
Auditing Security of Information Flows

Conference paper. Published in: Perspectives in Business Informatics Research (BIR 2016).

Part of the book series: Lecture Notes in Business Information Processing (LNBIP, volume 261)

Abstract

Auditing the security of information flows is still considered one of the challenges in business information systems development. Different standards and approaches address information security. However, because of the number of information assets that have to be audited and the frequency with which they change, the audit becomes complex and sometimes too subjective. Therefore, in order to audit information security at the business process level, we needed a method that gives a base structure for the audit activities and supports the choice of information assets for the audit. In this regard, the Security Requirement Elicitation from Business Process approach, which focuses on information security requirements in business processes, provided the idea of grounding the audit approach in business processes and the information flows within them, so that both business and technology aspects can be considered together during the audit.




Corresponding author: Marite Kirikova.


Appendix: Audit Plan Requirements


© 2016 Springer International Publishing Switzerland


Cite this paper

Kozlovs, D., Kirikova, M. (2016). Auditing Security of Information Flows. In: Řepa, V., Bruckner, T. (eds) Perspectives in Business Informatics Research. BIR 2016. Lecture Notes in Business Information Processing, vol 261. Springer, Cham. https://doi.org/10.1007/978-3-319-45321-7_15
