Certification process artifacts defined as measurable units for software assurance

Software Process Improvement and Practice

Volumn 12, Issue 2, 2007, Pages 165-189

  Lee, Seok Won ^a   Gandhi, Robin A ^a   Ahn, Gail Joon ^a  

^a University of North Carolina at Charlotte   (United States)

Author keywords

Certification and accreditation; Metrics and measures; Ontological engineering; Requirements engineering; Risk assessment; Software intensive systems

Indexed keywords

COMPUTER SOFTWARE; LIFE CYCLE; ONTOLOGY; QUALITY ASSURANCE; REQUIREMENTS ENGINEERING; RISK ASSESSMENT;

CERTIFICATION AND ACCREDITATION; DESIGN PRINCIPLES; SOFTWARE-INTENSIVE SYSTEMS;

ACCREDITATION;

EID: 34247487097     PISSN: 10774866     EISSN: 10991670     Source Type: Journal    
DOI: 10.1002/spip.313     Document Type: Article

References (43)

1. Aagedal JO, den Braber F, Dimitrakos T, Gran BA, Raptis D, Stolen K. 2002. Model-based risk assessment to improve enterprise security. In Proceedings of the 6th International Enterprise Distributed Object Computing Conference, Lausanne, Switzerland, Sept 17, 51-62.
2. SM Criteria, Version 2.0. CMU/SEI-2001-TR-016 ESC-TR-2001-016.
3. Basili VR, Rombach HD. 1988. The TAME project: towards improvement-oriented software environments. IEEE Transactions on Software Engineering 14(6): 758-773.
4. BS 7799.1999. Information Security Management.
5. Carr MJ, Konda SL, Monarch I, Ulrich FC, Walker CF. 1993. Taxonomy-based risk identification. Technical Report CMU/SEI-93-TR-6 ESC-TR-93-183. Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA.
6. Carroll JJ, Dickinson I, Dollin C, Reynolds D, Seaborne A, Wilkinson K. 2004. Jena: implementing the semantic web recommendations. In Proceedings of the 13th International World Wide Web Conference, New York, USA, May 17-22, 74-83.
7. Chaudhri VK, Farquhar A, Fikes R, Karp PD, Rice JP. 1998. OKBC: a programmatic foundation for knowledge base interoperability. In Proceedings of the 15th National Conference on Artificial Intelligence, AAAI, Menlo Park, CA, 600-607.
8. Common Criteria. 1999. Common Criteria for Information Technology Security Evaluation. Parts 1, 2 & 3. Version 2.1. ISO/IEC 15408-1:1999(E).
9. Davis T. 2005. Federal Computer Security Report Card Grades of 2004. Press Release, http://reform.house.gov/UploadedFiles/ 021605FISMAstatement.pdf.
10. DoD 8510.1-M. 2000. Department of Defense Information Technology Security Certification and Accreditation (DITSCAP) Application Manual.
11. DoDI 5200.40. 1997. Department of Defense Information Technology Security Certification and Accreditation (DITSCAP).
12. FISMA. 2005. Federal Information Security Management Act (FISMA) 2004 Report to Congress, http://www.whitehouse.gov/omb/inforeg/2004_fisma_report.pdf.
13. Freeman JW, Darr TC, Neely RB. 1997. Risk assessment for large heterogeneous systems. In Proceedings of the 13th Annual Computer Security Applications Conference, San Diego, CA, 44.
14. ISO/IEC 12207. 1995. Information Technology - Software Life Cycle Processes.
15. ISO/IEC 13335. 1996. Guidelines for the management of IT security. Technical Report BS ISO/IEC TR 13335-1:1996, ISBN: 0580303918.
16. ISO/IEC 15504. 1998. Software Process Assessment (SPICE). Technical Report, http://www.isospice.type-pad.com/isospice_s15504/.
17. ISO/IEC 15288 CD2.2000. Life Cycle Management - System Life Cycle Processes.
18. ISO/IEC 15443. 2001. Information Technology - Security Techniques - A Framework for IT Security Assurance.
19. ISSRR. 2001. Proceedings of Workshop on Information-Security-System Rating and Ranking (ISSRR) held in Williamsburg, Williamsburg, VA.
20. Jackson M. 1997. The meaning of requirements. Annals of Software Engineering, Vol. 3. Baltzer Science Publishers: 5-21.
21. Järvinen J, Hamann D, Van Solingen R. 1999. On integrating assessment and measurement: towards continuous assessment of software engineering processes. In Proceedings of the 6th International Symposium on Software Metrics METRICS. IEEE Computer Society: Boca Raton, Florida, USA, Nov 4-6, 22.
