Escolar Documentos
Profissional Documentos
Cultura Documentos
System engineers are confronted with fast-paced technology developments, complicated contractual relationships, emerging threats
and global security requirements, concerns for sustainability and viability of their ventures and a raft of other issues. In this
environment, information technology-intensive systems in particular are exposed to risk and recent high-profile incidents have
contributed to significant emphasis to be given to security. It is however impossible for systems engineers to become specialists in all
areas of concern in order to be able to tackle effectively those issues and thus architecting systems needs to take into account good
practice and existing relevant knowledge. When such knowledge is embodied into established and widely accepted standards, not only
is there the opportunity to capitalise on their mature content but also to ripe the benefits of compliance, seamless integration and
competitive advantage that standardisation provides. In this spirit we investigate in this paper the use of two popular and established
standards, the ISO 27000 series and ISO/IEC 26702, as aids in the process of engineering secure systems.
Index Termssecurity engineering, standards.
I.
INTRODUCTION
II.
P124
exposure to various risks. The management stage is introduced
by selecting appropriate countermeasures to deal with the risk
exposure. This approach is usually performed on an existing
IS, and is not easily integrated into the systems development.
That is because at the development stages a systems model is
altering from stage to stage and consequently, this approach is
more applicable to an already developed information system.
Risk analysis and management are techniques that require
expert skills in evaluating the information related risk and
implementing countermeasures on a cost/benefit basis. As
further criticism, IS risk analysis and management are not
regarded as scientific methods, because of their lack of
feedback concerning the specification, design and
countermeasure implementation [5]. Yet they are of the most
popular approaches that practice has embraced.
Both previous streams of practices are characterised by the
fact that they are usually applied after the systems
development. Such a post-applied practices could expose the
system to risk until the security is implemented and also they
are usually applicable to a systems frozen instance in time,
meaning that significant rework needs to be performed every
time that changes are implemented into the system.
Irvine et al. [6], separate the risks of IS in development and
functionality risks. The development risks are separated in
sublime errors that can be handled with quality assurance and
malicious development that can be handled with configuration
management. However, this is not a simple task because of the
limited time to perform it and also due to the associated cost.
For this reason audits are conducted over representative areas
and are targeted and selective.
It is now well over a decade ago since Wood noted a trend
for integrating baseline security features into commercial
products [7]. In such a way the responsibility for the provision
of security is transferred to the manufacturer/service supplier.
Consequently the organisation is responsible of ensuring that
the product is deployed properly and the users are trained for
its use.
However, the majority of existing development
methodologies does not appear to embed particular security
provisions for the system under development. Popular
methodologies such as MERISE, DSDM and the Information
Engineering refer partially, if at all to how the developer will
integrate security features along with the desired functionality.
That is why approaches of the third and most recent research
stream, try to incorporate security requirements within the
development process of information systems. In such a way,
security is introduced early into the system, making it easier to
tackle potential future changes.
In this stream of research, studies are concerned about how
the use of techniques and tools could help in the merging of
the security requirements with the specifications of the IS.
Siponen [8] identifies a duality in these techniques in terms of
their focus to either the modelling techniques (the majority of
proposals) or the development process. From a modelling
point of view, Baskerville [9] proposed the use of popular
diagramming techniques such as Data Flow Diagrams and
Entity-Relationships Models for the specification of security
2
requirements. Other researchers provide modelling extensions
of widely used modelling languages such as the Unified
Modelling Language (UML), in order to accommodate the
security requirements [10].
From a process point of view, Downs et al. [11] present in
their book an interface between CRAMM and SSADM. More
recently, Warren and Batten [12] introduced a complementary
method to be used alongside ETHICS (SIM-ETHICS) and
Evertsson et al. [13] proposed a framework for integration of
security to the systems development process.
There also exist alternative approaches such as the Virtual
Methodology (VM) developed by Hitchings [14], that largely
utilises managerial and problem solving techniques such as the
Soft Systems Methodology [15] for the construction of system
models and the assessment of the risk exposure. In this stream
we can also categorise the Security By Analysis [16]
methodology, developed in Sweden where the socio-technical
system design is popular. It is based on a process of
engagement of the key system stakeholders to analyse and to
consent on the issues of asset valuation, risk exposure and
security controls selection over a series of frequent meetings.
Information security management refers to the structured
process for the implementation and ongoing management of
information security in an organization [17], where risk
assessment is a core element. Risk assessment is the process
that includes risk analysis, thus identifying risks and
describing them in quantitative or qualitative terms, and risk
evaluation, thus prioritizing risk against risk evaluation criteria
and objectives.
In more detail, the objective of risk assessment is to
determine the value of information assets, identify the
applicable threats and vulnerabilities and determine potential
consequences. Finally, risk assessment aims at prioritizing the
derived risks and ranking them against the risk evaluation
criteria. Following risk assessment, risk treatment takes place
in order to determine and implement controls to reduce, retain,
avoid or transfer the risks. Finally, risk acceptance tasks are
conducted to ensure that residual risks are explicitly accepted
by the managers of the organization, and risk communication
activities are implemented so as information about risk to be
exchanged between the decision-makers and the other
stakeholders.
III.
P124
understanding and agreement of functional and non-functional
requirements, thus facilitating the design of systems that
ensure the compatibility of equipment of diverse origins and
strengthen interoperability.
In the information systems security area, more specifically,
standards support the common understanding of security
requirements and ensure that the security mechanisms
implemented do comply with globally accepted rules and
practices. In this way the systems that are being implemented
reach a commonly accepted security level and interoperate
with other systems in an efficient and secure way
(International Organization for Standardization - ISO).
