Pattern and Security Requirements: Engineering-Based Establishment of Security Standards 2015 ed. [Hardback]

  • Format: Hardback, 474 pages, height x width: 235x155 mm, weight: 910 g, 186 Illustrations, black and white; XXV, 474 p. 186 illus., 1 Hardback
  • Publication date: 28-Apr-2015
  • Publisher: Springer International Publishing AG
  • ISBN-10: 3319166638
  • ISBN-13: 9783319166636

Security threats are a significant problem for information technology companies today. This book focuses on how to mitigate these threats by using security standards, and provides ways to address the problems that ambiguities in the standards cause for engineers. The security standards are analysed, their fundamental concepts are presented, and the relations of these concepts to the elementary concepts of security requirements engineering (SRE) methods are explored. Using this knowledge, engineers can build customised methods that support the establishment of security standards.

Standards such as Common Criteria or ISO 27001 are explored and several extensions are provided to well-known SRE methods such as Si*, CORAS, and UML4PF to support the establishment of these security standards. Through careful analysis of the activities demanded by the standards, for example the activities to establish an Information Security Management System (ISMS) in compliance with the ISO 27001 standard, methods are proposed which incorporate existing security requirement approaches and patterns.

Understanding Pattern and Security Requirements engineering methods is important for software engineers, security analysts, and other professionals who are tasked with establishing a security standard, as well as researchers who aim to investigate the problems with establishing security standards. The examples and explanations in this book are designed to be understandable by all these readers.

Reviews

The book presents the results of comprehensive research aimed at creating a method for threat analysis and the mitigation of risks through the comparative study of existing standards. The book is interesting for practitioners who have to create enterprise-wide security policies and standards. It is worth reading for researchers who deal with the formal and semi-formal modeling of the security domain. (Bálint Molnár, Computing Reviews, September, 2015)

