Risk-based Confidentiality Requirements Specification for Outsourced IT Systems

Companies today are required to be in control of their IT assets and to prove this in the form of independent IT audit reports. Many companies, however, have outsourced parts of their IT systems to other companies, which potentially weakens the control they have over those assets. To prove that they are in control of outsourced IT systems, the outsourcing client and the outsourcing provider need a written service level agreement (SLA) that an independent party can audit. SLAs for availability and response time are common business practice, but so far there is no practical method for specifying confidentiality requirements in an SLA. Specifying confidentiality requirements is hard because, unlike availability and response time, confidentiality cannot be verified by monitoring: an attacker who breaches confidentiality tries to do so unobserved by both client and provider, so the absence of detected incidents says nothing about whether confidentiality was preserved. In addition, providers usually do not want to reveal their own infrastructure to the client for monitoring or risk assessment. Elsewhere, we have presented an architecture-based method for confidentiality risk assessment in IT outsourcing. In this paper we adapt this method to confidentiality requirements specification and present a case study to evaluate the new method.
