A Pattern-Based and Tool-Supported Risk Analysis Method Compliant to ISO 27001 for Cloud Systems

نویسندگان

  • Azadeh Alebrahim
  • Denis Hatebur
  • Stephan Faßbender
  • Ludger Goeke
  • Isabelle Côté
چکیده

To benefit from cloud computing and the advantages it offers, obstacles regarding the usage and acceptance of clouds have to be cleared. For cloud providers, one way to obtain customers’ confidence is to establish security mechanisms when using clouds. The ISO 27001 standard provides general concepts for establishing information security in an organization. Risk analysis is an essential part in the ISO 27001 standard for achieving information security. This standard, however, contains ambiguous descriptions. In addition, it does not stipulate any method to identify assets, threats, and vulnerabilities. In this paper, the authors present a method for cloud computing systems to perform risk analysis according to the ISO 27001. The authors’ structured method is tailored to SMEs. It relies upon patterns to describe context and structure of a cloud computing system, elicit security requirements, identify threats, and select controls, which ease the effort for these activities. The authors’ method guides companies through the process of risk analysis in a structured manner. Furthermore, the authors provide a model-based tool for supporting the ISO 27001 standard certification. The authors’ tool consists of various plug-ins for conducting different steps of their method. Azadeh Alebrahim University of Duisburg-Essen, Germany Denis Hatebur University of Duisburg-Essen, Germany Stephan Fassbender University of Duisburg-Essen, Germany Ludger Goeke ITESYS Inst. f. tech. Sys. GmbH, Germany Isabelle Côté ITESYS Inst. f. tech. Sys. GmbH, Germany

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

منابع مشابه

A Pattern-based Method for Establishing a Cloud-specific Information Security Management System Establishing Information Security Management Systems for Clouds Considering Security, Privacy, and Legal Compliance

Assembling an Information Security Management System (ISMS) according to the ISO 27001 standard is difficult, because the standard provides only very sparse support for system development and documentation. Assembling an ISMS consists of several difficult tasks, e.g., asset identification, threat and risk analysis and security reasoning. Moreover, the standard demands consideration of laws and ...

متن کامل

ISMS-CORAS: A Structured Method for Establishing an ISO 27001 Compliant Information Security Management System

Established standards on security and risk management provide guidelines and advice to organizations and other stakeholders on how to fulfill their security needs. However, realizing and ensuring compliance with such standards may be challenging. This is partly because the descriptions are very generic and have to be refined and interpreted by security experts, and partly because they lack tech...

متن کامل

Standard Compliant Hazard and Threat Analysis for the Automotive Domain

The automotive industry has successfully collaborated to release the ISO 26262 standard for developing safe software for cars. The standard describes in detail how to conduct hazard analysis and risk assessments to determine the necessary safety measures for each feature. However, the standard does not concern threat analysis for malicious attackers or how to select appropriate security counter...

متن کامل

Cloud Computing Security in Business Information Systems

Cloud computing providers‘ and customers‘ services are not only exposed to existing security risks, but, due to multi-tenancy, outsourcing the application and data, and virtualization, they are exposed to the emergent, as well. Therefore, both the cloud providers and customers must establish information security system and trustworthiness each other, as well as end users. In this paper we analy...

متن کامل

A Gap Analysis Tool for SMEs Targeting ISO/IEC 27001 Compliance

Current trends indicate that information security is critical for today’s enterprises. As managers realise they cannot ignore the potential security risks, they tend to turn to the ISO/IEC 27001 standard, in order to implement an Information Security Management System (ISMS). While being adopted by large companies, ISMS are still considered as out of range by numerous smaller entities. To help ...

متن کامل

ذخیره در منابع من


  با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

عنوان ژورنال:
  • IJSSE

دوره 6  شماره 

صفحات  -

تاریخ انتشار 2015