
The CAST Method for Comparing Security Standards

Chapter in: Pattern and Security Requirements

Abstract

Working with security standards is difficult, because they are long and ambiguous texts. Understanding which activities and documents are necessary to establish a standard takes significant time. Comparing standards is even more time consuming, because this understanding has to be built up separately for each standard. We propose a structured methodology called CAST that helps to understand and compare security standards by using a template derived from existing standards. Our template contains specific sections for each standard activity. Moreover, we define a common terminology for security standards that serves as a baseline for comparing the terminology of the individual standards. We show instantiations of the template for the standards ISO 27001:2005, ISO 27001:2013, Common Criteria, and IT Grundschutz. Our results contain an analysis of these instantiations that shows the different approaches of these standards and their differences in terminology. The CAST method can be applied to further standards with little effort.



Author information

Corresponding author: Kristian Beckers


Copyright information

© 2015 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Beckers, K. (2015). The CAST Method for Comparing Security Standards. In: Pattern and Security Requirements. Springer, Cham. https://doi.org/10.1007/978-3-319-16664-3_4

  • DOI: https://doi.org/10.1007/978-3-319-16664-3_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-16663-6

  • Online ISBN: 978-3-319-16664-3
