Erratum to: A pattern-based method for establishing a cloud-specific information security management system (Requirements Eng, 10.1007/s00766-013-0174-7);A pattern-based method for establishing a cloud-specific information security management system: Establishing information security management systems for clouds considering security, privacy, and legal compliance

Requirements Engineering

Volumn 18, Issue 4, 2013, Pages 343-395

  Beckers, Kristian ^a   Côté, Isabelle ^b   Faßbender, Stephan ^a   Heisel, Maritta ^a   Hofbauer, Stefan ^c  

^a UNIVERSITY OF DUISBURG ESSEN   (Germany)

^b ITESYS Institute for Technical Systems GmbH   (Germany)

^c Amadeus Data Processing GmbH   (Germany)

Author keywords

Asset identification privacy; Cloud computing security; Control selection; Information security management system; ISO 27001; Legal compliance; Security policies; Threat analysis

Indexed keywords

CLOUD COMPUTING; COMPLIANCE CONTROL; INDUSTRIAL MANAGEMENT; LAWS AND LEGISLATION; RISK ANALYSIS; RISK ASSESSMENT; SECURITY OF DATA;

ASSET IDENTIFICATION; CLOUD COMPUTING SECURITIES; INFORMATION SECURITY MANAGEMENT SYSTEMS; ISO 27001; LEGAL COMPLIANCE; SECURITY POLICY; THREAT ANALYSIS;

INFORMATION MANAGEMENT;

EID: 84886594364     PISSN: 09473602     EISSN: 1432010X     Source Type: Journal    
DOI: 10.1007/s00766-013-0176-5     Document Type: Erratum

References (64)

