Toward an Effective Information Security Risk Management of Universities ’ Information Systems Using Multi Agent Systems , Itil , Iso 27002

Universities in the public and private sectors depend on information technology and information systems to successfully carry out their missions and business functions. Information systems are subject to serious threats that can have adverse effects on organizational operations and assets, and individuals by exploiting both known and unknown vulnerabilities to compromise the confidentiality, integrity, or availability of the information being processes, stored or transmitted by those systems. Threats to information systems can include purposeful attacks, environmental disruptions, and human/machine errors, and can result in harm to the integrity of data. Therefore, it is imperative that all the actors at all levels in a university information system understand their responsibilities and are held accountable for managing information security riskthat is the risk associated with the operation and use of information systems that support the missions and business functions of their university. The purpose of this paper is to propose an information security toolkit namely URMIS (University Risk Management Information System) based on multi agent systems and integrating with existing information security frameworks and standards, to enhance the security of universities information systems. Keywords—Information security; information systems; multi agent systems; ITIL V3; ISO 27002; ISO 27005


I. INTRODUCTION
Information systems (ISs) are everywhere.They have a large impact on the everyday lives of universities as well as on individuals.At the heart of information systems, security aspects play a vital role and are thus becoming central issues in those systems' effective usage.
The importance of security technologies and of their enabling technical platforms has been widely recognized and receives continuous attention (e.g., new encryption, algorithms, public key infrastructures, etc.).
For some people, security management issues start with updating an antivirus database, but from a more serious perspective, universities understand that security concerns are the source of important costs, not only in terms of technologies but especially in terms of related management activities.
There are emerging calls for an integrated view of information security, from the technological, human, and organizational aspects, sometimes referred as MTO (Man, Technology, and Organization).
However, there is a lack in the methods for tackling the MTO issues in information security.One of the research focuses on the development of information security checklist and standards in order to capture the best practice.
Another research focuses on risk assessment by identifying the threats and vulnerabilities, and then determining the likelihood and impact for each risk.Risk assessment could either be qualitative, categorizing low, medium and high risks, or be quantitative, calculating the value of "Annualized Loss Expectancy" This paper is presented as follows: after a brief introduction, in section two; a survey of available information security risk management methods and tools will be presented, and then the standards, ISO 27002, ISO 27005, and the framework ITIL will be described.Then, in the third section the toolkit URMIS will be proposed and the multi agent system www.ijacsa.thesai.orgwill be introduced.The fourth section will propose the architecture, before concluding this paper.

A. Risk Management tools and frameworks
An organizational risk is the risk to the organization or to individuals associated with the operation of an information system.The management of organizational risk is a key element in the organization's information security program and provides an effective framework for selecting the appropriate security controls for an information system---the security controls necessary to protect individuals and the operations and assets of the organization.
The common view a Risk Assessment Framework provides helps an organization see which of its systems are at low risk for abuse or attack and which are at high risk.The data an RAF provides is useful for addressing potential threats proactively, planning budgets and creating a culture in which the value of data is understood and appreciated.
There are several risk assessment frameworks and risk management methods that are accepted as industry standards that we can list in the figure below.Risk Management methods and frameworks None of these tools implement the multi agent system approach.
Incorporation of the use of information and communication technology in Moroccan universities, involves the need to secure data in information systems.
There is a very little research related to the applications of multi agent systems (MAS) in information system security.
Besides to that, these tools are difficult to use because they require a certain level of knowledge.Moreover, they don't provide recommendations or immediate solutions to security issues; they just give guidelines to follow in order to ensure an effective security of the information system.
Based on the methodologies aforementioned, and other works described in [4] [5] [6] [10] [11], we propose an integration of the use of ISO 27002, ISO 27005, ITI, and multiagent systems to develop an information security risk management tool of universities information systems named URMIS (Universities Risk Management Information System).

B. ISO 27002
The ISO 27002 standard is a collection of information security guidelines that are intended to help an organization implement, maintain, and improve its information security management.It is a code of good practices that provides hundreds of potential controls that are designed to be implemented with guidance provided within ISO 27001.

