Security analysis of Internet technology components enabling globally distributed workplaces

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Security analysis of Internet technology components enabling globally distributed workplaces—a framework

Full text

Pdf (1.60 MB)

Source

ACM Transactions on Internet Technology (TOIT) archive
Volume 8 , Issue 4 (September 2008) table of contents

Article No. 17

Year of Publication: 2008

ISSN:1533-5399

Authors

Manish Gupta	M&T Bank Corporation, Buffalo, NY
Shamik Banerjee	Conagra Foods Inc., Omaha, NB
Manish Agrawal	University of South Florida, Tampa, FL
H. Raghav Rao	State University of New York, Buffalo, NY

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 99, Downloads (12 Months): 955, Citation Count: 0

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1391949.1391951 What is a DOI?

ABSTRACT

As organizations increasingly operate, compete, and cooperate in a global context, business processes are also becoming global to propagate the benefits from coordination and standardization across geographical boundaries. In this context, security has gained significance due to increased threats, as well as legislation and compliance issues. This article presents a framework for assessing the security of Internet technology components that support a globally distributed workplace. Four distinct information flow and design architectures are identified based on location sensitivities and placements of the infrastructure components. Using a combination of scenarios, architectures, and technologies, the article presents the framework of a development tool for information security officers to evaluate the security posture of an information system. To aid managers in better understanding their options to improve security of the system, we also propose a three-dimensional representation, based on the framework, for embedding solution alternatives. To demonstrate its use in a real-world context, the article also applies the framework to assess a globally distributed workforce application at a northeast financial institution.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Agrawal, M., Kuo, C.-J., Nam, K., and Rao, H. R. 2003. Electronic commerce infrastructure. Encyclopedia of Information Systems, H. Bidgoli, ed. Academic Press, 29--46.
	2	Ahituv, N. 1980. A systematic approach toward assessing the value of an information system. MIS Q. 4, 61--75.
	3	Christopher J. Alberts , Audrey Dorofee, Managing Information Security Risks: The Octave Approach, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, 2002
	4	Axelrod, W. 2007. Analyzing risks to determine a new return on security investment. Managing Information Assurance in Financial Services, H.R. Rao et al. eds., Idea Group, Hershey, PA, 6--36.
	5	Paul Clements , Rick Kazman, Software Architecture in Practices, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, 2003
	6	Marianne Broadbent , Peter Weill , Don St. Clair, The implications of information technology infrastructure for business process redesign, MIS Quarterly, v.23 n.2, p.159-182, June 1999 [doi>10.2307/249750]
	7	Campbell, H. 1998. Risk assessment: Subjective or objective? Eng. Sci. Edu. J. 7, 57--63.
	8	Department of Defense. 1984. Procedures for performing failure mode effects and criticality analysis. http://www.fmeainfocentre.com/handbooks/milstd1629.pdf.
	9	Department of Homeland Security. 2006. Homeland Security Advisory System.
	10	Earl, M. J. 2002. The risks of outsourcing IT. Sloan Manag. Rev. 37, 26--32.
	11	Ekanayaka, Y., Currie, W., and Seltsikas, P. 2002. Delivering enterprise resource planning systems through ASPs. J. Logistics Inf. Manag. 15, 192--203.
	12	Elky, S. 2006. An introduction to information system risk management. SANS Institute, 16.
	13	Wolfgang Emmerich, Distributed component technologies and their software engineering implications, Proceedings of the 24th International Conference on Software Engineering, May 19-25, 2002, Orlando, Florida [doi>10.1145/581339.581405]
	14	Feller, W. 1950. An Introduction to Probability Theory and its Applications. John Wiley and Sons, New York.
	15	Felten, E. W., Balfanz, D., Dean, D., and Wallach, D. S. 1997. Web spoofing: An Internet con game. In Proceedings of the 20th National Information Systems Security Conference, Baltimore, MD.
	16	J. W. Freeman , T. C. Darr , R. B. Neely, Risk assessment for large heterogeneous systems, Proceedings of the 13th Annual Computer Security Applications Conference, p.44, December 08-12, 1997
	17	Swapna S. Gokhale , Kishor S. Trivedi, Reliability Prediction and Sensitivity Analysis Based on Software Architecture, Proceedings of the 13th International Symposium on Software Reliability Engineering (ISSRE'02), p.64, November 12-15, 2002
