+1443 776-2705 panelessays@gmail.com

Scenario:

NCU-FSB is in the process of implementing an ERP solution for  administrative process integration. The solution to be implemented will  cover all operations (loans, credit cards, mortgages, IRAs, investments,  and financial counseling services) with administrative operations  (human resources, finances, plant management, procurements, and asset  management, among others). To ensure that a chosen solution meets all  technical and security requirements, the CEO asked the CIO and you as  the CISO to analyze industry solutions and recommend the control  criteria every solution to be developed, either commercial off-the-shelf  (COTS) or in-house development must meet.

Instructions:

For this assignment, you must develop a diagram and a technical  paper, in which you design a control model for secure development. 

Your paper should contain the following:

  • Model with a checklist, outline, or flowchart of all the control  elements needed to review at the time of performing a database or  application for testing.
  • Checklist must be useful for either for usability testing,  certifying completeness and compliance as part of the accreditation  process.  
  • Checklist should contain the criteria to be validated during design,  development, and testing. The criteria will eventually become the  standards for data and application management for all applications to be  updated or developed.  
  • Recommendations for data and application control best practices to control risks
  • Comparison of the waterfall model, spiral model, rapid application  development, reuse model, and extreme programming, as strategies for  secure software best practices.

Length: 7 page technical paper and include a minimum of 5 scholarly articles not more than 5 years 

The completed assignment should demonstrate thoughtful consideration  of the ideas and concepts presented in the course and provide new  thoughts and insights relating directly to this topic. Your response  should reflect scholarly writing and current APA standards. Include a plagiarism report.

1 | P a g e

Designing Your Organization’s

Custom COBIT By Stefanie Grijp

COBIT Focus | 4 March 2019

Governance over a complex and continuously evolving domain such as enterprise information and technology (I&T) requires a multitude of components, including processes, organizational structures, information flows, behaviors, etc. All of these elements must work together in a holistic way to correctly

understand, design and implement a fit -for-purpose enterprise governance system for I&T.

COBIT® 2019 brings these components together in a generic framework of good practices for the achievement of 40 governance and management objectives. However, experience and research have shown there is no such thing as a one-size-fits-all governance system for enterprise I&T. Every enterprise has its own distinc t culture and profile and differs from other organizations in several aspects, including:

• Size of the enterprise • Industry sector • Regulatory landscape • Threat landscape • Role of IT for the organization

• Tactical technology-related choices These differences in external and internal context and strategy are important influencers for the design and implementation of the organization’s governance system. Any COBIT 2019 implementation will, thus,

require tailoring before it can be fit-for-purpose.

To assist with the tailoring of the standard and generic COBIT® framework and allow every organization to maximize value from its use of I&T, the COBIT 2019 design workflow was developed. The purpose of the design workflow is to allow every organization to start from the COBIT core model and, from there, adapt the governance system to the enterprise’s own priorities and specificities. It is difficult to do everything at

once when implementing or improving I&T governance—organizations have limited resources and change capacity. The design workflow helps organizations to identify and focus on the right priorities first. Designing a tailored governance system is an iterative process that is repeated when changes in the

organizational context or strategy (or in any other design factor) occur.

DISCUSS THIS ARTICLE

The purpose of the design workflow is to allow every organization to start from the COBIT core model and, from there, adapt the governance system to its own priorities and specificities.

2 | P a g e

The design workflow takes into consideration a number of design factors (DFs). These are factors that can

influence the design of an enterprise’s governance system (f igure 1).

Figure 1—COBIT Design Factors

Source: ISACA®, COBIT® 2019 Design Guide: Designing an Information and Technology Governance Solution, USA, 2018. Reprinted with permission.

