Emergent Needs in Assuring Security-Relevant Compliance of Information Systems

Tomas Bueno Momčilović and Dian Balta

EICC 2024: European Interdisciplinary Cybersecurity Conference, pp. 46–49

June 2024 · Xanthi, Greece · doi: 10.1145/3655693.3655708

Abstract

Establishing and assuring compliance of information systems is a difficult task with potentially critical impact on the security of those same systems. Ambiguously worded laws such as the Digital Operational Resilience Act make it difficult for organizations to determine which actions to undertake in pursuit of compliance. This ambiguity prompts auditors, compliance officers and other involved roles to interpret the meaning and implement measures according to their best judgment, resulting in an intricate back-and-forth process with remaining uncertainties. In a qualitative case study involving a multinational financial corporation and its information systems, we explore the needs of stakeholders that emerge from the interpretations and uncertainties in the process. Based on a deeper look at the subcase of establishing and assuring compliance of identity and access management (IAM) procedures, we model the complex interconnections in a figure. Finally, we discuss potential avenues for resolving these problems.

Subject terms: Assurance, Identity and Access Management, Knowledge Modeling, Regulatory Compliance