
JOURNAL OF COMPUTING, VOLUME 3, ISSUE 7, JULY 2011, ISSN 2151-9617

HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 117

Mapping Approach of ITIL Service Management Processes to ISO/IEC 27001 Controls

Razieh Sheikhpour, Nasser Modiri

Abstract: Information security plays an important role in protecting the assets of an organization. A number of best practice frameworks exist to help organizations assess their security risks and implement appropriate security controls. Integrating security best practices such as ISO/IEC 27001 into service management best practice processes such as ITIL enables an organization to lower the overall cost of maintaining acceptable security levels, manage risks effectively and reduce overall risk levels. ITIL provides a framework of best practice guidance for information technology service management. ISO/IEC 27001 is a set of guidelines that an organization can use to design, deploy and maintain an information security management system. From an ITIL perspective, most of the security controls identified in ISO/IEC 27001 are already part of service management. This paper describes a mapping of ITIL service management processes to the controls of ISO/IEC 27001.

Index Terms: Information, Security, Organization, ITIL, ISO/IEC 27001.

1 INTRODUCTION

THE rapid advances in information and communication technologies, in particular the internet, and their increasing use have raised the speed and accessibility of operations, resulting in significant changes in the way organizations conduct their activities. Consequently, organizations have become increasingly dependent on the availability, reliability and integrity of their information systems to be competitive and to create new business opportunities. However, by its very nature, the use of information technology brings significant risks to information systems and particularly to critical resources. An increasing number of sophisticated attacks are expected to evolve as wireless and other technologies advance. This fact reinforces the need to ensure the security of organizations' information systems [1].

There are several security standards and best practice models available for information security. Standards not only provide a framework for implementing effective information security practices, they can also ensure that information security and organizational objectives are properly aligned. Furthermore, organizations recognize that standards demonstrate to clients and customers their commitment to good information security practices. Two of the more widely used standards are briefly discussed here, namely ITIL and ISO/IEC 27001 [2].

ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System. The ITIL security management process describes the structured fitting of security into the management organization. ITIL security management is based on the ISO 27001 standard [3].

ISO 27001 and ITIL are very complementary. ITIL is focused on service management best practices; ISO/IEC 27001 is focused on information security best practices. From an ITIL perspective, most of the security controls identified in ISO/IEC 27001 are already part of service management. Both ITIL and ISO 27001 identify the requirement to build security into all aspects of the service in order to manage risks in the infrastructure effectively [4].

In this paper, we describe a mapping of ITIL service management processes to ISO/IEC 27001 controls. The rest of the paper is organized as follows: Section 2 describes ISO/IEC 27001 concepts. Section 3 presents an overview of ITIL service management concepts. Section 4, which contains the main focus of the paper, describes a mapping of ITIL processes to ISO/IEC 27001 controls. Finally, Section 5 concludes the paper.

Razieh Sheikhpour is with the Department of Computer Engineering, North Tehran Branch, Islamic Azad University, Tehran, Iran.
Nasser Modiri is with the Department of Computer Engineering, Zanjan Branch, Islamic Azad University, Zanjan, Iran.

2011 Journal of Computing Press, NY, USA, ISSN 2151-9617
http://sites.google.com/site/journalofcomputing/

2 ISO/IEC 27001:2005

ISO/IEC 27001:2005 is the international standard for entities to manage their information security. It sets out how a company should address the requirements of confidentiality, integrity and availability of its information assets and incorporate this into an Information Security Management System (ISMS) [3, 5]. It specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within an organization. It is designed to ensure the selection of adequate and proportionate security controls to protect information assets. This standard is usually applicable to all types of organizations, including business enterprises, government agencies, and so on. The standard introduces a cyclic model known as the Plan-Do-Check-Act (PDCA) model that aims to establish, implement, monitor and improve the effectiveness of an organization's ISMS. The PDCA cycle has the following four phases [6, 7]:

a) Plan phase (establishing the ISMS): Establish the ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security, to deliver results in accordance with the organization's overall policies and objectives.
b) Do phase (implementing and operating the ISMS): Implement and operate the ISMS policy, controls, processes and procedures.
c) Check phase (monitoring and reviewing the ISMS): Assess and, where applicable, measure process performance against the ISMS policy, objectives and practical experience, and report the results to management for review.
d) Act phase (maintaining and improving the ISMS): Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS [6].

