Advances in Enterprise Engineering XII by David Aveiro & Giancarlo Guizzardi & Sérgio Guerreiro & Wided Guédria

Author: David Aveiro & Giancarlo Guizzardi & Sérgio Guerreiro & Wided Guédria
Language: eng
Format: epub
ISBN: 9783030060978
Publisher: Springer International Publishing


4.1 Government Case

The governmental organisation must comply with the BIR [29]. This norm is based on the ISO 27000 series, and its 12 domains match those of the ISO standard: Information Security Policy, Information Security management organisation, Asset management, Personnel security, Access management, and so on. In order to report frequently on the status of BIR maturity, this actor requires a periodic status overview of the effectiveness of controls. This customer request starts a process that extracts the status of the organisation's key controls under the BIR. These controls are implemented, for example, within IT operations, via processes and technology. The effectiveness of these controls can be measured and expressed numerically, for example via maturity models with predefined scales such as ISO 15504. On that scale a score of 0% is rated Not achieved / Non-existent (N), everything in between is Partially achieved (P) or Largely achieved (L), and 100% is Fully achieved (F); ISO 15504 places the band boundaries at 15%, 50% and 85%. This NPLF scoring leaves room for multiple criteria per maturity level of a control. Each control is tested and scored on both its design and its operating effectiveness, and the result is reflected in a dashboard. Ideally, proving the design and effectiveness of most of these controls is an automated, scripted process.

The figure below shows a dashboard of the key BIR domains. Every domain comprises multiple controls that are weighted and collectively expressed, via NPLF scores, in a meter per domain. The improvement value per domain is shown in green, or in red if the maturity level has decreased. The overall colour of the meter shows progress against the predefined desired state.

When an organisation is subject to multiple regulators (e.g. the Autoriteit Persoonsgegevens) or internal control frameworks (e.g. ISO), it is desirable to map all of these baselines onto the existing baseline (BIR). This cross-referencing of models and their controls, labelled 'x-ref' in the upper left of the meta-model, is needed to establish one exhaustive framework of the existing controls, so that identical controls are not tested and evidenced twice. In this case, the actor requests reporting on the BIR status only, as a reflection of control effectiveness via an NPLF score expressed in a dashboard with meters. See Fig. 3 for the Dutch dashboard; the domain numbers shown in Dutch correspond to the English domain names 5 = Information Security Policy, 6 = Information Security management organisation, 7 = Asset management, 8 = Personnel security, 11 = Access management, 12 = Acquisition and development of systems, 13 = Incident management and 14 = Business Continuity Management.

Fig. 3. Artefact dashboard displaying BIR status per domain
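The scoring and aggregation described in the two paragraphs above, worked as an added Python example (not code from the book or from the case organisation): each control carries a design and an effectiveness score, a domain meter is the weighted average of its controls mapped onto the ISO 15504 N/P/L/F bands, the delta against the previous period is coloured green or red, and the meter colour compares the domain rating with the desired state. It also collapses an x-ref of external requirements onto BIR controls so that each control is evidenced once. The control identifiers, weights, scores, the x-ref mapping, the "effectiveness capped by design" rule and the amber meter colour are all assumptions made for the example.

```python
"""Added example (not from the book): weighted NPLF maturity scoring per BIR
domain, period-over-period deltas, and x-ref collapsing of duplicate controls.
All control identifiers, weights and scores below are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass

# ISO/IEC 15504 rating bands for "percent achieved". The page only names the end
# points (0% = N, 100% = F); the 15/50/85 boundaries are the standard's.
NPLF_BANDS = ((15.0, "N"), (50.0, "P"), (85.0, "L"), (100.0, "F"))
RANK = {"N": 0, "P": 1, "L": 2, "F": 3}

# Domain numbers and names as listed on the page.
DOMAINS = {
    5: "Information Security Policy",
    6: "Information Security management organisation",
    7: "Asset management",
    8: "Personnel security",
    11: "Access management",
    12: "Acquisition and development of systems",
    13: "Incident management",
    14: "Business Continuity Management",
}


def nplf(percent: float) -> str:
    """Map a 0-100 achievement percentage to its N/P/L/F rating."""
    if not 0.0 <= percent <= 100.0:
        raise ValueError(f"score out of range: {percent}")
    return next(label for upper, label in NPLF_BANDS if percent <= upper)


@dataclass(frozen=True)
class Control:
    cid: str              # control id (constructed, not real BIR numbering)
    domain: int           # BIR/ISO domain number, see DOMAINS
    weight: float         # relative weight of the control within its domain
    design: float         # % of design criteria met by the (scripted) test
    effectiveness: float  # % of operating-effectiveness criteria met

    def score(self) -> float:
        # Assumption: a control cannot operate more effectively than it is
        # designed, so the combined score is effectiveness capped by design.
        return min(self.design, self.effectiveness)


def domain_scores(controls):
    """Weighted average control score (0-100) per domain."""
    totals = defaultdict(lambda: [0.0, 0.0])
    for c in controls:
        totals[c.domain][0] += c.weight * c.score()
        totals[c.domain][1] += c.weight
    return {d: num / den for d, (num, den) in totals.items()}


def meter_colour(rating: str, target: str) -> str:
    """Meter colour against the desired state: green at or above target,
    amber one band below, red further away (the amber step is an assumption)."""
    gap = RANK[target] - RANK[rating]
    return "green" if gap <= 0 else "amber" if gap == 1 else "red"


def dashboard(current, previous, target: str = "L"):
    """One row per domain: score, NPLF rating, delta vs. the previous period
    (green, or red on a decrease) and the meter colour vs. the target rating."""
    now, before = domain_scores(current), domain_scores(previous)
    rows = {}
    for d in sorted(now):
        delta = now[d] - before.get(d, 0.0)
        rating = nplf(now[d])
        rows[d] = {
            "name": DOMAINS.get(d, f"domain {d}"),
            "score": round(now[d], 1),
            "rating": rating,
            "delta": round(delta, 1),
            "delta_colour": "red" if delta < 0 else "green",
            "meter": meter_colour(rating, target),
        }
    return rows


def collapse_xref(xref):
    """Invert an external-requirement -> BIR-control mapping so that each BIR
    control is tested once and its evidence reused by every framework citing it."""
    by_bir = defaultdict(set)
    for ext_ref, bir_ids in xref.items():
        for bid in bir_ids:
            by_bir[bid].add(ext_ref)
    return dict(by_bir)


# Constructed sample data: two reporting periods for two domains.
LAST_PERIOD = [
    Control("BIR-11.1", 11, 2.0, 80.0, 60.0),
    Control("BIR-11.2", 11, 1.0, 100.0, 40.0),
    Control("BIR-13.1", 13, 1.0, 90.0, 90.0),
]
THIS_PERIOD = [
    Control("BIR-11.1", 11, 2.0, 90.0, 90.0),
    Control("BIR-11.2", 11, 1.0, 100.0, 70.0),
    Control("BIR-13.1", 13, 1.0, 90.0, 45.0),
]
# Constructed x-ref: which BIR controls each external requirement maps to.
XREF = {
    "AVG art. 32": {"BIR-11.1", "BIR-13.1"},
    "ISO 27001 A.9": {"BIR-11.1", "BIR-11.2"},
}

if __name__ == "__main__":
    for d, row in dashboard(THIS_PERIOD, LAST_PERIOD, target="F").items():
        print(d, row)
    print(collapse_xref(XREF))
```

With the sample data, domain 11 rises from about 53% to 83% (Largely achieved, one band below a Fully achieved target, so the meter is amber with a green delta), while domain 13 drops to Partially achieved with a red delta and a red meter. Feeding the same design/effectiveness scores in from a scripted control test is the automation step the text calls the ideal situation.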
