Goal. Security Risk-Oriented BPMN


Transcription:

Fundamentals of Secure System Modelling, Springer, 2017
Chapter 5: Security Risk-Oriented BPMN
Raimundas Matulevičius, University of Tartu, Estonia, rma@ut.ee

Slide 2: Goal
Explain how security risks are managed in organisational business processes.
Understand how security risk management can be performed using Business Process Model and Notation (BPMN).

Slide 3: Outline
Business process model and notation
Security risk management using BPMN
Abstract and concrete syntax
Semantics
Example
Further reading

(Slide 4 repeats the outline as a section divider.)

Slide 5: Business Process Model and Notation

Slide 6: Business Process Model and Notation
Approach: what does an organisation need to do to achieve its business objectives?
Advantages: reasonably intuitive; explicit declaration of business activities, processes and sub-processes.
Disadvantages: captures only a dynamic picture of the organisation; not focused on how technology supports the business.

(Slide 7 repeats the outline as a section divider.)

Slides 8-15: Abstract and concrete syntax, concept classification (diagram slides)

Slides 16-21: Abstract and concrete syntax, relationships (diagram slides)

(Slide 22 repeats the outline as a section divider.)

Slide 23: Semantics, asset-related concepts (diagram slide)

Slide 24: Semantics, risk-related concepts (diagram slide)

Slide 25: Semantics, risk treatment-related concepts (diagram slide)

(Slide 26 repeats the outline as a section divider.)

Slide 27: Security risk management process

Slide 28: Asset identification and security objectives determination

Slide 29: Risk analysis

Slide 30: Risk treatment decisions
Avoiding risk: decision not to be involved in, or to withdraw from, a risk.
Transferring risk: sharing with another party the burden of loss for a risk.
Retaining risk: accepting the burden of loss from a risk.
Reducing risk: action to lessen the probability, the negative consequences, or both, associated with a risk.

Slide 31: Security requirements definition
Security requirements are the security solutions that mitigate the risks.
If the security requirements are unsatisfactory: revise the risk treatment step, or revise all of the preceding steps.

Slide 32: Control selection and implementation

(Slide 33 repeats the outline as a section divider.)

Slide 34: Further reading
Risk handling [Marcinkowski and Kuciapski, 2012]
- Risk, risk factor, occurrence probability and impact
- Risk type and risk handler concepts
Modelling of secure business processes through security requirements [Rodriguez et al., 2007]
- Non-repudiation, attack harm detection, integrity, privacy, access control, security role, and security permission
Security constraints and security-specific user involvement [Mülle et al., 2011]
- Security units are represented as structured text annotations

Slide 35: Further reading
Enhancements towards trust modelling [Menzel et al., 2009]
- Annotating trustworthy interactions, organisational trust, and security intentions
Information assurance and security modelling capabilities [Cherdantseva et al., 2012]
Compliance to restrict certain areas of a business process [Schleicher et al., 2010]
Security and compliance requirements [Brucker et al., 2012]
- Access control, separation of duty, binding of duty and need-to-know principles

Slide 36: Summary
Business process model and notation
Security risk management using BPMN
Abstract and concrete syntax
Semantics
Example
Further reading