-Aware Information Management in eHealth

Information security and privacy in the healthcare domain is a complex and challenging problem for computer scientists, social scientists, law experts and policy makers. Appropriate healthcare provision requires specialized knowledge, is information intensive and much patient information is of a particularly sensitive nature. Electronic health record systems provide opportunities for information sharing which may enhance healthcare services, for both individuals and populations. However, appropriate information management measures are essential for privacy preservation...

The security and privacy of usage policies and provenance logs in an Information Accountability Framework

The potential benefits of shared eHealth records systems are promising for the future of improved healthcare. However, the uptake of such systems is hindered by concerns over the security and privacy of patient information. The use of Information Accountability and so called Accountable-eHealth (AeH) systems has been proposed to balance the privacy concerns of patients with the information needs of healthcare professionals. However, a number of challenges remain before AeH systems can become a reality. Among these is the need to protect the information stored in the usage policies and provenance logs used by AeH systems to define appropriate use of information and hold users accountable for their actions. In this paper, we discuss the privacy and security issues surrounding these accountability mechanisms, define valid access to the information they contain, discuss solutions to protect them, and verify and model an implementation of the access requirements as part of an Information Accountability Framework.

2nd International Workshop on Secure and Privacy-Aware Information Management in eHealth

Information security and privacy in the healthcare domain is a complex and challenging problem for computer scientists, social scientists, law experts and policy makers. Appropriate healthcare provision requires specialized knowledge, is information intensive and much patient information is of a particularly sensitive nature. Electronic health record systems provide opportunities for information sharing which may enhance healthcare services, for both individuals and populations. However, appropriate information management measures are essential for privacy preservation...

Assessment of existing information on Atlantic coastal fish habitats: development of a web-based spatial bibliography, query tools, and data summaries

The primary objective of this project, “the Assessment of Existing Information on Atlantic Coastal Fish Habitat”, is to inform conservation planning for the Atlantic Coastal Fish Habitat Partnership (ACFHP). ACFHP is recognized as a Partnership by the National Fish Habitat Action Plan (NFHAP), whose overall mission is to protect, restore, and enhance the nation’s fish and aquatic communities through partnerships that foster fish habitat conservation. This project is a cooperative effort of NOAA/NOS Center for Coastal Monitoring and Assessment (CCMA) Biogeography Branch and ACFHP. The Assessment includes three components; 1. a representative bibliographic and assessment database, 2. a Geographical Information System (GIS) spatial framework, and 3. a summary document with description of methods, analyses of habitat assessment information, and recommendations for further work. The spatial bibliography was created by linking the bibliographic table developed in Microsoft Excel and exported to SQL Server, with the spatial framework developed in ArcGIS and exported to GoogleMaps. The bibliography is a comprehensive, searchable database of over 500 selected documents and data sources on Atlantic coastal fish species and habitats. Key information captured for each entry includes basic bibliographic data, spatial footprint (e.g. waterbody or watershed), species and habitats covered, and electronic availability. Information on habitat condition indicators, threats, and conservation recommendations are extracted from each entry and recorded in a separate linked table. The spatial framework is a functional digital map based on polygon layers of watersheds, estuarine and marine waterbodies derived from NOAA’s Coastal Assessment Framework, MMS/NOAA’s Multipurpose Marine Cadastre, and other sources, providing spatial reference for all of the documents cited in the bibliography. Together, the bibliography and assessment tables and their spatial framework provide a powerful tool to query and assess available information through a publicly available web interface. They were designed to support the development of priorities for ACFHP’s conservation efforts within a geographic area extending from Maine to Florida, and from coastal watersheds seaward to the edge of the continental shelf. The Atlantic Coastal Fish Habitat Partnership has made initial use of the Assessment of Existing Information. Though it has not yet applied the AEI in a systematic or structured manner, it expects to find further uses as the draft conservation strategic plan is refined, and as regional action plans are developed. It also provides a means to move beyond an “assessment of existing information” towards an “assessment of fish habitat”, and is being applied towards the National Fish Habitat Action Plan (NFHAP) 2010 Assessment. Beyond the scope of the current project, there may be application to broader initiatives such as Integrated Ecosystem Assessments (IEAs), Ecosystem Based Management (EBM), and Marine Spatial Planning (MSP).

