Yuri Bobbert | University of Antwerp

Papers by Yuri Bobbert

Organizing Viable Information Security Governance and Management

Business information security has evolved over the years. It started as a technique to protect critical information assets from the growing use of information technology and its accompanying risks; it has now grown into a topic widely discussed at board level. Cybercrime has also evolved into much more than an attempt to steal logical information assets: hardware assets, networks, servers, employees and even organizations themselves have become targets. Organizations must ensure that they remain viable against the rising and evolving threats that accompany the use of information technology. In order to provide guidance, this research applies concepts from the Viable System Model, established by Stafford Beer, to diagnose viability and resistance against cyber threats. Using concepts from management cybernetics and this viable system model, this research furthermore proposes a new holistic way of looking at business information ...

Hoe veilig is mijn aandeel? (How safe is my share?)

On the Design and Engineering of a Zero Trust Security Artefact

Advances in Intelligent Systems and Computing, 2021

Adequately informing the board of directors about operational security effectiveness is cumbersome. How can the effectiveness of technological solutions for cybersecurity and privacy be proven and measured, and how can this technology be aligned with the governance and financial goals at board level? These are the essential questions for any C-level executive concerned with the wellbeing of the firm. The concept of Zero Trust (ZT) approaches information and cybersecurity from the perspective of the asset, or set of assets, to be protected, and from the value that it represents. Zero Trust has been around for quite some time. This paper describes the current state of the art in Zero Trust. We investigate the limitations of current approaches and how these are addressed in the Zero Trust Framework developed by ON2IT ‘Zero Trust Innovators’ (1). Furthermore, this paper describes the design and engineering of a Zero Trust artefact (dashboard) that addresses the problems at hand (2), according to Design Science Research (DSR). The last part of this paper outlines the setup of an empirical validation through practitioner-oriented research, in order to achieve better implementation of Zero Trust strategies (3). The final result is a proposed framework and associated technology which, via Zero Trust principles, addresses multiple layers of the organization to grasp and align cybersecurity risks and to understand the readiness and fitness of the organization and its measures to counter cybersecurity risks.

Zero Trust Validation: From Practical Approaches to Theory

Scientific Journal of Research & Reviews, 2020

How can high-level directives concerning risk, cybersecurity and compliance be operationalized in the central nervous system of any organization above a certain complexity? How can the effectiveness of technological solutions for security be proven and measured, and how can this technology be aligned with the governance and financial goals at board level? These are the essential questions for any CEO, CIO or CISO concerned with the wellbeing of the firm. The concept of Zero Trust (ZT) approaches information and cybersecurity from the perspective of the asset to be protected, and from the value that asset represents. Zero Trust has been around for quite some time. Most professionals associate Zero Trust with a particular architectural approach to cybersecurity, involving concepts such as segments, resources that are accessed in a secure manner, and the maxim "always verify, never trust". This paper describes the current state of the art in Zero Trust usage. We investigate the limitations of current approaches and how these are addressed in the form of Critical Success Factors in the Zero Trust Framework developed by ON2IT 'Zero Trust Innovators' (1). Furthermore, this paper describes the design and engineering of a Zero Trust artifact that addresses the problems at hand (2), according to Design Science Research (DSR). The last part of this paper outlines the setup of an empirical validation through practitioner-oriented research, in order to gain broader acceptance and implementation of Zero Trust strategies (3). The final result is a proposed framework and associated technology which, via Zero Trust principles, addresses multiple layers of the organization to grasp and align cybersecurity risks and to understand the readiness and fitness of the organization and its measures to counter cybersecurity risks.

Defining a research method for engineering a Business Information Security artefact

This paper proposes research methods for designing and engineering a Business Information Security (BIS) artefact. Defining research methods to establish artefact functions (e.g. dash-boarding, risk register) that reflect the parameters of control for the Board of Directors is the main motivation for this research paper. The ultimate goal is to engineer this BIS artefact and thereby solve the problem of a low level of BIS maturity. We propose a research method that can be used to establish an experimental dashboard with initial parameters of control, based on a Design Science Research (DSR) approach. Group Support System (GSS) research can assist organisations in applying the artefact, together with the accompanying collaboration and decision-making (fit-to-purpose) processes.

Porters' Elements for a Business Information Security Strategy

Hackers and negative social media hypes have proven able to bring proud organizations to their knees, yet many information and communications technology (ICT) security managers lack a strategy to anticipate and overcome such unpredictable challenges. A survey conducted among key people in the ICT security field reveals how perilously far behind their strategic thinking has fallen and what managers and board members can do to catch up.