DFs help the organization describe its context and strategy by proposing a set of values for each design factor. For example, DF 6 Compliance Requirements has 3 possible values—High, Normal or Low—and these values, in turn, are associated with numeric scores. When the enterprise describes its regulatory environment, it chooses one of the 3 values; together, the values and related scores contribute to a finely calibrated design workflow1 and help the organization determine: • Priorities when implementing the 40 governance and management objectives defined in COBIT 2019 • Target capability levels for selected corresponding processes

Additional guidance on specific topics, or focus areas, is in development; focus area content will provide even more tailored guidance specific to digital transformation, cloud, DevOps, small and medium

enterprises, risk, and information security.

When starting an I&T governance implementation project—or when looking to improve the existing I&T governance system—the enterprise’s first step should always be to apply the design workflow and tailor

the COBIT 2019 framework to be fit-for-purpose for the organization at hand.

This tailoring exercise coincides with phases 1 through 4 of the 7-phase workflow described in the COBIT® 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution. The COBIT 2019 Design Guide and COBIT 2019 Implementation Guide are, therefore, complementary, and each provides specific guidance for a subsection of the end-to-end governance implementation process. Together, they form the manual for every organization looking to

implement or improve its governance system for I&T.

The COBIT® 2019 Design Guide and the design workflow enrich the COBIT suite with the potential to support many organizations on their unique paths toward value-add I&T governance. Share your

experiences in the COBIT and F rameworks area of the Engage portal.

Stefanie Grijp Is a consultant on a wide range of governance projects in both the public and private sectors as a senior manager with PricewaterhouseCoopers. Her work has included acting as a consultant for ISACA for almost 10 years. She was actively involved in the development of COBIT 5 and its related publications and again

played a key role in developing the COBIT 2019 series of publications.

3 | P a g e

Endnotes 1 ISACA®, COBIT® 2019 Design Guide: Designing an Information and Technology Governance Solution, USA, 2018

Copyright of COBIT Focus is the property of IT Governance Institute (ITGI), the Information Systems Audit & Control Association (ISACA) and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.

,

2018 International Multi-Conference on Industrial Engineering and Modern Technologies (FarEastCon)

978-1-5386-9535-7/18/$31.00 ©2018 IEEE

Intelligent Software Platform and End-point Software for Risk Management

Senkov A. dept. of Computer Engineering, Smolensk branch of Federal Autonomous Educational Institution of

Higher Education Moscow Power Engineering Institute Smolensk, Russian Federation

[email protected]

Abstract— The article proposes the structure of an intelligent software platform for managing complex risks. It is proposed to divide the platform into a global and local part (end-point software) that provides not only the management of complex risks on the scale of a single system (enterprise, organization) but also the collection, accumulation, synthesis and dissemination of methods and models of integrated risk management that are best practices that have proven effective on practice. Within the local part, the platform provides the ability to build complexes of hybrid intelligent models by a risk management specialist without the participation of a programmer. Examples of using the proposed solution or its parts in projects aimed at risk management are considered.

Keywords— software for managing complex risks; a global software platform; the dissemination of knowledge

I. INTRODUCTION In the modern world, open system development tendencies

are stronger than ever. Increasing capabilities of global networks in terms of the traffic volume and speed of its transmission ensures rapid accumulation and dissemination of best practices. A good example of such practices is dissemination of car dash camera records. Watched and analyzed, compilations of such records allow drivers to draw conclusions about best practices of behavior in emergency situations while driving. It is the approach of gratuitous dissemination and accumulation of best practices that is most promising in terms of risk management.

A number of advantages are obvious related to risk management:

1) as a rule, occurrence of a risk event or, in particular, some risk situation as a complex combination of risk events [1] is a rarity even for large systems, and the number of risk events with specific and rare equipment, such as oil refineries or gasholders, through the whole history of observations is probably a single digit even within the framework of branch makers;

2) generalization of the acquired experience on a larger scale can provide sufficient knowledge for analysis through methods that involve work with inaccurate, uncertain and fuzzy data, for example, [2, 3] and many others.

However, application of such methods requires an integrated global system that combines functions of data collection, generalization, accumulation of knowledge and its further dissemination. A global knowledge base should be the basis of such a system.

