An investigation into system security requirements and implementation in an Application Service Provider (ASP) environment

Although the ASP model has been around for over a decade, it has not achieved the expected high level of market uptake. This research project examines the past and present state of ASP adoption and identifies security as a primary factor influencing the uptake of the model. The early chapters of this document examine the ASP model and ASP security in particular. Specifically, the literature and technology review chapter analyses ASP literature, security technologies and best practices with respect to system security in general. Based on this investigation, a prototype to illustrate the range and types of technologies that encompass a security framework was developed and is described in detail. The latter chapters of this document evaluate the practical implementation of system security in an ASP environment. Finally, this document outlines the research outputs, including the conclusions drawn and recommendations with respect to system security in an ASP environment. The primary research output is the recommendation that by following best practices with respect to security, an ASP application can provide the same level of security one would expect from any other n-tier client-server application. In addition, a security evaluation matrix, which could be used to evaluate not only the security of ASP applications but the security of any n-tier application, was developed by the author. This thesis shows that perceptions with regard to fears of inadequate security of ASP solutions and solution data are misguided. Finally, based on the research conducted, the author recommends that ASP solutions should be developed and deployed on tried, tested and trusted infrastructure. Existing Application Programming Interfaces (APIs) should be used where possible and security best practices should be adhered to where feasible.

Socioeconomic status, structural and functional measures of social support, and mortality: The British Whitehall II Cohort Study, 1985-2009.

The authors examined the associations of social support with socioeconomic status (SES) and with mortality, as well as how SES differences in social support might account for SES differences in mortality. Analyses were based on 9,333 participants from the British Whitehall II Study cohort, a longitudinal cohort established in 1985 among London-based civil servants who were 35-55 years of age at baseline. SES was assessed using participant's employment grades at baseline. Social support was assessed 3 times in the 24.4-year period during which participants were monitored for death. In men, marital status, and to a lesser extent network score (but not low perceived support or high negative aspects of close relationships), predicted both all-cause and cardiovascular mortality. Measures of social support were not associated with cancer mortality. Men in the lowest SES category had an increased risk of death compared with those in the highest category (for all-cause mortality, hazard ratio = 1.59, 95% confidence interval: 1.21, 2.08; for cardiovascular mortality, hazard ratio = 2.48, 95% confidence interval: 1.55, 3.92). Network score and marital status combined explained 27% (95% confidence interval: 14, 43) and 29% (95% confidence interval: 17, 52) of the associations between SES and all-cause and cardiovascular mortality, respectively. In women, there was no consistent association between social support indicators and mortality. The present study suggests that in men, social isolation is not only an important risk factor for mortality but is also likely to contribute to differences in mortality by SES.