Enterprise Engineering in Business Information Security

Implementing and maintaining Business Information Security (BIS) is cumbersome. Frameworks and models are used to implement BIS, but these are perceived as complex and hard to maintain. Most companies still use spreadsheets to design, direct and monitor their information security improvement plans. Regulators too use spreadsheets for supervision. This paper reflects on ten years of Design Science Research (DSR) on BIS and describes the design and engineering of an artefact which can emancipate boards from silo-based spreadsheet management and improve their visibility, control and assurance via an integrated dash-boarding and reporting tool. Three cases are presented to illustrate how the artefact, whose realisation is called the Securimeter, works. The paper concludes with an in-depth comparison study confirming that 91% of the core BIS requirements are present in the artefact.

Sterkere concurrentiekracht met gedegen IT risk management (Stronger competitiveness through sound IT risk management)

LockChain Technology as One Source of Truth for Cyber, Information Security and Privacy

Advances in Intelligent Systems and Computing, 2020

Implementing and maintaining Information Security (IS) in a digitized ecosystem is cumbersome. Multiple complex frameworks and models are used to implement IS, but these are perceived as hard to implement and maintain in digitized, dynamic value chains and platforms. Most companies still use spreadsheets to design, direct and monitor their information security function and to demonstrate their compliance. Regulators too use spreadsheets for supervision. This paper reflects on longitudinal Design Science Research (DSR) on IS and describes the design and engineering of an artefact architecture, coined LockChain, which can emancipate boards from silo-based spreadsheet management and improve their visibility, control and assurance via integrated dash-boarding and a reporting tool. LockChain is not a traditional Information Security Management System (ISMS); it is used for the design and specification of information security requirements and measures, and of privacy requirements. We elaborate on “Why” we used Design Science Research for the valorisation of the LockChain concept, “What” we have established in terms of LockChain technology, and “How” it is applied, as well as the added value LockChain brings to companies in cost savings, a Security and Privacy by Design engineering culture, and Digital Assurance.

Findings and Core Practices in the Domain of CI/CD and DevOps on Security Compliance

Strategic Approaches to Digital Platform Security Assurance, 2021

In this chapter, the authors describe the findings and conclusions on “The SecDevOps Capability Artifact.” It is validated by means of an extensive academic literature review and interviews with multiple domain experts and practitioners. An additional validation was performed by comparing the findings of this study with the high-level implementation and operational guidance of the DoD Enterprise DevSecOps reference design report. The purpose of that report is to describe the DevSecOps lifecycle and its supporting pillars, in line with the NIST Cybersecurity Framework, a high-level framework that builds upon specific controls and processes defined in NIST SP 800-53, COBIT 5 and the ISO 27000 series. The chapter concludes with a pragmatic set of core practices that academics and practitioners can use to ensure security compliance in CI/CD pipelines, ultimately enabling teams to work in an agile way on digital platforms.

Research Findings in the Domain of CI/CD and DevOps on Security Compliance

Strategic Approaches to Digital Platform Security Assurance, 2021

This chapter studies the mapping of the governance and security control objectives impacted by DevOps to the corresponding DevOps control objectives. These DevOps objectives introduce either an opportunity or a risk for the achievement of the security and governance control objectives. Finally, the artifact defines a list of SecDevOps controls that have proven effective in combining the agility of the DevOps paradigm with security compliance assurance. In collaboration with experts, the authors examine multiple frameworks for suitability and define the SecDevOps controls that have proven effective in combining DevOps agility with security compliance assurance. To design this artefact, four widely used frameworks/standards (COBIT 5, the NIST Cybersecurity Framework, NIST SP 800-53 and ISO 27002) were reviewed for sufficiently detailed security and privacy control objectives and controls. Based on these criteria, NIST SP 800-53 and ISO 27002 sta...

Problems of CI/CD and DevOps on Security Compliance

Strategic Approaches to Digital Platform Security Assurance, 2021

In this chapter, the authors define the main problems encountered when working on products in DevOps teams and on CI/CD pipelines with regard to security and risk management. It focuses on the regulatory requirements and cyberthreats that have an impact on organisations. Regulatory requirements vary by industry and country. Working with multiple teams on products requires proper alignment of frameworks, controls and architecture principles in order to be protected end-to-end throughout the connected platforms. This chapter examines the multiple compliance frameworks and architectural principles that can be applied to an agile way of working and, more precisely, to CI/CD pipelines. It defines the main problem statement and the questions the authors wanted to answer. The authors looked through the lens of regulated industry, since this industry suffers the most and therefore benefits the most from this research project.