Figure 1 shows the PDCA model applied to ISMS processes.

Fig. 1. PDCA model applied to ISMS processes [5].

2.1 ISO/IEC 27001 Control Objectives and Controls

ISO/IEC 27001:2005 contains 39 control objectives and 133 specific controls, organized into 11 main sections. Table 1 shows the control objectives and controls of ISO/IEC 27001.

TABLE 1 CONTROL OBJECTIVES AND CONTROLS OF ISO/IEC 27001 [5]

Columns of the original table: Domain (A.x), Control Objective (A.x.y), Control (A.x.y.z); shown here as a nested outline.

A.5 Security policy
    A.5.1 Information security policy
        A.5.1.1 Information security policy document
        A.5.1.2 Review of the information security policy
A.6 Organization of information security
    A.6.1 Internal organization
        A.6.1.1 Management commitment to information security
        A.6.1.2 Information security coordination
        A.6.1.3 Allocation of information security responsibilities
        A.6.1.4 Authorization process for information processing facilities
        A.6.1.5 Confidentiality agreements
        A.6.1.6 Contact with authorities
        A.6.1.7 Contact with special interest groups
        A.6.1.8 Independent review of information security
    A.6.2 External parties
        A.6.2.1 Identification of risks related to external parties
        A.6.2.2 Addressing security when dealing with customers
        A.6.2.3 Addressing security in third party agreements
A.7 Asset management
    A.7.1 Responsibility for assets
        A.7.1.1 Inventory of assets
        A.7.1.2 Ownership of assets
        A.7.1.3 Acceptable use of assets
    A.7.2 Information classification
        A.7.2.1 Classification guidelines
        A.7.2.2 Information labeling and handling
A.8 Human resources security
    A.8.1 Prior to employment
        A.8.1.1 Roles and responsibilities
        A.8.1.2 Screening
        A.8.1.3 Terms and conditions of employment
    A.8.2 During employment
        A.8.2.1 Management responsibilities
        A.8.2.2 Information security awareness, education and training
        A.8.2.3 Disciplinary process
    A.8.3 Termination or change of employment
        A.8.3.1 Termination responsibilities
        A.8.3.2 Return of assets
        A.8.3.3 Removal of access rights
A.9 Physical and environmental security
    A.9.1 Secure areas
        A.9.1.1 Physical security perimeter
        A.9.1.2 Physical entry controls
        A.9.1.3 Securing offices, rooms and facilities
        A.9.1.4 Protecting against external and environmental threats
        A.9.1.5 Working in secure areas
        A.9.1.6 Public access, delivery and loading areas
    A.9.2 Equipment security
        A.9.2.1 Equipment siting and protection
        A.9.2.2 Supporting utilities
        A.9.2.3 Cabling security
        A.9.2.4 Equipment maintenance
        A.9.2.5 Security of equipment off premises
        A.9.2.6 Secure disposal or re-use of equipment
        A.9.2.7 Removal of property
A.10 Communications and operations management
    A.10.1 Operational procedures and responsibilities
        A.10.1.1 Documented operating procedures
        A.10.1.2 Change management
        A.10.1.3 Segregation of duties
        A.10.1.4 Separation of development, test and operational facilities
    A.10.2 Third party service delivery management
        A.10.2.1 Service delivery
        A.10.2.2 Monitoring and review of third party services
        A.10.2.3 Managing changes to third party services
    A.10.3 System planning and acceptance
        A.10.3.1 Capacity management
        A.10.3.2 System acceptance
    A.10.4 Protection against malicious and mobile code
        A.10.4.1 Controls against malicious code
        A.10.4.2 Controls against mobile code
    A.10.5 Back-up
        A.10.5.1 Information back-up
    A.10.6 Network security management
        A.10.6.1 Network controls
        A.10.6.2 Security of network services
    A.10.7 Media handling
        A.10.7.1 Management of removable media
        A.10.7.2 Disposal of media
        A.10.7.3 Information handling procedures
        A.10.7.4 Security of system documentation
    A.10.8 Exchange of information
        A.10.8.1 Information exchange policies and procedures
        A.10.8.2 Exchange agreements
        A.10.8.3 Physical media in transit
        A.10.8.4 Electronic messaging
        A.10.8.5 Business information systems
    A.10.9 Electronic commerce services
        A.10.9.1 Electronic commerce
        A.10.9.2 On-line transactions
        A.10.9.3 Publicly available information
