The CAST Method for Comparing Security Standards

Working with security standards is difficult, because they are long and ambiguous texts. The time required to understand which activities and documents are necessary to establish a standard is significant. Furthermore, comparing standards is even more time consuming, because this effort has to be repeated for each standard. We propose a structured methodology called CAST that helps to understand and compare security standards by using a template derived from existing standards. Our template contains specific sections for each standard activity. Moreover, we define a common terminology for security standards that serves as a baseline for comparing the terminology of the individual standards. We show instantiations of the template for the standards ISO 27001:2005, ISO 27001:2013, Common Criteria, and IT Grundschutz. Our results contain an analysis of these instantiations that shows the different approaches of these standards and their differences in terminology. The CAST method can be applied to further standards with little effort.
