Spanish Tax Agency

La Línea de la Concepción, Spain


Alcaniz L.M.,National Competition Commission | Rosado D.G.,University of Castilla - La Mancha | Mellado D.,Spanish Tax Agency | Fernandez-Medina E.,University of Castilla - La Mancha
Proceedings of the 11th International Workshop on Security in Information Systems, WOSIS 2014 - In Conjunction with ICEIS 2014 | Year: 2014

While cloud computing emerges as a major trend in the IT industry, early providers and adopters are paving the path with concerns and solutions. One of the most worrisome challenges facing the corporate clients of this new form of IT provision is how to maintain the security of their most important everyday apps in the new environment, that is, how to securely migrate their legacy systems, which run on data centres fully controlled by the organization's IT department, to a less clearly controlled infrastructure that is managed at least partly outside the scope of the client's premises and even completely off-shore. This paper presents a Systematic Mapping Study on the issue as the first step in analyzing the existing approaches in the literature to the process of migration to cloud computing, taking into account the security aspects that also have to be moved to the cloud. We propose four research questions dealing with the existing strategies to migrate legacy systems, how they relate to common security issues as well as security issues specific to the cloud environment, and how the proposals are aligned with security standards.


Marquez L.,Spanish National Authority for Markets and Competition CNMC | Rosado D.G.,University of Castilla - La Mancha | Mouratidis H.,University of Brighton | Mellado D.,Spanish Tax Agency | Fernandez-Medina E.,University of Castilla - La Mancha
Lecture Notes in Business Information Processing | Year: 2015

The emergence of cloud computing as a major trend in the IT industry signifies that corporate users of this paradigm are confronted with the challenge of securing their systems in this new environment. An important aspect of that includes the secure migration of an organization’s legacy systems, which run in data centers that are completely controlled by the organization, to a cloud infrastructure, which is managed outside the scope of the client’s premises and may even be totally off-shore. This paper makes two important contributions. Firstly, it presents a process (SMiLe2Cloud) and a framework that supports secure migration of corporate legacy systems to the cloud. We propose a process based on a continuous improvement cycle that starts with a Knowledge Discovery Meta-Model (KDM) set of models from which a security model for legacy system migration to the cloud is derived. Secondly, it provides a set of clauses (derived from the models) for security cloud providers and custom security cloud controls. © Springer International Publishing Switzerland 2015.


Mellado D.,Spanish Tax Agency | Mouratidis H.,University of East London
Proceedings of the 9th International Workshop on Security in Information Systems, WOSIS 2012, in Conjunction with ICEIS 2012 | Year: 2012

The elicitation of security requirements for Software Product Lines (SPL) is a challenging task, mainly due to the varying security properties required in different products, for the diversity of market segments, and the constraint of simultaneously maintaining the cost-effective principle of the SPL paradigm. Goal-driven security requirements engineering approaches, such as Secure Tropos, have been proposed in the literature as a suitable paradigm for elicitation of security requirements and their analysis on both a social and a technical dimension. Nevertheless, on one hand, security requirements engineering methodologies are not appropriately tailored to the specific demands of SPL, while on the other hand specific proposals of SPL engineering have traditionally ignored security requirements. This paper presents work that fills this gap by proposing an extension to the Secure Tropos language to support SPL.


Gomez R.,Spanish Tax Agency | Rosado D.G.,University of Castilla - La Mancha | Mellado D.,Spanish Tax Agency | Fernandez-Medina E.,University of Castilla - La Mancha
Proceedings of the 9th International Workshop on Security in Information Systems, WOSIS 2012, in Conjunction with ICEIS 2012 | Year: 2012

Cloud computing is setting the trend in the IT world. As it evolves, providers and clients voice their concerns about its pros and cons. Some proposals have been made on methodologies to assess criteria for benefits and risks of the different cloud models. How do these proposals deal with security issues (which most IT executives point out as their top concern)? In this paper we go into the issue of how we can incorporate security requirements into a decision-making process for whether to migrate legacy systems to the cloud and how to do it: from systems under the control of the firms' data centers to systems working partially, if not totally, out of their control.


Rebollo O.,Ministry of Labour and Social Security | Mellado D.,Spanish Tax Agency | Fernandez-Medina E.,University of Castilla - La Mancha | Mouratidis H.,University of Brighton
Information and Software Technology | Year: 2015

Context: Cloud computing is a thriving paradigm that supports an efficient way to provide IT services by introducing on-demand services and flexible computing resources. However, significant adoption of cloud services is being hindered by security issues that are inherent to this new paradigm. In previous work, we have proposed ISGcloud, a security governance framework to tackle cloud security matters in a comprehensive manner whilst being aligned with an enterprise's strategy. Objective: Although a significant body of literature has started to build up related to security aspects of cloud computing, the literature fails to report on evidence and real applications of security governance frameworks designed for cloud computing environments. This paper introduces a detailed application of ISGcloud to a real-life case study of a Spanish public organisation, which utilises a cloud storage service in a critical security deployment. Method: The empirical evaluation has followed a formal process, which includes the definition of research questions prior to the framework's application. We describe the ISGcloud process and attempt to answer these questions, gathering results through direct observation and from interviews with related personnel. Results: The novelty of the paper is twofold: on the one hand, it presents one of the first applications, in the literature, of a cloud security governance framework to a real-life case study along with an empirical evaluation of the framework that proves its validity; on the other hand, it demonstrates the usefulness of the framework and its impact on the organisation. Conclusion: As discussed in the paper, the application of ISGcloud has resulted in the organisation in question achieving its security governance objectives, minimising the security risks of its storage service and increasing security awareness among its users. © 2014 Elsevier B.V. All rights reserved.


