eGSSM - IEEE Computer Society

2011 IEEE International Conference on Privacy, Security, Risk, and Trust, and IEEE International Conference on Social Computing

eGovernment System Security Model (eGSSM)
A multidimensional, risk based approach to eGovernment

David C. Edwards, Pavol Zavarsky, Ron Ruhl, Dale Lindskog, Shaun Aghili
Information Systems Security Management, Concordia University College of Alberta
7128 Ada Boulevard, Edmonton, Alberta, Canada T5B 4E4
[email protected], {dale.lindskog, pavol.zavarsky, ron.ruhl, shaun.aghili}@concordia.ab.ca

978-0-7695-4578-3/11 $26.00 © 2011 IEEE DOI

Abstract--eGovernment Maturity Models (eGMMs) are widely used in the implementation and development of eGovernment systems. Motivated in part by legislation, scholarship has contributed significantly to their development, usually in pursuit of specific organizational agendas or to address narrowly defined areas. Despite their pervasiveness, however, no available approach adequately addresses and integrates security into eGMMs at their various stages. Based on an extensive review of eGMMs, this research seeks to fill that void in the body of knowledge and proposes a model, the eGovernment System Security Model (eGSSM), that integrates security into eGMMs at each stage. The eGSSM is a theoretical framework, multidimensional in construct, that employs a risk-based approach to integrating security into eGMMs. Its key component is the eGovernment Maturity Trigger. The trigger assesses a government's ability to address Key Domain Areas within the eGovernment Stage Process Maturity (eGSPM) and to mitigate security risk, using the National Institute of Standards and Technology Risk Management Framework (NIST RMF), within the eGovernment Security Risk Maturity (eGSRM). Define, Measure, Analyse, Improve and Control (DMAIC) principles are applied to measure, control and report process performance, so as to reach the capability level that triggers maturity and progression to the successive stage.

Keywords: eGovernment; eGovernment Maturity Models; NIST RMF; Six Sigma DMAIC

I. INTRODUCTION

eGovernment Maturity Models (eGMMs) are used not only to define the stages of eGovernment development but also to benchmark and guide its implementation. Although eGMMs are widely researched, very little of that research specifically addresses security in eGovernment, and the work that does either mentions it en passant or focuses on the transaction-related security risk evident at the higher maturity stages. This is unfortunate, as "privacy and related security issues must be adequately addressed in government IT initiatives" [1]. With the promise of access to public government resources at any time and from any location, organizational boundaries quickly erode and security related issues surface. Security becomes "one of the primary challenges and obstacles to successful deployment and operation of eGovernment" [2]. The reality, however, is that no stage is immune to security related issues.

In developing an approach to security we look, within the evolutionary stages of the eGMM, at the processes, the information architecture [3], [4], the required capabilities [4] and the security practices [5], as these are the salient variables that define each stage. This better informs us about the processes and interactions that could introduce vulnerabilities and security risk. Since each stage has its own identity, a "silver bullet" approach cannot be employed when integrating security into eGMMs; a tailored approach that builds security into the design is needed. To this end we propose the eGovernment System Security Model (eGSSM), a multidimensional, risk based approach that makes security part of the design of eGovernment by integrating it into the measurement of maturity that determines progression to successive stages.

II. STRUCTURE

The paper is structured as follows. Section II outlines the structure of the paper and Section III gives the background and the value of the contribution. Section IV introduces the eGSSM and details its phases. Section V details the trigger mechanism that establishes the requirements for progression to successive stages. Section VI concludes the paper. The interested reader can find more detail in David C. Edwards' MISSM research paper, along with the referenced prototype, at http://infosec.concordia.ab.ca/system/files/Edwards2011.pdf

III. BACKGROUND

An extensive review of available eGMMs revealed that, in their current form, they operate simply as classification systems and do not consider security as part of their construct. More recent models that do speak to security do so en passant or focus on the transaction level alone. Further, apart from the service offering itself, these models have no clear mechanism that triggers progression from one stage to the next. We argue instead for a defense in depth approach:
1) that integrates security into the model by assessing the service offerings, processes and interactions at every stage, with a view to mitigating the risk they pose as the entity progresses;
2) that keeps security an integral part of the process irrespective of the stage or the sophistication of the technology, so that a high level of security confidence is attainable at any stage; and
3) that, rather than simply classifying the government entity by its offerings, requires a security risk assessment, conducted both internally and externally, as part of a systematic and structured approach to progression to subsequent stages.

IV. EGOVERNMENT SYSTEM SECURITY MODEL (EGSSM)

In presenting the eGSSM we begin with the architecture of the model and the information sources considered in its development.

A. eGSSM Architecture

The eGSSM is built around an eGovernment Maturity Trigger with two major components, the eGSPM and the eGSRM. The model draws on several sources:
- the Capability Maturity Model [6];
- the Capability Maturity Framework for eGovernment [7]; and
- the NIST Risk Management Framework (NIST RMF), as described in NIST Special Publications 800-60, 800-53, 800-30, 800-37, 800-53A and 800-64 [8].

B. Phase 1: eGovernment Stage Process Maturity (eGSPM)

Phase 1 of the eGSSM is the eGSPM. Using the capability model, the eGSPM measures the effort a government has invested in implementing the Leverage Domains (LDs), Key Domain Areas (KDAs) and Critical Variables that support eGovernment capability. Ideally the government entity achieves an eGSPM capability score of three or more (≥ 3). The eGSPM, adopted from the Capability Maturity Framework for eGovernment, consists of three elements: four (4) Leverage Domains, made up of eighteen (18) Key Domain Areas, which in turn comprise fifty-seven (57) Critical Variables. The four Leverage Domains are eGovernment Strategy, IT Governance, Process Management and Organization & People Capabilities. The LDs and their KDAs are as follows.

1) eGovernment Strategy: This LD speaks to a government's ability to have an IT strategy aligned with its business strategy and to articulate its willingness to engage in eGovernment initiatives. The KDAs are Vision, Strategies and Policies; Enterprise Architecture Strategy; and IT Management & Organization.

2) IT Governance: IT Governance is an important domain, particularly in the context of achieving business objectives. It is a framework that aligns IT actions with a defined structure detailing processes, responsibilities and goals, resulting in a system that assigns accountability for actions and uses performance assessment to evaluate how well the government achieves its goals. The KDAs are IT Architecture; Portfolio and Risk Management; IT Service Delivery; and Asset Utilization.

3) Process Management: This is the facility that allows governments to document and standardize processes to ensure consistent, quality service delivery to citizens. It incorporates the security triad of Confidentiality, Integrity and Availability (CIA). The KDAs are Business Process Management; Performance Management; Services to Citizens and Business; Interoperability Practices; Norms Compliance (internal and external); Quality Assurance; and Information Security Management and Assurance.

4) Organization and People Capabilities: This LD addresses the core organizational and human resource competencies required to implement eGovernment effectively. The KDAs are Infrastructure & eGovernment Tools; Knowledge Management; Change Management; and Human Capital.

Each KDA has corresponding Critical Variables, each with a capability level of its own; the average of those variables is the KDA's capability level. The average of an LD's KDA levels is the LD's overall capability level, and the eGSPM is the average of the four LD levels, which keeps it on the same 0 to 5 scale as its components:

eGSPM = (1/4) Σ CL(LD_i), i = 1..4

C. Phase 2: eGovernment Security Risk Maturity (eGSRM)

Phase 2 of the eGSSM is the eGSRM, which gauges a government's ability to implement the steps of the NIST RMF. It measures the government's effort in addressing and mitigating information security risk, again to a capability level of ≥ 3, and examines how the NIST RMF is applied across the operations of the government entity as a whole. The NIST RMF provides the structure that underpins the security life cycle, offering an integrated, risk based approach to managing information system security. The framework, detailed across several NIST documents, is a continuously revolving six (6) step process (the cycle of SP 800-37 Revision 1, the current revision when this paper was written). Each step comprises risk-related tasks with well-defined organizational roles and supporting functions, together with supplemental guides and references that explain how the tasks are executed. The steps, as illustrated in the prototype, are:
1) Categorize the information system;
2) Identify and select the appropriate security controls;
3) Implement the selected security controls;
4) Assess the implemented security controls;
5) Authorize the information system to operate; and
6) Monitor the controls and report.

The framework is structured yet flexible, guiding the identification and mitigation of risk to an "acceptable level". It pairs broad concepts with specific detail for assessing risk and choosing appropriate mitigation strategies. Although described sequentially, government entities may deviate from that sequence and tailor it to their established system development life cycle processes. Irrespective of the sequence, it is important to address every aspect of the framework in order to mitigate security risk to the predefined acceptable level. These steps, their critical tasks and Key Performance Indicators are encompassed within the eGSRM, which is the average capability level across the six steps:

eGSRM = (1/6) Σ CL(RMF step_j), j = 1..6

Application of the eGSPM and the eGSRM yields the Total eGovernment Maturity (TeGM). The maturity of the eGSPM and the eGSRM, however, cannot be assessed arbitrarily or in isolation from each other; the evaluation has to be carried out in a systematic, structured manner.

D. Structured Security based Maturity Process

Although the NIST RMF is comprehensive in its construct, the effectiveness of a security risk mitigation effort depends on what is understood by "acceptable level". The custodian of the eGovernment system's conception of "acceptable" is heavily influenced by their discretion, skill, experience and qualifications. This introduces subjectivity, which can erode trust in the system, and it does not foster a common framework against which custodians can gauge their progress. The eGSSM therefore proposes a common criterion for quantifying and measuring risk mitigation effort and performance over time.

E. Assessing Capabilities of Processes within the eGSSM

The assessment of a government's ability to address the Capability Levels (CL) of the Critical Variables, KDAs and LDs in the eGSPM, and of the effort invested in mitigating security risk in the eGSRM, is adopted from the Capability Maturity Model (CMM). The CMM, a well known model in software development and engineering, is based on a number of dimensions arranged progressively and is often used to identify weak areas and foster process improvement. Processes within the eGSSM are therefore scored on six (6) progressive levels, from "none" (0) to "optimizing" (5):
Level 0: None;
Level 1: Initial, ad hoc, approached reactively and individually;
Level 2: Developing, a regular but intuitive pattern;
Level 3: Defined, documented and communicated;
Level 4: Quantitatively Managed, with established standards and norms;
Level 5: Optimizing, best practice procedures with a focus on process improvement.

F. eGSSM Formula

The eGSSM formula is the mechanism within the eGovernment Maturity Trigger System that triggers Total eGovernment Maturity (TeGM) for progression to successive stages. Developed on the concepts of "defense in depth" and "you are only as strong as your weakest link", the formula weights the security risk mitigation effort (eGSRM) of the government entity as a whole more heavily than the processes (eGSPM) that support the eGovernment initiatives. This is because, although it can be argued that processes bring security, processes do not guarantee security; the security of the eGovernment entity therefore has to be addressed separately and weighted more than its processes. The formula is constructed so that the lesser of the two scores is the reported value, and an efficiency indicator, plus or minus (+/-), shows which side is lacking: plus (+) if security risk mitigation (eGSRM) exceeds process maturity (eGSPM), minus (-) if security risk mitigation is less than process maturity. If the eGSPM and the eGSRM are identical, the value is either score and no indicator is attached. Ideally the government entity wants a "+" rather than a "-". The formula is expressed as follows:

TeGM = T = M + R   (1)
M = eGSPM * K1   (weighted eGovernment Key Domain Process Maturity)
R = eGSRM * K2   (weighted eGovernment Security Risk Maturity)
K1, K2 = weights for the eGSPM and the eGSRM, with K1 = 1.0 - K2 and K2 > K1

If eGSPM > eGSRM: Value = eGSRM and "-"   (e.g. eGSPM = 4, eGSRM = 2, K1 = 0.3, K2 = 0.7: 2-)
Else if eGSRM > eGSPM: Value = eGSPM and "+"   (e.g. eGSPM = 2, eGSRM = 4: 2+)
Else: Value = eGSPM = eGSRM, no indicator   (e.g. eGSPM = eGSRM = 2: 2)

In these examples the reported value is the lower of the two unweighted scores; the weighted sum T (4 * 0.3 + 2 * 0.7 = 2.6 in the first case) is not the reported figure, and the weights express the greater importance given to security.

The eGSSM sample prototype, accessible at http://infosec.concordia.ab.ca/system/files/Edwards2011.pdf, illustrates the correlation between the fifty-seven (57) Critical Variables and the eighteen (18) Key Domain Areas that yield the four (4) Leverage Domains of the eGSPM, and likewise for the eGSRM, showing how mitigating security risk to a capability level of ≥ 3 affects the overall eGSSM capability level positively or negatively. With the eGSPM weighted 0.3 and the eGSRM 0.7, example 1 gives an overall capability level of 3.2-. Although this entity is eligible to progress to the next stage, the negative indicator is prescriptive: it highlights that security is lagging and should be addressed. Example 2, with the same weights, gives an overall capability level of 3.1+. The positive indicator shows that security is adequately addressed throughout the related eGovernment activities, so this entity has a better security posture than that of example 1.

V. EGOVERNMENT MATURITY TRIGGER SYSTEM

Six Sigma, as defined by H. Wong, is a statistical measure of the capability of a process to achieve defect-free performance [9]. As a Total Quality Management (TQM) methodology it acts as a catalyst for what D. H. Kim calls "horizontal growth" [10]: learning through a system of problem solving that identifies deviations from established standards within an organization or system, built on the principles of efficiency and effectiveness. The DMAIC methodology entails five steps: Define, Measure, Analyze, Improve and Control. DMAIC applies to every process within the eGovernment entity in its quest for TQM. In the eGSPM it is applied to the Critical Variables, which improves the KDAs; the average is collected and monitored at each cycle, and the cycle is repeated to improve the processes. Repetition is essential to refining the processes. The cycles are tabulated and monitored for variance, and tolerances such as the "Lower Specification Limit" (LSL) and the "Upper Specification Limit" (USL) [11] are established. The same applies to the eGSRM and to the tasks within the six (6) steps of the NIST RMF that reduce organizational security risk and raise the overall risk mitigation average. Applying DMAIC resembles conducting scientific research: the problem is defined and a sequential process is followed to the point of documenting the findings. The steps of the Total eGovernment Maturity Stage process are:

1) Define: the first step defines the specific goals, which are outcomes consistent with the customers' demands and the organization's business strategy. Here the government entity determines the "External CTQ (Critical to Quality)" variables [11]. This term denotes the broad goal of the government organization, which is security confidence: a more secure system gives end users, citizens and businesses alike, greater confidence in the eGovernment system and its processes.
- The Internal CTQ (Int CTQ) applies to both the eGSPM and the eGSRM. For the eGSPM it is security confidence in the structure and processes that support eGovernment, to an average capability of ≥ 3; for the eGSRM it is security confidence and assurance in the government entity's deployment and management of security risk, to an average capability of ≥ 3.
- The unit of measurement is the capability rating system, ranging from 0 to 5.
- Opportunities and defects: opportunities are the internal assessment cycles, counted by how often they are conducted; defects, which need an opportunity in which to occur, are failures to meet the target average score.
- The population encompasses all opportunities, including the various processes that directly or indirectly contribute to overall eGovernment delivery.

2) Measure: this step gauges whether processes have improved or defects have been reduced, which requires a baseline against which to measure deviations. The Internal CTQ and the unit of measurement are translated into processes. It is important not to overlook potential problems with the measurement instruments; they must be accurate and dependable sources of the data to be analysed. To validate them, a series of tests should be applied: validity, bias, stability, resolution, linearity, repeatability and reproducibility.

3) Analyze: this step determines the correlation between cause and effect. With the measurement instruments shown to be accurate, the government entity can begin collecting good quality data sets that report on its capabilities in the various processes within the eGSSM. Multiple assessment cycles can be run to gauge trends, which form the basis for establishing the "Upper and Lower Control Limits" [11], calculated by adding or subtracting three (3) times the standard deviation from the mean. Government units can then identify trends and associate them with particular actions, which is the beginning of standards from which predictions about entities and their expected performance can be made. Once these processes are refined, an industry baseline average can be determined; governments can analyze how their performance varies from it, isolate the vital influencing factors and establish best practice solutions. A number of problem solving tools can be employed: exploratory data analysis, Pareto charts, CTQ flow-downs, Failure Mode and Effects Analysis (FMEA), brainstorming, fishbone diagrams, priority matrices and root cause analysis. These help identify the factors that influence particular trends.

4) Improve: continuous improvement of processes increases efficiency, which reduces defects. This step asks "why" and attempts to convert cause, effect and solution into an equation. Having identified and documented the possible influencing factors, the entity analyses them systematically to develop and document a causal hypothesis. The hypothesised effects are tested, and the relevant ones join a list of vital influencing factors that can be used to predict behaviour. A mathematical equation can then be formulated to model their effect on the Int CTQ, for example:

Ext CTQ = Int CTQ = f(X1, X2, X3, ..., Xn-1, Xn)

Every X signifies a vital influencing factor and f denotes the function through which it influences the Int CTQ. This allows the outcome of the influencing factors to be identified and measured, and the government entity can then manage and adapt its processes as it seeks to improve them continuously.

5) Control: the final DMAIC step. Control is a continuous monitoring process that looks for variation in processes that could adversely affect progress; measurement and analysis ensure that process variances are detected early and the likelihood of defects is reduced. Having adapted its processes for continuous improvement, the government entity explores ways of controlling them with a system that measures the Int CTQ and the factors that influence it. Tools that help increase control over processes that are new or have changed include the Out of Control Action Plan (OCAP), Poka-Yoke (mistake proofing), control loops and control charts.

6) Internal Assessment Audit: having applied all the DMAIC steps to improve its processes, the custodian of the eGovernment system assesses overall performance and, based on the results, decides whether the entity is ready for an external audit. The external audit is conducted by a neutral party external to the government entity. Its findings are reported to the owners of the system, along with the entity's individual rating compared to the industry average, and determine movement to a new stage. To trigger Total eGovernment Maturity (TeGM) and progression to the next stage, the entity must have achieved an average capability score of ≥ 3 in both the eGSPM and the eGSRM. The motivation to progress depends entirely on the political will and available resources of the eGovernment system owners; the owners may wish to offer services at one stage only, but at an above average security confidence, which is articulated when the Int CTQ is defined. Ideally the entity achieves an overall average carrying a "+" indicator, as this shows that security is adequately addressed in its risk mitigation efforts.

7) Reporting: although some reporting is done in the Control phase to document how processes are controlled, reporting is singled out as a phase of its own. Overall reporting is important to document lessons learnt, to hand over, to facilitate succession planning and to develop industry best practice and standards. The report has two major components: (1) a report on the Int CTQ, and (2) a report on the significant factors that affect it and on the cost benefit of an improved and efficient process within the entity.
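The scoring and control arithmetic of Sections IV.B, IV.C, IV.F and V, worked through as an added example; this is not code from the paper or from the authors' prototype. It assumes capability levels averaged at each tier (Critical Variables to KDAs, KDAs to LDs, LDs to the eGSPM; RMF steps to the eGSRM), the weakest-link rule of Section IV.F applied to the unweighted scores as the paper's worked examples do, the weighted sum of equation (1) computed separately, and control limits set from a baseline of in-control assessment cycles with later cycles tested against them. The KDA and RMF step names are the paper's; every score, cycle value and function name, and the constraint that K2 carries at least half the weight, are constructed for this example (0.3/0.7 are the paper's example weights).

```python
"""Worked scoring example for the eGSSM (Sections IV.B, IV.C, IV.F and V).

Added illustration, not the authors' prototype: the critical-variable -> KDA
-> LD -> eGSPM averaging, the six-step eGSRM average, the weakest-link TeGM
rule with its +/- indicator, the >= 3 trigger and the mean +/- 3 sigma control
limits follow the paper; every score, cycle value and function name below is
a constructed assumption of this example.
"""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

TARGET_CL = 3.0  # capability level both phases must reach to trigger TeGM

# Constructed sample: LD -> KDA -> critical-variable levels (0..5). KDA names
# are the paper's; only a subset of the 18 KDAs and 57 variables is shown.
EGSPM_SAMPLE: Dict[str, Dict[str, List[float]]] = {
    "eGovernment Strategy": {"Vision, Strategies and Policies": [4, 3, 4],
                             "Enterprise Architecture Strategy": [3, 3]},
    "IT Governance": {"IT Architecture": [3, 4],
                      "Portfolio and Risk Management": [3, 3, 2]},
    "Process Management": {"Business Process Management": [3, 4],
                           "Information Security Management and Assurance": [2, 3, 2]},
    "Organization and People Capabilities": {"Change Management": [4, 3],
                                             "Human Capital": [3, 4]},
}
# Constructed sample: average task capability per NIST RMF step (SP 800-37 Rev. 1).
EGSRM_SAMPLE: Dict[str, float] = {"Categorize": 4.0, "Select": 3.5, "Implement": 3.0,
                                  "Assess": 3.0, "Authorize": 2.5, "Monitor": 3.0}
# Constructed cycle history of one KDA: in-control baseline cycles that set the
# limits, then later cycles to be checked against them (Analyze/Control steps).
BASELINE_CYCLES = [3.1, 3.2, 3.0, 3.1, 3.2, 3.1, 3.0, 3.1]
LATER_CYCLES = [3.2, 2.6, 3.4]


def kda_level(critical_variables: List[float]) -> float:
    """A KDA's level is the mean of its critical-variable levels."""
    return mean(critical_variables)

def ld_level(kdas: Dict[str, List[float]]) -> float:
    """An LD's level is the mean of its KDA levels."""
    return mean(kda_level(cvs) for cvs in kdas.values())

def egspm_level(lds: Dict[str, Dict[str, List[float]]]) -> float:
    """eGSPM: mean of the LD levels, which keeps it on the 0..5 scale."""
    return mean(ld_level(kdas) for kdas in lds.values())

def egsrm_level(rmf_steps: Dict[str, float]) -> float:
    """eGSRM: mean capability across the six RMF steps."""
    return mean(rmf_steps.values())

def below_target(lds, rmf_steps, target: float = TARGET_CL) -> List[Tuple[str, float]]:
    """Weakest links: KDAs and RMF steps whose level is under the target."""
    weak = [(kda, kda_level(cvs)) for kdas in lds.values()
            for kda, cvs in kdas.items() if kda_level(cvs) < target]
    return weak + [(step, cl) for step, cl in rmf_steps.items() if cl < target]

def tegm(egspm: float, egsrm: float) -> Tuple[float, str]:
    """Section IV.F rule: report the lower score; '-' when security (eGSRM)
    lags process maturity (eGSPM), '+' when it leads, '' when they are equal."""
    if egspm > egsrm:
        return round(float(egsrm), 1), "-"
    if egsrm > egspm:
        return round(float(egspm), 1), "+"
    return round(float(egspm), 1), ""

def weighted_total(egspm: float, egsrm: float, k2: float = 0.7) -> float:
    """Weighted sum T = eGSPM*K1 + eGSRM*K2, K1 = 1 - K2 (equation 1).
    Assumed constraint: K2 >= 0.5, so security carries the greater weight."""
    if not 0.5 <= k2 <= 1.0:
        raise ValueError("K2 must give security at least half the weight")
    return round(egspm * (1.0 - k2) + egsrm * k2, 2)

def eligible_to_progress(egspm: float, egsrm: float) -> bool:
    """Both phases must reach the target level to trigger TeGM."""
    return egspm >= TARGET_CL and egsrm >= TARGET_CL

def control_limits(cycles: List[float]) -> Tuple[float, float, float]:
    """(LCL, mean, UCL) with limits at mean -/+ 3 sigma, clipped to 0..5."""
    m, s = mean(cycles), pstdev(cycles)
    return max(0.0, m - 3 * s), m, min(5.0, m + 3 * s)

def out_of_control(baseline: List[float], later: List[float]) -> List[int]:
    """Indices of later cycles that fall outside the baseline's limits."""
    lcl, _, ucl = control_limits(baseline)
    return [i for i, c in enumerate(later) if c < lcl or c > ucl]


if __name__ == "__main__":
    p, r = egspm_level(EGSPM_SAMPLE), egsrm_level(EGSRM_SAMPLE)
    value, sign = tegm(p, r)
    print(f"eGSPM={p:.2f} eGSRM={r:.2f} TeGM={value}{sign} "
          f"T={weighted_total(p, r)} progress={eligible_to_progress(p, r)}")
    for name, cl in below_target(EGSPM_SAMPLE, EGSRM_SAMPLE):
        print(f"  below target: {name} ({cl:.2f})")
    print("out-of-control later cycles:", out_of_control(BASELINE_CYCLES, LATER_CYCLES))
```

Run as a script, the sample entity scores eGSPM 3.21 and eGSRM 3.17, so the reported maturity is 3.2- and progression is eligible; the "-" indicator is explained by the components listed below level 3 (Portfolio and Risk Management, Information Security Management and Assurance, and the RMF Authorize step), which is where the custodian should direct the next DMAIC cycle. Of the three later cycles, the second and third fall outside the 3-sigma limits set from the baseline and would be raised under the Out of Control Action Plan. Setting the limits from a separate baseline, rather than from the same cycles being judged, is what lets a single deviating cycle stand out.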

VI. CONCLUSION

In this paper we presented a structured approach to integrating security into eGMMs, the eGSSM. Using Six Sigma DMAIC principles, the model seeks to quantify the processes that support eGovernment and the security risk mitigation effort. It rests on the premise that if processes and security risk mitigation efforts are not measured they cannot be controlled, and if they cannot be controlled they cannot be improved.

ACKNOWLEDGMENT

This research was supported by the Concordia Faculty of Professional Education and Faculty of Graduate Studies. The first author is inordinately thankful to his supervisors, Pavol Zavarsky, Ron Ruhl, Dale Lindskog and Shaun Aghili, for their encouragement, guidance and support in scoping and crafting this research. Special mention also to Sandrine Jon Baptiste and Zachary D. Edwards for their encouragement and support.

REFERENCES

[1] G. Dias, R. Alo Paiva and A. José, "A simple model and a distributed architecture for realizing one-stop e-government", Electronic Commerce Research and Applications, vol. 6, pp. 81-90, 2006.
[2] M. Hwang et al., "Challenges in e-Government Security", Information & Security, vol. 15, no. 1, 2004.
[3] M. Janssen and A. F. van Veenstra, "Stages of growth in e-government: An architectural approach", Electronic Journal of e-Government, vol. 3, no. 4, pp. 193-200, 2005.
[4] B. Klievink and M. Janssen, "Realizing joined-up government: Dynamic capabilities and stage models for transformation", Government Information Quarterly, vol. 26, pp. 275-284, 2009.
[5] A. Shayan et al., "Identification of the Required Security Practices during e-Government Maturity", 2010.
[6] Software Engineering Institute, CMMI for Development, v1.2, USA, 2006.
[7] M. Iribarren Concha et al., "Capability Maturity Framework for e-Government: A Multi-dimensional Model and Assessing Tool", in M. A. Wimmer, H. J. Scholl and E. Ferro (eds.), EGOV 2008, LNCS vol. 5184, Springer, Heidelberg, 2008, pp. 136-147.
[8] National Institute of Standards and Technology (NIST), "Risk Management Framework", http://csrc.nist.gov/groups/SMA/fisma/framework.html#footnote4 (last accessed November 1, 2010).
[9] H. Wong, "A Review of the Six Sigma Approach: Methodology, Implementation and Future Research", 2008.
[10] D. H. Kim, "The Link between Individual and Organizational Learning", Sloan Management Review, vol. 35, no. 1, 1993.
[11] S. den Boer et al., Six Sigma for IT Management, 1st ed., Van Haren Publishing, Amersfoort, 2006, pp. 30-34.
