I am planning to work on the topic, Security policy update framework for cloud users. The aim of the research to develop a framework that use to update a security policy for cloud user as a research sub-question I will also focus, how organizations analyse the security threats they face and if there is a gap between security requirements and security policy that is a cause for security threats. What research methods would you suggest me?
Hi Jafar
Good to see you have chosen a very challenging topic.
I would start with a very thorough literature review. You will need to understand conventional distributed computing, and how security relates to that (much of the security literature, particularly early works, evolved to address the security of conventional computing systems), and how this differs to the special challenges that cloud brings to the equation. You will need to consider legislative, regulatory, corporate governance and standards compliance and how these issues affect corporate decision making. You will need to understand cloud and other relevant standards, to ensure you understand all the weaknesses in both the standards setting process, and the implementation of compliance auditing. You should also understand risk, particularly IT risk, with particular regards to identification, quantification and possibile mitigation thereof.
Once you are comfortable with these areas, you can start to think about policies, procedures, requirements and so on. Policies are determined by management to show the declarative position of the company towards a particular topic. This work will be informed by understanding precisely what is needed to meet various legislative, regulatory, corporate governance and compliance objectives. The top management of the company should then assign sufficiently capable and competent people to compile procedures manuals, which are intended to provide a clear methodology for ensuring the day to day practicalities of achieving the corporate policies can be achieved. Generally policies should be principles based, with a low level of detail, to express the general concepts of the approach the company wants to take, whereas, procedures will, of necessity, be more rules based, also providing a far higher level of detail to ensure proper implementation can be achieved. Generally, the policies should be flexible enough to cope with the changing external environment, whereas, procedures will need to be reviewed frequently to ensure they are always up to date.
When we consider requirements, we must be clear about what we are intending to refer to. The word requirements can be applied to a wide range of areas, particularly within computing, so care will be needed to ensure clarity. We can talk about legislative, regulatory, governance, compliance, software and a great many other requirements, so clarity will be needed to ensure no confusion arises.
However, when thinking about requirements, one of the major areas you will need to consider is the threat environment. You will need to examine threat reports to understand the trends of adversaries, and do some research on what methords they use to attack and breach corporate defences.
Once you get to this stage, you will be well placed to produce a properl list of questions to ask, if you want to undertake some quailtative research. But, remember, people from companies may not always tell you the truth, or even be prepared to talk to you , as corporate breaches are a highly sensitive area due to the possibility of adverse impact of company share price. However, you will at least understand the right questions you should be asking, so that will certainly help.
Regarding your framework, especially if you intend to develop software with which to run it, should have the capability for easy input of the general guiding principles of management, it needs to be able to drill down to provide for the operational procedures, it should be able to handle change management, and you will certainly want to have some means of monitoring how effective it will be in operation. If you can find a small firm willing to run a small pilot study, even on part of the system, this would be another route to validation of your framework. If you do go this way, you should ensure the firm has someone competent in IT within the organisation, otherwise you will end up having to do all the work.
Hopefully this will get you thinking along the right direction. If you check out my publications on ResearchGate, you will find many of these will be well suited to what you are intending to work on.
Regards
Bob
Hi Jafar
I have added some reference lists for the following categories:
assurance models;
cloud accountability;
cloud computing;
cloud privacy;
cloud risk;
cloud security;
corporate governance;
distributed computing;
legislative;
regulatory;
security policy;
standards compliance;
threat environment;
threat reports.
That should help you work something out.
Regards
Bob
enc
- Badges
- Science topic
- Similar topics
- Engineering
- Modeling