Information Security Management as a Bridge in Cloud Systems from Private to Public Organizations

: Cloud computing has made it possible for private companies to make rapid changes in their computing environments. However, in the public sector, security issues hinder institutions from adopting cloud computing. To solve these security challenges, in this paper, we propose a methodology for information security management, which quantitatively classifies the importance of information in cloud systems in the public sector. In this study, we adopt a Delphi approach to establish the classification criteria of the proposed methodology in an objective and systematic manner. Further, through a case study of a public corporation, we try to validate the usefulness of the proposed methodology. The results of this study will help public institutions to consider introducing cloud computing and to manage cloud systems effectively and securely.


Introduction
The increasing complexity of computing environments and the increasing computing costs have encouraged enterprises and individuals to adopt cloud computing and thereby reduce their computing OPEN ACCESS investment and improve usability [1].Private companies using huge computing infrastructures, such as Google, Microsoft, and Amazon, have actively constructed cloud computing infrastructures.However, information security issues hinder the adoption of cloud computing by public entities in spite of the high demand for cloud computing [2].Therefore, solutions for providing security against the vulnerabilities of cloud computing will pave the way for the acceptance of cloud computing in public organizations.
For providing security for cloud computing in private entities, various approaches for information security management, such as ISO27001, Cloud Security Alliance (CSA), and European Union Agency for Network and Information Security (ENISA), have been suggested.These approaches focus on private industries and are not suitable for public entities as these approaches mainly reflect the nature of private organizations.The nature of computing in public organizations depends on a combination of factors, such as the different sensitivities of data, the general management staff for information systems, and compliance with laws and regulations [3].Information security management systems using cloud computing reflect the nature of computing in public entities.In this study, we aimed to develop a methodology for the information security management of cloud computing in public organizations and to validate the usefulness of this methodology.The proposed methodology is expected to lessen the security vulnerabilities of introducing cloud computing to public entities, resulting in an improved security level of the public enterprises.