Strategic Approaches to Digital Platform Security Assurance

Advances in Information Security, Privacy, and Ethics, 2021

Research paper thumbnail of Strategic Approaches to Digital Platform Security Assurance

Advances in Information Security, Privacy, and Ethics, 2021

Research paper thumbnail of Organizing Viable Information Security Governance and Management

Business information security has evolved over the years, where it first started as a technique t... more Business information security has evolved over the years, where it first started as a technique to protect critical information assets from the growing use of information technology and its accompanying risks, it now has grown to a topic widely discussed on board level. Cybercrime also has evolved to being much more than an attempt to steal logical, information assets. Hardware assets, networks, servers, employees and even organizations themselves have become targets. Organizations must ensure that they remain viable against the rising and evolving threats of utilizing information technology and its accompanying risks. In order to provide guidance, this research attempts to provide concepts from the Viable System Model, established by Stafford Beer, in order to diagnose the viability and resistance against cyber threats. Using concepts from management cybernetics and this viable system model, this research, furthermore, proposes a new holistic way of looking at business information ...

Research paper thumbnail of Hoe veilig is mijn aandeel?

Research paper thumbnail of On the Design and Engineering of a Zero Trust Security Artefact

Advances in Intelligent Systems and Computing, 2021

Adequately informing the board of directors about operational security effectiveness is cumbersom... more Adequately informing the board of directors about operational security effectiveness is cumbersome. How can this effectiveness of technological solutions for cybersecurity and privacy be proven and measured, and how can this technology be aligned with the governance and financial goals at the board level? These are the essential questions for any C-level that is concerned with the wellbeing of the firm. The concept of Zero Trust (ZT) approaches information and cybersecurity from the perspective of the asset, or sets of assets, to be protected, and from the value that it represents. Zero Trust has been around for quite some time. This paper describes the current state of the art in Zero Trust. We investigate the limitations of current approaches and how these are addressed in the Zero Trust Framework developed by ON2IT ‘Zero Trust Innovators’ (1). Furthermore, this paper describes the design and engineering of a Zero Trust artefact (dashboard) that addresses the problems at hand (2), according to Design Science Research (DSR). The last part of this paper outlines the setup of an empirical validation trough practitioner-oriented research, in order to gain a better implementation of Zero Trust strategies (3). The final result is a proposed framework and associated technology which, via Zero Trust principles, addresses multiple layers of the organization to grasp and align cybersecurity risks and understand the readiness and fitness of the organization and its measures to counter cybersecurity risks.

Research paper thumbnail of Zero Trust Validation: From Practical Approaches to Theory

Scientific Journal of Research & Reviews, 2020

How can high-level directives concerning risk, cybersecurity and compliance be operationalized in... more How can high-level directives concerning risk, cybersecurity and compliance be operationalized in the central nervous system of any organization above a certain complexity? How can the effectiveness of technological solutions for security be proven and measured, and how can this technology be aligned with the governance and financial goals at the board level? These are the essential questions for any CEO, CIO or CISO that is concerned with the wellbeing of the firm. The concept of Zero Trust (ZT) approaches information and cybersecurity from the perspective of the asset to be protected, and from the value that asset represents. Zero Trust has been around for quite some time. Most professionals associate Zero Trust with a particular architectural approach to cybersecurity, involving concepts such as segments, resources that are accessed in a secure manner and the maxim "always verify never trust". This paper describes the current state of the art in Zero Trust usage. We investigate the limitations of current approaches and how these are addressed in the form of Critical Success Factors in the Zero Trust Framework developed by ON2IT 'Zero Trust Innovators' (1). Furthermore, this paper describes the design and engineering of a Zero Trust artifact that addresses the problems at hand (2), according to Design Science Research (DSR). The last part of this paper outlines the setup of an empirical validation trough practitioner oriented research, in order to gain a broader acceptance and implementation of Zero Trust strategies (3). The final result is a proposed framework and associated technology which, via Zero Trust principles, addresses multiple layers of the organization to grasp and align cybersecurity risks and understand the readiness and fitness of the organization and its measures to counter cybersecurity risks.

Research paper thumbnail of Defining a research method for engineering a Business Information Security artefact

This paper proposes research methods for designing and engineering a Business Information Securit... more This paper proposes research methods for designing and engineering a Business Information Security (BIS) artefact. Defining research methods to establish artefact functions (e.g. dash-boarding, risk register) that reflect the parameters of control for Board of Directors, is the main motivation for this research paper. The ultimate goal is to engineer this BIS artefact and thereby solve the problem of a low level of BIS maturity. We propose a research method that can be used to establish an experimental dashboard with initial parameters of control, based on a Design Science Research (DSR) approach. Group Support System (GSS) research can assist organisations applying the artefact into the organisations with the accompanying collaboration and decision making (fit to purpose) processes.