Conceptual information systems discussed through an IT-security tool

Conceptual Information Systems are based on a formalization of the concept of "concept" as it is discussed in traditional philosophical logic. This formalization supports a human-centered approach to the development of Information Systems. We discuss this approach by means of an implemented Conceptual Information System for supporting IT security management in companies and organizations.

Definition of an it project portfolio management methodology for a pharmaceutical company

Con la creciente popularidad de las soluciones de IT como factor clave para aumentar la competitividad y la creación de valor para las empresas, la necesidad de invertir en proyectos de IT se incrementa considerablemente. La limitación de los recursos como un obstáculo para invertir ha obligado a las empresas a buscar metodologías para seleccionar y priorizar proyectos, asegurándose de que las decisiones que se toman son aquellas que van alineadas con las estrategias corporativas para asegurar la creación de valor y la maximización de los beneficios. Esta tesis proporciona los fundamentos para la implementación del Portafolio de dirección de Proyectos de IT (IT PPM) como una metodología eficaz para la gestión de proyectos basados en IT, y una herramienta para proporcionar criterios claros para los directores ejecutivos para la toma de decisiones. El documento proporciona la información acerca de cómo implementar el IT PPM en siete pasos, el análisis de los procesos y las funciones necesarias para su ejecución exitosa. Además, proporciona diferentes métodos y criterios para la selección y priorización de proyectos. Después de la parte teórica donde se describe el IT PPM, la tesis aporta un análisis del estudio de caso de una empresa farmacéutica. La empresa ya cuenta con un departamento de gestión de proyectos, pero se encontró la necesidad de implementar el IT PPM debido a su amplia cobertura de procesos End-to-End en Proyectos de IT, y la manera de asegurar la maximización de los beneficios. Con la investigación teórica y el análisis del estudio de caso, la tesis concluye con una definición práctica de un modelo aproximado IT PPM como una recomendación para su implementación en el Departamento de Gestión de Proyectos.

Formal validation of automated policy refinement in the management of network security systems

Policy hierarchies and automated policy refinement are powerful approaches to simplify administration of security services in complex network environments. A crucial issue for the practical use of these approaches is to ensure the validity of the policy hierarchy, i.e. since the policy sets for the lower levels are automatically derived from the abstract policies (defined by the modeller), we must be sure that the derived policies uphold the high-level ones. This paper builds upon previous work on Model-based Management, particularly on the Diagram of Abstract Subsystems approach, and goes further to propose a formal validation approach for the policy hierarchies yielded by the automated policy refinement process. We establish general validation conditions for a multi-layered policy model, i.e. necessary and sufficient conditions that a policy hierarchy must satisfy so that the lower-level policy sets are valid refinements of the higher-level policies according to the criteria of consistency and completeness. Relying upon the validation conditions and upon axioms about the model representativeness, two theorems are proved to ensure compliance between the resulting system behaviour and the abstract policies that are modelled.

A conceptual approach to information warfare : security risk analysis

With information warfare (IW) becoming a reality, the need for a new security methodology to deal with the new and unique attack threats and vulnerabilities associated with the new information technology security paradigm. With the shift from computer security to information warfare, logical transformation models (LTMS) were looked at as a solution to quantifying information system requirements. The paper will introduce the concepts involved with fourth generational models and it's application to IW. The basic advantages and disadvantages will also be discussed and presented.

A retail supply chain risk assessment conceptual model

Supply chains are increasingly relying on information and communications technologies and in particular electronic commerce to facilitate transactions between supply chain partners. The adoption of these enabling technologies brings several enhancements to the conduct of business including gains in efficiency. However there are also drawbacks inherent in these technologies that include threats that are imposed on businesses that use them. This paper presents a study on retail supply chains and the risks and vulnerabilities that cooperating supply chain partners are exposed to when adopting these technologies. In particular, the paper discusses the various threats and vulnerabilities of retail supply and presents a conceptual model of such risks.

CIIP-RAM - a step-wise security risk analysis methodology for critical information infrastructure protection

Wilh the protection of critical information infrastructure becoming a priority for all levels of management. there is a need for a new security methodology to deal with the new and unique attack threats and vulnerabilities associated with the new information technology security paradigm. The fourth generation security risk analysis melhod which copes wilh the shift from computer/information security to critical information iinfrastructure protectionl is lhe next step toward handling security risk at all levels. The paper will present the methodology of
fourth generation models and their application to critical information infrastructure protection and the associated advantagess of this methodology.