Related Works
The security issues of cloud computing have been discussed in the literature [4][5][6].CIO research conducted in the U.S. has revealed [7] that the loss of rights in controlling data, availability of data, and compliance with IT governance and regulations lead to security issues in cloud computing.Gartner has reported [8] that issues related to risk management, such as those related to e-discovery, compliance with regulations, and audit, need to be resolved.As these reports mention, these security issues are the highest barrier to the introduction of cloud computing in public entities.For relatively strong security of cloud computing, various security regulations, such as CSA Security, Trust, and Assurance Registry (CSA STAR) [9], ENISA [10], and Federal Risk and Authorization Management Program (FedRAMP) [11], have been adopted, and security controls such as ISO/IEC 27001 [12] and BSI IT Baseline Protection Manual (BSI) [13] have been utilized as security management systems for cloud computing.In this study, we briefly analyze these security regulations and information security management systems.
CSA STAR ensures the consumers of the trust and assurance of a cloud provider.The CSA STAR program is designed to show the varying assurance requirements and maturity levels of cloud providers and consumers.To meet these objectives, the CSA has developed an open certification framework.The purpose of this framework is to provide an evaluation methodology for data protection and the mobility and flexibility of the cloud services to consumers.The framework consists of a three-level certification, wherein Level 1 is self-assessment, Level 2 is third-party assessment-based certification, and Level 3 is continuous monitoring-based certification.Each level implies gradual visibility and transparency of the operations in cloud computing and thus, provides the corresponding assurance to the consumers [9].CSA STAR provides two types of research controls, namely Cloud Controls Matrix (CCM) v.3 and Consensus Assessments Initiative Questionnaire (CAIQ).CCM v.3 provides security controls, consisting of 16 control domains and 136 items utilized for a third-party assessment.Further, CCM v.3 provides the mapping information of control items related to Cobit, PCI-DSS, and FedRAMP [11].CSA STAR scores functions for each CCM security domain.These scores represent the maturity of processes in an organization and indicate the parts that need to be improved.The maturity levels are defined as No, Bronze, Silver, and Gold, and the certified organizations are registered as "STAR Certified" in CSA STAR.This STAR certification represents the overall evaluation of efficiencies, goals, domains, and processes of information management systems.Further, STAR conveys the priorities and the domains that need to be improved in an organization and compares the certification results of cloud providers.
The ENISA guideline [10] deals with risk assessment and divides the risks of cloud computing into policy and organization risks, technical risks, legal risks, and risks not specific to clouds.The guideline classifies vulnerabilities and assets in cloud computing and establishes 12 information assurance requirements.The guideline involves a combination of risk analysis methods to be applied to cloud computing and the corresponding set of security controls.
FedRAMP is a program providing security assessment, authorization, and continuous monitoring for cloud products and services [11].The goals of the program are that the U.S. government efficiently certifies and delivers cloud products and services for federal agencies.In this program, a third-party audit organization (3PAO) evaluates the cloud services and products of the cloud service provider and the U.S. government certifies the provider on the basis of the evaluation results.The processes of FedRAMP are divided into four levels.First, a 3PAO is accredited at Level 1, and then, the accredited 3PAO assesses the security of cloud products and services at Level 2. At Level 3, a U.S. agency that wants to introduce cloud services and products designates a service provider from the relevant list from the security repository database.At Level 4, the 3PAO continuously monitors the approved cloud provider at least once every year.The assessment criteria are drawn from the control items of the SP 800-53 revision of National Institute of Standards and Technology (NIST).Although FedRAMP has a solid basis in certifying cloud providers, its approach demands a considerable amount of resources for establishing certification programs and strongly unites with the Federal Information Security Management Act (FISMA).The application of FedRAMP to public entities other than those in the U.S. requires significantly more effort and a well-pre-established security infrastructure [11].
ISO/IEC27001 is a popular and an internationally recognized standard for information security management systems, specifying the requirements of these systems.ISO/IEC27001 ensures that the security requirements are fine-tuned to keep pace with security environments [12].Further, ISO/IEC27001 adopts the plan-do-check-act (PDCA) model and is not restricted to a specific industry.It defines the requirements for implementing, monitoring and auditing, maintaining, and improving information security management systems.ISO/IEC27001 defines the goals and domains of information security management systems considering the relevant businesses and organizations and the nature of the information assets and technologies owned by these organizations.On the basis of the strategy of risk processing, ISO/IEC27002 selects security controls from the standard ones.Further, ISO/IEC27005 conducts a risk analysis and defines a strategy for risk reduction, risk avoidance, and risk transfer for compliance with an information security policy.
The Federal Office for Information Security established BSI standard-100 and IT-Grundschutz Catalogues [14].IT-Grundschutz Catalogues is a collection of modules, threat catalogs, and a safeguard catalog.Each module of IT-Grundschutz describes the applicable components, approaches, and IT systems, as well as the threat scenarios and the appropriate safeguards.IT-Grundschutz consists of five different layers [15], which are S1 the generic security of information technology, S2 the security of the infrastructure, S3 the security of IT systems, S4 the security in networks, and S5 the actual application.Threat catalogs contain threats such as T0 basic threat, T1 force majeure, T2 organizational shortcomings, T3 technical failure, and T4 deliberate acts.The safeguard catalog contains a description of the security safeguards mentioned in the module, and is defined as S1 infrastructure, S2 organization, S3 personnel, S4 hardware and software, and S5 communication.GSK (IT-Grundschutz Catalogues) classifies risks through combinations of threats and safeguards for a designated module [16].BSI standard 100-1 defines the requirements for ISMS [17].BSI standard 100-2 (IT-Grundschutz Catalogues: GSK) describes how to establish and monitor security based on the standard of security safeguards [18].BSI standard 100-3 discusses a method for analyzing risks that is based on IT-Grundschutz (BSI standard 100-2) [19].BSI-Standard 100-4 describes business continuity management.BSI standards and IT-Grundschutz Catalogues are well-defined standards in that the methodology systematically combines the threat and the corresponding safeguard for a specific layer.In terms of feasibility, it demands considerably more resources to establish and manage information security systems.

