An applied methodology for information security and assurance: A study case for cloud computing

Information security is one of the main concerns in many fields of computer and information technologies, and even more on new emerging technologies such as cloud computing. Current security standards and models usually focus on "what" has to be done about security, but they do not propose "how" to deal with the inherent complexity of assuring modern infrastructures. Security standards usually produce large check lists describing security countermeasures, but they lack a comprehensive and complete process to define the security requirements of information being managed. As a consequence, security implementations may miss important security controls, and they cannot guarantee a consistent and in-depth security implementation at the different layers of the system. We propose a methodology with a novel hierarchical approach to guide a comprehensive and complete assurance process. Real use cases are shown, by applying our methodology to assure a private cloud being developed at the Universidad de Costa Rica (UCR).