Mellado D.,Spanish Tax Agency | Fernandez-Medina E.,University of Castilla - La Mancha | Piattini M.,University of Castilla - La Mancha
Information and Software Technology | Year: 2010

Context: The correct analysis and understanding of security requirements are important because they assist in the discovery of any security or requirement defects or mistakes during the early stages of development. Security requirements engineering is therefore both a central task and a critical success factor in product line development owing to the complexity and extensive nature of software product lines (SPL). However, most of the current SPL practices in requirements engineering do not adequately address security requirements engineering. Objective: The aim of this approach is to describe a holistic security requirements engineering framework with which to facilitate the development of secure SPLs and their derived products. It will conform with the most relevant security standards with regard to the management of security requirements, such as ISO/IEC 27001 and ISO/IEC 15408. Results: This framework is composed of: a security requirements engineering process for SPL (SREPPLine) driven by security standards; a Security Reference Meta Model to manage the variability of those SPL artefacts related to security requirements; and a tool (SREPPLineTool) which implements the meta-model and supports the process. Method: A complete explanation of the framework will be provided. The process will be formally specified with SPEM 2.0 and the repository will be formally specified with an XML grammar. The application of SREPPLine and SREPPLineTool will be illustrated through a description of a simple example as a preliminary validation. Conclusion: Although there have been several attempts to fill the gap between requirements engineering and SPL requirements engineering, no systematic approach with which to define security quality requirements and to manage their variability and their related security artefacts in SPL models is, as yet, available. The contribution of this work is that of providing a systematic approach for the management of the security requirements and their variability from the early stages of product line development in order to facilitate the conformance of SPL products with the most relevant security standards. © 2010 Elsevier B.V. All rights reserved.


Rebollo O.,Ministry of Labour and Immigration | Mellado D.,Spanish Tax Agency | Eduardo F.-M.,University of Castilla - La Mancha
Proceedings of WOSIS 2013: 10th International Workshop on Security in Information Systems - In Conjunction with the 15th International Conference on Enterprise Information Systems, ICEIS 2013 | Year: 2013

The cloud computing paradigm provides a more efficient way in which to provide IT services, introducing on-demand services and flexible computing resources. The adoption of these cloud services is being hindered by the security issues that arise with this new environment. A global security solution, which deals with the specific particularities of the cloud paradigm, is therefore needed, and literature fails to report on such a solution. As a consequence, in this paper we propose a novel security governance framework focused on the cloud computing environment (ISGcloud). This framework is founded upon two main standards: on the one hand, we implement the core governance principles of the ISO/IEC 38500 governance standard; and on the other hand, we propose a cloud service lifecycle based on the ISO/IEC 27036 outsourcing security draft. The paper includes an overview of the framework and the description of a collection of activities and their related tasks. Copyright © 2013 SCITEPRESS.


Rebollo O.,Ministry of Labour and Immigration | Mellado D.,Spanish Tax Agency | Fernandez-Medina E.,University of Castilla - La Mancha
Computer Journal | Year: 2014

Security risks to organizations' information assets are hindering the development of cloud computing services. A comprehensive security governance process is needed to foster the massive adoption of cloud services and to facilitate the deployment of a security culture within any company. In this paper, we present a framework focused on the security governance of the cloud computing environment (ISGcloud), which has been built upon standards. Its principal components are based on the ISO/IEC 38500 governance standard and on the ISO/IEC 27036 outsourcing security draft. We propose a systematic collection of activities and their related tasks which detail how security governance can be deployed during the entire cloud service lifecycle. Furthermore, the whole framework is formally modelled following the SPEM 2.0 specification that provides a standardized interface with which to automate and integrate our proposed process. The theoretical definition of our proposal is also accompanied by a practical example of its application, which provides specific details of the ISGcloud framework's implementation. © 2014 The British Computer Society 2014. All rights reserved.


Mellado D.,Spanish Tax Agency | Mouratidis H.,University of East London | Fernandez-Medina E.,University of Castilla - La Mancha
Computer Standards and Interfaces | Year: 2014

Security and requirements engineering are two of the most important factors of success in the development of a software product line (SPL). Goal-driven security requirements engineering approaches, such as Secure Tropos, have been proposed as a suitable paradigm for elicitation of security requirements and their analysis on both a social and a technical dimension. Nevertheless, goal-driven security requirements engineering methodologies are not appropriately tailored to the specific demands of SPL, while on the other hand specific proposals of SPL engineering have traditionally ignored security requirements. This paper presents work that fills this gap by proposing the "SecureTropos-SPL" framework. © 2014 Elsevier B.V.