Supply chain management security : the weak link of Australian critical infrastructure protection

Secure management of Australia’s commercial Critical Infrastructure presents ongoing challenges to both the owners of this infrastructure as well as to the Australian Federal government. The security management process is currently managed through high-level information sharing via collaboration, but does this situation suit the commercial sector? One of the issues facing Australia is that the majority of critical infrastructure resides under the control of the business sector and certain aspects such of the critical infrastructure such as Supply Chain Management (SCM) systems are distributed entities that span a number of commercial organisations. Another issue is that these SCM systems can be used for the transportation of varied items, such as retail items or food. This paper will explore the security issue related to food SCM systems and their relationship to critical infrastructure. The paper will focuses upon the security and risk issues associated with SCM system protection within the realms of critical infrastructure protection. The paper will review the security standard ISO 28000 - Supply Chain Security Management Standard. The paper will propose a new conceptual security risk analysis approach that will form the basis of a future Security Risk Analysis approach. This new approach will be aimed at protecting SCM systems.

Development of a supply chain management security risk management method : a conceptual model

This paper continues the prior research undertaken by Warren and Leitch (2009), in which a series of initial research findings were presented. These findings identified that in Australia, Supply Chain Management (SCM) systems were the weak link of Australian critical infrastructure. This paper focuses upon the security and risk issues associated with SCM systems and puts forward a new SCM Security Risk Management method, continuing the research presented at the European Conference of Information Warfare in 2009.This paper proposes a new Security Risk Analysis model that deals with the complexity of protecting SCM critical infrastructure systems and also introduces a new approach that organisations can apply to protect their SCM systems. The paper describes the importance of SCM systems from a critical infrastructure protection perspective. The paper then discusses the importance of SCM systems in relation to supporting centres of populations and gives examples of the impact of failure. The paper proposes a new SCM security risk analysis method that deals with the security issues related to SCM security and the security issues associated with Information Security. The paper will also discuss a risk framework that can be used to protect against high and low level associated security risks using a new SCM security risk analysis method.

Incorporating a knowledge perspective into security risk assessments

Purpose – Many methodologies exist to assess the security risks associated with unauthorized leakage, modification and interruption of information used by organisations. This paper argues that these methodologies have a traditional orientation towards the identification and assessment of technical information assets. This obscures key risks associated with the cultivation and deployment of organisational knowledge. The purpose of this paper is to explore how security risk assessment methods can more effectively identify and treat the knowledge associated with business processes.

Design/methodology/approach – The argument was developed through an illustrative case study in which a well-documented traditional methodology is applied to a complex data backup process. Follow-up interviews were conducted with the organisation’s security managers to explore the results of the assessment and the nature of knowledge “assets” within a business process.

Findings – It was discovered that the backup process depended, in subtle and often informal ways, on tacit knowledge to sustain operational complexity, handle exceptions and make frequent interventions. Although typical information security methodologies identify people as critical assets, this study suggests a new approach might draw on more detailed accounts of individual knowledge, collective knowledge and their relationship to organisational processes.

Originality/value – Drawing on the knowledge management literature, the paper suggests mechanisms to incorporate these knowledge-based considerations into the scope of information security risk methodologies. A knowledge protection model is presented as a result of this research. This model outlines ways in which organisations can effectively identify and treat risks around process knowledge critical to the business.

An agile IT security model for project risk assessment

There are two fundamental challenges in effectively performing security risk assessment in today's IT projects.The first is the project manager's need to know what IT security risks face the project before the project begins. At this stage IT security staff are unable to answer this question without first knowing the system requirements for the project which are yet to be defined. Second organisations that deal with a large project throughput each year find the current IT security risk assessment process to be tedious and expensive, especially when the same process has to be repeated for each individual project. This also makes it difficult for an organisation to prioritise which projects require more investment in IT security in order to fit within budget constraints. This paper presents a conceptual model that is based on an agile approach to alleviate these challenges. We do this by first analysing two online database resources of vulnerabilities by comparing them to each other, and then compare them to the agile criteria of the conceptual model which we define. The conceptual model is then presented and an example is given of how it can be applied to an actual project. We then briefly discuss what further work needs to be done to implement the conceptual model and validate it against an existing IT project.