Public Policy and Ageing in Northern Ireland: Identifying Levers for Change

Public Policy and Ageing in Northern Ireland: Identifying Levers for Change Judith Cross, Policy Officer with the Centre for Ageing Research Development in Ireland (CARDI)��������Introduction Identifying a broad range of key public policy initiatives as they relate to age can facilitate discussion and create new knowledge within and across government to maximise the opportunities afforded by an ageing population. This article looks at how examining the current public policy frameworks in Northern Ireland can present opportunities for those working in this field for the benefit of older people. Good policy formulation needs to be evidence-based, flexible, innovative and look beyond institutional boundaries. Bringing together architects and occupational therapists, for example, has the potential to create better and more effective ways relevant to health, housing, social services and government departments. Traditional assumptions of social policy towards older people have tended to be medically focused with an emphasis on care and dependency. This in turn has consequences for the design and delivery of services for older people. It is important that these assumptions are challenged as changes in thinking and attitudes can lead to a redefinition of ageing, resulting in policies and practices that benefit older people now and in the future. Older people, their voices and experiences, need to be central to these developments. The Centre for Ageing Research and Development in Ireland The Centre for Ageing Research and Development in Ireland (CARDI) (1) is a not for profit organisation developed by leaders from the ageing field across Ireland (North and South) including age sector focused researchers and academics, statutory and voluntary, and is co-chaired by Professor Robert Stout and Professor Davis Coakley. CARDI has been established to provide a mechanism for greater collaboration among age researchers, for wider dissemination of ageing research information and to advance a research agenda relevant to the needs of older people in Ireland, North and South. Operating at a strategic level and in an advisory capacity, CARDI�۪s work focuses on promoting research co-operation across sectors and disciplines and concentrates on influencing the strategic direction of research into older people and ageing in Ireland. It has been strategically positioned around the following four areas: Identifying and establishing ageing research priorities relevant to policy and practice in Ireland, North and South;Promoting greater collaboration and co-operation on ageing research in order to build an ageing research community in Ireland, North and South;Stimulating research in priority areas that can inform policy and practice relating to ageing and older people in Ireland, North and South;Communicating strategic research issues on ageing to raise the profile of ageing research in Ireland, North and South, and its role in informing policy and practice. Context of Ageing in Ireland Ireland �۪s population is ageing. One million people aged 60 and over now live on the island of Ireland. By 2031, it is expected that Northern Ireland�۪s percentage of older people will increase to 28% and the Republic of Ireland�۪s to 23%. The largest increase will be in the older old; the number aged 80+ is expected to triple by the same date. However while life expectancy has increased, it is not clear that life without disability and ill health has increased to the same extent. A growing number of older people may face the combined effects of a decline in physical and mental function, isolation and poverty. Policymakers, service providers and older people alike recognise the need to create a high quality of life for our ageing population. This challenge can be meet by addressing the problems relating to healthy ageing, reducing inequalities in later life and creating services that are shaped by, and appropriate for, older people. Devolution and Structures of Government in Northern Ireland The Agreement (2) reached in the Multi-Party Negotiations in Belfast 1998 established the Northern Ireland Assembly which has full legislative authority for all transferred matters. The majority of social and economic public policy such as; agriculture, arts, education, health, environment and planning is determined by the Northern Ireland Assembly at Stormont. There are 11 Government Departments covering the main areas of responsibility with 108 elected Members of the Legislative Assembly (MLA�۪s). The powers of the Northern Ireland Assembly do not cover ��� reserved�۪ matters or ��� excepted�۪ matters . These are the responsibility of Westminster and include issues such as, tax, social security, policing, justice, defence, immigration and foreign affairs. Northern Ireland has 18 elected Members of Parliament (MP�۪s) to the House of Commons. Public Policy Context in Northern Ireland The economic, social and political consequence of an ageing population is a challenge for policy makers across government. Considering the complex and diverse causal factors that contribute to ageing in Northern Ireland, there are a number of areas of government policy at regional, national and international levels that are likely to impact in this area. International The Madrid International Plan of Action on Ageing (3) and the Research Agenda on Ageing for the 21st Century (4) provide important mechanisms for furthering research into ageing. The United Kingdom has signed up to these. The Madrid International Plan of Action on Ageing commits member states to a systematic review of the Plan of Action through Regional Implementation Strategies. The United Kingdom�۪s Regional Implementation Strategy covers Northern Ireland. National At National level, pension and social security are high on the agenda. The Pensions Act (5) became law in 2007 and links pensions increases with earnings as opposed to prices from 2012. Additional credits for people raising children and caring for older people to boost their pensions were introduced. Some protections are included for those who lost occupational pensions as a result of underfunded schemes being wound up before April 2005. In relation to State Pensions and benefits, this Act will bring changes to state pensions in future. The Act now places the Pension Credit element which is up-rated in line with or above earnings, on a permanent, statutory footing. Regional At regional level there are a number of age related public policy initiatives that have the potential to impact positively on the lives of older people in Northern Ireland. Some are specific to ageing such as the Ageing in an Inclusive Society (6) and others by their nature are cross-cutting such as Lifetime Opportunities: Governments Anti-Poverty Strategy for Northern Ireland (7). The main public policy framework in Northern Ireland is the Programme for Government: Building a Better Future, 2008-2011(PfG) (8) . The PfG, is the overarching high level policy framework for Northern Ireland and provides useful principles for ageing research and public policy in Northern Ireland. The PfG vision is to build a peaceful, fair and prosperous society in Northern