Managing Security in Services - a Goal & Process Approach

By Yudistira Asnar and Fabio Massacci

Lecture Notes. FOSAD' 2011. Springer Verlag.


This tutorial is targeted at researchers, practitioners, and regulators who work in the area of security, IT risk, and IT GRC (Governance, Risk, and Compliance).

This tutorial introduces the GRC SI* Framework for analysing IT-related risks in order to manage the security of business processes in service-oriented and outsourcing scenarios, centred on the concepts of goal and process. By analysing business goals and the processes that support them, one can identify which services need to be controlled and monitored so that the organization can ensure the security and continuity of its business.

The GRC SI* framework helps analysts elicit and analyse control objectives, using a risk model as guidance. The framework then provides methodological steps to operationalize the control objectives into a series of control processes and mechanisms. The tutorial outlines a set of analysis techniques that can be used during analysis and design. In particular, the SI* CASE tool supports business analysts in assessing the risk level and evaluating whether they need to employ additional controls in such an environment. The framework will be explained and demonstrated using an industry-specific scenario.

  • Overview of the challenges of managing security in business process outsourcing, and a review of the state of the art and state of practice in IT GRC and Information Security Management
  • Explanation of the GRC SI* Framework
  • A tool demonstration, with participants trying out the methodology on a “real-life” scenario

The first and second sessions are formatted as lectures, while the third session is conducted as a case-study workshop in which participants act as designers of a GRC program using the proposed methodology. We encourage participants to apply the methodology (manually or using the tool) to their own scenario or problem.

The work of this tutorial is supported by the integrated project EU-FP7-IST-IP-ANIKETOS (http://www.aniketos.eu/), the network of excellence EU-FP7-IST-NOE-NESSOS (http://www.nessos-project.eu/), and the integrated project EU-FP7-FET-IP-SECURECHANGE (http://www.securechange.eu).

About the Presenters

Fabio Massacci received an M.Eng. in 1993 and a Ph.D. in Computer Science and Engineering from the University of Rome “La Sapienza” in 1998. He visited Cambridge University in 1996-1997. He joined the University of Siena as Assistant Professor in 1999 and was a visiting researcher at IRIT Toulouse in 2000. In 2001 he joined the University of Trento, where he is now a full professor. In 2001 he received the Intelligenza Artificiale award from the Italian Association for Artificial Intelligence. He is a member of AAAI, ACM and the IEEE Computer Society, and a chartered engineer.

His research interests are in security requirements engineering, formal methods and computer security.

For 7 years he was deputy rector for ICT procurements, supervising 70+ IT staff members and a yearly budget of 3+ MEuro of IT service and outsourcing contracts. Currently he is coordinator of the SecureChange R&D project, responsible for scientific excellence in the EU Network of Excellence NESSOS, works on modelling trust and security of services in the ANIKETOS project, and was scientific coordinator of the MASTER EU project on security and compliance.

Yudistira Asnar received his PhD in Computer Science and Information Engineering from the University of Trento, Italy, in 2009. His research interests include requirements engineering, agent systems, security and dependability governance-risk-compliance management, and information assurance. The main focus of his research is on modelling and analysing the governance, risk and compliance of IT services. He is involved in several EU R&D projects in the area of security and compliance.