C. ISO 27005
ISO 27005 is intended to provide guidelines for information security risk management.It is used either autonomously or as a support for ISO 27001.It supports the general concepts specified in ISO 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.It does not specify or recommend any specific risk analysis method, although it specifies a structured, systematic and rigorous process from analyzing risks to creating the risk treatment plan.www.ijacsa.thesai.org The strengths of ISO 27005 are as follows:  Flexible and reusable  Continuous risk management  Highlighting the human factor: the concept of responsibility  Whereas its weaknesses are as follows:  No specific methodology for risk management The figure below gives an overview of the information security risk management process in ISO 27005.Information Security Risk Management process

D. ITIL V3
The Information Technology Infrastructure Library (ITIL) is a framework of best practices that promote quality computing services in IT sector.
ITIL is the most widely accepted approach to IT service management in the world.ITIL provides a cohesive set of best practice, drawn from the public and private sectors internationally.
ITIL presents a broad set of management procedures, which apply to all aspects of IT infrastructure, with which an organization can manage its IT operations (Zegers, 2006, Wegmann, 2008).
The ITIL v3 Core consists of five publications, each providing guidance on a specific phase in the service management lifecycle.
The ITIL Core publications are as follows:  Service strategy  Service design  Service transition  Service operation  Continual service improvement ITIL can help companies assess their risks, and put procedures in place to log and respond to incidents.ITIL, and more specifically the ITIL security management process, is widely used for the implementation of information security within an organization.ITIL v3 has placed the information security management process within the Service Design core practice book.The goal of the information security management process is to align IT security with business security and ensure that information security is effectively managed in all services and service management activities (OGC, 2007;Taylor,2008). Confidentiality (C): All information must be protected according to the degree of privacy of their content, aimed at limiting its access and used only by the people for whom they are intended;  Integrity (I): All information must be kept in the same condition in which it was released by its owners, in order to protect it from tampering, whether intentional or accidental;  Availability (A): All the information generated or acquired by an individual or institution should be available to their users at the time they need them for any purpose;

III. OBJECTIVES AND IMPORTANCE OF THE RESEARCH
The major objective of this work is to design and implement an integrated toolkit for improving risk management of a university information system.This work explores how to promote integration and the establishment of a toolkit that would allow each university to have reliable data on higher education, driving better management and improve their governance and risk management.
Implementing this toolkit involves taking a proactive, strategic and measured approach that is more efficient than the reactive one used in many universities.This can be reached across a strategic integration of appropriate frameworks, models and methods in governance and information security.
Analyzing the relevant frameworks, models and methods, used in the aforementioned domains, and extracting the best practices for implementing them in URMIS, can provide effective security of university IS assets.

A. The proposed toolkit
URMIS (Universities Risk Management Information System) is an information security toolkit that provides guidance policies to achieve an effective information security risk management in universities' information systems.www.ijacsa.thesai.orgWith the intention of implementing the task of information security risk management, URMIS needs to collect data about the status of information asset, recognize kinds of risk, and perform risk management task based on a good defined risk management process.That means the working environment of URMIS consists of knowledge, data, process and strategies.However, knowledge, data, process and strategies are resources in different formalization, and it is a complex work to design interface for each resource.This work is based on the multi agent systems approach, because of its benefits.It encompasses cooperation, resolution of complex problems, modularity, efficiency, reliability and reusability.All these advantages provided by MAS fit these needs.

B. Agent and Multi agent systems (MAS)
Jennings and Wooldridge [Jennings & Wooldridge 1998] have defined an agent as "a computer system located in certain environment which is able to act autonomously in this environment, in order to meet its design goals".Agents have the following main properties and characteristics:  Autonomy : agents encapsulate a state (which is not available to other agents), and make decisions on what to do based on this state, without direct human intervention or other persons;  Social ability: agents interact with other agents (and possibly humans) via some kind of agent communication  Language, and generally have the opportunity to participate in social activities (such as cooperation for solving problems or negotiating) to achieve their goals.
 Reactivity: agents are put in an environment (which may be the physical world, a user via a graphical interface, a collection of other agents, the internet, or perhaps many of these combinations), are able to perceive this environment (through the use of potentially imperfect sensors), and are able to respond to timely changes that occur in it.
 Proactivity: Agents do not simply act in response to their environment; they are able to solve a problem by taking the initiative.
A multi-agent system (MAS) is a system composed of several intelligent agents that interact with each other.They can be used to solve problems that are difficult or impossible to solve for an individual agent or monolithic system.Multi-agent systems are open and scalable systems that enable the implementation of autonomous and proactive software components.They are characterized by the local autonomy, social interaction, adaptability, robustness and scalability, and for these reasons, they are a very promising paradigm to address the challenges facing automation and check systems.