Ireland, with respect for the rule of law. A number of Public Service Agreements (PSA) aligned to the PfG confirm key actions that will be taken to support the priorities that the Government aim to achieve over the next three years. For example objective 2 of PSA 7: Making Peoples�۪ Lives Better: Drive a programme across Government to reduce poverty and address inequality and disadvantage, refers to taking forward strategic action to promote social inclusion for older people; and to deliver a strong independent voice for older people. The Office of the First Minister and deputy First Minister (OFMDFM) have recently appointed an Interim Older People�۪s Advocate, Dame Joan Harbison to provide a focus for older peoples issues across Government. Ageing in an Inclusive Society is the cross-departmental strategy for older people in Northern Ireland and was launched in March 2005. It sets out the approach to be taken across Government to promote and support the inclusion of older people. The vision coupled with six strategic objectives form the basis of the action plans accompanying the strategy. The vision is: ���To ensure that age related policies and practices create an enabling environment, which offers everyone the opportunity to make informed choices so that they may pursue healthy, active and positive ageing.�۝ (Ageing in an Inclusive Society, Office of the First Minister and Deputy First Minister, 2005) Action planning and maintaining momentum across government in relation to this strategy has proved to be slower than anticipated. It is proposed to refresh this Strategy in line with Opportunity Age ��� meeting the challenges of ageing in the 21st Century (9). There are a number of policy levers elsewhere which can also be used to promote the positive aspects of an ageing society. The Investing for Health (10) and A Healthier Future:A 20 Year Vision for Health and Well-being in Northern Ireland (11), seek to ensure that the overall vision for health and wellbeing is achievable and provides a useful framework for ageing policy and research in the health area. These health initiatives have the potential to positively impact on the quality of life of older people and provide a useful framework for improving current policy and practice. In addition to public policy initiatives, the anti-discrimination frameworks in terms of employment in Northern Ireland cover age as well as a range of other grounds. Goods facilitates and services are currently excluded from the Employment Equality (age) Regulations (NI) 2006 (12). Supplementing the anti-discrimination measures, Section 75 of the Northern Ireland Act 1998 (13), unique to Northern Ireland, places a statutory obligation on public authorities in fulfilling their functions to promote equality of opportunity across nine grounds, one of which is age(14). This positive duty has the potential to make a real difference to the lives of older people in Northern Ireland. Those affected by policy decisions must be consulted and their interests taken into account. This provides an opportunity for older people and their representatives to participate in public policy-making, right from the start of the process. Policy and Research Interface ���Ageing research is vital as decisions in relation to policy and practice and resource allocation will be made on the best available information�۝. (CARDI�۪s Strategic Plan 2008-2011) As outlined earlier, CARDI has been established to bridge the gap to ensure that research reaches those involved in making policy decisions. CARDI is stimulating the ageing research agenda in Ireland through a specific research fund that has a policy and practice focus. My work is presently focusing on helping to build a greater awareness of the key policy levers and providing opportunities for those within research and policy to develop closer links. The development of this shared understanding by establishing these links between researchers and policy makers is seen as the best predictor for research utilization. It is important to acknowledge and recognise that researchers and policy makers operate in different institutional, political and cultural contexts. Research however needs to ���resonate�۪ with the contextual factors in which policy makers operate. Conclusions Those working within the public policy field recognise all too often that the development of government policies and initiatives in respect of age does not guarantee that they will result in changes in actual provision of services, despite Government recommendations and commitments. The identification of public policy initiatives as they relate to age has the potential to highlight persistent and entrenched difficulties that social policy has previously failed to address. Furthermore, the identification of these difficulties can maximise the opportunities for progressing these across government. A focus on developing effective and meaningful targets to ensure measurable outcomes in public policy for older people can assist in this. Access to sound, credible and up-to-date evidence will be vital in this respect. As well as a commitment to working across departmental boundaries to effect change. Further details: If you would like to discuss this paper or for further information about CARDI please contact: Judith Cross, Policy Officer, Centre for Ageing Research and Development in Ireland CARDI). t: +44 (0) 28 9069 0066; m: +353 (0) 867 904 171; e: judith@cardi.ie ; or visit our website at: www.cardi.ie References 1) Centre for Ageing Research and Development in Ireland (2008) Strategic Plan 2008-2011. Belfast. CARDI 2) The Agreement: Agreement Reached in the Multi-Party Negotiations. Belfast 1998 3) Madrid International Plan of Action on Ageing. http://www.un.org/ageing/ 4) UN Programme on Ageing (2007) Research Agenda on Ageing for the 21st Century: 2007 Update. New York. New York. UN Programme on Ageing and the International Association of Gerontology and Geriatrics. 5) The Pensions Act 2007 Chapter 22 6) Office of the First Minister and deputy First Minister (2005). Ageing in an Inclusive Society. Belfast. OFMDFM Central Anti-Poverty Unit. 7) Office of the First Minister and deputy First Minister (2005). Lifetime Opportunities: Government�۪s Anti-Poverty and Social Inclusion Strategy for Northern Ireland. Belfast. OFMDFM Central Anti-Poverty Unit. 8) Northern Ireland Executive (2008) Building a Better Future: Programme for Government 2008-2011. Belfast. OFMDFM Economic Policy Unit. 9) Department for Work and Pensions, (2005) Opportunity Age: Meeting the Challenges of Ageing in the 21 st Century. London. DWP. 10) Department of Health, Social Services and Public Safety (DHSS&PS) (2002) Investing for Health. Belfast. DHSS&PS. 11) Department of Health, Social Services and Public Safety (DHSS&PS) (2005) A Healthier Future:A 20 Year Vision for Health and Well-being in Northern Ireland Belfast. DHSS&PS. �� 12) The Employment Equality (Age) Regulations (Northern Ireland) 2006 SR2006 No.261 13) The Northern Ireland Act 1998, Part VII, S75 14) The nine grounds covered under S75 of the Northern Ireland Act are: gender, religion, race, sexual orientation, those with dependents, disability, political opinion, marital status and age.