1 Introduction
1.1 Motivation
1.2 Research Questions
1.3 Overview
References
2 Background
2.1 Overview
2.2 Security Standards
2.2.1 The ISO 27000 Series of Standards
2.2.2 ISO 27001
2.2.3 ISO 27001:2013
2.2.4 Common Criteria
2.3 Safety Standard ISO 26262
2.4 A Conceptual Framework for Security Requirements Engineering
2.5 Security Requirements Engineering Methods
2.5.1 Si*
2.5.2 CORAS
2.5.3 Problem Frame-Based Methods
2.6 The Agenda Concept
References
3 The PEERESS Framework
3.1 Introduction
3.2 Coverage of Knowledge Areas
3.3 An Overview of the PEERESS Framework
3.4 Application of Our PEERESS Framework
3.5 Summary
References
4 The CAST Method for Comparing Security Standards
4.1 Introduction
4.2 A Method for Comparing Security Standards
4.3 CAST Step 1: Define a Common Terminology
4.4 CAST Step 2: Analyze Existing Work
4.4.1 The HatSec Method
4.4.2 NIST SP 800-30 Standard
4.5 CAST Step 3: Define a Conceptual Model
4.6 CAST Step 4: Instantiate Template with Standards
4.6.1 ISO 27001
4.6.2 ISO 27001:2013
4.6.3 IT Grundschutz
4.6.4 The Common Criteria
4.7 CAST Step 5: Compare Standards
4.8 Discussion
4.9 Summary
References
5 Relating ISO 27001 to the Conceptual Framework for Security Requirements Engineering Methods
5.1 Introduction
5.2 Relating ISO 27001 to Security Requirements Engineering Methods
5.3 Insights
5.4 Practical Application of Our Results
5.5 Related Work
5.6 Summary
References
6 Supporting ISO 27001 Compliant ISMS Establishment with Si*
6.1 Introduction
6.2 A Method for Goal-Based ISMS Establishment
6.3 Application of Our Method to a Smart Grid Scenario
6.4 Discussion
6.5 Related Work
6.5.1 Techniques that support ISO 27001 compliant ISMS Establishment
6.5.2 Goal-based Requirements Engineering for Security Analysis
6.6 Summary
References
7 Supporting ISO 27001 Establishment with CORAS
7.1 Introduction
7.2 The ISMS-CORAS Method
7.3 Application of Our Method
7.4 Related Work
7.5 Summary
References
8 Supporting Common Criteria Security Analysis with Problem Frames
8.1 Introduction
8.2 Supporting Common Criteria Using Problem Frames
8.3 UML Profile for Problem-Based and Common Criteria-Compliant Security Analysis
8.4 A Method for a Systematic Security Analysis and Documentation
8.5 Application of Our Method
8.6 Tool Support
8.7 Discussion of Our Results with Practitioners
8.8 Related Work
8.9 Summary
References
9 Supporting ISO 26262 Hazard Analysis with Problem Frames
9.1 Introduction
9.2 Challenges in an ISO 26262 Hazard Analysis
9.3 A Hazard Analysis and Risk Assessment Method
9.4 Tool Support
9.5 Application
9.6 Related Work
9.7 Summary
References
10 A Catalog of Context-Patterns
10.1 Introduction
10.2 Definition
10.3 Related Work
10.4 Cloud System Analysis Pattern
10.4.1 Graphical Pattern
10.4.2 Templates
10.4.3 Method
10.4.4 Example
10.4.5 Tool Support
10.5 Peer-to-Peer System Analysis Pattern
10.5.1 Graphical Pattern
10.5.2 Templates
10.5.3 Method
10.6 Service-Oriented Architecture Pattern
10.6.1 Graphical Patterns
10.6.2 Templates
10.6.3 Method
10.7 Law Pattern
10.7.1 Graphical Patterns
10.7.2 Templates
10.7.3 Method
10.8 Summary
References
11 Initiating a Pattern Language for Context-Patterns
11.1 Motivation
11.2 A Template for Pattern Languages
11.2.1 Viewpoints of Pattern Languages
11.2.2 A Template for Describing a Pattern Language
11.2.3 Software Engineering Definitions of a Pattern Language
11.2.4 A Pattern Language for Context-Patterns
11.3 A Meta-Model for Context-Pattern
11.4 Relations Between Existing Context-Patterns
11.5 Summary
References
12 Supporting the Establishment of a Cloud-Specific ISMS According to ISO 27001 Using the Cloud System Analysis Pattern
12.1 Introduction
12.2 Governance, Risk, and Compliance for Clouds
12.3 Motivation for a Cloud-Specific ISMS Establishment Method
12.4 Overview of Our PACTS Method
12.5 PACTS Step 1: Get Management Commitment
12.6 PACTS Step 2: Define ISMS Scope
12.6.1 The Extended Cloud Pattern
12.6.2 Instantiate the Extended Cloud Pattern with Our Running Example
12.7 PACTS Step 3: Identify Assets
12.8 PACTS Step 4: Analyze Threats
12.8.1 Cloud Security Alliance: Top Threats to Cloud Computing
12.8.2 Gartner's Cloud Security Risks Assessment
12.8.3 Relations Between Threats and the Cloud Pattern
12.8.4 Cloud Threat Patterns
12.8.5 A Method for Pattern-Based Threat Analysis for Clouds
12.9 PACTS Step 5: Conduct Risk Assessment
12.10 PACTS Step 6: Create Security Policies and Reason About Controls
12.10.1 Controls in the ISO 27001 Standard
12.10.2 A Method for Establishing ISO 27001 Policies
12.10.3 Cloud Security Alliance: Cloud Controls Matrix
12.10.4 Application of Our ISO 27001 Policy Method to Our Running Example
12.10.5 Consistency Checks
12.10.6 Policy Change Pattern
12.11 PACTS Step 7: Design ISMS Specification
12.12 Considering Legal Compliance in the PACTS Method
12.12.1 Overview on Compliance Issues of Clouds
12.12.2 PACTS Step 8: Identify Relevant Laws and Regulations
12.12.3 Example
12.12.4 PACTS Step 9: Define Compliance Controls
12.12.5 Example
12.13 Considering Privacy in the PACTS Method
12.13.1 A Method for Considering Privacy in an ISMS
12.13.2 PACTS Step 10: Instantiate Privacy Patterns
12.13.3 PACTS Step 11: Analyze Privacy Threats
12.13.4 Example of Our Privacy Method
12.14 Related Work
12.15 Summary
References
13 Validation and Extension of Our Context-Pattern Approach
13.1 Introduction
13.2 The ClouDAT Framework
13.3 A Catalog for Cloud Security Requirements Patterns
13.4 Representing Cloud Security Requirements Patterns
13.5 Discussion and Analysis
13.6 Tool Support
13.7 Discussions with Practitioners
13.8 Summary
References
14 Conclusion
14.1 Overview
14.2 Key Findings
14.2.1 Security-Requirements-Engineering-Based Establishment of Security Standards
14.2.2 Knowledge Transfer of Our Results to the Establishment of Safety Standards
14.2.3 Structured Elicitation of the Environment with Context Patterns
14.3 Answers to Our Research Questions
14.4 Directions for Future Research
14.4.1 Ontology-Based Support for Identifying Knowledge Objects to Support Security Standard Establishment
14.4.2 Investigating the Relations Between SRE and Security Testing
14.4.3 Empirical Studies
14.5 Summary
References
Appendix A OCL-Expressions for Validation and Security Reasoning
Appendix B Comparing ISO 27001 and ISO 31000
Appendix C Comparing Annex A of ISO 27001 and ISO 27001:2013
Appendix D Template for Security Standards