Using a security requirements engineering methodology in practice: The compliance with the Italian data protection legislation

Extending Requirements Engineering modelling and formal analysis methodologies to cope with Security Requirements has been a major effort in the past decade. Yet, only few works describe complex case studies that show the ability of the informal and formal approaches to cope with the level complexity required by compliance with ISO-17799 security management requirements. In this paper we present a comprehensive case study of the application of the Secure Tropos RE methodology for compliance to the Italian legislation on Privacy and Data Protection by the University of Trento, leading to the definition and analysis of a ISO-17799-like security management scheme.

[1]  Thomas Peltier,et al.  Information Technology: Code of Practice for Information Security Management , 2001 .

[2]  Jan Jürjens,et al.  Secure systems development with UML , 2004 .

[3]  Michael Waidner,et al.  Platform for Enterprise Privacy Practices: Privacy-Enabled Management of Customer Data , 2002, Privacy Enhancing Technologies.

[4]  Andreas L. Opdahl,et al.  Eliciting security requirements with misuse cases , 2000, Proceedings 37th International Conference on Technology of Object-Oriented Languages and Systems. TOOLS-Pacific 2000.

[5]  John Mylopoulos,et al.  Requirements Engineering Meets Trust Management: Model, Methodology, and Reasoning , 2004, iTrust.

[6]  John Mylopoulos,et al.  Requirements engineering for trust management: model, methodology, and reasoning , 2006, International Journal of Information Security.

[7]  Birgit Pfitzmann,et al.  A Toolkit for Managing Enterprise Privacy Policies , 2003, ESORICS.

[8]  Fausto Giunchiglia,et al.  Tropos: An Agent-Oriented Software Development Methodology , 2004, Autonomous Agents and Multi-Agent Systems.

[9]  Kwo-Jean Farn,et al.  A study on information security management system evaluation - assets, threat and vulnerability , 2004, Comput. Stand. Interfaces.

[10]  Annie I. Antón,et al.  A requirements taxonomy for reducing Web site privacy vulnerabilities , 2004, Requirements Engineering.

[11]  John Mylopoulos,et al.  Filling the Gap between Requirements Engineering and Public Key/Trust Management Infrastructures , 2004, EuroPKI.

[12]  John Mylopoulos,et al.  Security and privacy requirements analysis within a social setting , 2003, Proceedings. 11th IEEE International Requirements Engineering Conference, 2003..

[13]  日本規格協会 情報技術 : 情報セキュリティ管理実施基準 : 国際規格 : ISO/IEC 17799 = Information technology : code of practice for infromation security management : international standard : ISO/IEC 17799 , 2000 .

[14]  Michael Backes,et al.  Efficient comparison of enterprise privacy policies , 2004, SAC '04.

[15]  Mario Piattini,et al.  Legal requirements reuse: a critical success factor for requirements quality and personal data protection , 2002, Proceedings IEEE Joint International Conference on Requirements Engineering.

[16]  Marc Langheinrich,et al.  The platform for privacy preferences 1.0 (p3p1.0) specification , 2002 .

[17]  Ramakrishnan Srikant,et al.  An Implementation of P3P Using Database Technology , 2004, EDBT.

[18]  Axel van Lamsweerde,et al.  From system goals to intruder anti-goals: attack generation and resolution for security requirements engineering , 2003 .

[19]  John P. McDermott,et al.  Using abuse case models for security requirements analysis , 1999, Proceedings 15th Annual Computer Security Applications Conference (ACSAC'99).

[20]  Peter Sewell,et al.  Cassandra: flexible trust management, applied to electronic health records , 2004, Proceedings. 17th IEEE Computer Security Foundations Workshop, 2004..

[21]  Kwo-Jean Farn,et al.  Paper: a study on the certification of the information security management systems , 2003, Comput. Stand. Interfaces.

[22]  Annie I. Antón,et al.  Analyzing Website privacy requirements using a privacy goal taxonomy , 2002, Proceedings IEEE Joint International Conference on Requirements Engineering.

[23]  Paul Williams Information Security Governance , 2001, Inf. Secur. Tech. Rep..

[24]  Ramakrishnan Srikant,et al.  Hippocratic Databases , 2002, VLDB.