Evaluating the probability and the impact of a failure in GMPLS based networks

In this paper, we define a new scheme to develop and evaluate protection strategies for building reliable GMPLS networks. This is based on what we have called the network protection degree (NPD). The NPD consists of an a priori evaluation, the failure sensibility degree (FSD), which provides the failure probability, and an a posteriori evaluation, the failure impact degree (FID), which determines the impact on the network in case of failure, in terms of packet loss and recovery time. Having mathematical formulated these components, experimental results demonstrate the benefits of the utilization of the NPD, when used to enhance some current QoS routing algorithms in order to offer a certain degree of protection

Risks of endemicity, morbidity and perspectives regarding the control of Chagas disease in the Amazon Region

Chagas disease, in the Amazon Region as elsewhere, can be considered an enzootic disease of wild animals or an anthropozoonosis, an accidental disease of humans that is acquired when humans penetrate a wild ecosystem or when wild triatomines invade human dwellings attracted by light or searching for human blood. The risk of endemic Chagas disease in the Amazon Region is associated with the following phenomena: (i) extensive deforestation associated with the displacement of wild mammals, which are the normal sources of blood for triatomines, (ii) adaptation of wild triatomines to human dwellings due to the need for a new source of blood for feeding and (iii) uncontrolled migration of human populations and domestic animals that are already infected with Trypanosoma cruzi from areas endemic for Chagas disease to the Amazon Region. Several outbreaks of severe acute cases of Chagas disease, as well as chronic cases, have been described in the Amazon Region. Control measures targeted to avoiding endemic Chagas disease in the Amazon Region should be the following: improving health education in communities, training public health officials and communities for vector and Chagas disease surveillance and training local physicians to recognise and treat acute and chronic cases of Chagas diseases as soon as possible.

The Farm, the city, and the emergence of social security

We study the social, demographic and economic origins of social security. The data for the U.S. and for a cross section of countries suggest that urbanization and industrialization are associated with the rise of social insurance. We describe an OLG model in which demographics, technology, and social security are linked together in a political economy equilibrium. In the model economy, there are two locations (sectors), the farm (agricultural) and the city (industrial) and the decision to migrate from rural to urban locations is endogenous and linked to productivity differences between the two locations and survival probabilities. Farmers rely on land inheritance for their old age and do not support a pay-as-you-go social security system. With structural change, people migrate to the city, the land loses its importance and support for social security arises. We show that a calibrated version of this economy, where social security taxes are determined by majority voting, is consistent with the historical transformation in the United States.

