Ontology Based Multi Agent Modelling for Information Security Measurement

Abstract

IT security governance bridges the gap between corporate governance and information security which is defined as the protection of information and other valuable assets in the organization from a wide range of threats in order to maximize ROI (Return On Investment) and minimize risk. These risks emanate from multiple sources like espionage, sabotage, malicious code, computer hacking, sophisticated denial of service attacks, vandalism, fire, flood, and other natural or manmade calamities. Information security in an organization is achieved by implementing suitable sets of safeguards or controls, including policies, processes, procedures etc. These controls need to be established, monitored, and suitably implemented across organization to ensure smooth functioning of business. There are existing sets of internationally recognized standards like CobiT, ISO17799, and others available, which are country and industry specific. These standards include a set of specific controls. Organizations operating in a particular country should be compliant of these standards, and as often these are legal obligations. Stakeholders and auditors are concerned with discrepancies that accrue in the implementation phases of implementation of these standards in any organization. Compliance Auditing (CA) is the process that identifies and analyses any misalignment of the organization’s rules and policies with respect to government regulations/industry best practices, which they are supposed to implement. A distinct challenge in compliance auditing is the measurement of discrepancies between company policies, controls, and industry standards vis-a-vis actual organizational practices.