Therefore, the basic purpose of the information security
standardization is to create a common security model in order
to enable companies to carry out their business and cooperate
globally [18].
A.
ISO/IEC 26702 (IEEE 1220)
The international standard ISO/IEC 26702 Application and
Management of the Systems Engineering Process defines the
interdisciplinary tasks that are required throughout a systems
life cycle to transform stakeholder needs, requirements, and
constraints into a system solution [19]. ISO/IEC 26702 is
aimed at development of commercial product-oriented
systems, such as aeroplanes and information systems, and is
currently utilised globally by industry, government, and
academia [20].
The standard consists of 6 clauses.
1. Scope, purpose, and organization
2. References
3. Terms and acronyms
4. General requirements
5. Life-cycle stages
6. Systems engineering process (SEP)
The SEP (shown in figure 1), consists of eight
subprocesses; requirements analysis, requirements validation,
functional analysis, functional verification, synthesis, design
verification, systems analysis, and control.
Requirements Analysis - Stakeholder input is used to
establish the required system capability through performance
criteria, operational environments, system interfaces and
constraints. Trade-off and risk analyses are conducted to
identify and resolve any conflicts.
The output is a
requirements baseline that contains an operational view, a
functional view, and a design view of the system.
Requirements Validation The requirements baseline is
evaluated against the stakeholder expectations and system
constraints. If the baseline fails to address the criteria then
both Analysis and Validation must be repeated iteratively.
Functional Analysis - The requirements defined during
Analysis are translated into a collection of design elements.
The output is a functional architecture for the system.
Functional Verification The functional architecture is
evaluated against the original requirements baseline to ensure
that it is complete.
Synthesis The verified functional architecture is translated
into several possible design solutions. The optimal solution is
3
selected using criteria relating to budget, schedule,
performance, and risk.
Design Verification - The design solution architecture is
evaluated against the requirements baseline and functional
architecture to ensure alignment.
Systems Analysis A set of techniques to assist with the
three analysis stages, Requirement, Functional, and Synthesis.
These techniques can include conflict resolution, system
effectiveness assessments, and risk management.
Control Tasks are carried out to manage and document
SEP activities and results, this information is used to monitor
progress of the project.
ISO/IEC 26702, initially released as the trial issue standard
IEEE 1220 in 1995 and as a full standard in 1998, has
remained largely unchanged since. A 2007 revision aligned
application of IEEE 1220 practices and processes with the
P124
attempting to apply the concepts.. However, according to
Sheard [20], the key systems engineering standards, including
ISO/IEC 26702, have begun to move away from a federal
government contract-centric approach to a commercial,
voluntary compliance approach. The focus has changed from
management to process orientation. The hope is that the
most recent revision (2007) will encourage use of the standard
in more commercial settings and in a wider range of
organisation types, both in the US and globally.
A number of capability assessment tools (e.g. SECM,
EIA/IS 731, CMMI) can be used in conjunction with ISO/IEC
26702. In this way an organisation can monitor and improve
its systems engineering efforts against pre-defined levels.
These levels, once obtained, can be used to demonstrate
competence to clients or stakeholders and to differentiate an
organisation from its competitors. Through these tools
ISO/IEC 26702 can add value to any organisation in the
business of developing complex systems.
B.
ISO/IEC 27000 series (BS7799)
ISO/IEC 27000 series is a family of standards published by
the International Organization for Standardization (ISO) and
the International Electrotechnical Commission (IEC). The
series includes standards that provide best practice
recommendations on information security management, risks
and controls.
The provided guidelines are based on an Information
Security Management System (ISMS) and a process-oriented
approach structured in a circular model (Plan-Do-Check-Act,
fig. 2) for security management. The purpose of such an ISMS
is to ensure the selection of adequate and proportionate
security controls that protect information assets and give
confidence to interested parties. The proposed practices apply
to all kinds of organizations irrespectively of size or type
(commercial, governmental etc.). ISO/IEC 27000 series, at the
moment, comprise from seven standards (Table 1); while two
more standards are under development. Furthermore,
guidelines regarding ISMSs in specific sectors are published;
i.e. ISO/IEC 27011 for telecommunication organization.
The advantages of security standardization are nowadays
recognized by organizations, as it is depicted by the growing
acceptance and adoption of security standards. Organizations
in the United Kingdom (UK) are increasingly utilising the ISO
4
however, are ISO/IEC 27001 and ISO/IEC 27002; for both
standards an increasing adoption is revealed from surveys [23]
[25], and furthermore, an increase of ISO/IEC 27001:2005
certifications has also be noticed [26].
Briefly, the Plan-Do-Check-Act models main elements
(ISO/IEC 27001, 2005) include: the Planning phase that
TABLE I
THE ISO/IEC 27000 SERIES
STANDARD
ISO/IEC
27000
ISO/IEC
27001
ISO/IEC
27002
ISO/IEC
27003
ISO/IEC
27004
ISO/IEC
27005
ISO/IEC
27006
ISO/IEC
27007
ISO/IEC
27008
STATUS
Published in 2009
Formerly known
as BS7799-part2.
Published in 2005
(a revision is
planned).
Formerly known
as ISO 17799 and
BS7799-part1.
Published in 2005
(a revision is
planned).
Published in 2010.
Published in 2009
Based on BS7799part3. Published
in 2008.
Published in 2007
Under
development.
Under
development.
P124
V.
P124
6
REFERENCES
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
[12]
[13]