II. A GLOBAL KNOWLEDGE BASE FOR MANAGING COMPLEX RISKS

According to [4], knowledge is divided into facts and rules. In terms of working with facts, the tasks of the global knowledge base should be:

1) collection of data on risk events and risk situations that have occurred in a formalized form;

2) generalization and analysis of such data; 3) assessment of data validity and its transformation into

knowledge; 4) collection of data on risk management measures; 5) assessment of efficiency of such measures; 6) generalization of knowledge of best practices. To determine the scheme of work of the global knowledge

base with rules, it is first necessary to describe the structure of the rules. We will not consider the rules individually (as we could consider fuzzy productions [5], for example), but in aggregate. The aggregate of rules will be presented by a separate intelligent mathematical model (supporting work with inaccurate, fuzzy and uncertain data). In order for the model to disseminate, we will single out the rules that form the model or facts within the rules, as well as some procedures that allow us to "animate" this model on the basis of such facts. Thus, the rules in the store have the following structure:

1) facts that determine the settings of rules; 2) rules for constructing intelligent models based on facts

designed to construct models; 3) rules for application of intelligent models based on facts

intended for application of models. In terms of risk management, the facts for constructing and

applying models have the same structure, presented in [6] in the form of a graphical notation. For storing and transmitting such information a universal format of data storage and transmission can be used [7], which ensures filling the store

The reported study was funded by RFBR, according to the research

project No. 16-37-60059 mol_a_dk..

Authorized licensed use limited to: Northcentral University. Downloaded on December 16,2021 at 14:36:18 UTC from IEEE Xplore. Restrictions apply.

2018 International Multi-Conference on Industrial Engineering and Modern Technologies (FarEastCon)

978-1-5386-9535-7/18/$31.00 ©2018 IEEE

Pl at

fo rm

fo r w

or ki

ng w

it h

IM o

f d ec

is io

n su

pp or

t

End-point software

DSS in preliminarily risk management

DSS in case risk management

Risk modeling system

Knowledge base

Hard real-time risk management system

Preliminarily management in

HRT

Case management in

HRT

Global platform

Knowledge Base

Methods and ways of IM operation

Operational database

G at

ew ay

Accumulated knowledge

Accumulated data

O b

je ct

o f

m a

n a

g em

en t

Fig. 1. Structure of the intelligent software platform for complex risk management

both with facts for model construction and with facts for model application.

For dissemination of best practices in the form of models, a unified format for interaction of such models and an interface (in the sense of object-oriented programming) of their implementation must be defined. As the format for dissemination of rules of model construction and application the format of dll-libraries can be chosen. This matter will be considered separately.

III. INTELLIGENT SOFTWARE PLATFORM FOR MANAGING COMPLEX RISKS

The availability of the above-mentioned method of transferring knowledge in the field of risk management, the need to divide risk management into preliminary and case management[1], as well as the existence of a cognitive gap that does not allow users to develop intelligent systems, and programmers to work out the developed systems in detail required by the end user, determine the necessity and possibility of creating an intelligent software platform for managing complex risks. Figure 1 presents the structure of such a platform.

In general, the platform is divided into 2 components.

1) A global part, which is a knowledge base in the field of risk management.

2) An end-point solution used to manage on-site risks. The local solution is based on a platform for working with

intelligent decision support models. Such a platform meets the following requirements:

• it should be the core ensuring the launch of intelligent models derived from the global part of the platform;

• it should allow to arrange intelligent models into cascades of arbitrary complexity, to hybridize intelligent models without a programmer.

The local solution itself has the following basic elements:

• decision support system (DSS) for preliminary risk management;

• DSS for case risk management;

• hard real-time risk management system;

• risk modeling system;

Authorized licensed use limited to: Northcentral University. Downloaded on December 16,2021 at 14:36:18 UTC from IEEE Xplore. Restrictions apply.