Information Security Management Systems for Cloud Computing in Public Organizations
This study analyzes the representative methodologies for cloud systems, such as FedRAMP and ENISA's security management, and proposes a methodology for the security management of cloud systems in public organizations.

FedRAMP
For the security management of cloud systems, FedRAMP utilizes NIST special publication 800-60.To introduce suitable security controls for cloud systems, FedRAMP categorizes cloud systems in terms of their impact level.NIST special publication 800-60 categorization determines the security impact level for the cloud environment that may host any or all of the service model information as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS).The goal of the security categorization is to help the cloud service provider (CSP) to select and implement the FedRAMP security controls applicable to its environment [11].
The categorization is based upon NIST special publication 800-60.An analysis of the data contained in the systems will determine whether the security categorization for the systems is at the low, moderate, or high impact level.The security categories are determined upon the potential impact on an organization when certain events occur [20].
FedRAMP defines three levels of potential impact on organizations or individuals when a breach of security events (i.e., a loss of confidentiality, integrity, or availability) occurs.Conducting an appropriate security category for a cloud system simply requires determining the potential impact for each security objective of the particular cloud systems.For the categorization of cloud systems, the following processes are required.First, identify the relevant cloud systems and the document organization's business and mission area.Second, identify the cloud information that are input, stored, processed, and/or output from each system.Third, select the security impact level for the identified information type on the basis of qualitative criteria.Security category of cloud systems = {(confidentiality, impact), (integrity, impact), (availability, impact)}, where the values for potential impact are low, moderate, or high.The resulting security level of the cloud systems is decided on the basis of the highest value among confidentiality, integrity, and availability.Fourth, adjust the impact levels for reflecting situations, operational drivers, and legal reasons related to the organization.Fifth, determine the security impact level of cloud systems on the basis of the aggregate of information type.
The completed security categorization will help the CSP in the selection and implementation of FedRAMP security controls at the determined categorization level.The FedRAMP program takes into account that systems may vary between vendors and allows some flexibility in the implementation of compensating controls or in alternative implementations.

Security Framework for Government Clouds by ENISA
ENISA adopts the Plan-Do-Check-Act (PDCA) model identified as a suitable model for information security management systems in government cloud systems.In the Plan phase, the security policy is set for implementing controls to achieve security objectives.In the Do phase, the controls are implemented and operated.In the Check phase, a review and an evaluation of the performance of systems are performed, and in the Act phase, remedial actions are taken for the deficiencies or gaps identified in the Check phase [21].
In the Plan phase, security activities such as risk profiling, architectural modeling, and security and privacy requirements occur.The risk profiling activity consists of the following actions: (1) selection of the security dimensions (properties) that are relevant for each cloud service (e.g., confidentiality, integrity, and availability); (2) evaluation of the potential impact on the cloud service (i.e., low, medium, or high) when a threat exploits a vulnerability and its likelihood to happen; (3) determination of the risk level of the service; and (4) determination of the overall risk profile.Based on the overall risk profile, the list of security requirements is formulated.The methodology of the security framework by ENISA is similar to that of FeDRAMP in that ENISA's methodology determines the security impact level of each service qualitatively.
In the Do phase, specific security controls or security measures are implemented to fulfill the security requirements drawn during the Plan stage.Deployment and accreditation form phases 3 and 4, and imply the actual formalization and implementation of the selected security controls, as well as the start of the operation of the government cloud service.

