984 results for security governance


Abstract:

Existing secure software development principles tend to focus on coding vulnerabilities, such as buffer or integer overflows, that apply to individual program statements, or issues associated with the run-time environment, such as component isolation. Here we instead consider software security from the perspective of potential information flow through a program’s object-oriented module structure. In particular, we define a set of quantifiable "security metrics" which allow programmers to quickly and easily assess the overall security of a given source code program or object-oriented design. Although measuring quality attributes of object-oriented programs for properties such as maintainability and performance has been well covered in the literature, metrics which measure the quality of information security have received little attention. Moreover, existing security-relevant metrics assess a system either at a very high level, i.e., the whole system, or at a fine level of granularity, i.e., with respect to individual statements. These approaches make it hard and expensive to recognise a secure system from an early stage of development. Instead, our security metrics are based on well-established compositional properties of object-oriented programs (i.e., data encapsulation, cohesion, coupling, composition, extensibility, inheritance and design size), combined with data flow analysis principles that trace potential information flow between high- and low-security system variables. We first define a set of metrics to assess the security quality of a given object-oriented system based on its design artifacts, allowing defects to be detected at an early stage of development. We then extend these metrics to produce a second set applicable to object-oriented program source code.
The resulting metrics make it easy to compare the relative security of functionally equivalent system designs or source code programs so that, for instance, the security of two different revisions of the same system can be compared directly. This capability is further used to study the impact of specific refactoring rules on system security more generally, at both the design and code levels. By measuring the relative security of various programs refactored using different rules, we thus provide guidelines for the safe application of refactoring steps to security-critical programs. Finally, to make it easy and efficient to measure a system design or program’s security, we have also developed a stand-alone software tool which automatically analyses and measures the security of UML designs and Java program code. The tool’s capabilities are demonstrated by applying it to a number of security-critical system designs and Java programs. Notably, the validity of the metrics is demonstrated empirically through measurements that confirm our expectation that program security typically improves as bugs are fixed, but worsens as new functionality is added.
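The abstract above describes tracing potential information flow between high- and low-security variables through a class's structure and turning the result into a comparable number. The following is an added illustration of that idea, not the thesis's tool, its metric definitions or its Java/UML front end: it works on a constructed Python class, treats the attribute names listed in HIGH as high-security (an assumption standing in for the thesis's security labelling), propagates that label through assignments inside each method, and reports two simple figures: the fraction of assignments that write high-security data into a low-security name, and the public methods whose return value depends on high-security data. Names such as HIGH, SAMPLE and analyse_class are the example's own.

```python
"""Toy high-to-low information-flow metric over a Python class (added example)."""
import ast

# Constructed sample input, not code from the thesis or any real project.
SAMPLE = '''
class Account:
    def __init__(self, owner, pin, balance):
        self.owner = owner
        self._pin = pin
        self._balance = balance

    def check_pin(self, candidate):
        return candidate == self._pin

    def audit_line(self):
        line = f"{self.owner} pin={self._pin}"   # high-security value copied into a low name
        return line

    def statement(self):
        summary = "balance: " + str(self._balance)
        return summary
'''

# Assumption: which attributes are classified. A real tool would take this
# from annotations or the design model rather than a hard-coded set.
HIGH = {"_pin", "_balance"}


def _names(node):
    """Bare names and attribute names referenced anywhere inside an expression."""
    found = set()
    for sub in ast.walk(node):
        if isinstance(sub, ast.Attribute):
            found.add(sub.attr)
        elif isinstance(sub, ast.Name):
            found.add(sub.id)
    return found


def _statements(body):
    """Statements of a block in source order, descending into nested blocks."""
    for stmt in body:
        yield stmt
        for field in ("body", "orelse", "finalbody"):
            yield from _statements(getattr(stmt, field, []))
        for handler in getattr(stmt, "handlers", []):
            yield from _statements(handler.body)


def analyse_class(source, high=HIGH):
    """Return assignment count, high->low assignments and exposing public methods."""
    tree = ast.parse(source)
    report = {"assignments": 0, "leaks": [], "exposing_methods": [], "leak_ratio": 0.0}
    for cls in (n for n in ast.walk(tree) if isinstance(n, ast.ClassDef)):
        for func in (n for n in cls.body if isinstance(n, ast.FunctionDef)):
            tainted = set(high)  # names carrying high-security data within this method
            for stmt in _statements(func.body):
                if isinstance(stmt, ast.Assign):
                    report["assignments"] += 1
                    src_high = _names(stmt.value) & tainted
                    for target in stmt.targets:
                        dst = _names(target) - {"self"}
                        # A write into a name that is not itself classified is a
                        # potential high->low flow; the target becomes tainted.
                        if src_high and not (dst & high):
                            report["leaks"].append((func.name, stmt.lineno, sorted(dst)))
                            tainted |= dst
                elif isinstance(stmt, ast.Return) and stmt.value is not None:
                    # Public method (no leading underscore) returning tainted data.
                    if _names(stmt.value) & tainted and not func.name.startswith("_"):
                        report["exposing_methods"].append(func.name)
    if report["assignments"]:
        report["leak_ratio"] = len(report["leaks"]) / report["assignments"]
    return report


if __name__ == "__main__":
    result = analyse_class(SAMPLE)
    print(f"assignments: {result['assignments']}, leak ratio: {result['leak_ratio']:.2f}")
    for func, lineno, dst in result["leaks"]:
        print(f"  {func} line {lineno}: high-security data written into {dst}")
    print("public methods exposing high-security data:", result["exposing_methods"])
```

Two caveats a practitioner would attach before using a figure like this to compare revisions: the rule is purely syntactic, so check_pin is flagged even though returning a boolean comparison is a deliberate declassification, and control-flow dependence (a branch on a secret that sets a low variable) is not tracked at all. The value of the ratio is relative, as in the abstract: the same labelling applied to two revisions of the same class tells you whether a change widened or narrowed the exposure.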

Abstract:

Effective enterprise information security policy management requires review and assessment activities to ensure information security policies are aligned with business goals and objectives. As security policy management involves the elements of policy development process and the security policy as output, the context for security policy assessment requires goal-based metrics for these two elements. However, the current security management assessment methods only provide checklist types of assessment that are predefined by industry best practices and do not allow for developing specific goal-based metrics. Utilizing theories drawn from literature, this paper proposes the Enterprise Information Security Policy Assessment approach that expands on the Goal-Question-Metric (GQM) approach. The proposed assessment approach is then applied in a case scenario example to illustrate a practical application. It is shown that the proposed framework addresses the requirement for developing assessment metrics and allows for the concurrent undertaking of process-based and product-based assessment. Recommendations for further research activities include the conduct of empirical research to validate the propositions and the practical application of the proposed assessment approach in case studies to provide opportunities to introduce further enhancements to the approach.

Abstract:

Organizations today engage in various forms of alliances to manage their existing business processes or to diversify into new processes to sustain their competitive positions. Many of today’s alliances use IT resources as their backbone. The results of these alliances are collaborative organizational structures with little or no ownership stakes between the parties. The emergence of Web 2.0 tools is having a profound effect on the nature and form of these alliance structures. These alliances heavily depend on and make radical use of IT resources in a collaborative environment. This situation requires a deeper understanding of the governance of these IT resources to ensure the sustainability of the collaborative organizational structures. This study reports on the first stage of this initiative. It suggests the types of IT governance structures required for collaborative organizational structures. Semi-structured interviews with senior executives who operate in such alliances reveal that co-created IT governance structures are necessary. Such structures include co-created IT steering committees, co-created operational committees, and inter-organizational performance management and communication systems. The findings pave the way for the development of a model for understanding approaches to governing IT and evaluating the effectiveness of such governance mechanisms in today’s IT-dependent alliances.

Abstract:

We examine the relationship between the effectiveness of IT steering committee-driven IT governance initiatives and firms’ IT management and IT infrastructure related capabilities. We test these relationships empirically by a field survey of 216 firms. Results of this study suggest that a firm’s effectiveness of IT steering committee-driven IT governance initiatives positively relates to the level of its IT-related capabilities. We also found positive relationships between IT-related capabilities and internal process-level performance, which positively relate to improvement in customer service and firm-level performance. For researchers, we demonstrate that the resource-based theory provides a more robust explanation of the determinants of firms’ IT governance initiatives. This would be ideal in evaluating other IT governance initiatives’ effectiveness in relation to how they contribute to building performance-differentiating IT-related capabilities. For decision makers, we hope our study has reiterated the notion that IT governance is truly a coordinated effort, embracing all levels of human resources.

Abstract:

With increasing recognition of the international market in health professionals and the impact of globalism on regulation, the governance of the health workforce is moving towards greater public engagement and increased transparency. This book discusses the challenges posed by these processes, such as improved access to health services and how structures can be reformed so that good practice is upheld and quality of service and patient safety are ensured.

Abstract:

The pervasive use of IT is prominent amongst organizations in developing economies. However, there is growing evidence that these economies fail to capitalize on their IT investment to transform their organizations to be competitive both locally and globally. IT-related benefits are possible with appropriate governance of the IT-related resources, and we need to broaden our understanding of the IT governance mechanics suitable for organizations in the developing economies. In this study, we adopted an initial interpretive design to obtain a deeper understanding of the IT governance (ITG) environment and conceptions of the stakeholders on effective IT governance structures for the developing economies. We found the presence of an IT Strategic Planning Committee, multiple levels of authority, and a forum for informal discussions to be the crucial components of an ITG structure in developing economies.

Abstract:

This study examines the occurrence of misappropriation-type fraud within Australian listed firms and the relation between the incidence of this type of fraud and a firm's governance strength. We measure governance strength using factors relating to traditional corporate governance, such as board composition, CEO duality, and audit committee composition, as well as factors relating to information technology governance. In our study, we use the actual dollar amount of fraud reported by listed companies responding to the 2004 KPMG Fraud Survey as one of three different misappropriation measures and publicly available firm-specific data to measure the other variables in the model. Our study found that where the chief executive officer (CEO) also holds the position of chairperson of the board of directors, the likelihood of fraud increases. We also find that the greater the number of independent directors on the audit committee, the lower the level of fraud. Taken together, these results are particularly encouraging as they provide support for regulatory bodies such as the Australian Stock Exchange (ASX) and the Australian Securities and Investments Commission (ASIC), which place considerable emphasis on the importance of establishing good corporate governance practices. The study provides empirical evidence that employing good corporate governance reduces the risk of the misappropriation of assets.

Abstract:

Information communication and technology (ICT) systems are almost ubiquitous in the modern world. It is hard to identify any industry, or for that matter any part of society, that is not in some way dependent on these systems and their continued secure operation. Therefore the security of information infrastructures, both on an organisational and societal level, is of critical importance. Information security risk assessment is an essential part of ensuring that these systems are appropriately protected and positioned to deal with a rapidly changing threat environment. The complexity of these systems and their inter-dependencies, however, introduces a similar complexity to the information security risk assessment task. This complexity suggests that information security risk assessment cannot, optimally, be undertaken manually. Information security risk assessment for individual components of the information infrastructure can be aided by the use of a software tool, a type of simulation, which concentrates on modelling failure rather than normal operational simulation. Avoiding the modelling of the operational system will once again reduce the level of complexity of the assessment task. The use of such a tool provides the opportunity to reuse information in many different ways by developing a repository of relevant information to aid in both risk assessment and management and governance and compliance activities. Widespread use of such a tool allows the opportunity for the risk models developed for individual information infrastructure components to be connected in order to develop a model of information security exposures across the entire information infrastructure. In this thesis conceptual and practical aspects of risk and its underlying epistemology are analysed to produce a model suitable for application to information security risk assessment.
Based on this work prototype software has been developed to explore these concepts for information security risk assessment. Initial work has been carried out to investigate the use of this software for information security compliance and governance activities. Finally, an initial concept for extending the use of this approach across an information infrastructure is presented.
