Risk Management in the context of Information Security: a Model-Driven approach

Information security is concerned with the requirements of availability, integrity, and confidentiality of information’s assets, which are fundamental to the long-term survival of an organization. Information security relies in risk management for security risks identification, evaluation and treatment, according to the ISO 31000. The methodologies supporting information security implementation, such the ones based on the ISO 27000 set of standards, are holistic approaches that deals with corporate systems, as well as an extended network that includes business partners, vendors, customers and other stakeholders. This paper uses the model-driven approach for addressing information security systems conception and design, deemed to be compliant with the ISO/IEC 27000 and the ISO 31000 set of standards. A domain level model (computation independent model) based on the information security and risk management vocabulary present in the standards was built. This CIM model serves as a meta-model for platform independent models of information security systems compliant with the information security and risk management standards. This model is the baseline for conceiving, implementing and testing actual information security systems, allowing users from different organizational, functional, and technical levels to use a common language when embedding information security and risk management in their processes. Key-Words: information security, risk management, model-driven architecture, MDA. WSEAS TRANSACTIONS on INFORMATION SCIENCE and APPLICATIONS Anacleto Correia, António Gonçalves, M. Filomena Teodoro E-ISSN: 2224-3402 10 Volume 14, 2017