Article: An audit framework to support information system security management Journal: International Journal of Electronic Security and Digital Forensics (IJESDF) 2010 Vol.3 No.3 pp.265 - 277 Abstract: The widespread adoption of information and communication technology has promoted an increase dependency of organisations from the performance of their information systems. As a result, adequate security procedures to properly manage information security must be established by the organisations, in order to protect their valued or critical resources from accidental or intentional attacks, and ensure their normal activity. A conceptual security framework to manage and audit information system security is proposed and discussed. The proposed framework intends to assist organisations firstly, to understand what assets precisely need to be protect and what are their weaknesses (vulnerabilities), enabling to perform an adequate security management. Secondly, enabling a simple security auditing process to support the organisation to assess the efficiency of the controls and policy adopted to prevent or mitigate attacks, threats and vulnerabilities, promoted by the advances of new technologies and new internet-enabled services. The presented framework is based on a conceptual model approach, comprising the semantic description of the concepts defined in information security domain, based on the ISO/IEC_JCT1 standards. Inderscience Publishers - linking academia, business and industry through research

Title: An audit framework to support information system security management

Authors: Teresa Pereira, Henrique M. Dinis Santos

Addresses: School of Business Studies, Politechnic Institute of Viana do Castelo, Valenca, Portugal. ' Department of Information System, School of Engineering, University of Minho, Campus de Azurem, Guimaraes 4800-058, Portugal

Abstract: The widespread adoption of information and communication technology has promoted an increase dependency of organisations from the performance of their information systems. As a result, adequate security procedures to properly manage information security must be established by the organisations, in order to protect their valued or critical resources from accidental or intentional attacks, and ensure their normal activity. A conceptual security framework to manage and audit information system security is proposed and discussed. The proposed framework intends to assist organisations firstly, to understand what assets precisely need to be protect and what are their weaknesses (vulnerabilities), enabling to perform an adequate security management. Secondly, enabling a simple security auditing process to support the organisation to assess the efficiency of the controls and policy adopted to prevent or mitigate attacks, threats and vulnerabilities, promoted by the advances of new technologies and new internet-enabled services. The presented framework is based on a conceptual model approach, comprising the semantic description of the concepts defined in information security domain, based on the ISO/IEC_JCT1 standards.

Keywords: information security; security management; information systems; audit information systems; ontology; conceptual modelling; information management; ICT; attacks; threats; vulnerabilities.

DOI: 10.1504/IJESDF.2010.038288

International Journal of Electronic Security and Digital Forensics, 2010 Vol.3 No.3, pp.265 - 277

Published online: 27 Jan 2011 *

Full-text access for editors Full-text access for subscribers Purchase this article Comment on this article

Title: An audit framework to support information system security management

Keep up-to-date