Engineering Security Requirement


Engineering Security Requirement
Research paper published by: Donald G. Firesmith
Presentation prepared by: Sohab Mihssen, Mitul Shah, Gaurangbhai Shah, Anantvir Brar, Mansi Alsmarah

WHAT IS A REQUIREMENT?
An established need that justifies a necessary attribute, capability, characteristic or quality of a system, in order for the system to have value and utility to a user.
The requirements phase is very important in any project development cycle.
Why do we need it? As we have already studied, roughly 42% of project failures are due to requirements: their gathering, documentation and management. So the key component here is the requirement.
Types:
• Functional requirements
• Data requirements
• Quality requirements
• Interface requirements

SECURITY REQUIREMENT (why we need it)
Security is the quality representing the degree to which a system or component prevents, detects, reacts, and adapts to malicious harm to valuable assets caused by attackers.
Most requirements engineers are poorly trained to elicit, analyze, specify, and manage quality requirements such as interoperability, operational availability, performance, portability, reliability, and usability; many are at a loss when it comes to security requirements.
This article will help you distinguish between security requirements and the mechanisms for achieving them, and will provide you with good examples of each type of security requirement.

GUIDELINES
• Security policy
• Misuse cases
• Threats vs. goals
• Requirements vs. architectural mechanisms and design decisions
• Validating security requirements

REQUIREMENTS
To meet the objectives, we will briefly address each of the following corresponding kinds of security requirements:
• Identification Requirements
• Authentication Requirements
• Authorization Requirements
• Immunity Requirements
• Integrity Requirements
• Intrusion Detection Requirements
• Nonrepudiation Requirements
• Privacy Requirements
• Security Auditing Requirements
• Survivability Requirements
• Physical Protection Requirements
• System Maintenance Security Requirements

IDENTIFICATION REQUIREMENTS
Objective: Ensure that all of the important externals are identified before they are allowed access.
Examples:
• The application will identify all of its human users before allowing them to use its capabilities.
• A data center facility will identify all personnel before allowing them to enter the premises.

IDENTIFICATION REQUIREMENTS
Guidelines:
• Identification requirements are necessary prerequisites for authentication requirements.
• They must be consistent with privacy requirements, which may require the anonymity of users.
Used to implement:
• Who you say you are:
• What you have:
• Who you are:
Measurements:
• Minimum number (percentage) of valid users identified
• Maximum number (percentage) of invalid users identified
What is a measurement? To evaluate the defect detection arrival rate by severity in this release, in order to deliver our software product with the required quality and ensure that all known defects are corrected before shipment.
Defect Detection Arrival Rate by Severity = Number of defects detected that period

AUTHENTICATION REQUIREMENTS
Objectives:
• To verify the identity of its users.
• To avoid compromising security to an impostor.
Examples:
• Verify the identity of all of its users before allowing them to update their user information.
• Verify the identity of its users before accepting a credit card payment from that user.

AUTHENTICATION REQUIREMENTS
Guidelines:
• Authentication depends on identification.
• Authentication requirements are prerequisites for authorization requirements.
Used to implement:
• Who you say you are:
• What you have:
• Who you are:
Measurements:
• Minimum number (percentage) of valid identities authenticated.
• Maximum number (percentage) of invalid identities authenticated.

AUTHORIZATION REQUIREMENTS
Objectives:
• To authorize specific authenticated externals to access specific services or information.
• To ensure that specific authenticated externals can access specific services or information.
Examples:
• Not allowing any customer to access any account information.
• Not allowing customer service agents to access the credit card information of customers.

AUTHORIZATION REQUIREMENTS
Guidelines:
• Authorization depends on both identification and authentication.
Used to implement:
• Hardware electronic keys
Measurements:
• Minimum number (percentage) of authenticated externals authorized.
• Maximum number (percentage) of non-authenticated externals authorized.
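As an added worked example (not code from Firesmith's paper or from the presentation), the script below turns the authentication and authorization measurements from the three slides above into a pass/fail check against constructed security-test results. The `Attempt` record, the sample outcomes and the numeric bounds are assumptions; the slides name the metrics but give no numbers.

```python
"""Evaluate the measurable authentication and authorization requirements listed
above against constructed security-test results (example code, not from
Firesmith's paper or the presentation)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Attempt:
    """One access attempt observed during security testing (constructed)."""
    valid_identity: bool   # the claimed identity really belongs to the caller
    authenticated: bool    # the system accepted the presented credential
    authorized: bool       # the system granted the requested service

# (population filter, outcome filter): the rate is the share of the population
# for which the outcome holds, matching the slides' min/max percentages.
MEASUREMENTS = {
    "valid identities authenticated": (lambda a: a.valid_identity, lambda a: a.authenticated),
    "invalid identities authenticated": (lambda a: not a.valid_identity, lambda a: a.authenticated),
    "authenticated externals authorized": (lambda a: a.authenticated, lambda a: a.authorized),
    "non-authenticated externals authorized": (lambda a: not a.authenticated, lambda a: a.authorized),
}

# (measurement name, "min" or "max", bound in percent). The bounds are assumed:
# the slides name the metrics but give no numbers.
REQUIREMENTS = [
    ("valid identities authenticated", "min", 99.0),
    ("invalid identities authenticated", "max", 1.0),
    ("authenticated externals authorized", "min", 99.0),
    ("non-authenticated externals authorized", "max", 0.0),
]

def rate(attempts, population, outcome):
    """Percentage of the population for which outcome holds (0.0 if empty)."""
    pop = [a for a in attempts if population(a)]
    return 100.0 * sum(1 for a in pop if outcome(a)) / len(pop) if pop else 0.0

def evaluate(attempts, requirements=REQUIREMENTS):
    """Return {measurement name: (measured percentage, requirement met?)}."""
    results = {}
    for name, kind, bound in requirements:
        population, outcome = MEASUREMENTS[name]
        value = round(rate(attempts, population, outcome), 2)
        results[name] = (value, value >= bound if kind == "min" else value <= bound)
    return results

def sample_attempts():
    """Constructed test run: 100 valid identities (2 wrongly rejected) and
    50 invalid identities (1 wrongly accepted and then authorized)."""
    valid = [Attempt(True, True, True)] * 98 + [Attempt(True, False, False)] * 2
    invalid = [Attempt(False, True, True)] + [Attempt(False, False, False)] * 49
    return valid + invalid

if __name__ == "__main__":
    for name, (value, met) in evaluate(sample_attempts()).items():
        print(f"{name:40s} {value:6.2f}%  {'met' if met else 'NOT met'}")
```

With the constructed run, both authentication bounds are missed (98% of valid identities accepted, 2% of invalid ones accepted) while both authorization bounds are met, which is exactly the kind of verdict a measurable requirement makes possible.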

IMMUNITY REQUIREMENTS
Objective: Protect itself from infection by unauthorized undesirable programs (e.g., computer viruses, worms, and Trojan horses).
Examples:
• Scanning
• Prevention
• Notification

IMMUNITY REQUIREMENTS
Guidelines:
Used to implement:
• Commercial antivirus programs.
• Firewalls.
• Programming standards (e.g., for ensuring type safety and array bounds checking).
Measurements:
• Minimum number (percentage) of malicious programs identified.
• Minimum number (percentage) of malicious programs prevented from causing infection.
• Minimum number (percentage) of malicious programs cured (removed from the infected machine).

INTEGRITY REQUIREMENTS
Objective: Ensure that its data and communications are not intentionally corrupted via unauthorized creation, modification, or deletion.
Example: Protect the data while transmitting or receiving data (e.g., attached files).
Guidelines: Integrity requirements should not be specified in terms of the types of security architecture mechanisms that are typically used to implement them:
• Cryptography
• The use of hash codes
Measurements:
• Maximum number of data files/records corrupted per unit time.
• Maximum number of messages corrupted.
• Maximum number of programs corrupted per unit time.

INTRUSION DETECTION REQUIREMENTS
Objectives:
• Detect and record attempted access or modification by unauthorized individuals.
• Notify security personnel to handle unauthorized access.
Example: Detect and record all attempted or repeated accesses that fail the required identification, authentication, and authorization; the application shall then notify the data center security office.
Guidelines: Intrusion detection requirements depend on identification, authentication, and authorization requirements.
Used to implement:
• Alarms
• Error reporting
• IDS (Intrusion Detection System) and IPS (Intrusion Prevention System)
Measurements:
• Minimum percentage of successful intrusions detected.
• Minimum percentage of unsuccessful intrusions detected.
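The example requirement above, as an added illustration that is not code from the paper or the presentation: the script records every failed identification, authentication or authorization attempt from a constructed access log and raises a notification for the data center security office when one source fails repeatedly. The log format, the three-failures-in-five-minutes rule and the notification fields are assumptions; the log is assumed to be in time order.

```python
"""Detection logic for the intrusion detection requirement above: record every
access attempt that fails identification, authentication or authorization, and
notify the data center security office when one source fails repeatedly
(example code, not from Firesmith's paper or the presentation)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in an assumed format, one event per line, in time order:
# "<ISO timestamp> <source address> <IDENT|AUTHN|AUTHZ> <OK|FAIL> [details]"
SAMPLE_LOG = """\
2024-03-01T10:00:01 198.51.100.7 AUTHN FAIL user=alice
2024-03-01T10:00:05 198.51.100.7 AUTHN FAIL user=alice
2024-03-01T10:00:09 198.51.100.7 AUTHN FAIL user=admin
2024-03-01T10:00:12 203.0.113.5 AUTHN OK user=bob
2024-03-01T10:00:15 203.0.113.5 AUTHZ FAIL user=bob resource=/cards
2024-03-01T10:20:00 198.51.100.7 AUTHN FAIL user=alice
"""
LINE = re.compile(r"^(\S+) (\S+) (IDENT|AUTHN|AUTHZ) (OK|FAIL)(?: (.*))?$")

def parse(text):
    """Yield (timestamp, source, stage, result, details); skip malformed lines."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts, src, stage, result, details = m.groups()
            yield datetime.fromisoformat(ts), src, stage, result, details or ""

def detect(text, threshold=3, window=timedelta(minutes=5)):
    """Return (records, notifications).
    records: every failed attempt, as the requirement asks to record them all;
    notifications: one per source whose failures within the sliding window
    reach the threshold (the counter resets after each notification)."""
    records, notifications = [], []
    recent = defaultdict(deque)  # source -> timestamps of recent failures
    for ts, src, stage, result, details in parse(text):
        if result != "FAIL":
            continue
        records.append({"time": ts, "source": src, "stage": stage, "details": details})
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:    # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            notifications.append({"to": "data center security office", "source": src,
                                  "failures": len(q), "first": q[0], "last": ts})
            q.clear()
    return records, notifications

if __name__ == "__main__":
    recs, notes = detect(SAMPLE_LOG)
    print(f"{len(recs)} failed attempts recorded")
    for n in notes:
        print(f"NOTIFY {n['to']}: {n['source']} failed {n['failures']}x between {n['first']} and {n['last']}")
```

On the sample log the three failures from 198.51.100.7 within eight seconds trigger one notification, while the single authorization failure for bob and the later isolated failure are recorded but not escalated, which is the distinction between "record all" and "notify on repeated" that the requirement draws.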

NONREPUDIATION REQUIREMENTS
Objective: Ensure that adequate tamper-proof records are kept to prevent parties to interactions from denying that they have taken place.
Example: Store tamper-proof records of:
• The contents of the invoice
• The date and time that the order or invoice was sent
• The date and time that the order or invoice was received
• The identity of the customer

NONREPUDIATION REQUIREMENTS
Guidelines: Ensure that adequate tamper-proof records are kept.
Used to implement:
• Digital signatures (to identify the parties)
• Timestamps (to capture dates and times)
• Encryption and decryption (to protect the information)
• Hash functions (to ensure that the information has not been changed)
Measurements:
• Maximum percentage of transactions repudiated.

PRIVACY REQUIREMENTS
Objectives:
• Keep sensitive data and communications private from unauthorized individuals and programs.
• Provide access on a "need to know" basis.
Examples:
• Anonymity
• Communications privacy
• Data storage privacy

PRIVACY REQUIREMENTS
Guidelines: Consider legal constraints, such as laws that require certain data to be kept private.
Used to implement:
• Public or private key encryption and decryption.
• Commercial-off-the-shelf (COTS) cryptography packages.
Measurements:
• Anonymity: as a function of threat, the maximum number (percentage) of confidential identities compromised per unit time.
• Confidentiality: as a function of threat, the maximum number (percentage) of confidential data compromised per unit time.

SECURITY AUDITING REQUIREMENTS
Objective: Enable security personnel to audit the status and use of its security mechanisms.
Examples:
• Security audit control
• Security audit log contents
• Security audit reporting
• Security audit log protection

SECURITY AUDITING REQUIREMENTS
Guidelines: Care should be taken to avoid unnecessary duplication between security auditing and intrusion detection requirements.
Used to implement:
• Audit trails
• Event logs
Measurements:
• Minimum percentage of authorized users able to control security auditing.
• Minimum percentage of security auditing commands correctly performed when requested by authorized users.
• Minimum percentage of security events correctly logged.

SURVIVABILITY REQUIREMENTS
Objective: Ensure that failure under attack is graceful, resulting in a degraded mode of operation that still provides essential services.
Example: Even if a data center is destroyed, the application shall continue to function (possibly in degraded mode).
Guidelines:
• Critical for military applications.
• Deal with safeguarding against damage or loss due to intentional malicious threats.
Used to implement:
• Hardware redundancy.
• Data center redundancy.
• Failover software.

SYSTEM MAINTENANCE SECURITY REQUIREMENTS
Objectives:
• Prevent authorized modifications from accidentally defeating its security mechanisms.
• Maintain the levels of security specified in the security requirements during the usage phase.
Example: The application shall not violate its security requirements as a result of the upgrading or replacement of a data, hardware, or software component.
Guidelines: System maintenance security requirements may conflict with operational availability requirements.
Used to implement:
• Maintenance and enhancement procedures.
• Associated training.
• Security regression testing.

PHYSICAL PROTECTION REQUIREMENTS
Physical protection means the physical measures designed to safeguard personnel, property, and information.
• Academic view definition
• Technical view definition
Objective: To protect and secure firms, companies, labs, individuals and structures. The level of protection depends on the type, location and nature of the work and material.

PHYSICAL PROTECTION REQUIREMENTS
Guidelines: We must distinguish between physical protection and regular surveillance and security procedures. Physical protection goes beyond those: it passes on roles, instructions and ideas about how to create a safe environment for all. Physical protection is not something you see, but something you live with.

Conclusion
This research paper has addressed the need to systematically analyze and specify real security requirements as part of the quality requirements for a project.