Cyber-Physical Security of Critical Processes for Crucial Functions in Society
Copenhagen, 02.05.2016
Process-oriented Security Risk Analysis and Requirements Engineering
Raimundas Matulevičius
University of Tartu, Estonia
Domain Model for Security Risk Management
Dubois et al., 2010
Content
Security Risk-aware BPMN
Security Risk-oriented Patterns
Business Processes and Compliance
Business Process Modelling
- Objective
  - What does the organisation need to do to achieve its business objectives?
- Advantages
  - Reasonably intuitive
  - Explicit declaration of business activities, processes and sub-processes
- Disadvantages
  - Captures only a dynamic picture
  - Not focused on how technology supports the business
Business Process Model and Notation
Asset Identification and Security Objective Determination
Risk Analysis and Assessment
Security Requirements Definition
Security Risk-aware BPMN
Altuhhova et al., 2013
Security Patterns
- A security pattern describes
  - a particular recurring security problem
  - that arises in a specific security context
  - and presents a well-proven generic scheme for a security solution
- Codify security knowledge in a structured and understandable way
- Presentation is familiar to the audience
- Proven solutions improve the integration of security into enterprises where needed
[Schumacher et al., 2006]
Security Risk-oriented Patterns
SRP1: Secure data from unauthorized access
SRP2: Secure data transmitted between business entities
SRP3: Secure business activity after data is submitted
SRP4: Secure business services against denial of service attacks
SRP5: Secure data stored in / retrieved from the data store
[Ahmed and Matulevičius, 2014]
Business Process and Compliance
- Business process management
  - Instrument to manage enterprise activities
  - Ensure consistent outcomes to bring value to customers
- Compliance
  - A set of activities an organisation does to ensure that its core business does not violate the regulations
    - ISO/IEC 27001, NIST SP 800-39, Basel III, IT-Grundschutz, ISKE, etc.
ISO/IEC 27001:2013
- Requirements for managing an organisation’s sensitive information
  - risk management
  - risk assessment
  - risk treatment means
- Guidance on understanding
  - Organisation’s context
  - Leadership
  - Planning
  - Operation performance
  - Physical access
  - …
- Checklist of objectives and controls
Achieving business process compliance with regulations remains a rather labour-intensive activity.
1. Check compliance
2. Apply SRPs
3. Check compliance again
4. Compare results
Alaküla and Matulevičius, 2015
Insurance Brokerage System
Accept Offer
ISO/IEC 27001:2013
A.9.4.1 Information access restriction
- Access to information and application system functions shall be restricted in accordance with the access control policy.
A.13.2.1 Information transfer policies and procedures
- Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.
- Abstract terminology
- Multiple requirements
- Not relevant requirements
A.9.4.1 Information access restriction
- Access to information and application system functions shall be restricted in accordance with the access control policy.
A.9.4.1 Information access restriction
(i) Access to Customer data, Relevant quotes, Offer status, and Selected quotes shall be restricted in accordance with the access control policy.
(ii) Access to Get customer contact data, Get relevant quotes, Email offer, Cancel offer, Register customer decision, and Register selected quotes shall be restricted in accordance with the access control policy.
Check Compliance
Identify Pattern Occurrences
Derive Security Model
1.  Identify resource
2.  Identify roles
3.  (Assign users)
4.  Identify secured operations
5.  Assign permissions
SReq.1.1: Only Broker should update offer’s Customer data and Relevant quotes.
SReq.1.1.1: Broker should perform Get customer contact data.
SReq.1.1.2: Broker should perform Get relevant quotes.
SReq.1.2: Only Broker should read offer’s Offer status.
SReq.1.2.1: Broker should view Offer status after operation Email offer.
SReq.1.2.2: Broker should view Offer status after operation Cancel offer.
SReq.1.2.3: Broker should view Offer status after operation Register customer decision.
SReq.1.3: Customer should read offer’s Customer data and Relevant quotes after operation Email offer.
SReq.1.4: Only Customer should update offer’s Offer status and Select quotes.
SReq.1.4.1: By performing Send response task, Customer should invoke Register customer decision.
SReq.1.4.2: By performing Send response task, Customer should invoke Register selected quote if Offer status is “Accepted”.
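An added example, not part of the original slides: the access model implied by SReq.1.1 to SReq.1.4, encoded as a default-deny permission table and checked against the data and operations named in the instantiated A.9.4.1. The encoding, the function names, and the reading of "Select quotes" and "Register selected quote" as the control's "Selected quotes" and "Register selected quotes" are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Assets named in the instantiated control A.9.4.1 (i) and (ii) on the slides.
DATA = {"Customer data", "Relevant quotes", "Offer status", "Selected quotes"}
OPERATIONS = {"Get customer contact data", "Get relevant quotes", "Email offer",
              "Cancel offer", "Register customer decision",
              "Register selected quotes"}


@dataclass(frozen=True)
class Permission:
    sreq: str                        # requirement the rule is derived from
    role: str                        # step 2: role
    action: str                      # "read", "update" or "invoke"
    resource: str                    # step 1/4: data object or secured operation
    after: frozenset = frozenset()   # valid only once one of these operations ran
    status: Optional[str] = None     # required Offer status, if any


def grant(sreq, role, action, resources, after=(), status=None):
    """Expand one requirement into one Permission per resource."""
    return [Permission(sreq, role, action, r, frozenset(after), status)
            for r in resources]


# Step 5: permissions. This mapping is an assumed encoding of the SReq list.
PERMISSIONS = (
    grant("SReq.1.1", "Broker", "update", ["Customer data", "Relevant quotes"])
    + grant("SReq.1.1.1", "Broker", "invoke", ["Get customer contact data"])
    + grant("SReq.1.1.2", "Broker", "invoke", ["Get relevant quotes"])
    + grant("SReq.1.2", "Broker", "read", ["Offer status"],
            after=["Email offer", "Cancel offer", "Register customer decision"])
    + grant("SReq.1.3", "Customer", "read",
            ["Customer data", "Relevant quotes"], after=["Email offer"])
    + grant("SReq.1.4", "Customer", "update", ["Offer status", "Selected quotes"])
    + grant("SReq.1.4.1", "Customer", "invoke", ["Register customer decision"])
    + grant("SReq.1.4.2", "Customer", "invoke", ["Register selected quotes"],
            status="Accepted")
)


def is_allowed(role, action, resource, history=(), offer_status=None):
    """Return the id of the requirement that grants the access, else None.

    Default deny: an access is permitted only if some permission matches the
    role, action and resource and its precondition (a preceding operation in
    `history`, a required Offer status) holds.
    """
    for p in PERMISSIONS:
        if (p.role, p.action, p.resource) != (role, action, resource):
            continue
        if p.after and not p.after.intersection(history):
            continue
        if p.status is not None and p.status != offer_status:
            continue
        return p.sreq
    return None


def roles_with(action, resource):
    """Roles holding `action` on `resource`; used to check the 'Only X' rules."""
    return {p.role for p in PERMISSIONS
            if p.action == action and p.resource == resource}


def uncovered():
    """Assets named in A.9.4.1 that no permission in the model restricts."""
    data_covered = {p.resource for p in PERMISSIONS
                    if p.action in ("read", "update")}
    ops_covered = {p.resource for p in PERMISSIONS if p.action == "invoke"}
    return sorted((DATA - data_covered) | (OPERATIONS - ops_covered))


if __name__ == "__main__":
    print("Broker reads Offer status before any operation:",
          is_allowed("Broker", "read", "Offer status"))
    print("Broker reads Offer status after Email offer:",
          is_allowed("Broker", "read", "Offer status", history=["Email offer"]))
    print("Roles that may update Offer status:",
          roles_with("update", "Offer status"))
    print("A.9.4.1 assets without a permission:", uncovered())
```

Under this encoding `uncovered()` reports Email offer and Cancel offer: the listed requirements mention them only as preceding operations and assign no role to invoke them.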
Introduction of Security Constraints
Check Compliance Again
A.9.4.1 Information access restriction
(i) Access to Customer data, Relevant quotes, Offer status, and Selected quotes shall be restricted in accordance with the access control policy.
(ii) Access to Get customer contact data, Get relevant quotes, Email offer, Cancel offer, Register customer decision, and Register selected quotes shall be restricted in accordance with the access control policy.
A.13.2.1 Information transfer policies and procedures
(i) Formal transfer policies shall be in place to protect the transfer of Offer request, Offer, Request email offer, Offer status, and Decision on offer through the use of all types of communication facilities.
(ii) Formal transfer procedures shall be in place to protect the transfer of Offer request, Offer, Request email offer, Offer status, and Decision on offer through the use of all types of communication facilities.
(iii) Formal transfer controls shall be in place to protect the transfer of Offer request, Offer, Request email offer, Offer status, and Decision on offer through the use of all types of communication facilities.
Lessons Learnt
- Patterns could systematically guide the compliance manager to achieve compliance
- Future Work
  - Patterns do not deal with
    - (physical) human resource security, media handling, physical and environmental security, equipment and other
Limitations
- Formal compliance checking is not performed
- Future work
- Business process model is not enriched with security-related activities
Compliance checking: “a relationship between the formal representation of a business model and the formal representation of a relevant regulation”
[Governatori and Shek, 2012]
[Sadiq and Governatori, 2015]

Anders Soegaard NLP for Customer Support
 
Stephen Alstrup infinit august 2018
Stephen Alstrup infinit august 2018Stephen Alstrup infinit august 2018
Stephen Alstrup infinit august 2018
 
Innovation og værdiskabelse i it-projekter
Innovation og værdiskabelse i it-projekterInnovation og værdiskabelse i it-projekter
Innovation og værdiskabelse i it-projekter
 
Rokoko infin it presentation
Rokoko infin it presentation Rokoko infin it presentation
Rokoko infin it presentation
 

Kürzlich hochgeladen

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 

Kürzlich hochgeladen (20)

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 

Process-oriented Security Risk Analysis and Requirements Engineering

  • 1. Cyber-Physical Security of Critical Processes for Crucial Functions in Society, Copenhagen, 02.05.2016. Process-oriented Security Risk Analysis and Requirements Engineering. Raimundas Matulevičius, University of Tartu, Estonia
  • 2. Domain Model for Security Risk Management [Dubois et al., 2010]
  • 3. Content: Security Risk-aware BPMN; Security Risk-oriented Patterns; Business Processes and Compliance
  • 5. Business Process Modelling
      ◦ Objective
          ▪ What does an organisation need to do to achieve its business objectives?
      ◦ Advantages
          ▪ Reasonably intuitive
          ▪ Explicit declaration of business activities, processes and sub-processes
      ◦ Disadvantages
          ▪ Captures only a dynamic picture
          ▪ Not focused on the business support by technology
  • 6. Business Process Model and Notation
  • 7. Asset Identification and Security Objective Determination
  • 9. Risk Analysis and Assessment
  • 10. Security Requirements Definition
  • 11. Security Risk-aware BPMN [Altuhhova et al., 2013]
  • 12. Content: Security Risk-aware BPMN; Security Risk-oriented Patterns; Business Processes and Compliance
  • 13. Security Patterns [Schumacher et al, 2006]
      ◦ A security pattern describes
          ▪ a particular recurring security problem
          ▪ that arises in a specific security context
          ▪ and presents a well-proven generic scheme for a security solution
      ◦ Codify security knowledge in a structured and understandable way
      ◦ Presentation is familiar to the audience
      ◦ Proven solutions improve the integration of security into enterprises where needed
  • 14. Security Risk-oriented Patterns [Ahmed and Matulevičius, 2014]
      ◦ SRP1: Secure data from unauthorized access
      ◦ SRP2: Secure data transmitted between business entities
      ◦ SRP3: Secure business activity after data is submitted
      ◦ SRP4: Secure business services against denial of service attacks
      ◦ SRP5: Secure data stored in / retrieved from the data store
  • 23. Content: Security Risk-aware BPMN; Security Risk-oriented Patterns; Business Processes and Compliance
  • 24. Business Process and Compliance
      ◦ Business process management
          ▪ Instrument to manage enterprise activities
          ▪ Ensure consistent outcomes to bring value to customers
      ◦ Compliance
          ▪ A set of activities an organisation does to ensure that its core business does not violate the regulations
              - ISO/IEC 27001, NIST SP 800-39, Basel III, IT-Grundschutz, ISKE, etc.
  • 25. ISO/IEC 27001:2013
      ◦ Requirements for managing an organisation's sensitive information
          ▪ risk management
          ▪ risk assessment
          ▪ risk treatment means
      ◦ Guidance on understanding
          ▪ Organisation's context
          ▪ Leadership
          ▪ Planning
          ▪ Operation performance
          ▪ Physical access
          ▪ …
      ◦ Checklist of objectives and controls
  • 27. Business Process and Compliance [Alaküla and Matulevičius, 2015]
      ◦ Business process management
          ▪ Instrument to manage enterprise activities
          ▪ Ensure consistent outcomes to bring value to customers
      ◦ Compliance
          ▪ A set of activities an organisation does to ensure that its core business does not violate the regulations
              - ISO/IEC 27001, NIST SP 800-39, Basel III, IT-Grundschutz, ISKE, etc.
      ◦ Achieving business process compliance with regulations remains a rather labour-intensive activity
      ◦ Steps: Check compliance; Apply SRPs; Check compliance again; Compare results
  • 29. Insurance Brokerage System
  • 30. Insurance Brokerage System: Accept Offer
  • 32. ISO/IEC 27001:2013
      ◦ A.9.4.1 Information access restriction
          ▪ Access to information and application system functions shall be restricted in accordance with the access control policy.
      ◦ A.13.2.1 Information transfer policies and procedures
          ▪ Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.
      ◦ Abstract terminology
      ◦ Multiple requirements
      ◦ Not relevant requirements
  • 33. ISO/IEC 27001:2013
      ◦ A.9.4.1 Information access restriction
          ▪ Access to information and application system functions shall be restricted in accordance with the access control policy.
      ◦ A.9.4.1 Information access restriction
          ▪ (i) Access to Customer data, Relevant quotes, Offer status, and Selected quotes shall be restricted in accordance with the access control policy.
          ▪ (ii) Access to Get customer contact data, Get relevant quotes, Email offer, Cancel offer, Register customer decision, and Register selected quotes shall be restricted in accordance with the access control policy.
  • 35. Check Compliance
      ◦ A.9.4.1 Information access restriction
          ▪ (i) Access to Customer data, Relevant quotes, Offer status, and Selected quotes shall be restricted in accordance with the access control policy.
          ▪ (ii) Access to Get customer contact data, Get relevant quotes, Email offer, Cancel offer, Register customer decision, and Register selected quotes shall be restricted in accordance with the access control policy.
  • 38. Identify Pattern Occurrences
  • 39. Derive Security Model
      1. Identify resource
      2. Identify roles
      3. (Assign users)
      4. Identify secured operations
      5. Assign permissions
  • 41. Security requirements
      ◦ SReq.1.1: Only Broker should update offer’s Customer data and Relevant quotes.
          ▪ SReq.1.1.1: Broker should perform Get customer contact data.
          ▪ SReq.1.1.2: Broker should perform Get relevant quotes.
      ◦ SReq.1.2: Only Broker should read offer’s Offer status.
          ▪ SReq.1.2.1: Broker should view Offer status after operation Email offer.
          ▪ SReq.1.2.2: Broker should view Offer status after operation Cancel offer.
          ▪ SReq.1.2.3: Broker should view Offer status after operation Register customer decision.
      ◦ SReq.1.3: Customer should read offer’s Customer data and Relevant quotes after operation Email offer.
      ◦ SReq.1.4: Only Customer should update offer’s Offer status and Select quotes.
          ▪ SReq.1.4.1: By performing Send response task, Customer should invoke Register customer decision.
          ▪ SReq.1.4.2: By performing Send response task, Customer should invoke Register selected quote if Offer status is “Accepted”.
  • 42. Introduction of Security Constraints
  • 44. Check Compliance Again
      ◦ A.9.4.1 Information access restriction
          ▪ (i) Access to Customer data, Relevant quotes, Offer status, and Selected quotes shall be restricted in accordance with the access control policy.
          ▪ (ii) Access to Get customer contact data, Get relevant quotes, Email offer, Cancel offer, Register customer decision, and Register selected quotes shall be restricted in accordance with the access control policy.
  • 46. Compare results
      ◦ A.9.4.1 Information access restriction
          ▪ (i) Access to Customer data, Relevant quotes, Offer status, and Selected quotes shall be restricted in accordance with the access control policy.
          ▪ (ii) Access to Get customer contact data, Get relevant quotes, Email offer, Cancel offer, Register customer decision, and Register selected quotes shall be restricted in accordance with the access control policy.
      ◦ A.13.2.1 Information transfer policies and procedures
          ▪ (i) Formal transfer policies shall be in place to protect the transfer of Offer request, Offer, Request email offer, Offer status, and Decision on offer through the use of all types of communication facilities.
          ▪ (ii) Formal transfer procedures shall be in place to protect the transfer of Offer request, Offer, Request email offer, Offer status, and Decision on offer through the use of all types of communication facilities.
          ▪ (iii) Formal transfer controls shall be in place to protect the transfer of Offer request, Offer, Request email offer, Offer status, and Decision on offer through the use of all types of communication facilities.
  • 47. Lessons Learnt
      ◦ Patterns could systematically guide the compliance manager to achieve compliance
      ◦ Future Work
          ▪ Patterns do not deal with: (physical) human resource security, media handling, physical and environmental security, equipment and other
  • 50. Process-oriented Security Risk Analysis and Requirements Engineering: Security Risk-aware BPMN; Security Risk-oriented Patterns; Business Processes and Compliance
  • 52. Limitations
      ◦ Formal compliance checking is not performed
      ◦ Future work
      ◦ Business process model is not enriched with security-related activities
      ◦ Compliance checking: “a relationship between the formal representation of a business model and the formal representation of a relevant regulation” [Governatori and Shek, 2012] [Sadiq and Governatori, 2015]
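
The check compliance, apply SRPs, check again, compare results loop from the slides, as an added example that is not part of the original deck: the SReq.1.x list is encoded as role permissions for the offer, and the refined A.9.4.1 (i)/(ii) items are checked for coverage before and after. The `Permission` structure, the function names, reading "restricted" as "named by at least one permission", and normalising "Select quotes" / "Register selected quote" to the A.9.4.1 wording are assumptions. Email offer and Cancel offer occur in the SReq list only as triggers, so this encoding assigns them no invoker and the check reports them as open.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Items named in the refined control A.9.4.1 (i) and (ii) on the slides.
A941_DATA = ("Customer data", "Relevant quotes", "Offer status", "Selected quotes")
A941_OPERATIONS = (
    "Get customer contact data", "Get relevant quotes", "Email offer",
    "Cancel offer", "Register customer decision", "Register selected quotes",
)


@dataclass(frozen=True)
class Permission:
    """One row of the derived security model (hypothetical structure)."""
    sreq: str      # requirement id as given on the slides
    role: str      # "Identify roles"
    action: str    # "read"/"update" on offer data, "invoke" on operations
    target: str    # data attribute of the offer, or a secured operation
    condition: Optional[Callable[[dict], bool]] = None  # None = unconditional


def after_email_offer(state: dict) -> bool:
    return "Email offer" in state.get("done", ())


def after_status_change(state: dict) -> bool:
    # SReq.1.2.1-1.2.3: Broker views the status after one of these operations.
    changed = {"Email offer", "Cancel offer", "Register customer decision"}
    return bool(changed & set(state.get("done", ())))


def offer_accepted(state: dict) -> bool:
    return state.get("Offer status") == "Accepted"


# "Assign permissions": only what the SReq.1.x text states, nothing inferred.
SRP1_PERMISSIONS = (
    Permission("SReq.1.1", "Broker", "update", "Customer data"),
    Permission("SReq.1.1", "Broker", "update", "Relevant quotes"),
    Permission("SReq.1.1.1", "Broker", "invoke", "Get customer contact data"),
    Permission("SReq.1.1.2", "Broker", "invoke", "Get relevant quotes"),
    Permission("SReq.1.2", "Broker", "read", "Offer status", after_status_change),
    Permission("SReq.1.3", "Customer", "read", "Customer data", after_email_offer),
    Permission("SReq.1.3", "Customer", "read", "Relevant quotes", after_email_offer),
    Permission("SReq.1.4", "Customer", "update", "Offer status"),
    Permission("SReq.1.4", "Customer", "update", "Selected quotes"),
    Permission("SReq.1.4.1", "Customer", "invoke", "Register customer decision"),
    Permission("SReq.1.4.2", "Customer", "invoke", "Register selected quotes",
               offer_accepted),
)


def is_allowed(perms, role, action, target, state) -> bool:
    """Default deny: some permission must match and its condition must hold."""
    return any(
        p.role == role and p.action == action and p.target == target
        and (p.condition is None or p.condition(state))
        for p in perms
    )


def check_a941(perms) -> dict:
    """List the A.9.4.1 items that no permission in the model names."""
    data = {p.target for p in perms if p.action in ("read", "update")}
    ops = {p.target for p in perms if p.action == "invoke"}
    return {
        "A.9.4.1(i)": [d for d in A941_DATA if d not in data],
        "A.9.4.1(ii)": [o for o in A941_OPERATIONS if o not in ops],
    }


def compare(before: dict, after: dict) -> dict:
    """Per clause: items closed by applying the pattern, and items still open."""
    return {
        clause: {
            "closed": [i for i in before[clause] if i not in after[clause]],
            "open": after[clause],
        }
        for clause in before
    }


if __name__ == "__main__":
    before = check_a941(())               # process model without any access rules
    after = check_a941(SRP1_PERMISSIONS)  # model after applying SRP1
    for clause, result in compare(before, after).items():
        print(clause, result)
```
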