Research paper thumbnail of Porters' Elements for a Business Information Security Strategy

Hackers and negative social media hypes have proven able to bring proud organizations to their kn... more Hackers and negative social media hypes have proven able to bring proud organizations to their knees, yet many information and communications technology (ICT) security managers lack a strategy to anticipate and overcome such unpredictable challenges. A survey conducted among key people in the ICT security field reveals how perilously far behind their strategic thinking has fallen and what managers and board members can do to catch up.

Research paper thumbnail of Enterprise Engineering in Business Information Security

Implementing and maintaining Business Information Security (BIS) is cumbersome. Frameworks and mo... more Implementing and maintaining Business Information Security (BIS) is cumbersome. Frameworks and models are used to implement BIS, but these are perceived as complex and hard to maintain. Most companies still use spreadsheets to design, direct and monitor their information security improvement plans. Regulators too use spreadsheets for supervision. This paper reflects on ten years of Design Science Research (DSR) on BIS and describes the design and engineering of an artefact which can emancipate boards from silo-based spreadsheet management and improve their visibility, control and assurance via an integrated dash-boarding and reporting tool. Three cases are presented to illustrate the way the artefact, of which the realisation is called the Securimeter, works. The paper concludes with an in-depth comparison study acknowledging 91% of the core BIS requirements being present in the artefact.

Research paper thumbnail of Porters' Elements for a Business Information Security Strategy

Hackers and negative social media hypes have proven able to bring proud organizations to their kn... more Hackers and negative social media hypes have proven able to bring proud organizations to their knees, yet many information and communications technology (ICT) security managers lack a strategy to anticipate and overcome such unpredictable challenges. A survey conducted among key people in the ICT security field reveals how perilously far behind their strategic thinking has fallen and what managers and board members can do to catch up.

Research paper thumbnail of Sterkere concurrentiekracht met gedegen IT risk management

Dedico essa dissertação de mestrado à minha mãe que esteve ao meu lado em cada aula que ouvi, que... more Dedico essa dissertação de mestrado à minha mãe que esteve ao meu lado em cada aula que ouvi, que ficou apreensiva em todo seminário que apresentei e que participou muito mais desse trabalho que uma mãe qualquer poderia. VI AGRADECIMENTOS Agradeço em primeiro lugar ao meu pai, Tullio ScoUi, pois sem o seu incentivo, apoio e dedicação este curso de mestrado não seria possível. Ele, minha mãe, Lélia de Medeiros ScoUi e meu irmão, Marcus Tullius ScoUi, estiveram ao meu lado e me ampararam nos obstáculos que encontrei durante essa trajetória. Quero agradecer a Profa. Ora. Elisabeth Igne Ferreira pelo seu carinho, amizade, auxílio aos meus estudos, esclarecimentos burocráticos e, principalmente, por me mostrar a possibilidade que eu teria de prosseguir na carreira farmacêutica. O curso de mestrado não é só um rico aprendizado, também nos dá a chance de se apaixonar pela profissão; fato nem sempre possível na graduação devido a falta de maturidade. Agradeço a Profa. Ora. Maria Amélia Barata da Silveira por toda a sensibilidade que demontrou ter diante meus limites físicos, tomando mais simples meu cotidiano na Faculdade de Ciências Farmacêuticas e mostrando a sociedade que o maior impedimento para se realizar um projeto é o que reside nas nossas mentes. À minha orientadora e amiga, Profa. Ora. Maria Valéria Robles Velasco, meus etemos agradecimentos por sua compreensão e ajuda em diversos assuntos, por me fazer crescer profissionalmente e auxiliar na elaboração da minha dissertação de mestrado. Meus agradecimentos carinhosos aos Profs. Ors. Teresinha de J.

Research paper thumbnail of LockChain Technology as One Source of Truth for Cyber, Information Security and Privacy

Advances in Intelligent Systems and Computing, 2020

Implementing and maintaining Information Security (IS) in a digitized ecosystem is cumbersome. Multiple complex frameworks and models are used to implement IS, but these are perceived as hard to implement and maintain in digitized, dynamic value chains and platforms. Most companies still use spreadsheets to design, direct and monitor their information security function and to demonstrate their compliance. Regulators too use spreadsheets for supervision. This paper reflects on longitudinal Design Science Research (DSR) on IS and describes the design and engineering of an artefact architecture, coined LockChain, which can emancipate boards from silo-based spreadsheet management and improve their visibility, control and assurance via an integrated dashboarding and reporting tool. LockChain is not a traditional Information Security Management System (ISMS); it is used for the design and specification of information security requirements and measures and of privacy requirements. We elaborate on "Why" we used Design Science Research for the valorisation of the LockChain concept, "What" we have established in terms of LockChain's technology, and "How" it is applied, together with the added value LockChain brings companies in cost savings, a Security and Privacy by Design engineering culture, and Digital Assurance.