    A.10.10 Monitoring
        A.10.10.1 Audit logging
        A.10.10.2 Monitoring system use
        A.10.10.3 Protection of log information
        A.10.10.4 Administrator and operator logs
        A.10.10.5 Fault logging
        A.10.10.6 Clock synchronization
A.11 Access control
    A.11.1 Business requirement for access control
        A.11.1.1 Access control policy
    A.11.2 User access management
        A.11.2.1 User registration
        A.11.2.2 Privilege management
        A.11.2.3 User password management
        A.11.2.4 Review of user access rights
    A.11.3 User responsibilities
        A.11.3.1 Password use
        A.11.3.2 Unattended user equipment
        A.11.3.3 Clear desk and clear screen policy
    A.11.4 Network access control
        A.11.4.1 Policy on use of network services
        A.11.4.2 User authentication for external connections
        A.11.4.3 Equipment identification in networks
        A.11.4.4 Remote diagnostic and configuration port protection
        A.11.4.5 Segregation in networks
        A.11.4.6 Network connection control
        A.11.4.7 Network routing control
    A.11.5 Operating system access control
        A.11.5.1 Secure log-on procedures
        A.11.5.2 User identification and authentication
        A.11.5.3 Password management system
        A.11.5.4 Use of system utilities
        A.11.5.5 Session time-out
        A.11.5.6 Limitation of connection time
    A.11.6 Application and information access control
        A.11.6.1 Information access restriction
        A.11.6.2 Sensitive system isolation
    A.11.7 Mobile computing and teleworking
        A.11.7.1 Mobile computing and communications
        A.11.7.2 Teleworking
A.12 Information systems acquisition, development and maintenance
    A.12.1 Security requirements of information systems
        A.12.1.1 Security requirements analysis and specification
    A.12.2 Correct processing in applications
        A.12.2.1 Input data validation
        A.12.2.2 Control of internal processing
        A.12.2.3 Message integrity
        A.12.2.4 Output data validation
    A.12.3 Cryptographic controls
        A.12.3.1 Policy on the use of cryptographic controls
        A.12.3.2 Key management
    A.12.4 Security of system files
        A.12.4.1 Control of operational software
        A.12.4.2 Protection of system test data
        A.12.4.3 Access control to program source code
    A.12.5 Security in development and support processes
        A.12.5.1 Change control procedures
        A.12.5.2 Technical review of applications after operating system changes
        A.12.5.3 Restrictions on changes to software packages
        A.12.5.4 Information leakage
        A.12.5.5 Outsourced software development
    A.12.6 Technical vulnerability management
        A.12.6.1 Control of technical vulnerabilities
A.13 Information security incident management
    A.13.1 Reporting information security events and weaknesses
        A.13.1.1 Reporting information security events
        A.13.1.2 Reporting security weaknesses
    A.13.2 Management of information security incidents and improvements
        A.13.2.1 Responsibilities and procedures
        A.13.2.2 Learning from information security incidents
        A.13.2.3 Collection of evidence
A.14 Business continuity management
    A.14.1 Information security aspects of business continuity management
        A.14.1.1 Including information security in the business continuity management process
        A.14.1.2 Business continuity and risk assessment
        A.14.1.3 Developing and implementing continuity plans including information security
        A.14.1.4 Business continuity planning framework
        A.14.1.5 Testing, maintaining and reassessing business continuity plans
A.15 Compliance
    A.15.1 Compliance with legal requirements
        A.15.1.1 Identification of applicable legislation
        A.15.1.2 Intellectual property rights (IPR)
        A.15.1.3 Protection of organizational records
        A.15.1.4 Data protection and privacy of personal information
        A.15.1.5 Prevention of misuse of information processing facilities
        A.15.1.6 Regulation of cryptographic controls
    A.15.2 Compliance with security policies and standards, and technical compliance
        A.15.2.1 Compliance with security policies and standards
        A.15.2.2 Technical compliance checking
    A.15.3 Information systems audit considerations
        A.15.3.1 Information systems audit controls
        A.15.3.2 Protection of information systems audit tools

