Security Policy Model in a Hybrid Zachman-TOGAF Framework for a Telework Enterprise Architecture in a Cloud Environment

DOI: 10.4236/ojsst.2024.143008, PP. 96-115

Keywords: Security Policy, Zachman-TOGAF Framework, Residual Risk, Cloud, Teleworking


Abstract:

Context and motivation: In a post-COVID-19 world that keeps changing, more and more businesses are adopting teleworking models, and cloud technology has become essential for collaboration and data access. This shift to teleworking and the cloud, however, raises major challenges for the security of organizations' information systems. Protecting sensitive data and IT systems has become an absolute priority for guaranteeing business continuity and countering cyber threats and attacks, and security policies must be put in place to do so. Problem: Within a hybrid Zachman-TOGAF Framework for an enterprise architecture that exploits cloud technology in a teleworking context, several problems arise, among them: how can the confidentiality, integrity and availability of the company's critical data be ensured in a teleworking environment that relies on cloud solutions? Objective and methodology: To address this, the article proposes a systemic approach built on a mathematical optimization model that identifies, assesses and manages information security risks under budgetary constraints, so that confidential data receives adequate protection. The aim is a secure, reliable and resilient working environment in which employees can access the resources they need with confidence, even outside the organization's premises. Results: The approach shows how a mathematical model can optimize security decisions in a cloud environment within a dedicated teleworking enterprise architecture. By integrating these results into a hybrid Zachman-TOGAF Framework, the organization can align its security strategy with its business objectives while respecting budgetary constraints and minimizing risk.
In addition, Monte Carlo simulations over 10,000 iterations, run on the same mathematical model to assess how residual risk varies with fluctuations in threat probabilities and in the cost of security measures, show a trade-off between the cost of implementing a measure, the available budget and the residual risk. This trade-off supports decision-making and strategic choices about information system security for the system operating in the organization.
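As an added illustration, not from the paper, of the two modelling steps the abstract describes (budget-constrained selection of security measures that minimises residual risk, then Monte Carlo re-evaluation of that choice under uncertain threat probabilities and costs), the following Python example uses a constructed catalogue of teleworking/cloud threats and controls. The threat probabilities, impacts, control costs and effectiveness figures are assumptions made for the example; the paper's own model, data and objective function are not on this page.

```python
"""Budget-constrained selection of security controls and Monte Carlo
analysis of the residual risk, as a worked illustration of the kind of
model the abstract describes. All threats, controls, effectiveness values
and costs below are constructed for the example, not taken from the paper."""

import random
from itertools import combinations

# Constructed threat catalogue for a teleworking/cloud setting:
# name -> (annual probability of occurrence, impact in currency units)
THREATS = {
    "phishing_credential_theft": (0.60, 80_000),
    "unmanaged_endpoint_compromise": (0.35, 120_000),
    "cloud_storage_misconfiguration": (0.25, 200_000),
    "vpn_service_outage": (0.20, 50_000),
}

# Constructed control catalogue: name -> (cost, {threat: fraction of that
# threat's risk removed when the control is in place})
CONTROLS = {
    "mfa_for_all_users": (15_000, {"phishing_credential_theft": 0.80, "unmanaged_endpoint_compromise": 0.20}),
    "endpoint_mdm_and_edr": (40_000, {"unmanaged_endpoint_compromise": 0.70, "phishing_credential_theft": 0.30}),
    "cspm_scanning": (25_000, {"cloud_storage_misconfiguration": 0.75}),
    "security_awareness_training": (8_000, {"phishing_credential_theft": 0.40}),
    "redundant_vpn_gateways": (30_000, {"vpn_service_outage": 0.85}),
    "dlp_on_cloud_storage": (20_000, {"cloud_storage_misconfiguration": 0.35, "unmanaged_endpoint_compromise": 0.10}),
}


def residual_risk(selected, threats=THREATS, controls=CONTROLS):
    """Expected annual loss that remains after the selected controls.

    Each control removes an independent fraction of a threat's risk, so the
    surviving fraction is the product of (1 - effectiveness) over the selected
    controls; risk is probability x impact per threat, summed over threats.
    """
    total = 0.0
    for threat, (prob, impact) in threats.items():
        surviving = 1.0
        for ctrl in selected:
            surviving *= 1.0 - controls[ctrl][1].get(threat, 0.0)
        total += prob * impact * surviving
    return total


def total_cost(selected, controls=CONTROLS):
    return sum(controls[c][0] for c in selected)


def optimise(budget, threats=THREATS, controls=CONTROLS):
    """0/1 selection minimising residual risk subject to total cost <= budget.

    Exhaustive search over all subsets: fine for a handful of controls, which
    is the usual size of a decision like this; a larger catalogue would hand
    the same objective and constraint to an ILP solver instead.
    """
    names = list(controls)
    best, best_risk = (), residual_risk((), threats, controls)
    for k in range(1, len(names) + 1):
        for subset in combinations(names, k):
            if total_cost(subset, controls) > budget:
                continue
            risk = residual_risk(subset, threats, controls)
            if risk < best_risk:
                best, best_risk = subset, risk
    return best, best_risk


def monte_carlo(selected, budget, iterations=10_000, prob_spread=0.3,
                cost_spread=0.2, seed=42, threats=THREATS, controls=CONTROLS):
    """Re-evaluate a fixed control set under uncertainty.

    Threat probabilities and control costs are each perturbed uniformly by
    +/- the given fraction (assumed noise model); returns summary statistics
    of the residual risk and how often the chosen set exceeds the budget once
    costs move, i.e. the cost / budget / residual-risk trade-off.
    """
    rng = random.Random(seed)
    risks, over_budget = [], 0
    for _ in range(iterations):
        t = {name: (min(1.0, max(0.0, p * rng.uniform(1 - prob_spread, 1 + prob_spread))), imp)
             for name, (p, imp) in threats.items()}
        c = {name: (cost * rng.uniform(1 - cost_spread, 1 + cost_spread), eff)
             for name, (cost, eff) in controls.items()}
        risks.append(residual_risk(selected, t, c))
        if total_cost(selected, c) > budget:
            over_budget += 1
    risks.sort()
    return {
        "mean": sum(risks) / len(risks),
        "p05": risks[int(0.05 * len(risks))],
        "p95": risks[int(0.95 * len(risks))],
        "over_budget_fraction": over_budget / iterations,
    }


if __name__ == "__main__":
    budget = 70_000
    chosen, risk = optimise(budget)
    print(f"baseline residual risk: {residual_risk(()):,.0f}")
    print(f"chosen under budget {budget:,}: {chosen} cost={total_cost(chosen):,} residual={risk:,.0f}")
    print({k: round(v, 3) for k, v in monte_carlo(chosen, budget).items()})
```

Running it selects the four controls that fit the 70,000 budget and reports the mean and 5th/95th percentiles of residual risk over 10,000 perturbed iterations, together with how often the chosen set overruns the budget once costs move; a set that is optimal at nominal cost but breaches the budget in a large share of iterations is exactly the kind of result that pushes a decision-maker toward a cheaper, slightly less effective selection.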

