Ensuring compliance between policies, requirements and software design: A case study

Proceedings - Fourth IEEE International Workshop on Information Assurance, IWIA 2006

Volumn 2006, Issue , 2006, Pages 79-92

  He, Qingfeng ^a   Otto, Paul ^b   Antón, Annie I ^b   Jones, Laurie ^c  

^a ABB INC   (United States)

^b North Carolina State University   (United States)

^c MILLS COLLEGE   (United States)

Author keywords

Access control; Policy specification; Requirements analysis; Software design

Indexed keywords

ACCESS CONTROL; POLICY SPECIFICATION; REQUIREMENTS ANALYSIS; SOFTWARE DESIGN;

INFORMATION RETRIEVAL SYSTEMS; PRODUCT DEVELOPMENT; PUBLIC POLICY; REGULATORY COMPLIANCE; SECURITY OF DATA; SPECIFICATIONS;

COMPUTER AIDED SOFTWARE ENGINEERING;

EID: 33750956931     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/IWIA.2006.7     Document Type: Conference Paper

References (35)

1. A.I. Antón, J.B. Earp and R.A. Carter. Precluding Incongruous Behavior by Aligning Software Requirements with Security and Privacy Policies, Information and Software Technology, Vol. 45 (14), pp. 967-977, 2003.
2. I. Alexander. Misuse Cases: Use Cases with Hostile Intent. IEEE Software, Vol. 20 (1), pp. 58-66, 2003.
3. K. Beznosov. Requirements for Access Control: US Healthcare Domain, 3rd ACM Workshop on Role-Based Access Control, pp. 43, 1998.
4. C. Bettini, S. Jajodia, S. Wang, D. Wijesekera, Provisions and obligations in policy rule management and security applications, 28th Int 'I Conf. on Very Large Data Bases (VLDB'02), pp. 502-513, 2002.
5. G. Brose, M. Koch, and K.-P. Löhr. Integrating Access Control Design into the Software Development Process. 6th Int'I Conf. on Integrated Design and Process Technology (IDPT), 2002.
6. D.E. Bell and L.J. LaPadula. Secure computer systems: Mathematical foundations, Technical Report MTR-2547, Vol. 1, MITRE Corporation, 1973.
7. R. Crook, D. Ince, and B. Nuseibeh. Modelling Access Policies Using Roles in Requirements Engineering, Information and Software Technology, 45(14), pp. 979-991, Elsevier, 2003.
8. E.J. Coyne. Role Engineering, 1st ACM Workshop on Role-Based Access Control (RBAC'96), pp. 15-16, 1996.
9. N.C. Damianou. A Policy Framework for Management of Distributed Systems, PhD Thesis, Imperial College, London, 2002.
10. D. E. Denning and P. J. Denning, Cryptography and Data Security, Addison-Wesley, 1982.
11. D.E. Denning. A Lattice Model of Secure Information Flow, Comm. of the ACM, 19(5), pp. 236-243, 1976.
12. A. Dardenne, A. van Lamsweerde, and S. Fickas. Goal-Directed Requirements Acquisition, Science of Computer Programming, 20: 3-50, 1993.
13. E.B. Fernandez and J.C. Hawkins. Determining Role Rights from Use Cases, 2nd ACM Workshop on Role-Based Access Control, pp. 121-125, 1997.
14. I. Fundulaki and M. Marx. Specifying access control policies for XML documents with XPath, 9th ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 61-69, 2004.
15. P.-J. Fontaine. Goal-Oriented Elaboration of Security Requirements, Project Dissertation, Université Catholique de Louvain, Belgium, 2001.
16. Q. He and A.I. Anton. A Framework for Modeling Privacy Requirements in Role Engineering, 9th Int'l Workshop on Requirements Engineering: Foundation for Software Quality (REFSQ'03), pp. 137-146, 2003.
17. M.H. Harrison, W.L. Ruzzo, and J.D. Ullman. Protection in operating systems, Communications of the ACM, 19 (8), pp. 461-471, 1976.
18. Q. He. Requirements-Based Access Control Analysis and Policy Specification. PhD Dissertation, North Carolina State University, Raleigh, NC, 2005.
19. D. Jackson. Alloy: A Lightweight Object Modelling Notation. ACM Transactions on Software engineering and Methodology, Vol. 11 (2), pp. 256-290, 2002.
20. N. Jain, A.I. Anton, W.H. Stufflebeam, and Q. He. Security and Privacy Requirements Analysis Tool (SPRAT) Software Requirements Specification Version 2.00, NCSU CS Technical Report TR-2004-7, April 9, 2004.
21. S. Jajodia, P. Samarati, and V.S. Subrahmanian. A Logical Language for Expressing Authorizations. 1997 IEEE Symposium on Security and Privacy, pp. 31-42, 1997.
22. S. Jajodia, P. Samarati, M.L. Sapino, V.S. Subrahmanian. Flexible support for multiple access control policies, ACM Transactions on Database Systems (TODS), 26(2), pp. 214-260, 2001.
23. B.W. Lampson. Protection, 5th Princeton Symposium on Information Science and Systems, pp. 437-443, 1971.
24. A. van Lamsweerde. Elaborating Security Requirements by Construction of Intentional Anti-Models. 26th Int'l Conf. on Software Engineering (ICSE'04), pp. 148-157, 2004.
25. L. Liu, E. Yu and J. Mylopoulos. Security and Privacy Requirements Analysis within a Social Setting, 11th Int'l Requirements Eng. Conf. (RE'03), pp. 151-161, 2003.
26. J.D. Moffett, C.B. Haley, and B. Nuseibeh. Core Security Requirements Artefacts. Technical Report Number 2004/23, Department of Computing, Open University, UK, 2004.
27. J.D. Moffett and M.S. Sloman. Policy Hierarchies for Distributed Systems Management. IEEE Journal on Selected Areas in Communications, Vol. 11 (9), pp. 1404-1414, 1993.
28. G. Neumann and M. Strembeck. A Scenario-driven Role Engineering Process for Functional RBAC Roles, 7th ACM Symp. on Access Control Models and Technologies (SACMAT'02), pp. 33-42, 2002.
29. OASIS extensible Access Control Markup Language (XACML). Version 2.0, February 1, 2005. http://www.oasis-open.org/committees/xacml
30. C. Potts, K. Takahashi and A.I. Anton. Inquiry-Based Requirements Analysis, IEEE Software, 11(2), pp. 21-32, 1994.
31. R.S. Sandhu, E.J. Coyne, H.L. Feinstein, C.E. Youman. Role-Based Access Control Models, IEEE Computer, 29(2), pp. 38-47, 1996.
32. A. Schaad, J. Moffett, J. Jacob. The Role-Based Access Control System of a European Bank: A Case Study and Discussion, 6th ACM Symp. on Access Control Models & Technologies (SACMAT'01), pp. 3-9, 2001.
33. S. Su, et al. Transnational Information Sharing, Event Notification, Rule Enforcement and Process Coordination. Int'l Journal of Electronic Government Research (IJEGR), Vol. 1 (2), pp. 1-26, 2005.
34. P. Samarati, S. De Capitani di Vimercati. Access Control: Policies, Models, and Mechanisms, IFIP WG 1.7 Int'l School on Foundations of Security Analysis and Design (FOSAD 2000), LNCS 2171, pp. 137-196, 2001.
35. E. Yu. Modeling Organizations for Information Systems Requirements Engineering, 1st IEEE Int'l Symp. on Requirements Engineering, pp. 34-41,1993.