
Using Ontologies to Analyze Compliance Requirements of Cloud-Based Processes

  • Conference paper
  • Published in: Cloud Computing and Services Science (CLOSER 2013)

Abstract

In recent years, cloud computing has seen significant growth. The spectrum of available services covers most, if not all, aspects needed in existing business processes, allowing companies to outsource large parts of their IT infrastructure to cloud service providers. While this prospect may offer considerable economic advantages, it is hindered by concerns regarding information security as well as compliance. Relevant regulations are imposed by several sources, such as legal regulations or standards for information security, and their sheer number makes it difficult to identify those aspects that are relevant for a given company. To support the identification of relevant regulations, we developed an approach that represents regulations in the form of ontologies, which can then be used to examine a given system for compliance requirements. Additional tool support is offered to check system models for the properties that have been found relevant.
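The abstract describes two steps: inferring which requirements apply to a system from an ontology of regulations, and then checking the system model for the properties those requirements demand. The following Python sketch is an added illustration of that idea, not code from the paper or from its tool support; the class hierarchy, the regulation labels ("data-protection-law", "security-standard"), the requirements and the sample system model are all constructed for this example. The ontology is reduced to a subclass hierarchy, and "reasoning" is transitive subsumption: a requirement applies to a component when the component's data and storage classes are subsumed by the requirement's trigger classes.

```python
"""Toy ontology-based compliance analysis (added illustration, not the paper's tooling).

All class names, requirements and the sample model are constructed for this
example; they are not quotations of any real law or standard.
"""
from dataclasses import dataclass, field

# TBox: constructed subclass hierarchy, child -> parent
SUBCLASS_OF = {
    "PersonalData": "SensitiveData",
    "HealthData": "PersonalData",
    "FinancialData": "SensitiveData",
    "SensitiveData": "Data",
    "PublicCloudStorage": "CloudStorage",
    "CloudStorage": "Storage",
    "OnPremiseStorage": "Storage",
}


def superclasses(cls):
    """Transitive closure over SUBCLASS_OF, including cls itself (subsumption)."""
    seen = [cls]
    while cls in SUBCLASS_OF:
        cls = SUBCLASS_OF[cls]
        seen.append(cls)
    return set(seen)


@dataclass(frozen=True)
class Requirement:
    regulation: str      # constructed label of the regulation the requirement stems from
    rid: str
    text: str
    data_class: str      # applies when the component's data class is subsumed by this
    storage_class: str   # ... and its storage class is subsumed by this
    needs: frozenset     # security properties the component must then exhibit


# Constructed requirements derived from two hypothetical regulation sources
REQUIREMENTS = [
    Requirement("data-protection-law", "R1", "personal data must be encrypted at rest",
                "PersonalData", "Storage", frozenset({"encrypted_at_rest"})),
    Requirement("data-protection-law", "R2", "personal data in a public cloud needs a processing agreement",
                "PersonalData", "PublicCloudStorage", frozenset({"processing_agreement"})),
    Requirement("security-standard", "R3", "access to sensitive data must be logged",
                "SensitiveData", "Storage", frozenset({"access_logging"})),
    Requirement("security-standard", "R4", "cloud storage requires a provider SLA",
                "Data", "CloudStorage", frozenset({"provider_sla"})),
]


@dataclass
class Component:
    """ABox individual: one element of the system model."""
    name: str
    data: str                  # most specific data class the component stores
    storage: str               # most specific storage class it uses
    properties: set = field(default_factory=set)


def applies(req, comp):
    """A requirement applies when both trigger classes subsume the component's classes."""
    return (req.data_class in superclasses(comp.data)
            and req.storage_class in superclasses(comp.storage))


def relevant_requirements(model):
    """Step 1: map component name -> sorted ids of requirements the ontology makes relevant."""
    return {c.name: sorted(r.rid for r in REQUIREMENTS if applies(r, c)) for c in model}


def check_compliance(model):
    """Step 2: return (component, requirement id, missing property) for every violation."""
    violations = []
    for c in model:
        for r in REQUIREMENTS:
            if applies(r, c):
                for prop in sorted(r.needs - c.properties):
                    violations.append((c.name, r.rid, prop))
    return violations


# Constructed sample system model
SAMPLE_MODEL = [
    Component("patient-records", "HealthData", "PublicCloudStorage",
              {"encrypted_at_rest", "provider_sla"}),
    Component("marketing-site", "Data", "PublicCloudStorage", {"provider_sla"}),
    Component("hr-archive", "PersonalData", "OnPremiseStorage",
              {"encrypted_at_rest", "access_logging"}),
]

if __name__ == "__main__":
    for name, rids in relevant_requirements(SAMPLE_MODEL).items():
        print(name, "->", rids)
    for violation in check_compliance(SAMPLE_MODEL):
        print("VIOLATION", violation)
```

The point of the subsumption step is that a requirement phrased against a general class (here "PersonalData" or "Storage") is picked up for components modelled with more specific classes ("HealthData", "PublicCloudStorage") without restating it for every subclass; a real OWL reasoner generalises the same idea to arbitrary class expressions.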


Notes

  1. http://carisma.umlsec.de

  2. http://www.cloudcycle.org


Acknowledgements

Parts of this research have been funded by the DFG project SecVolution (JU 2734/2-1 and SCHN 1072/4-1) which is part of the priority programme SPP 1593 “Design For Future - Managed Software Evolution”.

Other parts have been funded by BMBF grants 01IS11008C and 01IS11008D (SecureClouds).

Author information

Corresponding author: Sven Wenzel.


Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Humberg, T., Wessel, C., Poggenpohl, D., Wenzel, S., Ruhroth, T., Jürjens, J. (2014). Using Ontologies to Analyze Compliance Requirements of Cloud-Based Processes. In: Helfert, M., Desprez, F., Ferguson, D., Leymann, F. (eds) Cloud Computing and Services Science. CLOSER 2013. Communications in Computer and Information Science, vol 453. Springer, Cham. https://doi.org/10.1007/978-3-319-11561-0_3

  • DOI: https://doi.org/10.1007/978-3-319-11561-0_3
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-11560-3
  • Online ISBN: 978-3-319-11561-0
