BT Technology Journal, Volume 25, Issue 1, pp 128–140

Using assurance models to aid the risk and governance life cycle

  • A. Baldwin
  • Y. Beres
  • S. Shiu


In this paper we describe an enterprise assurance model allowing many layers of the enterprise architecture, from the business processes, supporting applications and the IT infrastructure and operational processes, to be represented and related from a control and risk perspective. This provides a consistent way of capturing and relating the risk views for the various stakeholders within the organisation. At the lower level we use assurance models to provide automated testing of controls and policies, and at the higher level these results are related across the enterprise architecture. This enables a repository for manual and automated test results that can be used to derive different (but consistent) views for the various stakeholders.
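The abstract describes three ideas that fit together: controls attached to each layer of the enterprise architecture, automated tests of the lower-layer controls, and a repository of manual and automated results from which each stakeholder's view is derived. The following Python sketch is an added illustration of that arrangement, not code from the paper or from HP Labs. The layer names, control identifiers (INF-1, APP-1, BP-1 and so on), the evidence keys and the evidence values are all constructed for the example; the roll-up rule (a control is only effective if its own test and every control it depends on pass) is one plausible reading of "related across the enterprise architecture", not the paper's stated algorithm.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical assurance-model repository (added example, not the paper's code).
# Controls sit at one of three architecture layers and may depend on controls
# one layer below. Automated tests run against an evidence snapshot, manual
# test results are recorded alongside them, and a stakeholder view rolls the
# lower-layer results up to the layer that stakeholder cares about.

LAYERS = ("infrastructure", "application", "business")


@dataclass
class Control:
    cid: str
    layer: str
    objective: str
    test: Optional[Callable[[dict], bool]] = None  # None => manually tested control
    depends_on: List[str] = field(default_factory=list)


@dataclass
class TestResult:
    cid: str
    passed: bool
    source: str  # "automated" or "manual"


class AssuranceModel:
    def __init__(self) -> None:
        self.controls: Dict[str, Control] = {}
        self.results: Dict[str, TestResult] = {}

    def add(self, control: Control) -> None:
        if control.layer not in LAYERS:
            raise ValueError(f"unknown layer {control.layer!r}")
        self.controls[control.cid] = control

    def run_automated(self, evidence: dict) -> None:
        # Evaluate every control that has an automated test. Missing evidence
        # is recorded as a failure: "untested" must never look like "passed".
        for c in self.controls.values():
            if c.test is None:
                continue
            try:
                passed = bool(c.test(evidence))
            except KeyError:
                passed = False
            self.results[c.cid] = TestResult(c.cid, passed, "automated")

    def record_manual(self, cid: str, passed: bool) -> None:
        self.results[cid] = TestResult(cid, passed, "manual")

    def effective_status(self, cid: str) -> Tuple[bool, List[str]]:
        """Own result AND the effective status of every dependency.
        Returns (passed, ids of the controls whose failure propagated up)."""
        own = self.results.get(cid)
        failed: List[str] = [] if (own is not None and own.passed) else [cid]
        for dep in self.controls[cid].depends_on:
            ok, dep_failed = self.effective_status(dep)
            if not ok:
                failed.extend(dep_failed)
        return (not failed, failed)

    def view(self, layer: str) -> Dict[str, Tuple[bool, List[str]]]:
        # The view a stakeholder at this layer sees: each of their controls,
        # with any lower-layer failures that undermine it named explicitly.
        return {c.cid: self.effective_status(c.cid)
                for c in self.controls.values() if c.layer == layer}


def build_sample_model() -> AssuranceModel:
    # Constructed controls and dependencies (hypothetical, for illustration).
    m = AssuranceModel()
    m.add(Control("INF-1", "infrastructure", "Backups complete within 24h",
                  test=lambda e: e["backup_last_success_hours"] <= 24))
    m.add(Control("INF-2", "infrastructure", "All admin accounts use MFA",
                  test=lambda e: e["admin_mfa_fraction"] == 1.0))
    m.add(Control("APP-1", "application", "Production changes are approved",
                  test=lambda e: e["unapproved_changes"] == 0, depends_on=["INF-2"]))
    m.add(Control("APP-2", "application", "Ledger data is recoverable",
                  test=lambda e: e["restore_test_passed"], depends_on=["INF-1"]))
    m.add(Control("BP-1", "business", "Financial reporting integrity",
                  depends_on=["APP-1", "APP-2"]))  # manual walkthrough only
    return m


# Constructed evidence snapshot, as a monitoring agent might collect it.
SAMPLE_EVIDENCE = {
    "backup_last_success_hours": 30,  # stale: breaches the 24h objective
    "admin_mfa_fraction": 1.0,
    "unapproved_changes": 0,
    "restore_test_passed": True,
}


def assess(evidence: dict = SAMPLE_EVIDENCE) -> Dict[str, Dict[str, Tuple[bool, List[str]]]]:
    m = build_sample_model()
    m.run_automated(evidence)
    m.record_manual("BP-1", True)  # the auditor's walkthrough passed
    return {layer: m.view(layer) for layer in LAYERS}


if __name__ == "__main__":
    for layer, statuses in assess().items():
        print(layer)
        for cid, (ok, failed) in statuses.items():
            cause = f"  caused by {failed}" if failed else ""
            print(f"  {cid}: {'PASS' if ok else 'FAIL'}{cause}")
```

With the constructed evidence the business-process owner's view shows BP-1 failing even though the manual walkthrough passed, because the automated backup check at the infrastructure layer failed and that result is related upward through APP-2. The same repository answers the infrastructure team's narrower question (which of my controls failed) without a separate assessment.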


Keywords: Business Process, Control Objective, Enterprise Architecture, Control Architecture, Internal Audit





Copyright information

© Springer Science+Business Media, Inc. 2007