Methodology for Security Management for Cloud Systems in Public Organizations
This study suggests a methodology for information security management for cloud computing in public organizations.The methodology classifies the importance of information security in cloud systems used in public organizations in terms of security.The importance of information is classified on the basis of the potential impacts of the information on a public organization.The classification of information importance in cloud systems enables an organization in the public sector to effectively manage the security of its cloud systems and efficiently select the appropriate security controls, reflecting the characteristics of the public organization.
Information is processed, stored, sent, and deleted in the form of data, and represents the status of tasks in the organization.The processes for classifying the importance of information involve four steps, namely the identification of information in cloud systems, the classification of information importance, the adjustment of information importance, and the specification of information resources in a sequence.
In the first step, the information in the cloud systems of a public organization is identified.This step recognizes the information related to the considered tasks, the management, the software and hardware, and the staff of the public organization.Thereafter, the relationships among these types of information are clearly defined.
In the second step, the importance of information is classified as low, medium, or high.The importance of information represents the potential impact of the information on the organization when an event occurs [20].The importance of information is measured through the quantification of the criteria for confidentiality, integrity, and availability of cloud systems.Confidentiality preserves authorized rights to information access and disclosure, including protection of personal privacy and proprietary information [22].Further, without permission to disclose certain information, an enterprise may incur some damages.Integrity represents the unauthorized modification or destruction of information adversely affecting the organization [20].Availability assures timely and reliable usage of information [22].Disruption of availability prevents users from accessing information and information systems.The approach of quantitative measurement prohibits an evaluator from subjectively judging and overestimating the importance of information in cloud systems.
To establish the criteria measuring the importance of information, in this study, we utilized a simplified Delphi approach, which is a useful method for drawing expert opinions without any interference [23].We conducted two rounds of the Delphi.In the first round, we asked 10 security experts to write down the criteria quantifying the three security objectives for cloud systems in public organizations.Two professors, four practitioners, and four researchers participated in this round of the Delphi.The experts returned eight criteria for the nature of information, seven criteria for the mission of public-sector organizations, four criteria for the corruption of information resources, two criteria for privacy, and eight criteria for the characteristics of the sector.In the second round, we informed the experts of the results from the first round and asked them to select the criteria for the quantitative assessment from these results.On the basis of the results of the second round, we selected the most commonly appearing criteria and determined the final set of 24 criteria for quantifying the security objectives of cloud systems.Table 1 lists the criteria obtained from two rounds of the Delphi approach.These criteria are measured on a five-point scale.
Table 1.Criteria for quantification of information importance.

Quantification Criteria Score
Criteria for confidentiality 1 2 3 4 5 Relevance to sensitive information such as unrevealed policies, sensitive issues of management, and privacy Necessity of protecting the information Possibility of arguments caused by unauthorized disclosure of the information Necessity of restrictions to access the information Degree of damage caused by a misuse of the information Possibility of damage caused by a disclosure of the information Necessity of audit in the case of information retrieval Necessity of certificates or biometric certification to access the information  The information importance score is calculated as follows: Information importance score = (Σ score of the confidentiality + Σ score of the integrity criteria + Σ score of the availability) In the third step, the importance of the information is adjusted qualitatively taking into account the following factors: The environment surrounding the organization, the number of users of cloud systems, the distinct characteristics of the organization, and the legislation and regulations related to cloud computing.
In the fourth step, information resources such as specific hardware, specific software, and the corresponding organization staff are specified according to the importance of the information in the cloud systems.The above classification enables an organization to securely manage its information resources and appropriately establish security controls for its cloud systems [24].

Security Controls for Cloud Systems in Public Organizations
In this paper, we propose the use of a set of security controls for cloud systems in the public sector matching the methodology discussed above.In this study, we compared various security controls such as CSA-CCM, FedRAMP, and ISO27000 and conducted a comparison of the security controls of ENISA, Gartner, BSI, and FISMA.On the basis of this comparison, we selected a set of common security controls for the cloud systems.Table 2 lists the set of security controls; there are 12 domains and 30 security controls listed.The security controls can be divided into detailed components and differently applied according to the different levels of importance of the information in the cloud systems used in the public sector.
The evaluation programs of CSA STAR, ENISA, ISO/IEC 27001, and BSI do not concentrate on the classification of information and the establishment of different security controls for the different levels of information importance in cloud systems.

Applying the Methodology to the Case of Korea Expressway Corporation
In this study, we try to validate the proposed methodology for information security management through cloud systems in Korea Expressway Corporation (KEC).KEC is one of the largest public companies owned and regulated by the Korean government.In particular, KEC is obliged to follow official security guidelines and ensure the security of its many information systems.KEC depends heavily on its information systems, and through these systems, it manages expressways, road charges, emergency, convenience facilities, and traffic information for users.KEC is now using cloud systems for the management of these systems.To validate the methodology for information security management for cloud systems, we interviewed the security managers and the managers of the cloud systems at KEC six times between October and November 2012.Three researchers, three security managers, and six managers of the KEC cloud systems participated in this validation.