2018 International Multi-Conference on Industrial Engineering and Modern Technologies (FarEastCon)

978-1-5386-9535-7/18/$31.00 ©2018 IEEE

• knowledge base;

• data base.

A. Decision support system DSSs for preliminary and case risk management

implement functions of prior and subsequent risk management respectively in accordance with the approach proposed in [1]. In this case, in accordance with the approach, each system should have 2 components: a hard real-time system [8], [9] and a non-time-critical system (planning system).

Before the occurrence of an undesirable event (risk implementation), one can try to create conditions preventing the occurrence of such an event. As a rule, such actions can be performed without tight timing constraints. The sooner the occurrence of this event, the faster the DSS must work, decisions be made and implemented. As a result, the DSS may become a decision-making system (DMS), or, for example, a multi-agent system with intelligent agents which are reviewed in [10]. The transition from DSS to DMS is conditioned by a human's inability to constantly increase the speed of decision- making. After all, the speed of decision-making is limited by a human's physiological abilities of environmental perception and reaction.

After an undesirable event has occurred, for its elimination or leveling its consequences it is necessary to keep a sufficiently high rate of decision-making for a certain time in the course of the case risk management (for example, fire suppression). After a short intensive hard real-time action, steps should be taken to eliminate the consequences and prevent the implementation of similar risks.

Therefore, a certain time period around an undesirable event requires a special type of system: a hard real-time risk management system. Such a system combines features of preliminary and case management that allows it both to eliminate consequences of an undesirable event and, at the same time, to prevent other undesirable events. An example of the system is given in [11], that proposes a hard real time fire suppression system. Further to this, a system was proposed to implement fire fighting with a special mechanism of targeted fire fighting (case management), and, at the same time, to organize a safe corridor for evacuation of people from the fire zone (preliminarily management).

B. Risk modeling system The modeling system is optional within the local solution

and is intended for modeling an object of risk management. In works [12] such a system is built on the basis of growing Petri nets, which allow to describe the behavior of individual elements of the system, their interactions, as well as change in the structure and / or order of the system operation in case of a certain situation (including a risk situation).

The risk modeling system can be used both to simulate application of various measures to the object of risk management (for example, at the stage of preliminarily risk management) and to predict consequences of the occurrence of risk events (at the stage of case risk management).

C. Knowledge base The knowledge base in the local solution structurally

doesn't differ much from the knowledge base in the global part of the platform. It serves for the primary acquisition of knowledge, its actualization, accumulation of new knowledge and its transfer to the global part of the platform.

D. Operational database It contains structured data received from external sources

of information, as well as data obtained in the course of operation of the local solution.

E. Gateway The gateway is designed to receive data from the external

environment (from the object where the risk management is performed). For example, if we consider production risk management, the gateway can provide access to ERP systems (1C, SAP, Oracle, Microsoft) to obtain data required for risk management in a mode that does not require real-time reaction. Besides, the gateway can provide access to industrial control systems to implement hard real-time risk management. It should be noted that in this case the data exchange may be not one-way (from the external environment to the local solution), but two-way (obtaining data about the situation from the external environment and forwarding the decisions for execution).

IV. IMPLEMENTATION EXAMPLES OF SYSTEMS BUILT ON THE PROPOSED ARCHITECTURE

During the period from 2008 to 2018, with the involvement of the author, a number of software systems were developed, to a degree aimed on risk management in complex organizational and technical systems. Among the customers of such systems there are large industry enterprises, such as PAO Gazprom, PJSC INTER RAOUES, T-Platforms and others.

Due to peculiar requirements of the Customers, the software products were implemented in various ways and did not fully cover the functions of risk management systems.

Table 1 reflects functions of risk management systems of the most large-scale developed systems in detail.

Despite the fact that none of the systems developed has implemented all the functions of an intelligent software platform for risk management, in general, it can be stated that the proposed architecture is operable and can be used to build intelligent risk management systems of various classes. In addition, it is obvious that the platform can be implemented using various technology stacks.

