 
Volume 7, Issue 1, pp. 22-50, 2021 | Full Length Article
Robert Kemp¹*, Richard Smith²
DOI: https://doi.org/10.54216/JCIM.070103
Internal auditing is important for ensuring compliance with multiple safety and security standards. The problem is that although safety and security have similarities when it comes to auditing, they also have differences that make auditing both areas under the same process difficult. This paper shows how to overcome those differences and leverage the similarities to create one auditing process for both safety and security. The paper harmonizes the differing terminology of safety and security and shows how the new auditing process can support compliance with IEC 61508, ISO 27001 and IEC 62443.
audit, security, safety, critical infrastructure, standards, assessment