Social security and democracy

Many political economic theories use and emphasize the process of votingin their explanation of the growth of Social Security, governmentspending, and other public policies. But is there an empirical connectionbetween democracy and Social Security program size or design? Using somenew international data sets to produce both country-panel econometricestimates as well as case studies of South American and southern Europeancountries, we find that Social Security policy varies according toeconomic and demographic factors, but that very different politicalhistories can result in the same Social Security policy. We find littlepartial effect of democracy on the size of Social Security budgets, onhow those budgets are allocated, or how economic and demographic factorsaffect Social Security. If there is any observed difference, democraciesspend a little less of their GDP on Social Security, grow their budgetsa bit more slowly, and cap their payroll tax more often, than doeconomically and demographically similar nondemocracies. Democracies andnondemocracies are equally likely to have benefit formulas inducingretirement and, conditional on GDP per capita, equally likely to induceretirement with a retirement test vs. an earnings test.

Pay-as-you-go social security and the distribution of bequests

This paper studies the impact of an unfunded social security system on the distribution of bequests in a framework where savings are due both by life cycle and by random altruistic motivations. We show that the impact of social security on the distribution of bequests depends crucially on the importance of the bequest motive in explaining savings behavior. If the bequest motive is strong, then an increase in the social security tax raises the bequests left by altruistic parents. On the other hand, when the importance of bequests in motivating savings is sufficiently low, theincrease in the social security tax could result in a reduction of the bequests left by altruistic parents under some conditions on the attitude of individuals toward risk and on the relative returns associated with private saving and social security. Some implications concerning the transitional effects of introducing an unfunded social security scheme are also discussed.

New IPERS Members Iowa Public Employees’ Retirement System, February 2012

The IPERS plan is a defined benefit pension plan. The lifetime monthly benefit you receive is predictable and stable because it is calculated using a formula. Your benefits grow with you throughout your IPERS-covered employment. As your years of service and salary increase, your IPERS benefits grow too. IPERS, a public agency, was established for the sole purpose of providing a retirement plan to public employees throughout Iowa. As a public agency, IPERS’ goals are aligned with members’. IPERS benefits are designed to supplement personal savings and Social Security benefits in retirement. Benefits also offer financial protection for families in the event of death or disability.

Investigation of Earlham Community School District Employee’s Personal Use of a School Vehicle, July 6, 2012

We received a complaint in late September 2011 that an Earlham School District employee had borrowed a school vehicle for her personal use for one month, with the Superintendent’s permission. The school board had discussed the circumstances of the borrowed district vehicle in closed session. The complainant believed this was contrary to Iowa law and also believed no action had been taken against the school employee who borrowed the vehicle or the superintendent who allowed the personal use of the vehicle. He was aware the school district’s attorney reviewed the matter and determined the employee and superintendent violated no law or district policies. Since the school board discussed the matter only in closed session, it was unknown what, if any, discipline was taken against the employees and whether such actions were condoned by the district. We agreed to investigate to determine if the actions of school officials or employees violated Iowa law and if the response from the school board was appropriate.

Stream Stabilization in Western Iowa: Structure Evaluation and Design Manual, HR-385, 1998

Stream degradation is the action of deepening the stream bed and widening the banks due to the increasing velocity of water flow. Degradation is pervasive in channeled streams found within the deep to moderately deep loess regions of the central United States. Of all the streams, however, the most severe and widespread entrenchment occurs in western Iowa streams that are tributaries to the Missouri River. In September 1995 the Iowa Department of Transportation awarded a grant to Golden Hills Resource Conservation and Development, Inc. The purpose of the grant, HR-385 "Stream Stabilization in Western Iowa: Structure Evaluation and Design Manual", was to provide an assessment of the effectiveness and costs of various stabilization structures in controlling erosion on channeled streams. A review of literature, a survey of professionals, field observations and an analysis of the data recorded on fifty-two selected structures led to the conclusions presented in the project's publication, Design Manual, Streambed Degradation and Streambank Widening in Western Iowa. Technical standards and specifications for the design and construction of stream channel stabilization structures are included in the manual. Additional information on non-structural measures, monitoring and evaluation of structures, various permit requirements and further resources are also included. Findings of the research project and use and applications of the Design Manual were presented at two workshops in the Loess Hills region. Participants in these workshops included county engineers, private contractors, state and federal agency personnel, elected officials and others. The Design Manual continues to be available through Golden Hills Resource Conservation and Development.