The proposed structure of an intelligent software platform for risk management, first, is notable for the ability to accumulate, generalize and disseminate best practices in risk management.

Second, it provides the ability to build hybrid intelligent models of various complexity levels by a risk management expert without the participation of programmers.

Authorized licensed use limited to: Northcentral University. Downloaded on December 16,2021 at 14:36:18 UTC from IEEE Xplore. Restrictions apply.

2018 International Multi-Conference on Industrial Engineering and Modern Technologies (FarEastCon)

978-1-5386-9535-7/18/$31.00 ©2018 IEEE

TABLE I. FUNCTIONS OF RISK MANAGEMENT SYSTEMS

Intelligent software platform / end-point

software function AIS AR AIS Control

Risk management

software environment

Intelligent platform functions Collection of data on risk events and risk situations that have occurred in a formalized form

+ On over 400 organizations

+ +

Generalization and analysis of such data

+ With involvement of an expert

+ With involvement of an expert

Assessment of data validity and its transformation into knowledge

+ With involvement of an expert

– –

Collection of data on risk management measures

+ + +

Assessment of efficiency of such measures

+ With involvement of an expert

– –

Generalization of knowledge of best practices

+ With involvement of an expert

– –

Integration with external systems

± Data upload only

+ Flexible two- way integration with products on the Platform 1C: Enterprise

+ Integration with software

End-point software Decision support system (DSS) for preliminary risk management

+ Based on internal regulations of PAO Gazprom

+ Based on internal regulations of PJSC INTER RAOUES

+ Based on original methods of intelligent decision support

DSS for case risk management

+ Automation of standard processes defined by law

+ Automation of standard processes defined by law

Hard real-time risk management system

– – + Allows to make decisions on managing risks of equipment failure with a responsiveness not exceeding 0.1 sec

Risk modeling system – – + For solving problems of evaluating and comparing the effectiveness of the proposed solutions

Intelligent methods and models

Fuzzy clustering[13], Fuzzy inference [14], [15] Fuzzy cognitive maps [16]

– Fuzzy Bayesian networks [17], [18] Fuzzy cognitive maps, Fuzzy fault trees [19], [20] Fuzzy inference Fuzzy Petri Nets [21], [22]

Technology stack Development environment and sets of libraries

Borland Delphi

1С: Enterprise 8.2

MS VS, .Net framework

DBMS ORACLE / FireBird

1С: Enterprise 8.2 / MSSQLServer

MySQL

Third, it is applicable for systems of different scale: corporate, regional, federal, international.

Fourth, it provides the harmonization of knowledge in the field of risk management owing both to application of a unified knowledge exchange format as a graphical risk notation (formal language), and to unified interfaces of intelligent models, supporting construction of hybrid intelligent systems of various levels of complexity.

Practical implementability of the principles and approaches to building an intelligent platform and end-point software has been proven in the course of implementing a number of projects of various levels. Practical implementation of the software is possible using various technological stacks.

Acknowledgment The reported study was funded by RFBR, according to the

research project No. 16-37-60059 mol_a_dk.

References [1] Senkov A.V., Risk management: intelligent models, methods, software.

– Smolensk: Universum, p. 284, 2016.

[2] Shang, K., Kossen, Z., Applying Fuzzy Logic to Risk Assessment and Decision-Making. Casualty Actuarial Society. Canadian Institute of Actuaries, Society of Actuaries p. 59, 2013.

[3] Zeidler, J., Schlosser, M., Ittner, A., Posthoff, C., “Fuzzy decision trees and numerical attributes. Fuzzy Systems”, Proceedings of the Fifth IEEE International Conference on Vol. 2, pp. 985-990, 1996.

[4] Artificial intelligence, Models and Metgods: Guide, D. A. Pospelov, M., Radio isvjaz', p. 304, 1990.

[5] Borisov V.V., Kruglov V.V., Fedulov A.S. Fuzzy models and nets, M., Gorjachaja linija-Telekom, p. 284, 2012.

