Teaching

  • GTE 1: Automation and Industrial Computing
  • GTE 2: Control Systems
  • GTE 2: Algorithmics
  • GTE 2: Visual Basic

Selected Publications

Information has become a major asset in companies that have based their business on the production and exploitation of this information, but also in traditional companies that exploit their information with a view to continuously improving their processes. This is the case in collaborative systems where companies are interconnected, but also in intelligent systems that have many information exchanges with their environment. It is important that companies keep control of the information they import, process and distribute. In this article, in the context of a risk management approach, we present a new security criterion: controllability.
In JITST’2020, 2020.

The new information and communication technologies have brought an evolution of IT systems from a standalone architecture to architectures where the systems are interconnected, and this in a multi-organizational environment. Through their interactions and their collaboration with external systems, notably via the service paradigm, information systems have become the place where information from different sources converges: data collected by the information system, computed data, data from outsourced services or databases, etc. Therefore, from a computer security point of view, we can no longer focus solely on hardware, software and network issues. From now on, we must take into account the data that is an integral part of an organization’s capital: data is today the main concern of companies. In this article we address information security from the perspective of risk management, taking into account the ability of an organization to control its data flows (incoming and outgoing). We propose the introduction of a new security criterion: “controllability”. The consideration of this criterion is essential to avoid the garbage in, garbage out issue (incoming data) and to reduce the risks in the use of the data produced (outgoing data).
In WorldCIS, 2019.

Faced with the “digital revolution” brought about by the massive spread of digital technologies throughout society, the University of Bordeaux launched a cross-disciplinary project: “the convergences of law and digital technology”. This event, organized in partnership with the Bordeaux Initiative of Excellence, the Forum Montesquieu and the Administrative Court of Appeal of Bordeaux, is intended to build lasting bridges between legal professionals and digital professionals.
In CDN, 2017.

In this thesis we discuss the application of risk management to distributed information systems. We handle problems of interoperability and securing of the exchanges within DRM systems and we propose the implementation of this system for the company: it needs to permit the distribution of self-protected contents. We then present our participation in the creation of an innovative company which emphasizes the security of information, in particular the management of risks through the ISO/IEC 27005:2011 standard. We present risks related to the use of services, highlighting in particular the ones which are not technological: we approach inherent risks in clouds (provider failure, etc.) but also the more insidious aspects of espionage and intrusion in personal data (the PRISM case in June 2013). In the last section, we present a concept of a DRM company which uses metadata to deploy settings in usage control models. We propose a draft formalization of metadata necessary for the implementation of a security policy and guarantee respect of regulations and legislation.
Doctoral thesis, 2013.

Service Oriented Architectures (SOA) offer new opportunities for the interconnection of systems. However, for a company, opening its Information System to the world is not insignificant in terms of security. Whether to use available services or provide its own services, new technologies have introduced new vulnerabilities and therefore new risks. Our work aims to propose an approach for risk management which is based on the ISO/IEC 27005:2011 standard: we propose a development of this standard (by an extension of Annex D) so that it can fully take into account service types such as web services and cloud services. Indeed, a world of services is not limited to linking interconnected systems; it is more a relationship between customer and supplier, where notions of trust, accountability, traceability and governance are developed. Following this study we introduce a new security criterion, controllability, to ensure that a company keeps control of its information even if it uses such outsourced services.
In SocialCom, 2013.

Information security is currently one of the most important issues in information systems. This concerns the confidentiality of information but also its integrity and availability. The problem becomes even more difficult when several companies are working together on a project and the various documents “go out of” their respective information systems. We propose an architecture in which the documents themselves ensure their security and thus can be exchanged over uncontrolled resources such as cloud storage or even USB flash drives. For this we encapsulate within the document itself some security components (e.g. access control, usage control) to achieve an autonomic document architecture for Enterprise DRM (E-DRM). Using such self-protecting documents, a company can ensure security and privacy for its documents when outsourcing storage services (e.g. cloud).
In TrustCom, 2012.

Recent Publications

IoT: data stream control

Informational self-determination & smart buildings

Proactive management of contractual obligations

Challenges in Security Engineering of Systems-of-Systems

The Systems-of-Systems Challenge in Security Engineering

Risk management in service-oriented architectures
