A Graph-Based Approach for Managing Enterprise Information System Security

An enterprise information system consists of assets and their inter-relationships. These inter-relationships are manifested in the connection of hardware assets in network architecture, or in the installation of software and information assets in hardware. Security policies are used to specify and control access to enterprise assets. Inter-relationships of assets, along with improper specification of policies, can lead to managerial vulnerabilities in the enterprise information system. Threats may exploit these vulnerabilities to breach the security of sensitive assets. This paper discusses a graph-based methodology for the specification of Enterprise Information Systems. The methodology captures enterprise information security requirements, helps specify security policies, and detects managerial vulnerabilities in enterprise information systems.