3 ITIL V3 FRAMEWORK

The Information Technology Infrastructure Library (ITIL) provides a framework of best practice guidance for information technology service management and, since its creation, ITIL has grown to become the most widely accepted approach to IT service management in the world [8].

The primary objective of service management is to ensure that IT services are aligned to business needs and actively support them. If IT processes and IT services are implemented, managed and supported in the appropriate way, the business will be more successful, suffer less disruption and loss of productive hours, reduce costs, increase revenue, improve public relations and achieve its business objectives [8].

The ITIL v3 Core consists of five publications, each providing guidance on a specific phase in the service management lifecycle. The ITIL core publications are as follows [4]:

Service Strategy
Service Design
Service Transition
Service Operation
Continual Service Improvement

ITIL describes processes, functions and structures that support most areas of IT service management, mostly from the viewpoint of the service provider. One of the many processes it describes is Information Security Management (ISM) [9]. With the placement of Information Security Management within the Service Design core book, the process is integrated with several other processes, which enables the ISM process to be streamlined in the Service Lifecycle more easily [10].

The goal of the ISM process is to align IT security with business security and ensure that information security is effectively managed in all service and service management activities. The ITIL security management process describes the structured fitting of security into the management organization. ITIL security management is based on the ISO 27001 standard [3].

The ISM process contains several sub-processes in ITIL v3: design of security controls, security testing, management of security incidents and security review. The objective of the security controls sub-process is to design the appropriate technical and organizational measures in order to ensure the confidentiality, integrity, security and availability of an organization's assets, information, data and services [11].

4 MAPPING OF ITIL V3 PROCESSES TO ISO/IEC 27001:2005 CONTROLS

Fox IT Ltd and QT&C Group Ltd have performed a mapping exercise that looked at each of the 11 information security control areas [7]. Integrating security best practices into service management best practice processes enables an organization to lower the overall cost of maintaining acceptable security levels, manage risks effectively and reduce overall risk levels. ISO 27001 and ITIL v3 are very complementary. From an ITIL perspective, most of the security controls identified in ISO 27001 are already part of service management. Both ITIL and ISO 27001 identify the requirement to build security into all aspects of the service in order to manage risks in the infrastructure effectively [4]. Table 2 describes the mapping of ITIL processes to the controls of ISO/IEC 27001.

TABLE 2 MAPPING OF ITIL PROCESSES TO ISO/IEC 27001 CONTROLS

Columns of the original table: ITIL process (grouped by lifecycle stage) and the ISO/IEC 27001 controls mapped to it; "-" means no control is mapped.

