Context-Based Security Policies: A New Modeling Approach
PERCOMW '04 Proceedings of the Second IEEE Annual Conference on Pervasive Computing and Communications Workshops
Modeling insecurity: policy engineering for survivability
Proceedings of the 2003 ACM workshop on Survivable and self-regenerative systems: in association with 10th ACM Conference on Computer and Communications Security
A framework for security requirements engineering
Proceedings of the 2006 international workshop on Software engineering for secure systems
The Impact of Certification Criteria on Integrated COTS-Based Systems
ICCBSS '07 Proceedings of the Sixth International IEEE Conference on Commercial-off-the-Shelf (COTS)-Based Software Systems
Logging in the Age of Web Services
IEEE Security and Privacy
NIST Special Publication 800-53 Revision 3 Recommended Security Controls for Federal Information Systems and Organizations
Security policy foundations in context UNITY
Proceedings of the 7th International Workshop on Software Engineering for Secure Systems
| Hi-index | 0.00 |
Expressing security controls as functional requirements aids in the verification step of security certification and accreditation. Distributed, multi-component systems or systems of systems (SoSs) are difficult to verify because the security controls must be understood in functional terms with respect to their local effects on components, their global effects on the SoS, and their effect on component information exchange. In this paper, we define a process to formulate functional requirements from security controls with SoSs as the target. The process starts by extracting model elements associated with assets, functions, organization variables, and external influences. These models are composed across a set of security controls and normalized to maintain consistency and remove redundancies. We apply the models to SoSs to provide essential details to their specification in functional requirements. The objective is to reduce ambiguity when verifying SoSs as well as minimize recertification efforts when the system or security expectations changes.