Evaluation of Assurance Case Description Method using ISO 27001 for Merger and Acquisition

  • Nobuyuki Kobayashi Keio University
  • Aki Nakamoto Keio University
  • Maki Kawase Hiroshima University
  • Makoto Ioki Keio University
  • Seiko Shirasaka Keio University
Keywords: M&A, Co-creation, Information security policy, Assurance Case, Dependability Case

Abstract

This study proposes an assurance case description method based on the framework of the Information Security Management System standard (ISMS; ISO 27001). The method is used to reach agreement on information security policies through co-creation of value between a parent company and the subsidiary it has merged with or acquired. Information security policies vary among companies, so a parent company needs to agree with its merged or acquired company on which policies apply. The purpose is to maintain the existing business of the subsidiary while the parent company continues to use the current IT infrastructure and network.

This study first structuralizes ISO 27001 using an assurance case. With the resulting assurance case, the study 1) clarifies the range of agreement and disagreement between the two companies' information security policies, and 2) shows how the two companies reach a final agreement covering the entire range. We also present quantitative evaluation results on the ability of Goal Structuring Notation (GSN) users to structuralize systems with multiple viewpoints, which serve to evaluate the proposed description method. Three information security experts created an assurance case with the proposed method and then evaluated its understandability, utility and effectiveness.

References

H. Alves, C. Fernandes, M. Raposo, "Value co-creation: Concept and contexts of application and study", Journal of Business Research, Vol. 69, No. 5, 2016, pp. 1626-1633.

E. Mitleton-Kelly, "Coevolutionary integration: The co-creation of a new organizational form following a merger and acquisition", Emergence: Complexity & Organization, Vol. 8, No. 2, 2006, pp. 36-47.

ISO/IEC 27001:2013, "Information technology – Security techniques – Information security management systems – Requirements", 2013.

ISO/IEC 15026-2:2011, "Systems and software engineering – Systems and software assurance – Part 2: Assurance case", 2011.

T. Kelly, "Arguing Safety – A Systematic Approach to Managing Safety Cases", Ph.D. thesis, University of York, 1998.

C. Menon, R. Hawkins, J. McDermid, "Defence Standard 00-56 Issue 4: Towards Evidence-Based Safety Standards", Proceedings of the Seventeenth Safety-Critical Systems Symposium, 2009, pp. 223-243.

GSN Community, "GSN Community Standard Version 1", Origin Consulting (York), 2011.

Y. Matsuno, H. Takamura, Y. Ishikawa, "A Dependability Case Editor with Pattern Library", IEEE 12th International Symposium on High Assurance Systems Engineering (HASE 2010), 2010, pp. 170-171.

H. Ying, "Generic security templates for information system security arguments: mapping security arguments within healthcare systems", Ph.D. thesis, School of Computing Science, University of Glasgow, 2014.

K. Kaneko, S. Yamamoto, H. Tanaka, "CC-Case as an Integrated Method of Security Analysis and Assurance over Life-cycle Process", International Journal of Cyber-Security and Digital Forensics (IJCSDF), The Society of Digital Information and Wireless Communications, Vol. 3, No. 1, 2014, pp. 49-62.

N. Kobayashi, A. Nakamoto, M. Kawase, F. Sussan, M. Ioki, S. Shirasaka, "Four-Layered Assurance Case Description Method Using D-Case", International Journal of Japan Association for Management Systems, Vol. 10, No. 1, 2018, pp. 87-93.

N. Kobayashi, A. Nakamoto, M. Kawase, F. Sussan, S. Shirasaka, "What Model(s) of Assurance Cases Will Increase the Feasibility of Accomplishing Both Vision and Strategy?", Review of Integrative Business and Economics Research, Vol. 7, No. 2, 2018, pp. 1-17.

N. Kobayashi, A. Nakamoto, M. Kawase, F. Sussan, M. Ioki, S. Shirasaka, "Managing a monolithic system or a System-of-Systems? An assurance case approach to reach intraorganizational consensus", Proceedings of the 2018 7th International Congress on Advanced Applied Informatics (IIAI-AAI 2018), 2018, pp. 688-693.

N. Kobayashi, A. Nakamoto, S. Shirasaka, "Proposal of an Assurance Case Description Method Considering External Environment of Systems: Application to Operation of an Ice-Skating Rink", Review of Integrative Business and Economics Research, Vol. 8, No. 3, 2018, pp. 87-95.

N. Kobayashi, A. Nakamoto, S. Shirasaka, "What is it to structuralize with multiple viewpoints by using Goal Structuring Notation (GSN)?", International Journal of Japan Association for Management Systems, Vol. 10, No. 1, 2018, pp. 125-130.

N. Kobayashi, A. Nakamoto, S. Shirasaka, "A Quantitative Evaluation Method for Evaluating the GSN Users' Ability to Structuralize Systems with Multiple Viewpoints", International Journal of Japan Association for Management Systems, Vol. 10, No. 1, 2018, pp. 145-150.

N. Kobayashi, K. Tanaka, N. Yoshioka, A. Nakamoto, S. Shirasaka, "Challenges of Assurance Case Description Method in Japan", International Journal of Japan Association for Management Systems, Vol. 9, No. 1, 2017, pp. 43-49.

S. Yamamoto, Y. Matsuno, "A Consideration on Developing Dependability Case", IEICE Technical Report KBSE2012-22, Vol. 112, No. 165, 2012, pp. 61-66.

N. Kobayashi, A. Nakamoto, M. Kawase, S. Shirasaka, "Comparison of Two Quantitative Evaluation Methods for Assurance Cases", International Journal of Japan Association for Management Systems, Vol. 8, No. 1, 2016, pp. 27-34.

Published: 2020-05-30
Section: Theory Papers