
ISO 27001 Compliance via Artificial Neural Network

Ankur Kumar Shrivastava, Department of IT, MIET, Meerut, U.P., India
Abhinav Kumar, Information Security Consultant, Aujas Networks, Delhi, India
Anant Kumar Rai, Information Security Engineer, L&T Infotech, Mumbai, India
Nitisha Payal, Department of CSE, MIET, Meerut, U.P., India
Amod Tiwari, Department of CSE, PSIT, Kanpur, U.P., India

Abstract—In this modern world of computerization, a great deal of data is stored in computer systems, and hence the requirement to safeguard this data grows day by day. There are many standards that an organization can follow to keep all the information within the organization safe, but implementing a standard is not easy for every organization, especially for organizations that are still in the stage of evolution. In this research paper we present a solution using Artificial Intelligence techniques with the help of which a small organization can implement these standards at comparatively low cost; it will also help the organization in Information System Risk Management.

Keywords- Artificial Intelligence, Artificial Neural Network, Risk Assessment, ISO 27001.

I. INTRODUCTION

An information system (IS) is composed of information technology and the people's activities associated with that technology, which help an organization achieve its operational objectives by making the right decisions. An IS provides all possible support to an organization in taking decisions in an effective and efficient way. As we all know, there are many vulnerabilities present in our systems, which increase the chance of a system being exposed to some kind of threat, thus affecting the organization's plans to achieve its objectives. To overcome this problem, organizations started Risk Management practices. Risk Assessment is a part of the Risk Management process. Risk Assessment is a continuously improving process [1]. Risk Assessment can be performed in two ways:

A. Quantitative: Quantitative risk assessment involves computing the degree of probable loss 'L' and the probability 'Pro', which are considered the two components of Risk Assessment.

B. Qualitative: Qualitative risk assessments are descriptive rather than calculable. Qualitative Risk Assessment is performed by companies that are running out of time or do not have the expertise to perform complex mathematical and financial risk assessment.

Even after covering all the dimensions for eliminating risk from an organization, many organizations still face challenges every day in securing their data. The main reason is the dynamic environment as well as the uncertainties associated with Information Systems. Every day new challenges confront companies, and it is not possible to monitor such a rapidly changing environment manually. So we need a computer-based system which can ease our work. To create a system which can monitor any organization, help in taking correct decisions and, most importantly, implement controls to secure the system, we need a system which can take decisions on its own, depending upon the information saved by humans to train the system. In terms of standards we will be following the ISO/IEC 27001 family, which describes a management system built to bring the entire control of information security into the hands of the management of an organization. We will be implementing the 11 domains of information security mentioned by the ISO/IEC family of standards. Artificial Intelligence (AI) is a combination of the science and engineering of building an intelligent computer, mainly code, which can take decisions [2]. It is the task of making computers exhibit human intelligence.

II. ARTIFICIAL INTELLIGENCE METHODS

In the recent past AI has mainly been divided into two domains:

A. KNOWLEDGE BASED SYSTEMS

Knowledge based systems are an artificial intelligence technique that helps in taking smart decisions with a justification for every decision. In this approach we first collect all the information related to a particular field (this information comes from experts in that specific field) and then create a repository of all this information using various representation techniques (such as frames or scripts). The best feature of these systems is that the decisions they take come along with a huge database of knowledge, smart backing of intelligent judgment, self-learning, reasoning and explanation.

2013 5th International Conference on Computational Intelligence and Communication Networks

978-0-7695-5069-5/13 $26.00 © 2013 IEEE

DOI 10.1109/CICN.2013.77

Knowledge bases are principally closed or open information databases and can be classified under two main titles:

• Machine-readable knowledge bases: in this kind of system all information is saved in a computer-readable form. The main reason for doing so is that the system can take self-validated decisions. It contains a set of data, mostly in the form of rules, so that it can be expressed in standard logic.

• Human-readable knowledge bases: these systems are built to help people save their knowledge based on their real-time experience. This type of system is mainly used by organizations to share information among their employees, thus reducing the load on a help desk.

B. ARTIFICIAL NEURAL NETWORKS

Artificial neural networks may either be used to gain an understanding of biological neural networks, or for solving artificial intelligence problems without necessarily creating a model of a real biological system. An ANN is composed of interconnected artificial neurons (programming constructs that mimic the properties of biological neurons). By adjusting the weights of the network, ANNs can be "trained" to approximate virtually any nonlinear function to a required degree of accuracy. ANNs are typically provided with a set of input and output exemplars. A learning algorithm (such as back propagation) is then used to adjust the weights in the network so that the network gives the desired output, in a type of learning commonly called supervised learning. Multilayer networks are the ones mostly used in ANN-based default prediction [3].

There are two main phases in building artificial neural networks:

1. Training: in this phase we train the system so that it can take decisions based on the formed network and can also validate those decisions.

2. Testing: in this phase we verify that the decisions taken by the artificial neural network are correct.

Instead of building an artificial neural network we can also create a decision tree. A decision tree is a flow-chart-like tree structure, where each internal node (non-leaf node) denotes a test on an attribute, each branch represents an outcome of the test, and each leaf node (or terminal node) holds a class label [4].

III. PROPOSED NEURAL NETWORK ARCHITECTURE

Artificial neural networks are built by connecting hundreds or thousands of simple processing units, connected in parallel and feeding forward through several layers [5]. An artificial neural network is now designed for implementing the ISO/IEC 27001 family of standards as well as Risk Management. For training our artificial neural network we will be using a questionnaire based on the ISO 27001 family of standards [6]. The questionnaire will cover all 133 control objectives, which are broadly divided into 11 domains, and only experts who have relevant real-time experience of implementing this standard will fill in this questionnaire. The questionnaire will look like the following:

A. SAMPLE QUESTIONNAIRE:

1. Does there exist an Information Security Policy?

2. Does the owner report to senior management after making changes to the currently implemented Information Security Policy?

3. Does there exist an authorization process for information processing facilities that includes hardware and software?

4. Does there exist an inventory of assets associated with each information system?

5. Were verification checks on permanent staff carried out at the time of job application?

6. Does there exist any potential threat from neighbouring premises?

7. Are the operational procedures and responsibilities documented?

8. Is the allocation and reallocation of passwords controlled through a formal management process?

9. Are risk assessments completed prior to the commencement of system development?

10. Have the events that could cause interruptions to business processes been identified?

11. Are proprietary software products supplied?

There will be 4 answers which an expert can opt for. The options are:

1. YES
2. NO
3. NOT AWARE
4. COMMENT

B. The questionnaire will be prepared keeping in mind the following 11 domains of ISO/IEC 27001, which are:

1. Information Security Policy
2. Organization of Information Security
3. Asset Management
4. Human Resource Security
5. Physical & Environmental Security
6. Communication & Operation Management
7. Access Control
8. Information System Acquisition, Development and Maintenance
9. Information Security Incident Management
10. Business Continuity Management
11. Compliance

Fig 1. Artificial Neural Network Diagram for the Compliance of ISO/IEC 27001

In figure 1, the input to the artificial neural network will be the control objectives implemented in the organization or, if the company wants to obtain the certification for the first time, the requirements mentioned in ISO/IEC 27001. The output of the artificial neural network will be 1 if the organization complies with the standard and 0 if the organization fails to comply with the standard. In figure 2, the artificial neural network for risk management is drawn. The input for figure 2 will be the Scope Matrix of Information Security Policy and the Asset Matrix. The hidden layer is comprised of the various sub-processes of Risk Management. The output will be either 1 (for risk accepted) or 0 (for risk not accepted). Risk Management is divided into three processes [7]:

1. Risk Identification
2. Risk Estimation
3. Risk Evaluation
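As an added illustration (not code from the paper), the following pure-Python multilayer network is trained by back-propagation on expert-labelled answers to the sample questionnaire and then, in the testing phase, returns 1 or 0 for a new organization, as Fig 1 describes. The numeric encoding of the four answer options, the constructed training set and the network size are assumptions made for this example.

```python
import math
import random

# Assumed numeric encoding of the four answer options an expert can choose.
ANSWER_CODE = {"YES": 1.0, "NO": 0.0, "NOT AWARE": 0.0, "COMMENT": 0.5}

def encode(answers):
    """Map one organization's answers to the 11 sample questions onto an input vector."""
    return [ANSWER_CODE[a] for a in answers]
def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))
class MLP:
    """Multilayer network: one sigmoid hidden layer and one sigmoid output unit."""
    def __init__(self, n_in, n_hidden, seed=1):
        rng = random.Random(seed)
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in + 1)] for _ in range(n_hidden)]
        self.w2 = [rng.uniform(-0.5, 0.5) for _ in range(n_hidden + 1)]
    def forward(self, x):
        # The trailing 1.0 appended to each layer's input is the bias term.
        h = [sigmoid(sum(w * v for w, v in zip(row, x + [1.0]))) for row in self.w1]
        out = sigmoid(sum(w * v for w, v in zip(self.w2, h + [1.0])))
        return h, out
    def train(self, data, epochs=2000, lr=0.5):
        """Training phase: back-propagation against the expert-supplied labels."""
        for _ in range(epochs):
            for x, target in data:
                h, out = self.forward(x)
                d_out = (out - target) * out * (1.0 - out)
                d_h = [d_out * self.w2[j] * h[j] * (1.0 - h[j]) for j in range(len(h))]
                for j, v in enumerate(h + [1.0]):
                    self.w2[j] -= lr * d_out * v
                for j, row in enumerate(self.w1):
                    for i, v in enumerate(x + [1.0]):
                        row[i] -= lr * d_h[j] * v
    def predict(self, x):
        """Testing phase: 1 = complies with the standard, 0 = does not comply."""
        return 1 if self.forward(x)[1] >= 0.5 else 0

# Constructed expert-labelled training set: answers to the 11 sample questions, label.
TRAINING = [
    (["YES"] * 11, 1),
    (["YES"] * 9 + ["COMMENT", "YES"], 1),
    (["YES", "YES", "YES", "YES", "NO", "YES", "YES", "YES", "YES", "COMMENT", "YES"], 1),
    (["NO"] * 11, 0),
    (["YES", "NO", "NOT AWARE", "NO", "YES", "NO", "NO", "NO", "NOT AWARE", "NO", "YES"], 0),
    (["NO", "NOT AWARE", "YES", "NO", "NO", "NO", "YES", "NO", "NO", "NO", "NO"], 0),
]

def build_model():
    net = MLP(n_in=11, n_hidden=4)
    net.train([(encode(a), float(y)) for a, y in TRAINING])
    return net
def assess(net, answers):
    return net.predict(encode(answers))
```

A real deployment would feed the full 133 control objectives rather than the 11 sample questions, but the training and testing phases are the same.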

Fig 2: Artificial Neural Network Diagram for Risk Management


NOTE: Abbreviations used in Figure 2 are as follows:

SMISP - Scope Matrix of Information Security Policy
RI - Risk Identification
RE - Risk Estimation
Rev - Risk Evaluation
IOA - Identification of Asset
IOT - Identification of Threat
IOV - Identification of Vulnerability
IOEC - Identification of Existing Control
QL - Qualitative Estimation
QT - Quantitative Estimation
AR - Asset Register
TR - Threat Register
VR - Vulnerability Register
ECR - Existing Control Register
D - Degree
NV - Numerical Value
RR - Risk Register
P - Priority
RT - Risk Treatment
RA - Risk Acceptance

In Fig 2, in Qualitative Risk Assessment we assign a Degree to each Risk. It can be subdivided into either 3 or more than 5 subcategories. For example, the degrees can be:

1. High
2. Medium
3. Low
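The Fig 2 pipeline, from the registers through quantitative (NV = L × Pro) and qualitative (Degree) estimation to the prioritized risk register and the acceptance decision, as an added example in plain Python that is not the paper's own code. The sample register rows, the effect of an existing control on Pro, and the cut-offs for the degree and for acceptance are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    """One asset/threat/vulnerability triple (from AR, TR and VR), the matching
    ECR entry, and the two components of the paper's definition: L and Pro."""
    asset: str
    threat: str
    vulnerability: str
    control: str   # existing control from the ECR, or "none"
    loss: float    # probable loss L, in currency units
    prob: float    # probability Pro that the threat exploits the vulnerability

CONTROL_FACTOR = 0.5  # assumed: an existing control halves Pro
def quantitative(r):
    """QT: numerical value NV = L * Pro, with the existing control applied (assumption)."""
    effective_prob = r.prob * (CONTROL_FACTOR if r.control != "none" else 1.0)
    return r.loss * effective_prob

def qualitative(nv, high=50000.0, medium=10000.0):
    """QL: map NV onto a three-level degree D; the cut-offs are assumed."""
    if nv >= high:
        return "High"
    if nv >= medium:
        return "Medium"
    return "Low"

def risk_register(risks):
    """RI + RE: build the risk register RR, ranked by priority P (1 = most urgent)."""
    rr = [{"asset": r.asset, "threat": r.threat, "NV": quantitative(r)} for r in risks]
    for entry in rr:
        entry["D"] = qualitative(entry["NV"])
    rr.sort(key=lambda e: e["NV"], reverse=True)
    for p, entry in enumerate(rr, start=1):
        entry["P"] = p
    return rr

def risk_acceptance(entry, appetite=10000.0):
    """Rev: 1 = risk accepted (RA); 0 = not accepted, handed to risk treatment (RT)."""
    return 1 if entry["NV"] < appetite else 0

# Constructed sample input: three rows as they would come out of the registers.
SAMPLE_RISKS = [
    Risk("customer database", "data theft", "unpatched DB server", "none", 200000.0, 0.25),
    Risk("office laptops", "theft", "no disk encryption", "physical access control", 60000.0, 0.5),
    Risk("public website", "defacement", "default CMS credentials", "none", 5000.0, 0.5),
]

def evaluate(risks=SAMPLE_RISKS):
    """Run the whole Fig. 2 pipeline and attach the RA decision to each RR entry."""
    rr = risk_register(risks)
    for entry in rr:
        entry["RA"] = risk_acceptance(entry)
    return rr
```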

IV. CONCLUSION

With the involvement of Artificial Intelligence in Information Security, we will be helping those small-scale companies that lose important data on a daily basis due to a lack of Information Security. They were unable to follow Information Security because of the financial burden they face if they want to comply with the ISO/IEC 27001 family of standards. This paper will also help organizations perform Risk Management at a very reasonable cost.

V. FUTURE WORK

We use an Artificial Neural Network for supervised learning, but we can also create a decision tree based on an available industrial dataset, because the data will give us the degree of compliance with a standard as well as the degree of Risk Acceptance.

REFERENCES

[1] Iraj Zandi, "Use of Artificial Neural Network as a Risk Assessment Tool in Preventing Child Abuse", Neural Networks 2001 (IJCNN'01), IEEE.

[2] Hamadi Matoussi and Aida Krichene, "Credit Risk Assessment using Multilayer Network Model: Case of a Tunisian Bank".

[3] Jiawei Han and Micheline Kamber, Data Mining: Concepts and Techniques, Second Edition, Elsevier, pp. 291-296.

[4] Axay J. Mehta, Heema A. Mehta, T. C. Manjunath, C. Ardil, "A Multi-Layer Artificial Neural Network Architecture Design for Load Forecasting in Power Systems", International Journal of Mathematical & Computer Science 4, 2008.

[5] ISO 27001 Brief Introduction, www.fvc.com/FVC/FVCWEB/files/ISO27001%20Introduction.pdf (accessed 17/5/2013 at 9 pm).

[6] Risk Assessment as per ISO 27005, http://smart-ra.com/News/Uploads/100511122641_ISACA_CPE%20Meet_May%202011_1.pdf (accessed 2035/2013 at 5 pm).

[7] http://www-formal.stanford.edu/jmc/whatisai/node1.html (accessed 19/5/2013 at 2:42 pm).

[8] en.wikipedia.org/wiki/Artificial_intelligence (accessed 20/5/2013 at 4 pm).
