Abstract
Assessing and assuring conformity with regulatory documents carries a significant cost in modern economies. Demonstrating compliance with security standards involves providing evidence that the standards' security criteria are met in full, substantiating the appropriate decision. Despite its importance, this type of activity has not been adequately addressed by the available solutions, and the tool support for conformity assessment and assurance processes is rather poor. International standards do not contain any formal technique for security evaluation, which makes the evaluation process complicated and one-sided. This article proposes an approach to security assurance evaluation, the Advanced Security Assurance Case (ASAC), based on a refined definition of the existing assurance case structure.
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Potii, O., Illiashenko, O., Komin, D. (2015). Advanced Security Assurance Case Based on ISO/IEC 15408. In: Zamojski, W., Mazurkiewicz, J., Sugier, J., Walkowiak, T., Kacprzyk, J. (eds) Theory and Engineering of Complex Systems and Dependability. DepCoS-RELCOMEX 2015. Advances in Intelligent Systems and Computing, vol 365. Springer, Cham. https://doi.org/10.1007/978-3-319-19216-1_37
DOI: https://doi.org/10.1007/978-3-319-19216-1_37
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-19215-4
Online ISBN: 978-3-319-19216-1
eBook Packages: Engineering, Engineering (R0)