[Step 1] Identification of cloud systems
We identified many information systems and selected four cloud systems for validating the proposed methodology.These cloud systems had different characteristics in terms of data, users, and sensitivity.The four selected cloud systems were electronic service area management systems, electronic procurement management systems, electronic documents management systems, and electronic toll management systems.Table 3 presents a summary of these systems.

[Step 2] Classification of the importance of information in the cloud systems
To classify the importance of information in the cloud systems, we simultaneously measured the importance of information in a cloud system qualitatively and quantitatively.First, we asked the security managers and the manager of each cloud system to qualitatively assign the importance of the information in the cloud systems, a grade of high, medium, or low.Second, we explained the criteria for the importance of the information in the cloud systems to them and asked them to assign a score to the abovementioned criteria through interviews.The interviews were conducted twice.Table 4 shows the results of the importance of information in the cloud systems.A comparison of the results of the information importance between the qualitative measurement and the quantitative measurement revealed that the results did not differ for most of the considered cloud systems.Therefore, we concluded that the proposed methodology for information security management for cloud systems is valid.

Electronic toll management systems
Relevance to sensitive information such as unrevealed policies, sensitive issues of management, and privacy The score of the information importance 31 28.6 37.6 38.3 The importance of information High Medium High High [Step 3] Adjustment of the importance of information in the cloud systems We did not need to adjust the importance of information in the considered cloud systems, classified in the second step, according to the environments, the number of users, and the relevant legislation and regulations.

[Step 4] Specification and classification of the information resources by information importance
The information resources in the cloud systems are specified to users, database, operating systems, local area network, applications and wide area network.The importance of an information resource belonging to a specific cloud system is classified according to that of the system.Table 5 shows the specifications and the importance of the information resources.Previously, KEC had tried to classify the importance of information in its cloud systems and planned to classify the security controls in the near future.We did not have any opportunity to validate the appropriateness of the suggested set of security controls.The classification of information importance in cloud systems is expected to help KEC to easily adopt a categorization of security controls in accordance with the proposed methodology.

Applying FedRAMP to the Case of Korea South-East Power Corporation
In this study, we apply FedRAMP to the case of Korea South-East Power Cooperation (KOSEP) in order to compare FedRAMP with the proposed methodology for security in cloud systems.KOSEP is one of the largest public companies that own and operate power stations.In particular, KOSEP is sensitive to information security and plans to transform its information systems into cloud systems.In this study, we apply FedRAMP processes to the cloud systems of KOSEP.This experiment is based on interviews and documents produced during the process of security consulting.Table 6 shows the application of FedRAMP to Management Information Systems (MIS) in KOSEP.The procedures applied are as follows: [Step 1] Identify the type of cloud system.
KOSEP has different types of information systems from MIS systems to Supervisory Control and Data Acquisition Systems (SCADA).Among information systems, MIS systems could be the first target for the transformation into cloud systems.KOSEP implements MIS systems in Enterprise Resource Planning (ERP).The ERP systems process information related to finance, budget, accounting, fuel, and material.Further, they process various types of information, such as business information, mission information, and data.Personnel information systems and accounting systems are selected for the categorization of the impact level.
This study selects personnel information systems among MIS systems.The provisional impact level of personnel information systems could be assessed as follows: {Confidentiality, moderate; integrity, moderate; availability, low}.The provisional impact level of accounting systems could be assessed as follows: {Confidentiality, moderate; integrity, moderate; availability, high}.
[Step 3] Review provisional impact level and adjust impact level.
Security managers are asked to review the provisional impact level and adjust the impact level.They review the provisional impact level of the personnel information systems and adjust it as follows: {Confidentiality, high; integrity, high; availability, moderate}.The adjusted impact levels of the accounting information systems are as follows: {Confidentiality, moderate; integrity, moderate; availability, moderate}.
[ Step 4] Assign the importance of cloud systems to the security category.
The categorization of MIS systems is decided to be high.