An assurance-based model to holistically assess the information security posture

EXECUTIVE SUMMARY : Evaluating Information Security Posture within an organization is becoming a very complex task. Currently, the evaluation and assessment of Information Security are commonly performed using frameworks, methodologies and standards which often consider the various aspects of security independently. Unfortunately this is ineffective because it does not take into consideration the necessity of having a global and systemic multidimensional approach to Information Security evaluation. At the same time the overall security level is globally considered to be only as strong as its weakest link. This thesis proposes a model aiming to holistically assess all dimensions of security in order to minimize the likelihood that a given threat will exploit the weakest link. A formalized structure taking into account all security elements is presented; this is based on a methodological evaluation framework in which Information Security is evaluated from a global perspective. This dissertation is divided into three parts. Part One: Information Security Evaluation issues consists of four chapters. Chapter 1 is an introduction to the purpose of this research purpose and the Model that will be proposed. In this chapter we raise some questions with respect to "traditional evaluation methods" as well as identifying the principal elements to be addressed in this direction. Then we introduce the baseline attributes of our model and set out the expected result of evaluations according to our model. Chapter 2 is focused on the definition of Information Security to be used as a reference point for our evaluation model. The inherent concepts of the contents of a holistic and baseline Information Security Program are defined. Based on this, the most common roots-of-trust in Information Security are identified. Chapter 3 focuses on an analysis of the difference and the relationship between the concepts of Information Risk and Security Management. Comparing these two concepts allows us to identify the most relevant elements to be included within our evaluation model, while clearing situating these two notions within a defined framework is of the utmost importance for the results that will be obtained from the evaluation process. Chapter 4 sets out our evaluation model and the way it addresses issues relating to the evaluation of Information Security. Within this Chapter the underlying concepts of assurance and trust are discussed. Based on these two concepts, the structure of the model is developed in order to provide an assurance related platform as well as three evaluation attributes: "assurance structure", "quality issues", and "requirements achievement". Issues relating to each of these evaluation attributes are analysed with reference to sources such as methodologies, standards and published research papers. Then the operation of the model is discussed. Assurance levels, quality levels and maturity levels are defined in order to perform the evaluation according to the model. Part Two: Implementation of the Information Security Assurance Assessment Model (ISAAM) according to the Information Security Domains consists of four chapters. This is the section where our evaluation model is put into a welldefined context with respect to the four pre-defined Information Security dimensions: the Organizational dimension, Functional dimension, Human dimension, and Legal dimension. Each Information Security dimension is discussed in a separate chapter. For each dimension, the following two-phase evaluation path is followed. The first phase concerns the identification of the elements which will constitute the basis of the evaluation: ? Identification of the key elements within the dimension; ? Identification of the Focus Areas for each dimension, consisting of the security issues identified for each dimension; ? Identification of the Specific Factors for each dimension, consisting of the security measures or control addressing the security issues identified for each dimension. The second phase concerns the evaluation of each Information Security dimension by: ? The implementation of the evaluation model, based on the elements identified for each dimension within the first phase, by identifying the security tasks, processes, procedures, and actions that should have been performed by the organization to reach the desired level of protection; ? The maturity model for each dimension as a basis for reliance on security. For each dimension we propose a generic maturity model that could be used by every organization in order to define its own security requirements. Part three of this dissertation contains the Final Remarks, Supporting Resources and Annexes. With reference to the objectives of our thesis, the Final Remarks briefly analyse whether these objectives were achieved and suggest directions for future related research. Supporting