Requirements Reuse for Improving Information Systems Security: A Practitioner’s Approach

Information systems security issues have usually been considered only after the system has been developed completely, and rarely during its design, coding, testing or deployment. However, the advisability of considering security from the very beginning of the system development has recently begun to be appreciated, and in particular in the system requirements specification phase. We present a practical method to elicit and specify the system and software requirements, including a repository containing reusable requirements, a spiral process model, and a set of requirements documents templates. In this paper, this method is focused on the security of information systems and, thus, the reusable requirements repository contains all the requirements taken from MAGERIT, the Spanish public administration risk analysis and management method, which conforms to ISO 15408, Common Criteria Framework. Any information system including these security requirements must therefore pass a risk analysis and management study performed with MAGERIT. The requirements specification templates are hierarchically structured and are based on IEEE standards. Finally, we show a case study in a system of our regional administration aimed at managing state subsidies.

[1]  John Mylopoulos,et al.  Non-Functional Requirements in Software Engineering , 2000, International Series in Software Engineering.

[2]  Mark C. Paulk,et al.  The Capability Maturity Model , 1991 .

[3]  José Luis Fernández Alemán,et al.  Can intuition become rigorous? Foundations for UML model verification tools , 2000, Proceedings 11th International Symposium on Software Reliability Engineering. ISSRE 2000.

[4]  Sara Jones,et al.  Trust requirements in e-business , 2000, CACM.

[5]  Ian Sommerville,et al.  Requirements Engineering: Processes and Techniques , 1998 .

[6]  Jacob L. Cybulski,et al.  Requirements Classification and Reuse: Crossing Domain Boundaries , 2000, ICSR.

[7]  E. L. Harder,et al.  The Institute of Electrical and Electronics Engineers, Inc. , 2019, 2019 IEEE International Conference on Software Architecture Companion (ICSA-C).

[8]  Paula M. C. Swatman,et al.  Effective Internet Acceptable Usage Policy for Organisations , 1997 .

[9]  Ian Sommerville,et al.  Software engineering (6th ed.) , 2001 .

[10]  RICHAFID BASKERVILLE,et al.  Information systems security design methods: implications for information systems development , 1993, CSUR.

[11]  Norman E. Fenton,et al.  A Strategy for Improving Safety Related Software Engineering Standards , 1998, IEEE Trans. Software Eng..

[12]  Matthias Jarke,et al.  Toward Reference Models of Requirements Traceability , 2001, IEEE Trans. Software Eng..

[13]  Bashar Nuseibeh,et al.  Weaving Together Requirements and Architectures , 2001, Computer.

[14]  Khaled El Emam,et al.  Spice: The Theory and Practice of Software Process Improvement and Capability Determination , 1997 .

[15]  Ben J Hicks,et al.  World Multiconference on Systemics, Cybernetics and Informatics , 2000 .

[16]  Suzanne Robertson,et al.  Mastering the Requirements Process , 1999 .

[17]  A. Antón,et al.  Strategies for Developing Policies and Requirements for Secure Electronic Commerce Systems , 2000 .

[18]  Ali Mili,et al.  Reusing Software: Issues and Research Directions , 1995, IEEE Trans. Software Eng..

[19]  A. Toval,et al.  Improving system reliability via rigorous software modeling: the UML case , 2001, 2001 IEEE Aerospace Conference Proceedings (Cat. No.01TH8542).

[20]  Ari Jaaksi A Method for Your First Object-Oriented Project , 1998, J. Object Oriented Program..

[21]  Stephen Fickas,et al.  Goal-Directed Requirements Acquisition , 1993, Sci. Comput. Program..

[22]  Thorsten von Eicken,et al.  技術解説 IEEE Computer , 1999 .

[23]  Joaquín Nicolás,et al.  Toward Use Case and Conceptual Models through Business Modeling , 2000, ER.

[24]  María del Mar Martínez Sánchez,et al.  Real Decreto 994/1999, de 11 de junio, por el que se aprueba el reglamento de medidas de seguridad de los ficheros automatizados que contengan datos de carácter personal , 2001 .

[25]  Ivar Jacobson,et al.  The Unified Software Development Process , 1999 .

[26]  Begoña Moros Valle,et al.  COMBINING FORMAL SPECIFICATIONS WITH DESIGN BY CONTRACT , 2000 .

[27]  Lawrence Chung,et al.  Dealing with Security Requirements During the Development of Information Systems , 1993, CAiSE.

[28]  Robyn R. Lutz,et al.  Analyzing software requirements errors in safety-critical, embedded systems , 1993, [1993] Proceedings of the IEEE International Symposium on Requirements Engineering.

[29]  Roger S. Pressman,et al.  Software Engineering: A Practitioner's Approach , 1982 .