论文信息 - Bridging the Gap between Risk Analysis and Security Policies

Bridging the Gap between Risk Analysis and Security Policies

In the IT security management process, a methodological gap exists between the results of a risk analysis, the development of adequate security policies and the selection of appropriate operational controls. We believe that a number of methods and techniques developed by the Requirement Engineering community, and goal requirements modelling in particular, can be useful to bridge this gap by providing modelling frameworks that might support those processes.

Eric Dubois | Paul Gaunard

[1] Lawrence Chung,et al. Dealing with Security Requirements During the Development of Information Systems , 1993, CAiSE.

[2] A. Antón,et al. Strategies for Developing Policies and Requirements for Secure Electronic Commerce Systems , 2000 .

[3] John Mylopoulos,et al. Representing and Using Nonfunctional Requirements: A Process-Oriented Approach , 1992, IEEE Trans. Software Eng..

[4] Jonathan D. Moffett. Requirements and Policies , 1999 .

[5] Jonathan D. Moffett,et al. The Integration of Safety and Security Requirements , 1999, SAFECOMP.

[6] G. Stoneburner,et al. Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology , 2002 .