Application of Security Framework to the Case of Korea South-East Power Corporation
To compare the effectiveness among security methodologies, we applied the security framework of ENISA to the case of KOSEP.To apply the security framework of ENISA, we also interviewed the security managers and referred to documents from KOSEP.In this study, we confined the application of the security framework to the risk profiling process of the Plan phase.Table 7 shows the application of the security framework to MIS systems.The application procedure is as follows: MIS systems, such as personnel information systems and accounting information systems, are transformed into cloud systems by the security managers.
[Step 2] Select the relevant security dimensions.
Confidentiality, integrity, and availability are identified as the security dimensions of personnel information systems.The security dimensions of accounting information systems are identified as confidentiality, integrity, and availability.
[Step 3] Evaluate the individual impact on the MIS.
The security dimensions of personnel information systems are evaluated as follows: {Confidentiality, moderate; integrity, moderate; availability, moderate}.Accounting information systems are also evaluated as follows: {Confidentiality, moderate; integrity, moderate; availability, moderate}.
[ Step 4] Determine the risk profile of MIS.
The security level of personnel information systems is decided to be moderate and that of accounting information systems is determined to be moderate.

Comparison of FedRAMP, Security Framework, and the Proposed Methodology
This study compares FedRAMP, the abovementioned security framework, and the proposed methodology in terms of the approach to the evaluation of the impact level, the priority among cloud systems, and the business effects on the categorization of cloud systems.FedRAMP and the security framework adopt a qualitative approach and have advantages in terms of cost savings of the evaluation and simplicity over the proposed methodology.However, the proposed methodology has other benefits over the existing approaches such as the following: First, FedRAMP and the security framework qualitatively evaluate the impact level on the organization when certain events occur, whereas the proposed method quantitatively evaluates the impact level.As the experiment of FedRAMP shows, even a fine adjustment in the impact level leads to significant changes in the overall categorization of cloud systems.In the proposed methodology, a fine adjustment of the impact level confines the security dimension within the security objectives.A qualitative approach can tolerate the differences in the impact level depending on the evaluators, whereas a quantitative approach can minimize the differences in the impact level by evaluators.
Second, priority among cloud systems can clearly be established in the aggregation of cloud systems by the impact level.FedRAMP and the abovementioned security framework aggregate the results of the impact level evaluation of cloud systems.The results of the impact level of cloud systems are one of the following: Low, moderate, or high.To establish the priority impact level of cloud systems, the evaluator qualitatively adjusts the results of the impact level among cloud systems.The proposed methodology has readiness in establishing priority among cloud systems.
Third, factors influencing the impact level of the cloud systems in FedRAMP and the abovementioned security framework are subjectively identified by the evaluators.In selecting the impact level of cloud systems, each evaluator could adopt his/her criteria.In the proposed methodology, the evaluator just selects the impact level according to the established criteria.The proposed methodology increases the objectivity of the impact level of the cloud systems.

Validating the Effectiveness of the Proposed Security Controls
To validate the effectiveness of the proposed security controls, we compared the security controls with the representative security controls such as FedRAMP and ENISA [25] in this study.As shown in Figure 2, the proposed security controls match the security measures of ENSIA.The proposed security control emphasizes the importance of cryptography and legislation.Public institutions have to protect public information from external threats and internal threats.To protect secure data, a cryptography technology and the usage and management of verified cryptography are essentially required.The operation of cloud systems in public domains has to satisfy legal requirements.The proposed security controls satisfy official requirements, such as the usage of verified cryptography and legal requirements and simultaneously provides the security functions of ENISA. Figure 3 compares the security controls between the proposed method and FedRAMP.The proposed security controls map the security controls in FedRAMP.As shown in Figure 2, FedRAMP and the proposed security controls simultaneously satisfy the requirements of cryptography functions and legislation.The structure of the proposed security controls is relatively simple and easy as compared to FedRAMP.Accordingly, the proposed security control reflects its specific requirements and simple structure and can be easily applied to the cloud systems of public organizations.The simple structure and specific requirements of the proposed security controls, reflecting the characteristics of public organizations, allow users to flexibly select security controls in accordance with the importance of information in their cloud systems.Thus, the proposed methodology is expected to be useful for saving costs and effort.
The emphasis on cryptography and legislation in the proposed security controls assures the security of cloud systems of public organizations, resulting in actively introducing cloud systems to public organizations and resolving the legal hindrances in establishing cloud systems in public organizations.
The proposed security controls can be an example that can be applied to public organizations.The security environment of each public organization may differ.An approach using the derived security controls of the proposed methodology reveals the minimum security requirements of public organizations.