[6] Senkov A.V., “Complex Risks Management Notation”, Sovremennye naukoemkie tehnologii, vol. 12-1, pp. 72-81, 2016. URL: https://www.top-technologies.ru/ru/article/view?id=36479 (data obrashhenija: 07.11.2017).

[7] Senkov A.V., “Knowledge Base Format of the Decision-Making Support System for Intelligent Management of Integrated Risks in Complex Organizational and Technical Systems”, Mezhdunarodnyj zhurnal informacionnyh tehnologij i energojeffektivnosti, T.2, vol. 3(5) pp. 23-34, 2017.

Authorized licensed use limited to: Northcentral University. Downloaded on December 16,2021 at 14:36:18 UTC from IEEE Xplore. Restrictions apply.

2018 International Multi-Conference on Industrial Engineering and Modern Technologies (FarEastCon)

978-1-5386-9535-7/18/$31.00 ©2018 IEEE

[8] Kopetz, H., Real-Time Systems, Design Principles for Distributed Embedded Applications, Klower Academic Publishers, 1997.

[9] N.C. Audsley, A. Burns, M.F. Richardson and A.J. Wellings, “Hard Real-Time Scheduling: The Deadline Monotonic Approach”, Proceedings 8th IEEE Workshop on Real-Time Operating Systems and Software, Atlanta, GA, USA (15–17 May 1991)

[10] Tarasov V.B., From multi-agent systems to intelligent ensembles, M., Jeditorial URSS, p. 352, 2002.

[11] Senkov A.V., Andreeva O.N., “Approach to Creation of Intelligent System for Control of the Fires, Accidents and Incidents at the Industrial Enterprises on The Basis of the Theory of Multi-Agent Systems”, Fundamental'nye issledovanija, vol. 10-3, pp. 560-565, 2016. URL: https://www.fundamental-research.ru/ru/article/view?id=40895

[12] E V Sorokin, A V Senkov, “Application of growing nested Petri nets for modeling robotic systems operating under risk”, IOP Conf. Series: Earth and Environmental Science, vol. 87, 082046, 2017 doi :10.1088/1755- 1315/87/8/082046

[13] Krishnapuram R., Keller J.M., “A possibilistic approach to clustering”, IEEE Transactions on Fuzzy Systems, vol. 1, No. 2, pp. 98–110, 1993.

[14] Sugeno M., “Fuzzy identification of systems and its applications to modeling and control”, IEEE Transactions on Systems, Man, and Cybernetics. SMC-15(1), pp. 116-132, 1985.

[15] Mamdani EH., “Application of Fuzzy Logic to Approximate Reasoning Using Linguistic systems”, IEEE Transactions on Computers, vol.26(12), pp.1182-1191, 1978.

[16] Styblinski MA, Meyer BD., “Fuzzy cognitive maps, signal flow graphs, and qualitative circuit analysis”, Neural Networks, pp. 549 – 556, 1988.

[17] Pan H, Liu L., “Fuzzy Bayesian networks – a general formalism for representation, inference and learning with hybrid Bayesian networks”, IJPRAI, vol. 14 – 7, pp. 941–962, 2000.

[18] Senkov A.V., Zaharov A.S., Borisov V.V., “Accident Risks Assessment by Temporal Fuzzy Bayesian Network”, International Journal of Applied Engineering Research, Vol. 11, Number 22, pp 10731-10736, 2016.

[19] Tanaka H, Fan LT, Lai FS, Toguchi K., “Fault-Tree Analysis by Fuzzy Probability”, IEEE Transactions on Reliability, vol. 32-5, pp. 453-457, 1983.

[20] Gmytrasiewicz P, Hassberger JA, Lee JC, “Fault tree based diagnostics using fuzzy logic”, IEEE Transactions on Pattern Analysis and Machine Intelligence, vol. 12-11, pp. 1115-1119, 1990.

[21] Pedrycz W, Gomide F., “A generalized fuzzy Petri net model”,