Abstract
Confidentiality is an important property that organizations relying on information technology have to preserve. The purpose of this work is to provide a structured approach for identifying confidentiality requirements. A key step in the information security risk management process is determining the impact level arising from a loss of confidentiality, integrity or availability. We deal here with impact level determination regarding confidentiality by proposing a method to calculate impact levels based on the different kinds of consequences that typically arise from threats. The proposed approach assesses the impact arising from confidentiality losses on different areas separately and uses a parameterized model that organizations can adjust to their specific needs. The developed approach has been validated in a small software development company.
© 2014 IFIP International Federation for Information Processing
Cite this paper
Cervantes, G.V., Fenz, S. (2014). How to Assess Confidentiality Requirements of Corporate Assets? In: Cuppens-Boulahia, N., Cuppens, F., Jajodia, S., Abou El Kalam, A., Sans, T. (eds) ICT Systems Security and Privacy Protection. SEC 2014. IFIP Advances in Information and Communication Technology, vol 428. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-55415-5_19
DOI: https://doi.org/10.1007/978-3-642-55415-5_19
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-55414-8
Online ISBN: 978-3-642-55415-5
eBook Packages: Computer Science (R0)