Service Strategy
    Demand management
        -
    Financial management
        -
Service Design
    Service catalog management
        A.6.2.2 Addressing security when dealing with customers
        A.6.2.3 Addressing security in third party agreements
    Service level management
        A.6.2.2 Addressing security when dealing with customers
        A.6.2.3 Addressing security in third party agreements
        A.10.2.1 Service delivery
        A.10.6.2 Security of network services
        A.10.8.2 Exchange agreements
        A.12.3.2 Key management
    Capacity management
        A.10.3.1 Capacity management
    Availability management
        A.10.5.1 Information back-up
        A.10.8.4 Electronic messaging
    IT service continuity management
        A.6.2.3 Addressing security in third party agreements
        A.9.2.2 Supporting utilities
        A.10.4.1 Controls against malicious code
        A.10.5.1 Information back-up
        A.14.1.1 Including information security in the business continuity management process
        A.14.1.2 Business continuity and risk assessment
    Information security management
        A.5.1.1 Information security policy document
        A.5.1.2 Review of the information security policy
        A.6.1.1 Management commitment to information security
        A.6.1.2 Information security coordination
        A.6.1.3 Allocation of information security responsibilities
        A.6.2.1 Identification of risks related to external parties
        A.10.6.2 Security of network services
        A.11.1.1 Access control policy
    Supplier management
        A.6.2.3 Addressing security in third party agreements
        A.6.2.1 Identification of risks related to external parties
        A.10.2.1 Service delivery
        A.10.2.2 Monitoring and review of third party services
        A.10.8.2 Exchange agreements
        A.12.3.2 Key management
Service Transition
    Change management
        A.6.1.4 Authorization process for information processing facilities
        A.6.2.3 Addressing security in third party agreements
        A.9.2.6 Secure disposal or re-use of equipment
        A.9.2.7 Removal of property
        A.10.1.2 Change management
        A.10.2.3 Managing changes to third party services
        A.11.2.4 Review of user access rights
        A.12.4.1 Control of operational software
        A.12.4.3 Access control to program source code
        A.12.5.1 Change control procedures
        A.13.2.1 Responsibilities and procedures
    Service asset & configuration management
        A.7.1.1 Inventory of assets
        A.9.1.6 Public access, delivery and loading areas
        A.9.2.1 Equipment siting and protection
        A.9.2.3 Cabling security
        A.9.2.4 Equipment maintenance
        A.9.2.7 Removal of property
        A.10.4.1 Controls against malicious code
        A.12.4.1 Control of operational software
        A.12.4.3 Access control to program source code
        A.12.6.1 Control of technical vulnerabilities
        A.14.1.1 Including information security in the business continuity management process
    Release & deployment management
        A.10.3.2 System acceptance
    Service validation & testing
        A.10.3.2 System acceptance
        A.12.4.1 Control of operational software
        A.12.5.2 Technical review of applications after operating system changes
    Evaluation
        A.10.3.2 System acceptance
        A.12.5.2 Technical review of applications after operating system changes
    Risk management
        A.6.1.2 Information security coordination
        A.6.2.1 Identification of risks related to external parties
        A.7.2.1 Classification guidelines
        A.9.1.4 Protecting against external and environmental threats
        A.9.2.5 Security of equipment off premises
        A.9.2.6 Secure disposal or re-use of equipment
        A.10.6.1 Network controls
        A.14.1.2 Business continuity and risk assessment
    Knowledge management
        -
Service Operation
    Event management
        A.10.3.1 Capacity management
        A.10.10.1 Audit logging
        A.10.10.2 Monitoring system use
        A.10.10.3 Protection of log information
        A.10.10.4 Administrator and operator logs
    Incident management
        A.6.1.2 Information security coordination
        A.9.2.4 Equipment maintenance
        A.10.3.1 Capacity management
        A.10.10.5 Fault logging
        A.13.1.1 Reporting information security events
        A.13.1.2 Reporting security weaknesses
        A.13.2.1 Responsibilities and procedures
        A.13.2.2 Learning from information security incidents
    Request management
        -
    Problem management
        A.6.2.3 Addressing security in third party agreements
        A.13.2.2 Learning from information security incidents
    Access management
        A.6.2.1 Identification of risks related to external parties
        A.6.2.2 Addressing security when dealing with customers
        A.8.3.3 Removal of access rights
        A.9.1.6 Public access, delivery and loading areas
        A.11.1.1 Access control policy
        A.11.2.1 User registration
        A.11.2.3 User password management
        A.11.2.4 Review of user access rights
        A.11.4.1 Policy on use of network services
        A.11.5.2 User identification and authentication
        A.11.6.1 Information access restriction
        A.12.4.3 Access control to program source code
Continual Service Improvement
    CSI process
        A.13.2.2 Learning from information security incidents
    Service reporting
        A.6.2.3 Addressing security in third party agreements
    Document management
        A.10.1.1 Documented operating procedures
        A.10.7.3 Information handling procedures
        A.10.7.4 Security of system documentation
    Human resource management
        A.6.1.3 Allocation of information security responsibilities
        A.6.1.5 Confidentiality agreements
        A.8.1.1 Roles and responsibilities
        A.8.1.2 Screening
        A.8.1.3 Terms and conditions of employment
        A.8.2.1 Management responsibilities
        A.8.2.2 Information security awareness, education and training
        A.8.2.3 Disciplinary process
        A.8.3.1 Termination responsibilities
        A.8.3.2 Return of assets
        A.8.3.3 Removal of access rights
        A.11.3.1 Password use
        A.11.3.2 Unattended user equipment
        A.11.3.3 Clear desk and clear screen policy

