Analysis of Strongly and Weakly Coupled
Management Systems in Information Security
Wolfgang Boehmer*
*Technische Universität Darmstadt, Morneweg Str. 30, CASED building, 64293 Darmstadt, Germany
Email: wboehmer@cdc.informatik.tu-darmstadt.de
Abstract—In an effort to enhance enterprise security, three standard management systems have been established as applications of the Deming cycle: the Information Security Management System (ISMS) in accordance with the ISO 27001 standard, the Business Continuity Management System (BCMS) in accordance with the BS 25999 standard, and the Information Technology Service Management System (ITSM) in accordance with the ISO 20000 standard. These three management systems have been developed to operate independently of one another, but they are often used together within a given company. It can be shown that management systems modeled after the Deming cycle behave as bisimulations with dynamic feedback policies and can be expressed formally as control circuits within Discrete Event Systems (DES) theory. In this article, we present an analytical description of the optimal structure through which the three management systems (ISMS, BCMS, and ITSM) should be linked in a company. We define a coupling parameter and, using an equation for the discrete control loop, show that ISMS and ITSM should ideally be strongly coupled, and ISMS and BCMS should be weakly coupled.
Index Terms—dynamic policies; control loop; bisimulation; coupled management systems; strong/weak coupling; control systems engineering.
I. INTRODUCTION
In computer science, system-wide policies have far-reaching implications and have been the subject of many investigations. For example, policies define firewall configurations, authentication protocols, and network management. Initially, policies were static in character: they separate the allowable states of a system or process from unacceptable ones and dictate how the latter are controlled. Over the years, it has become obvious that static policies do not meet the requirements of companies or electronic communication protocols. Dynamic policies have been developed to accommodate these requirements and have been made flexible in terms of responding to changes over time. Detailed flexibility strategies can be found, for example, in [1]. The foundations for dynamic policies were first formulated by Meyden in 1996 [2]. The gains in flexibility meet the needs of businesses, and dynamic policies have been widely applied in a range of systems. From the perspective of enterprise security, both static and dynamic policies share one disadvantage: they do not provide feedback and, therefore, lack a master control option for enterprise management.
Policies with feedback have, in general, been under-appreciated in computer science research. In contrast, control system engineering research regularly implements control loops with built-in feedback capabilities to monitor technical systems, and these loops can be modeled by the framework of discrete event systems (DES) theory. In general, control system engineering is a discipline that mathematically models diverse systems in nature by analyzing their dynamic behavior. Control theory is applied to create a controller mechanism that shifts the system behavior in a desired manner. Control loops have gained far-reaching significance because they are not purely technical models; the control loops define general organizing principles that incorporate concepts of self-regulation observed in biology, sociology/psychology, and general systems theory. An extensive body of literature discusses control loops, and the reader is referred, e.g., to [3]. In the realm of control system engineering, the task of control loops can be defined as follows:

Def.: Control circuits maintain a process' time-dependent parameters within a predetermined range of values, particularly in response to disturbances.
Management systems in accordance with the ISO 27001, BS 25999, and ISO 20000 standards are the ones most frequently used to protect companies. The rising rates of international certification attest to the widespread adoption of these management systems. The ISO 27001 standard provides requirements for an Information Security Management System (ISMS), BS 25999 describes a Business Continuity Management System (BCMS), and ISO 20000 describes an IT Service Management System (ITSM). These management systems are designed to follow a Deming-cycle-structured process (Plan-Do-Check-Act) that forms a closed loop. However, no formal descriptions of these management systems have been presented so far.
This paper examines the extent to which the theory of control loops can be transferred to management systems, including socio-technical systems, that can be described by a Deming cycle. Furthermore, this work investigates the importance and strength of coupling between management systems designed in accordance with the ISO 27001 (ISMS), BS 25999 (BCMS), and ISO 20000 (ITSM) standards. To this end, the theory of control loops is applied within the context of DES theory.

This paper is divided into five sections. The second section discusses control loops applied to technical systems,
2010 Fourth International Conference on Emerging Security Information, Systems and Technologies
978-0-7695-4095-5/10 $26.00 © 2010 IEEE
DOI 10.1109/SECURWARE.2010.12