Emergent Needs in Assuring Security-Relevant Compliance of Information Systems


Research area: Verification



Venue: EICC '24: Proceedings of the 2024 European Interdisciplinary Cybersecurity Conference


Abstract

Establishing and assuring compliance of information systems is a difficult task with potentially critical impact on the security of those same systems. Ambiguously worded laws such as the Digital Operational Resilience Act make it difficult for organizations to determine which actions to undertake in pursuit of compliance. This ambiguity prompts auditors, compliance officers and other involved roles to interpret the meaning and implement measures according to their best judgment, resulting in an intricate back-and-forth process with remaining uncertainties. In a qualitative case study involving a multinational financial corporation and its information systems, we explore the needs of stakeholders that emerge from the interpretations and uncertainties in this process. Drawing on a deeper look at the subcase of establishing and assuring compliance of identity and access management (IAM) procedures, we model the complex interconnections in a figure. Finally, we discuss potential avenues for resolving these problems.


Authors

Tomas Bueno Momcilovic, Platform Engineering, fortiss, Germany

Dian Balta, Platform Engineering, fortiss, Germany

Paper information

Publication year: 2024
Citations: 0
Country of publication: Germany
Site: ACM