Research paper thumbnail of Findings and Core Practices in the Domain of CI/CD and DevOps on Security Compliance

Strategic Approaches to Digital Platform Security Assurance, 2021

In this chapter, the authors describe the findings and conclusions on "The SecDevOps Capability Artifact." It is validated by means of an extensive academic literature review and interviews with multiple domain experts and practitioners. An additional validation was performed by comparing the findings of this study with the high-level implementation and operational guidance of the DoD Enterprise DevSecOps Reference Design report. The purpose of that report is to describe the DevSecOps lifecycle and its supporting pillars, in line with the NIST Cybersecurity Framework, a high-level framework building upon specific controls and processes defined by NIST SP 800-53, COBIT 5, and the ISO 27000 series. The chapter concludes with a pragmatic set of core practices that academics and practitioners can use to ensure security compliance in CI/CD pipelines, ultimately enabling teams to work agile on digital platforms.

Research paper thumbnail of Research Findings in the Domain of CI/CD and DevOps on Security Compliance

Strategic Approaches to Digital Platform Security Assurance, 2021

This chapter studies the mapping of governance and security control objectives impacted by DevOps to the corresponding DevOps control objectives. These DevOps objectives introduce either an opportunity or a risk for the achievement of the security and governance control objectives. Finally, the artifact defines a list of SecDevOps controls that have proven effective in combining the agility of the DevOps paradigm with security compliance assurance. In collaboration with experts, the authors examine which of the multiple frameworks are suitable and define SecDevOps controls that have proven effective in combining the agility of the DevOps paradigm with security compliance assurance. To design this artefact, four widely used frameworks/standards (COBIT 5, the NIST Cybersecurity Framework, NIST SP 800-53, and ISO 27002) were reviewed for sufficiently detailed security and privacy control objectives and controls. Based on these criteria, NIST SP 800-53 and ISO 27002 sta...

Research paper thumbnail of Enterprise Engineering in Business Information Security

Implementing and maintaining Business Information Security (BIS) is cumbersome. Frameworks and models are used to implement BIS, but these are perceived as complex and hard to maintain. Most companies still use spreadsheets to design, direct and monitor their information security improvement plans. Regulators too use spreadsheets for supervision. This paper reflects on ten years of Design Science Research (DSR) on BIS and describes the design and engineering of an artefact which can emancipate boards from silo-based spreadsheet management and improve their visibility, control and assurance via an integrated dashboarding and reporting tool. Three cases illustrate how the artefact, whose realisation is called the Securimeter, works. The paper concludes with an in-depth comparison study acknowledging that 91% of the core BIS requirements are present in the artefact.

Research paper thumbnail of Problems of CI/CD and DevOps on Security Compliance

Strategic Approaches to Digital Platform Security Assurance, 2021

In this chapter, the authors define the main problems when working on products in DevOps teams and on CI/CD pipelines with regard to security and risk management. It focuses on the regulatory requirements and cyberthreats that have an impact on organisations. Regulatory requirements vary by industry and country. Working with multiple teams on products requires proper alignment of frameworks, controls, and architecture principles in order to be protected end-to-end throughout the connected platforms. This chapter examines the multiple compliance frameworks and architectural principles that can be applied to an agile way of working and, more precisely, to CI/CD pipelines. It defines the main problem statement and the questions the authors wanted to answer. The authors looked through the lens of regulated industries, since these suffer the most and therefore benefit the most from this research project.

Research paper thumbnail of Strategic Approaches to Digital Platform Security Assurance

Advances in Information Security, Privacy, and Ethics, 2021

Research paper thumbnail of The State of the art in Business Information Security

Implementing and maintaining Information Security (IS) is cumbersome. Frameworks and models are used to implement IS, but these are perceived as complex and hard to maintain. Most companies still use spreadsheets to design, direct and monitor their information security improvement plans. Regulators too use spreadsheets for supervision. This paper reflects on nine years of Design Science Research (DSR) on IS and describes the design and engineering of an artefact architecture which can emancipate boards from silo-based spreadsheet management and improve their visibility, control and assurance via an integrated dashboarding and reporting tool. Three examples are presented to illustrate the way the artefact works.