An Integrated Conceptual Model for Information System Security Risk Management and Enterprise Architecture Management Ba
Abstract. Risk management is today a major steering tool for any organization wanting to deal with Information System (IS) security. However, IS Security Risk Management (ISSRM) remains difficult to establish and maintain, mainly in a context of multiple regulations with complex and interconnected IS. We claim that a connection with Enterprise Architecture Management (EAM) helps to deal with these issues. According to our research agenda, a first step towards a better integration of both domains is to define an integrated EAM-ISSRM conceptual model. To build such a model, we will improve the ISSRM domain model, a conceptual model depicting the domain of ISSRM, with the concepts of EAM. The contribution of this paper is focused on the improvement of the ISSRM domain model with the concepts of TOGAF, a well-known EAM standard.

Keywords: Information security · Risk management · Enterprise architecture · TOGAF · Compliance
1 Introduction

Nowadays, Information System (IS) security and Risk Management (RM) are required for every organization that wishes to survive in this networked world. Whether for purely compliance purposes, business development opportunities, or even governance improvement, organizations tend to implement a security strategy based on an IS Security RM (ISSRM) approach. However, organizations have to deal with pressures that increase the complexity of managing security risks: regulatory pressure involving ISSRM requirements [1–3], the increasing number of threats and the complexity of current IS [6, 7], a lack of efficiency in the process followed [1], or the difficulty of keeping clear and manageable documentation of ISSRM activities [1]. Due to this complexity, new solutions are required to address security risks. Classical ISSRM methods [1, 2] are indeed not suitable for dealing with the complexity of organizations and their associated risks in a context of compliance and governance.

© IFIP International Federation for Information Processing 2016. Published by Springer International Publishing Switzerland 2016. All Rights Reserved. J. Horkoff et al. (Eds.): PoEM 2016, LNBIP 267, pp. 353–361, 2016. DOI: 10.1007/978-3-319-48393-1_27
354
N. Mayer et al.
Enterprise Architecture Management (EAM) has been shown to be a valuable and engaging instrument for facing enterprise complexity and the necessary enterprise transformation [3, 4]. EAM offers means to govern complex enterprises, such as an explicit representation of the enterprise's facets, a sound and informed decisional framework, a continuous alignment between business and IT, and so forth [5]. By integrating EAM with ISSRM, we aim to be able to deal with the issues listed above relating to the complexity of organizations and their associated risks. In earlier work, we integrated the concepts of existing ISSRM standards and methods into a domain model, which we called the ISSRM domain model [6]. The goal of our research is to improve this model by extending it to a framework (modelling language, method, and tool) that incorporates results from EAM research [7] and