This paper is joint work with Raydel Montesino from University of Informatics Sciences (Cuba). It will be presented at the Sixth International Conference on Availability, Reliability and Security (ARES) in Vienna, Austria. You can download the full paper from the Publications section in August 2011.
Abstract: Information security management is a very complex task which involves the implementation and monitoring of more than 130 security controls. To achieve greater efficiency in this process it is necessary to automate as many controls as possible. This paper provides an analysis of how many controls can be automated, based on the standards ISO 27001 and NIST SP800-53. Furthermore, we take the automation potential of controls included in the Consensus Audit Guidelines into account. Finally, we provide an overview of security applications that support automation in the operation of information security controls to increase the efficiency of information security management.