Abstract
Auditing the security of information flows is still considered one of the challenges in business information systems development. Different standards and approaches address information security. However, because of the number of information assets that have to be audited and the frequency of their changes, the audit becomes complex and sometimes too subjective. Therefore, to be able to audit information security at the business process level, we needed a method that gives a base structure for the audit activities and supports the choice of information assets for the audit. In this regard, the Security Requirement Elicitation from Business Process approach, which focuses on information security requirements in business processes, provided the idea of grounding the audit approach in business processes and the information flows within them, so that both business and technology aspects can be considered in an integrated way during the audit.
Appendix: Audit Plan Requirements
© 2016 Springer International Publishing Switzerland
Kozlovs, D., Kirikova, M. (2016). Auditing Security of Information Flows. In: Řepa, V., Bruckner, T. (eds) Perspectives in Business Informatics Research. BIR 2016. Lecture Notes in Business Information Processing, vol 261. Springer, Cham. https://doi.org/10.1007/978-3-319-45321-7_15
DOI: https://doi.org/10.1007/978-3-319-45321-7_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-45320-0
Online ISBN: 978-3-319-45321-7
eBook Packages: Business and Management (R0)