5 CONCLUSION

Information security aspects are really important for company success and business stability. As no single formula can guarantee 100% security, there is a need for a set of benchmarks or standards to help ensure that an adequate level of security is attained, resources are used efficiently, and the best security practices are adopted. By implementing ITIL and ISO/IEC 27001, organizations can better meet information security service expectations with internal and external customers.

ISO/IEC 27001 helps an organization to develop a business continuity plan that will minimize the impact of security breaches. ITIL is a framework of best practices that promote quality computing services in the IT sector. The ISM process within the Service Design core practice of ITIL v3 provides several ways in which information security can be improved. The ISM process encourages organizations to incorporate security controls, and to test these controls regularly.

This paper described a mapping of ITIL service management processes to ISO/IEC 27001 controls. ITIL and ISO 27001 identify the requirement to build security into all aspects of the service in order to manage risks in the infrastructure effectively.

REFERENCES

[1] T. Pereira, H. Santos, A Security Audit Framework to Manage Information System Security, pp. 9-18, Springer-Verlag Berlin Heidelberg, 2010.
[2] N. Zegers, A methodology for Improving information security incident identification and response, Master Thesis, Informatics & Economics, Erasmus University Rotterdam, 2006.
[3] A. Rezakhani, A. Hajebi, N. Mohammadi, Standardization of all Information Security Management Systems, International Journal of Computer Applications (ISSN 0975-8887), Volume 18, No. 8, March 2011.
[4] K. V. Warre, Security Controls in Service Management, SANS Institute, December 2010.
[5] ISO/IEC, Information technology - Security techniques - Information security management systems - Requirements, ISO copyright office, Switzerland, 2005.
[6] The Government of the Hong Kong Special Administrative Region, An Overview of Information Security Standards, February 2008.
[7] M. Sykes, N. Landman, ITIL and ISO/IEC 27001 - How ITIL can be used to support the delivery of compliant practices for Information Security Management Systems, Fox IT Ltd and QT&C Group Ltd, 2010.
[8] H. Liu, Y. Lin, P. Chen, L. Jin, F. Ding, Practical Availability practices Risk Assessment Framework in ITIL, Proceedings of the Fifth IEEE International Symposium on Service Oriented System Engineering, 2010.
[9] J. Clinch, ITIL V3 and Information Security, White paper, May 2009.
[10] G. Taylor, ITIL V3 Improves Information Security Management, East Carolina University.
[11] E. R. Larrocha, J. M. Minguet, G. Diaz, M. Castro, A. Vara, Filling the gap of Information Security Management inside ITIL: proposals for postgraduate students, IEEE EDUCON Education Engineering, 2010.

Razieh Sheikhpour received the BS degree in software engineering from the Department of Computer Engineering, Islamic Azad University of Iran, in 2007. She is currently working toward the MS degree in software engineering at Islamic Azad University of Iran. Her research interests include information security, IT governance and sensor networks.

Nasser Modiri received the MS degree in Microelectronics from the University of Southampton, UK, in 1986. He received the PhD degree in Computer Networks from the University of Sussex, UK, in 1989. He is a lecturer at the Department of Computer Engineering, Islamic Azad University of Zanjan, Iran. His research interests include Network Operation Centres, Frameworks for Securing Networks, Virtual Organizations, RFID and Product Life Cycle Development.