Abstract
This chapter provides the background required to follow the remainder of this book. We describe the security standards supported by various methods and approaches presented in this book, namely ISO 27001 and the Common Criteria. In addition, we show how to apply our research to safety as well. In contrast to security standards, which are concerned with protecting a system from attackers, safety standards aim to prevent harm to humans arising from hazards. The safety standard ISO 26262 focuses on the automotive domain, and we introduce it in this chapter as well. This book provides methods and techniques for applying requirements engineering methods to the establishment of security and safety standards. Hence, we introduce a conceptual framework for security requirements engineering and several of these methods in detail, such as SI* and CORAS. Finally, we show the agenda approach, which is the underlying conceptual foundation of all methods contributed by this book.
Notes
- 1. Reproduced by permission of DIN Deutsches Institut für Normung e.V. The definitive version for the implementation of this standard is the edition bearing the most recent date of issue, obtainable from Beuth Verlag GmbH, Burggrafenstraße 6, 10787 Berlin, Germany.
- 2. The standard was formerly known as ISO 17799 and later renamed to ISO 27002.
- 3. Online statement of the ISO 27000 series that ISO 27001 will remain the only mandatory standard of the series: http://www.iso27001security.com/html/27017.html.
- 4. Note: This is the Bundesamt für Sicherheit in der Informationstechnik (BSI), a national government body that aims to increase IT security. This is not The British Standards Institution (BSI).
- 5. Note that we defined the term establishment with regard to standards in Chap. 1.
- 6.
- 7. Note that, in contrast to our work, Massacci applies the ECO Model also to relations between actors and goals.
- 8.
- 9.
- 10.
References
Alebrahim, A., Hatebur, D., & Heisel, M. (2011). A method to derive software architectures from quality requirements. In Proceedings of the 18th Asia-Pacific Software Engineering Conference (APSEC) (pp. 322–330). IEEE Computer Society.
Asnar, Y., Giorgini, P., & Mylopoulos, J. (2011). Goal-driven risk assessment in requirements engineering. Requirements Engineering, 16(2), 101–116.
BSI. (2011). BSI Grundschutz Homepage. Bonn, Germany: Federal Office for Information Security (BSI). (https://www.bsi.bund.de/DE/Themen/ITGrundschutz/itgrundschutz_node.html).
Calder, A. (2009). Implementing information security based on ISO 27001/ISO 27002: A management guide. Zaltbommel: Van Haren Publishing.
Coleman, D., Arnold, P., Bodoff, S., Dollin, C., Gilchrist, H., Hayes, F., et al. (1994). Object-oriented development: The fusion method. Englewood Cliffs: Prentice Hall.
Côté, I. (2012). A systematic approach to software evolution. Baden-Baden: Deutscher Wissenschafts-Verlag.
Côté, I., Hatebur, D., Heisel, M., Schmidt, H., & Wentzlaff, I. (2008). A systematic account of problem frames. In Proceedings of the European Conference on Pattern Languages of Programs (EuroPLoP). Universitätsverlag Konstanz.
Côté, I., Hatebur, D., Heisel, M., & Schmidt, H. (2011). UML4PF—A tool for problem-oriented requirements analysis. In Proceedings of the International Conference On Requirements Engineering (RE) (pp. 349–350). IEEE Computer Society.
Fabian, B., Gürses, S., Heisel, M., Santen, T., & Schmidt, H. (2010). A comparison of security requirements engineering methods. Requirements Engineering—Special Issue on Security Requirements Engineering, 15(1), 7–40.
Hatebur, D. (2012). Pattern and component-based development of dependable systems. Baden-Baden: Deutscher Wissenschafts-Verlag (DWV).
Hatebur, D., & Heisel, M. (2009). A foundation for requirements analysis of dependable software. In Proceedings of the International Conference on Computer Safety, Reliability and Security (SAFECOMP) (pp. 311–325). Springer.
Hatebur, D., & Heisel, M. (2010). A UML profile for requirements analysis of dependable software. In Proceedings of the International Conference on Computer Safety, Reliability and Security (SAFECOMP) (pp. 317–331). Springer.
Heisel, M. (1998). Agendas—A concept to guide software development activities. In Proceedings of the IFIP TC2 WG2.4 Working Conference on Systems Implementation: Languages, Methods and Tools (pp. 19–32). London: Chapman & Hall.
ISO. (2011). ISO 26262—Road Vehicles—Functional Safety. Geneva, Switzerland: International Organization for Standardization (ISO).
ISO/IEC. (2000). ISO/IEC 61508 Functional safety of electrical/electronic/programmable electronic safety-relevant systems. Geneva, Switzerland: International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).
ISO/IEC. (2005). Information technology—Security techniques—Information security management systems—Requirements (ISO/IEC 27001). Geneva, Switzerland: International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).
ISO/IEC. (2008). Information technology—Security techniques—Information security risk management (ISO/IEC 27005). Geneva, Switzerland: International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).
ISO/IEC. (2009). Information technology—Security techniques—Information security management systems—Overview and Vocabulary (ISO/IEC 27000). Geneva, Switzerland: International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).
ISO/IEC. (2012). Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408). Geneva, Switzerland: International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).
ISO/IEC. (2013). Information technology—Security techniques—Information security management systems—Requirements (ISO/IEC 27001). Geneva, Switzerland: International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).
ISO/IEC. (2014). Information technology—Security techniques—Information security management systems—Overview and Vocabulary (ISO/IEC 27000). Geneva, Switzerland: International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).
ISO. (2009). ISO 31000 Risk management—Principles and guidelines. Geneva, Switzerland: International Organization for Standardization (ISO).
Jackson, M. (2001). Problem frames: Analyzing and structuring software development problems. Boston: Addison-Wesley.
Jackson, M., & Zave, P. (1995). Deriving specifications from requirements: An example. In Proceedings of the 17th International Conference on Software Engineering (pp. 15–24). ACM.
Karpati, P., Sindre, G., & Opdahl, A. L. (2011). Characterising and analysing security requirements modelling initiatives. In Proceedings of the International Conference on Availability, Reliability and Security (ARES) (pp. 710–715). IEEE Computer Society.
Klipper, S. (2010). Information Security Risk Management mit ISO/IEC 27005: Risikomanagement mit ISO/IEC 27001, 27005 und 31010. Vieweg+Teubner.
Lund, M. S., Solhaug, B., & Stølen, K. (2010). Model-driven risk analysis: The CORAS approach (1st ed.). London: Springer.
Mahler, T. (2010). Legal risk management. Unpublished doctoral dissertation, University of Oslo.
Massacci, F., Mylopoulos, J., & Zannone, N. (2010). Security requirements engineering: The SI* modeling language and the secure tropos methodology. Advances in Intelligent Information Systems, 265, 147–174.
UML Revision Task Force. (2010). OMG unified modeling language: Superstructure.
© 2015 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Beckers, K. (2015). Background. In: Pattern and Security Requirements. Springer, Cham. https://doi.org/10.1007/978-3-319-16664-3_2
DOI: https://doi.org/10.1007/978-3-319-16664-3_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-16663-6
Online ISBN: 978-3-319-16664-3
eBook Packages: Computer Science (R0)