Click here for full text:
Model-Based Assurance of Security Controls
Beres, Yolanta; Baldwin, Adrian; Shiu, Simon
Keyword(s): compliance, assurance, security, audit, metrics
Abstract: The paper presents an innovative way to assess the effectiveness of security controls where measurable aspects of controls are first captured in the models and then the models are used to analyse the security data gathered from the IT environment. The aim is to lift the risk and security control management lifecycle from a series of people based processes to one where model based technology enhances, connects and where appropriate automates the process. Modelling in such an approach means capturing the relationship between controls and the way the controls should be measured for effectiveness and compliance to regulations and internal policies. This paper also describes how the model based assurance approach has been applied to automate the analysis of critical security controls during several IT application audits. We show advantages both in time savings due to automation of audit testing and in improvement of the control coverage due to the reduction in sampling.
Back to Index