http://dx.doi.org/10.3745/JIPS.2014.10.1.132

How to Manage Cloud Risks Based on the BMIS Model

Song, Youjin (Dept. of Information Management, Dongguk University)
Pang, Yasheng (Dept. of Information Management, Dongguk University)
Publication Information
Journal of Information Processing Systems, vol. 10, no. 1, 2014, pp. 132-144
Abstract
Information always comes with security and risk problems. As the saying goes, "The tall tree catches much wind," and the risks arising from cloud services will certainly be more varied and more severe. Nowadays, handling these risks is no longer just a technology problem. A good deal of literature on risk or security management and on frameworks for information systems has already been published. This paper analyzes the causal risk factors in cloud environments through critical success factors, from a business perspective. We then integrate these critical success factors into a business model for information security by mapping them onto 10 principles related to cloud risks. In this way, we identify which aspects deserve more consideration in actual transactions of cloud services and derive a business-level, general risk control model for cloud computing.
Keywords
Cloud Risk; Risk Control; Cloud Computing; BMIS; CSFs