Conclusions
To vitalize cloud systems in the public sector, the related security issues need to be resolved as the public sector considers more sensitive security issues than the private sector.To ensure the security of cloud computing in the public sector, security management has to reflect the characteristics of public institutions.For a consolidation of security, in this paper, we proposed a methodology for the information security management of cloud systems in the public sector and validated its usefulness through a case study.The proposed methodology has the following advantages: First, it makes it possible to establish the appropriate security level of the security controls in the public sector.However, to determine the appropriate security level of the security controls and security activities, a risk analysis and other technical consulting have to be considered [26].Such a risk analysis requires complex processes, and the practitioners tend to find it difficult to conduct [27].The abovementioned classification is less difficult than a risk analysis and produces a clear direction for the security activities and the security controls of the public sector.The above classification could efficiently invest the resources of an organization in security.Second, in the process of the classification of information importance in the cloud systems, the managers and the users surrounding the cloud systems come to identify their security responsibility.This ensures their active involvement in the security of cloud systems.Third, the completion of the classification enables an organization to recover its information resources quickly.Further, the classification, requiring detailed information about the information resources of the organization, enables a systematic recovery from a disaster.
Necessity of restrictions on modification or deletion of the information Necessity of audit logging a modification of the information Possibility of arguments caused by unauthorized modifications or deletions of the information Degree of misuse caused by modification or deletion of the information Trust level among citizens in publishing the information officially Necessity of backing up the information Necessity of certificates or other certification tools for processing the information Necessity of validating information integrity Criteria for availability 1 2 3 4 5 Necessity of having continuous access to the information Necessity of the information's continuously supporting the tasks of an organization Number of users of the cloud systems Degree of disorder caused by restrictions to the use or access of the information Necessity of dual infrastructures to access the information High recovery priority after disasters Possibility of arguments caused by restrictions to the access or use of the information Necessity of backing up the information The importance of the information is decided by the scores obtained on the abovementioned five-point scale and is classified as high, medium, or low depending on this score.The importance of information is categorized as follows: High: 31 ≤ informtion importance score ≤ 42 Medium ∶ 23 ≤ informtion importance score ≤ 31 Low ∶ 8 ≤ informtion importance score ≤ 23 (1)

-
Figure1shows the software used for classifying the importance of information in the cloud systems of KEC.

Figure 1 .
Figure 1.The software used for classifying the information importance in the cloud systems of KEC.

4 5 4 5
Necessity of the information's continuously supporting the tasks of an organization 3 4Number of users of the cloud systems 5 4Degree of disorder caused by restrictions to the use or access of the information 4

Figure 2 .
Figure 2. Comparison between the proposed security controls and the security controls of ENISA.

Figure 3 .
Figure 3.Comparison between the proposed security controls and the security controls of FedRAMP.

Table 2 .
A set of security controls for cloud security in the public sector.

Table 3 .
Cloud systems of KEC.

Table 4 .
The importance of information in the cloud systems of KE.

Table 5 .
Specifications and importance of resources of the cloud systems of KEC.

Table 7 .
Application of risk profiling of the security framework to MIS. [

Step 1] Identify a cloud service
MIS systems such as personnel information systems and accounting information systems [

Step 2] Select the relevant security dimension of the systems
Security dimension of personnel information systems: Confidentiality, integrity, and availability Security dimension of accounting information systems: Confidentiality, integrity, and availability [