A. Model-View-Controller (MVC)
URMIS is based upon the widely used Model-View-Controller (MVC) architecture common in interactive web based applications.MVC separates the layers; presentation layer (UI: User Interface), business (BLL: Business Logic Layer) and data access (DAL: Data Access Layer).The goal is to have a minimum length between the different layers of the application; and changes made to any layer of the application do not affect other layers.

B. URMIS architecture
URMIS is composed of five layers: client layer, mediator layer, service layer, risk management layer and resource layer.The system is based on the following multi agent systems: client agents, mediator agent, service agents, risk agents, incident agent and internet agent.The figure 4 below represents the architecture of URMIS Fig. 3.

URMIS architecture
Client agent: They consist of all agents on the client layer, namely agent teacher, agent student, and agent administrative body.They manage the interaction between the users (teachers, students and administrative body) and the system.They allow users to connect to the system by specifying their names, email addresses and id.Every user has a unique id; this field differentiates between the user if it is a teacher, a student or an administrative body.
The id is composed of eight alphanumeric characters; id' teacher starts with the character "t", id's student starts with "s", and id's administrative body starts with "ab".Client agents communicate with the mediator agent by sending users' information of connection.
In case of an incident of connection (password or id forgotten), the user can ask for a solution by sending his request to the risk multi agent system.www.ijacsa.thesai.org Mediator agent: This agent acts like a security checker.
It checks the identities of the users so it can allow them to access to the service layer.It also performs a permission check of the user's access rights and, thereafter, allows him to exploit the service for which he's authorized.
In order to have their needs processed a user requests a service from the mediator agent which then forwards the messages to the destination (service agents) if the access is granted or drops the message and returns a FAILURE message to the sender otherwise.To guarantee a high level of performance several Mediator agents can be triggered to distribute the work among them.
To distinguish between the requesting agents, it is necessary for the mediator agent to link between the user and its category (teacher, student or administrative body).Therefore, the Mediator consults the database which in are stored the users, their corresponding category, and the types of services they can access.
Service agent: These agents communicate with the resource layer to accomplish their tasks.

Risk agents:
In the risk management layer we have four agents namely risk identification agent, risk estimation agent, risk evaluation agent and risk treatment agent.Incident agent: It contains in its knowledge base solutions to similar incidents which occur frequently.This agent stores scenarios of solutions to incidents and make it available for other agents.With this information, other agents are able to take the right decisions in the right moment.
Internet agent: Its role is to store in the knowledge base all the threat and vulnerabilities that it receives from internet.
V. CONCLUSION AND PERSPECTIVES Risk management techniques used before were inappropriate to avoid risks before their occurrence.These approaches were in a reactive perspective.It has therefore become necessary to run into for an integrated approach with a proactive perspective to avoid risks and treat them without compromising the information systems.
In this paper, we describe how information security activities can contribute to the protection of information and infrastructure assets against the risks of loss, bad use or destruction.
In a future work, we will detail the architecture of each agent and the communication between them in URMIS.We will also integrate the processes of the method OCTAVE, in order to quantify risks that can affect URMIS.


The strengths of ISO 2700 are listed below:  Optimize the costs of ISS by associating with ISO 27001 Increased knowledge of risk management  Does not require a technical solution Whereas its weaknesses are listed below: Optimize the costs of ISS by associating with ISO 27001 Increased knowledge of risk management  Does not require a technical solution In the current version published 2013, ISO 27002:2013 contains 114 controls, as opposed to the 133 documented within the 2005 version.However for additional granularity, these are presented in fourteen sections, rather than the original eleven.