Risk-based confidentiality requirements specification for outsourced IT systems

Proceedings of the 2010 18th IEEE International Requirements Engineering Conference, RE2010

Volumn , Issue , 2010, Pages 199-208

  Morali, Ayşe ^a   Wieringa, Roel ^a  

^a UNIVERSITY OF TWENTE   (Netherlands)

Author keywords

Confidentiality requirements; Outsourcing; Risk assessment; Service level agreements

Indexed keywords

CONFIDENTIALITY REQUIREMENTS; IN-CONTROL; IT ASSETS; IT AUDIT; IT OUTSOURCING; IT SYSTEM; PRACTICAL METHOD; REQUIREMENTS SPECIFICATIONS; RESPONSE TIME; RISK-BASED; SERVICE LEVEL AGREEMENTS;

INDUSTRY; INFORMATION TECHNOLOGY; NETWORK ARCHITECTURE; OUTSOURCING; QUALITY OF SERVICE; RATING; REQUIREMENTS ENGINEERING; RESPONSE TIME (COMPUTER SYSTEMS); SPECIFICATIONS;

RISK ASSESSMENT;

EID: 78650365319     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/RE.2010.30     Document Type: Conference Paper

References (27)

1. American Inst. of Cert. Publ. Accountants. Auditing Standards Board. Statement on auditing standards; 70 Auditing Standards (SAS70), 2008. http://umiss.lib.olemiss.edu:82/record=b1038093.
2. Basel II: Revised international capital framework, 2005. http://www.bis.org/publ/bcbsca.htm.
3. R. Baskerville. Distinguishing action research from participative case studies. J. of Syst. and Info. Techn., 1(1):25-45, March 1997.
4. Bundesdatenschutzgesetz: 42a Informationspflicht bei unrechtmiger Kenntniserlangung von Daten. http://bundesrecht.juris.de/bdsg 1990/ 42a.html.
5. British Government's Central Computer and Telecommunications Agency. CRAMM: Risk Analysis and Management methodology, 2008.
6. ISO 15408:2007 Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 2, CCMB- 2007-09-001, CCMB-2007-09-002 and CCMB-2007-09-003, September 2007.
7. A. Dardenne, A. van Lamsweerde, and S. Fickas. Goaldirected requirements acquisition. Sci. Comput. Program., 20(1-2):3-50, 1993.
8. S. Gritzalis, A. Yannacopoulos, C. Lambrinoudakis, P. Hatzopoulos, and S.K.Katsikas. A probabilistic model for optimal insurance contracts against security risks and privacy violation in it outsourcing environments. Int. Journal of Information Security, 6(4):197-211, 2007.
9. B. Haley, C. Laney, D. Moffett, and B. Nuseibeh. Using trust assumptions with security requirements. Requir. Eng., 11(2):138-151, 2006.
10. C. Haley, R. Laney, J. Moffett, and B. Nuseibeh. Security requirements engineering: A framework for representation and analysis. IEEE Trans. Softw. Eng., 34(1):133-153, 2008.
11. C. Huang, R. Behara, and Q. Hu. Managing Risk Propagation in Extended Enterprise Networks. IT Professional, 10(4):14-19, 2008.
12. C. Huang and J. Goo. Rescuing IT Outsourcing: Strategic Use of Service-Level Agreements. IT Prof., 11(1):50-58, 2009.
13. ISO/IEC 17799:2005 Information Security - Code of Practice for Information Security Management, 2000. http://www.iso.org.
14. Y. Karabulut, F. Kerschbaum, F. Massacci, P. Robinson, and A. Yautsiukhin. Security and trust in it business outsourcing: a manifesto. Electronic Notes in Theoretical Computer Science, 179:47 - 58, 2007. Proc. of the 2nd Int. Workshop on Security and Trust Management (STM 2006).
15. K. Mayer and N. Argyres. Learning to Contract: Evidence from the Personal Computer Industry. Organization Science, 15(4):394-410, 2004.
16. D. Mellado, E. Fernańdez-Medina, and M. Piattini. A common criteria based security requirements engineering process for the development of secure information systems. Computer Standards & Interfaces, 29(2):244-253, 2007.
17. R. Miura-Ko, B. Yolken, J. Mitchell, and N. Bambos. Security Decision-Making among Interdependent Organizations. Computer Security Foundations Symposium, IEEE, 0:66-80, 2008.
18. A. Morali and R. J. Wieringa. Risk-based confidentiality requirements specification for outsourced it systems (extended version). Technical Report TR-CTIT-10-09, Centre for Telematics and Information Technology, University of Twente, 2010.
19. A. Morali, E. Zambon, S. Etalle, and R. J. Wieringa. CRAC: Confidentiality Risk Analysis and IT-Architecture Comparison of Business Networks. Technical Report (Submited) TRCTIT- 09-30, Centre for Telematics and Information Technology, University of Twente, 2009.
20. NIST: National Vulnerability Database, 2008. http://nvd.nist.gov/.
21. L. Poppo and T. Zenger. Do formal contracts and relational governance function as substitutes or complements? Strategic Management J., 23:707-725, 2002.
22. E. Power and R. Trope. Averting security missteps in outsourcing. IEEE Security and Privacy, 3(2):70-73, 2005.
23. R. Sabherwal. The role of trust in outsourced is development projects. Commun. ACM, 42(2):80-86, 1999.
24. D. Sjøberg, B. Anda1, E. Arisholm1, T. Dybå, M. Jørgensen1, A. Karahasanović, and M. Vokáccaron. Challenges and recommendations when increasing the realism of controlled software engineering experiments. In R. Conradi and A. Wang, editors, Empirical Methods and Studies in Software Engineering, pages 24-38. Springer, 2003. LNCS 2765.
25. Sarbanes-Oxley Act of 2002, 2002. http://www.sarbanesoxley.com/.
26. R. Wieringa. Design Science as Nested Problem Solving. In Proc. of the 4th Int. Conf. on Design Science Research in Information Systems and Technology, pages 1-12. ACM, 2009.
27. R. Wieringa, N. Maiden, N. Mead, and C. Rolland. Requirements engineering paper classification and evaluation criteria: A proposal and a discussion. J. Req. Eng., 11(1):102-107, 2006.