resources comprise the bibliographic resources that were used to elaborate and justify our approach. Annexes include all the relevant topics identified within the literature to illustrate certain aspects of our approach. Our Information Security evaluation model is based on and integrates different Information Security best practices, standards, methodologies and research expertise which can be combined in order to define an reliable categorization of Information Security. After the definition of terms and requirements, an evaluation process should be performed in order to obtain evidence that the Information Security within the organization in question is adequately managed. We have specifically integrated into our model the most useful elements of these sources of information in order to provide a generic model able to be implemented in all kinds of organizations. The value added by our evaluation model is that it is easy to implement and operate and answers concrete needs in terms of reliance upon an efficient and dynamic evaluation tool through a coherent evaluation system. On that basis, our model could be implemented internally within organizations, allowing them to govern better their Information Security. RÉSUMÉ : Contexte général de la thèse L'évaluation de la sécurité en général, et plus particulièrement, celle de la sécurité de l'information, est devenue pour les organisations non seulement une mission cruciale à réaliser, mais aussi de plus en plus complexe. A l'heure actuelle, cette évaluation se base principalement sur des méthodologies, des bonnes pratiques, des normes ou des standards qui appréhendent séparément les différents aspects qui composent la sécurité de l'information. Nous pensons que cette manière d'évaluer la sécurité est inefficiente, car elle ne tient pas compte de l'interaction des différentes dimensions et composantes de la sécurité entre elles, bien qu'il soit admis depuis longtemps que le niveau de sécurité globale d'une organisation est toujours celui du maillon le plus faible de la chaîne sécuritaire. Nous avons identifié le besoin d'une approche globale, intégrée, systémique et multidimensionnelle de l'évaluation de la sécurité de l'information. En effet, et c'est le point de départ de notre thèse, nous démontrons que seule une prise en compte globale de la sécurité permettra de répondre aux exigences de sécurité optimale ainsi qu'aux besoins de protection spécifiques d'une organisation. Ainsi, notre thèse propose un nouveau paradigme d'évaluation de la sécurité afin de satisfaire aux besoins d'efficacité et d'efficience d'une organisation donnée. Nous proposons alors un modèle qui vise à évaluer d'une manière holistique toutes les dimensions de la sécurité, afin de minimiser la probabilité qu'une menace potentielle puisse exploiter des vulnérabilités et engendrer des dommages directs ou indirects. Ce modèle se base sur une structure formalisée qui prend en compte tous les éléments d'un système ou programme de sécurité. Ainsi, nous proposons un cadre méthodologique d'évaluation qui considère la sécurité de l'information à partir d'une perspective globale. Structure de la thèse et thèmes abordés Notre document est structuré en trois parties. La première intitulée : « La problématique de l'évaluation de la sécurité de l'information » est composée de quatre chapitres. Le chapitre 1 introduit l'objet de la recherche ainsi que les concepts de base du modèle d'évaluation proposé. La maniéré traditionnelle de l'évaluation de la sécurité fait l'objet d'une analyse critique pour identifier les éléments principaux et invariants à prendre en compte dans notre approche holistique. Les éléments de base de notre modèle d'évaluation ainsi que son fonctionnement attendu sont ensuite présentés pour pouvoir tracer les résultats attendus de ce modèle. Le chapitre 2 se focalise sur la définition de la notion de Sécurité de l'Information. Il ne s'agit pas d'une redéfinition de la notion de la sécurité, mais d'une mise en perspectives des dimensions, critères, indicateurs à utiliser comme base de référence, afin de déterminer l'objet de l'évaluation qui sera utilisé tout au long de notre travail. Les concepts inhérents de ce qui constitue le caractère holistique de la sécurité ainsi que les éléments constitutifs d'un niveau de référence de sécurité sont définis en conséquence. Ceci permet d'identifier ceux que nous avons dénommés « les racines de confiance ». Le chapitre 3 présente et analyse la différence et les relations qui existent entre les processus de la Gestion des Risques et de la Gestion de la Sécurité, afin d'identifier les éléments constitutifs du cadre de protection à inclure dans notre modèle d'évaluation. Le chapitre 4 est consacré à la présentation de notre modèle d'évaluation Information Security Assurance Assessment Model (ISAAM) et la manière dont il répond aux exigences de l'évaluation telle que nous les avons préalablement présentées. Dans ce