	18	Kateriana Goýeva-Popstojanova , Aditya Mathur P. , Kishor Trivedi S., Many architecture-based software reliability modelsComparison of Architecture-Based Software Reliability Models, Proceedings of the 12th International Symposium on Software Reliability Engineering (ISSRE'01), p.22, November 27-30, 2001
	19	Architecture-based approach to reliability assessment of software systems, Performance Evaluation, v.45 n.2-3, p.179-204, July 1 2001 [doi>10.1016/S0166-5316(01)00034-7]
	20	Gupta, M., Rao, H. R., and Upadhyaya, S. 2004. Electronic banking and information assurance issues: Survey and synthesis. J. Organiz. End User Comput. 16, 1--21.
	21	Hagel III, J. and Brown, J. S. 2001. Your next IT strategy. Harvard Bus. Rev., 105--113.
	22	Ghi Paul Im , Richard L. Baskerville, A longitudinal study of information system threat categories: the enduring problem of human error, ACM SIGMIS Database, v.36 n.4, p.68-79, Fall 2005 [doi>10.1145/1104004.1104010]
	23	International Security Technology (IST Inc) 2000. Managing risks using CORA.
	24	Sirkka L. Jarvenpaa , Dorothy E. Leidner, Communication and Trust in Global Virtual Teams, Organization Science, v.10 n.6, p.791-815, June 1999 [doi>10.1287/orsc.10.6.791]
	25	Karabacak, B. and Sogukpinar, I. ISRAM: Information security risk analysis method. Comput. Secur. 24, 147--159.
	26	Kumamoto, H. and Henley, E., 1996. Probabilistic Risk Assessment for Engineers and Scientists. IEEE.
	27	D. Dumitriu , E. Knightly , A. Kuzmanovic , I. Stoica , W. Zwaenepoel, Denial-of-service resilience in peer-to-peer file sharing systems, Proceedings of the 2005 ACM SIGMETRICS international conference on Measurement and modeling of computer systems, June 06-10, 2005, Banff, Alberta, Canada
	28	Lao, G. and Wang, L. 2007. Security risk management strategy of financial services institutions. Managing Information Assurance in Financial Services, In H. R. Rao et al. eds. Idea Group, Hershey, PA.
	29	Markowitz, H. M. 1991. Portfolio Selection: Efficient Diversification of Investments. Blackwell.
	30	McIlroy, M. D. 1968. Mass-Produced software components. In Proceedings of the North Atlantic Treaty Organisation (NATO) Conference on Software Engineering, Garmisch-Partenkirchen, NATO Science Commitee, 138--150.
	31	Microsoft. 2006. Security Risk Management Guide. Microsoft, Redmond, WA.
	32	Peter G. Neumann, Computer related risks, ACM Press/Addison-Wesley Publishing Co., New York, NY, 1995
	33	Suzanne D. Pawlowski , Dan Robey , Arjan Raven, Supporting shared information systems: boundary objects, communities, and brokering, Proceedings of the twenty first international conference on Information systems, p.329-338, December 2000, Brisbane, Queensland, Australia
	34	Sahajpal, G., Agrawal, M., Kishore, R., and Rao, H. R. 2006. Business process offshoring to India: An overview. Outsourcing, In A. Heinzl et al. eds.
	35	Seshasai, S., Malter, A. J., and Gupta, A. 2006. The use of information systems in collocated and distributed teams: A test of the 24-hour knowledge factory. In Proceedings of the SSRN eLibrary, SSRN.
	36	Vibhu Saujanya Sharma , Kishor S. Trivedi, Architecture based analysis of performance, reliability and security of software systems, Proceedings of the 5th international workshop on Software and performance, p.217-227, July 12-14, 2005, Palma, Illes Balears, Spain [doi>10.1145/1071021.1071046]
	37	Mary Shaw , David Garlan, Software architecture: perspectives on an emerging discipline, Prentice-Hall, Inc., Upper Saddle River, NJ, 1996
	38	Sitkin, S. B. and Pablo, A. L. Reconceptualizing the determinants of risk behavior. Academ. Manag. Rev. 17, 9--38.
	39	Stolen, K., Braber, D., F, L., and Aagedal, J. 2002. Model-Based risk assessment—The CORAS approach.
	40	Stoneburner, G., Goguen, A., and Feringa, A. 2002. Risk management guide for information technology systems, National Institute for Standards and Technology, Gaithersburg, MD, 55.
	41	G. B. Tanna , M. Gupta , H. R. Rao , S. Upadhyaya, Information assurance metric development framework for electronic bill presentment and payment systems using transaction and workflow analysis, Decision Support Systems, v.41 n.1, p.242-261, November 2005 [doi>10.1016/j.dss.2004.06.013]
	42	J. D. Tygar , Alma Whitten, WWW electronic commerce and java trojan horses, Proceedings of the 2nd conference on Proceedings of the Second USENIX Workshop on Electronic Commerce, p.15-15, November 18-21, 1996, Oakland, California
	43	Klaus Weidenhaupt , Klaus Pohl , Matthias Jarke , Peter Haumer, Scenarios in System Development: Current Practice, IEEE Software, v.15 n.2, p.34-45, March 1998 [doi>10.1109/52.663783]