22. Johansson E, Johnson P. 2005. Assessment of enterprise information security - estimating the credibility of the results. Proceedings of the Symposium on RE for Information Security (SREIS 05), Requirements Engineering (RE'05). IEEE CS Press: Paris, France.
23. Kaplan RS, Norton DP. 1996. The Balanced Scorecard: Translating Strategy into Action. Harvard Business School Press: Boston, MA, USA.
24. Kimbell J, WalrathM. 2001. Life cycle security and DITSCAP. IANewsletter. 4(2): 16-26. http://iac.dtic.mil/iatac.
25. Kotonya G, Sommerville I. 1998. Requirements Engineering - Processes and Techniques. John Wiley: New York.
26. Lamsweerde A. 2001. Goal-oriented requirements engineering: a guided tour. In Proceedings of the 5th International Symposium on Requirements Engineering, Toronto, Canada, August, 249-262.
27. Lee SW, Rine DC. 2004a. Missing requirements and relationship discovery through proxy viewpoints model. Studia Information Universalis: International Journal on Informatics 3(3): 315-342.
28. th International Conference on Software Engineering and Knowledge Engineering. Banff, Alberta, Canada, 117-122.
29. th Asia-Pacific Software Engineering Conference (APSEC '05). IEEE Computer Society Press: Taipei, Taiwan.
30. th IEEE International RE Conference, Workshop on Requirements Engineering for High-Availability Systems (RHAS). Software Engineering Institute (SEI), Carnegie Mellon University & IEEE Press: Paris, France, 40-48.
31. th IEEE International Conference on Software Engineering (ICSE '05), Workshop on Software Engineering for Secure Systems (SESS)., Vol. 30(4). Also appeared in ACM SIGSOFT Software Engineering Notes, ACM Press: St. Louis, MO, 43-49.
32. Lee SW, Gandhi RA, Ahn G. 2005b. Security requirements driven risk assessment for critical infrastructure information systems. In Proceedings of the Symposium on Requirements Engineering for Information Security (SREIS 05), Requirements Engineering (RE'05). IEEE Computer Society: Paris, France, August.
33. Lee SW, Yavagal D. 2005. GenOM User's Guide V2.0. Technical Report TR-NiSE-05-05, Knowledge Intensive Software Engineering Research Group, Department of Software and Information Systems, UNC, Charlotte.
34. Lekkas D, Spinellis D. 2005. Handling and reporting security advisories: a scorecard approach. IEEE Security and Privacy 3(4): 32-41.
35. McGuinness D, van Harmelen F (eds). 2004. OWL Web Ontology Language Overview. W3C Recommendation: http://www.w3.org/TR/owl-features/.
36. Offen R. 2002. Domain understanding is key to successful to system development. Requirements Engineering Journal, Vol. 7(3). Springer-Verlag: London, UK, 172-175.
37. Ross R, Swanson M, Stoneburner G, Katzke S, Johnson A. 2004. Guide for the Security Certification and Accreditation of Federal Information Systems. NIST Special Publication #800-37, Gaithersburg, MD, USA.
38. SSE-CMM. 2003. System Security Engineering Capability Maturity Model (SSE CMM) Model Description Document, Version 3.0. http://www.sse-cmm.org.
39. Sutcliffe A. 1998. Scenario-based requirements analysis. Requirements Engineering Journal, Vol. 3(1). Springer-Verlag: New York, USA, 48-65.
40. Swanson M. 2001. Security Self-assessment Guide for Information Technology Systems. NIST Special Publication #800-26, Gaithersburg, MD, USA.
41. Swanson M, Bartol N, Sabato J, Hash J, Graffo L. 2003. Security Metrics Guide for Information Technology Systems. NIST Special Publication #800-55, Gaithersburg, MD, USA.
42. Vaughn RB, Henning R, Siraj A. 2003. Information assurance measures and Metrics-state of practice and proposed taxonomy. In Proceedings of the 36th Annual Hawaii International Conference on System Sciences, Hawaii, USA, 331-340.
43. Xacta. 2004. Web C&A™ Reference Manual, Version 4.0. Service Pack 2. http://www.xacta.com/.