chapitre les concepts sous-jacents relatifs aux notions d'assurance et de confiance sont analysés. En se basant sur ces deux concepts, la structure du modèle d'évaluation est développée pour obtenir une plateforme qui offre un certain niveau de garantie en s'appuyant sur trois attributs d'évaluation, à savoir : « la structure de confiance », « la qualité du processus », et « la réalisation des exigences et des objectifs ». Les problématiques liées à chacun de ces attributs d'évaluation sont analysées en se basant sur l'état de l'art de la recherche et de la littérature, sur les différentes méthodes existantes ainsi que sur les normes et les standards les plus courants dans le domaine de la sécurité. Sur cette base, trois différents niveaux d'évaluation sont construits, à savoir : le niveau d'assurance, le niveau de qualité et le niveau de maturité qui constituent la base de l'évaluation de l'état global de la sécurité d'une organisation. La deuxième partie: « L'application du Modèle d'évaluation de l'assurance de la sécurité de l'information par domaine de sécurité » est elle aussi composée de quatre chapitres. Le modèle d'évaluation déjà construit et analysé est, dans cette partie, mis dans un contexte spécifique selon les quatre dimensions prédéfinies de sécurité qui sont: la dimension Organisationnelle, la dimension Fonctionnelle, la dimension Humaine, et la dimension Légale. Chacune de ces dimensions et son évaluation spécifique fait l'objet d'un chapitre distinct. Pour chacune des dimensions, une évaluation en deux phases est construite comme suit. La première phase concerne l'identification des éléments qui constituent la base de l'évaluation: ? Identification des éléments clés de l'évaluation ; ? Identification des « Focus Area » pour chaque dimension qui représentent les problématiques se trouvant dans la dimension ; ? Identification des « Specific Factors » pour chaque Focus Area qui représentent les mesures de sécurité et de contrôle qui contribuent à résoudre ou à diminuer les impacts des risques. La deuxième phase concerne l'évaluation de chaque dimension précédemment présentées. Elle est constituée d'une part, de l'implémentation du modèle général d'évaluation à la dimension concernée en : ? Se basant sur les éléments spécifiés lors de la première phase ; ? Identifiant les taches sécuritaires spécifiques, les processus, les procédures qui auraient dû être effectués pour atteindre le niveau de protection souhaité. D'autre part, l'évaluation de chaque dimension est complétée par la proposition d'un modèle de maturité spécifique à chaque dimension, qui est à considérer comme une base de référence pour le niveau global de sécurité. Pour chaque dimension nous proposons un modèle de maturité générique qui peut être utilisé par chaque organisation, afin de spécifier ses propres exigences en matière de sécurité. Cela constitue une innovation dans le domaine de l'évaluation, que nous justifions pour chaque dimension et dont nous mettons systématiquement en avant la plus value apportée. La troisième partie de notre document est relative à la validation globale de notre proposition et contient en guise de conclusion, une mise en perspective critique de notre travail et des remarques finales. Cette dernière partie est complétée par une bibliographie et des annexes. Notre modèle d'évaluation de la sécurité intègre et se base sur de nombreuses sources d'expertise, telles que les bonnes pratiques, les normes, les standards, les méthodes et l'expertise de la recherche scientifique du domaine. Notre proposition constructive répond à un véritable problème non encore résolu, auquel doivent faire face toutes les organisations, indépendamment de la taille et du profil. Cela permettrait à ces dernières de spécifier leurs exigences particulières en matière du niveau de sécurité à satisfaire, d'instancier un processus d'évaluation spécifique à leurs besoins afin qu'elles puissent s'assurer que leur sécurité de l'information soit gérée d'une manière appropriée, offrant ainsi un certain niveau de confiance dans le degré de protection fourni. Nous avons intégré dans notre modèle le meilleur du savoir faire, de l'expérience et de l'expertise disponible actuellement au niveau international, dans le but de fournir un modèle d'évaluation simple, générique et applicable à un grand nombre d'organisations publiques ou privées. La valeur ajoutée de notre modèle d'évaluation réside précisément dans le fait qu'il est suffisamment générique et facile à implémenter tout en apportant des réponses sur les besoins concrets des organisations. Ainsi notre proposition constitue un outil d'évaluation fiable, efficient et dynamique découlant d'une approche d'évaluation cohérente. De ce fait, notre système d'évaluation peut être implémenté à l'interne par l'entreprise elle-même, sans recourir à des ressources supplémentaires et lui donne également ainsi la possibilité de mieux gouverner sa sécurité de l'information.