A Structured Comparison of Security Standards

A number of different security standards exist, and it is difficult to choose the right one for a particular project or to evaluate whether the right standard was chosen for a certification. These standards are often long and complex texts, whose reading and understanding take up a lot of time. We provide a conceptual model for security standards that relies upon existing research and contains the concepts and phases of security standards. In addition, we developed a template based upon this model, which can be instantiated for a given security standard. These instantiated templates can be compared and help software and security engineers to understand the differences between security standards. In particular, the instantiated templates explain which information, and at what level of detail, a system document written according to a certain security standard contains. We applied our method to the well-known international security standards ISO 27001 and Common Criteria, as well as to the German IT-Grundschutz standards.