1. ISO/IEC (2009) Common criteria for information technology security evaluation. ISO/IEC 15408, International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).
2. Cloud Security Alliance (CSA) (2010) Top threats to cloud computing v1. 0. http://cloudsecurityalliance. org/topthreats/csathreats. v1. 0. pdf.
3. Gartner (2008) Assessing the security risks of cloud computing. http://www. gartner. com/id=685308.
4. ISO/IEC (2005) Information technology-Security techniques-Information security management systems-Requirements. ISO/IEC 27001, International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).
5. Armbrust M, Fox A, Griffith R, Joseph AD, Katz RH, Konwinski A, Lee G, Patterson DA, Rabkin A, Stoica I, Zaharia M (2009) Above the clouds: A berkeley view of cloud computing. Technical report, EECS Department, University of California, Berkeley.
6. Mell P, Grance T (2009) The NIST definition of cloud computing. Working Paper of the National Institute of Standards and Technology (NIST).
7. Vaquero LM, Rodero-Merino L, Caceres J, Lindner M (2008) A break in the clouds: Towards a cloud definition. Special Interest Group Data Commun (SIGCOMM) Comput Commun Rev 39(1): 50-55.
8. Buyya R, Ranjan R, Calheiros RN (2009) Modeling and simulation of scalable cloud computing environments and the cloudsim toolkit: Challenges and opportunities. In: Proceedings of the international conference von high performance computing and simulation (HPCS). IEEE Computer Society.
9. Beckers K, Küster JC, Faßbender S, Schmidt H (2011) Pattern-based support for context establishment and asset identification of the ISO 27000 in the field of cloud computing. In: Proceedings of the international conference on availability, reliability and security (ARES). IEEE Computer Society, pp 327-333.
10. Jackson M (2001) Problem frames: analyzing and structuring software development problems. Addison-Wesley, Reading, MA.
11. Fowler M (1996) Analysis patterns: reusable object models. Addison-Wesley, Reading, MA.
12. Gamma E, Helm R, Johnson R, Vlissides J (1994) Design patterns: elements of reusable object-oriented software. Addison-Wesley, Reading, MA.
13. Schumacher M, Fernandez-Buglioni E, Hybertson D, Buschmann F, Sommerlad P (2006) Security patterns: integrating security and systems engineering. Wiley, New York.
14. Calder A (2009) Implementing Information Security based on ISO 27001/ISO 27002: A Management Guide. Haren van Publishing.
15. ISO/IEC (2009) Information technology-Security techniques-Information security management systems-Overview and Vocabulary. ISO/IEC 27000, International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).
16. Klipper S (2010) Information security risk management mit ISO/IEC 27005: Risikomanagement mit ISO/IEC 27001, 27005 und 31010. Vieweg+ Teubner.
17. UML Revision Task Force. OMG Unified Modeling Language (UML), Superstructure. http://www. omg. org/spec/UML/2. 3/Superstructure/PDF.
18. IETF (1997) Hmac: keyed-hashing for message authentication. IETF rfc 2104, Internet Engineering Task Force (IETF).
19. Jansen WA (2011) Cloud hooks: Security and privacy issues in cloud computing. In: HICSS. IEEE Computer Society, pp 1-10.
20. Chang F, Dean J, Ghemawat S (2006) Bigtable: A distributed storage system for structured data. Technical report, Google.
21. Chow R, Golle P, Jakobsson M, Shi E, Staddon J, Masuoka R, Molina J (2009) Controlling data in the cloud: outsourcing computation without outsourcing control. In: CCSW. ACM, pp 85-90.
22. Scarfone KA, Souppaya MP, Hoffman P (2011) Sp 800-125. guide to security for full virtualization technologies. Technical report, NIST, Gaithersburg, MD, USA.
23. Government H (2012) It infrastructure library (ITIL). http://www. itil-officialsite. com/home/home. aspx.
24. Fabian B, Gürses S, Heisel M, Santen T, Schmidt H (2010) A comparison of security requirements engineering methods. Requir Eng 15(1): 7-40.
25. Opdahl AL, Sindre G (2009) Experimental comparison of attack trees and misuse cases for security threat identification. Inf Softw Technol 51: 916-932.
26. Deng M, Wuyts K, Scandariato R, Preneel B, Joosen W (2011) A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements. Requir Eng 16: 3-32.
27. Lund MS, Solhaug B, Stølen K (2010) Model-driven risk analysis: the CORAS approach, 1st edn. Springer, Berlin.
28. American National Standards Institute (ANSI) (2004) American national standard for information technology-role based access control. Ansi incits, pp 359-2004, ANSI.
29. OASIS (2005) extensible Access Control Markup Language TC v2. 0 (XACML). OASIS. http://docs. oasis-open. org/xacml/2. 0/access_control-xacml-2. 0-core-spec-os. pdf.
30. McGraw G (2006) Software security: building security in. Addison-Wesley, Reading, MA.
31. VMWARE. Vmware ha. http://www. vmware. com/de/products/datacenter-virtualization/vsphere/high-availability. html.
32. VMWARE. Vmware vmotion. http://www. vmware. com/files/pdf/VMware-VMotion-DS-EN. pdf.
33. Beckers K, Faßbender S, Küster JC, Schmidt H (2012) A pattern-based method for identifying and analyzing laws. In: Proceedings of the international working conference on requirements engineering: foundation for software quality (REFSQ). In: LNCS. Springer, pp 256-262.
34. Beckers K, Faßbender S, Schmidt H (2012) An integrated method for pattern-based elicitation of legal requirements applied to a cloud computing example. In: Proceedings of the international conference on availability, reliability and security (ARES)-2nd international workshop on resilience and it-risk in social infrastructures (RISI 2012). IEEE Computer Society, pp 463-472.
35. Biagioli C, Mariani P, Tiscornia D (1987) Esplex: a rule and conceptual model for representing statutes. In: ICAIL. ACM, pp 240-251.
36. Duisberg A (2011) Gelöste und ungelöste Rechtsfragen im IT-Outsourcing und Cloud Computing. In: Picot A, Götz T, Hertz U (eds) Trust in IT, Springer, Berlin, pp 49-70.
37. Gürses SF, Santen T (2006) Contextualizing security goals: a method for multilateral security requirements elicitation. In: Dittmann J (ed.), Sicherheit 2006: Sicherheit-Schutz und Zuverlässigkeit, Beiträge der 3. Jahrestagung des Fachbereichs Sicherheit der Gesellschaft für Informatik e. v. (GI), pp 20-22. Februar 2006 in Magdeburg, vol 77 of LNI., pp 42-53. GI.
38. OECD (1980) OECD guidelines on the protection of privacy and transborder flows of personal data. Technical report, Organisation for Economic Co-operation and Development (OECD).
39. Beckers K, Heisel M (2012) A foundation for requirements analysis of privacy preserving software. In: Proceedings of the International Cross Domain Conference and Workshop (CD-ARES 2012). Lecture Notes in Computer Science, Springer, pp 93-107.
40. Beckers K, Faßbender S, Heisel M, Meis R (2012) A problem-based approach for computer aided privacy threat identification. In: Privacy Forum 2012. Lecture Notes in Computer Science, Springer. Accepted for Publication.
41. Côté I, Hatebur D, Heisel M, Schmidt H (2011) UML4PF-a tool for problem-oriented requirements analysis. In: Proceedings of the international conference on requirements engineering (RE), IEEE Computer Society, pp 349-350.
42. Pfitzmann A, Hansen M (2011) A terminology for talking about privacy by data minimization: Anonymity, unlinkability, unobservability, pseudonymity, and identity management-version v0. 34. Technical report, TU Dresden and ULD Kiel.
43. Clauß S, Kesdogan D, Kölsch T (2005) Privacy enhancing identity management: protection against re-identification and profiling. In: Proceedings of the 2005 workshop on Digital identity management. DIM '05, ACM, pp 84-93.
44. Kersten H, Reuter J, Schröder KW (2011) IT-Sicherheits management nach ISO 27001 und Grundschutz. Vieweg+Teubner.
45. Cheremushkin DV, Lyubimov AV (2010) An application of integral engineering technique to information security standards analysis and refinement. In: Proceedings of the international conference on Security of information and networks. SIN '10, ACM, pp 12-18.
46. Lyubimov A, Cheremushkin D, Andreeva N, Shustikov S (2011) Information security integral engineering technique and its application in isms design. In: Proceedings of the international conference on availability, reliability and security (ARES), IEEE Computer Society, pp 585-590.
47. Montesino R, Fenz S (2011) Information security automation: how far can we go? In: Proceedings of the international conference on availability, reliability and security (ARES), IEEE Computer Society, pp 280-285.
48. Fenz S, Goluch G, Ekelhart A, Riedl B, Weippl E (2007) Information security fortification by ontological mapping of the ISO/IEC 27001 standard. In: Proceedings of the international symposium on dependable computing, IEEE Computer Society, pp 381-388.
49. Auty M, Creese S, Goldsmith M, Hopkins P (2010) Inadequacies of current risk controls for the cloud. In: Proceedings of the 2010 IEEE second international conference on cloud computing technology and science. CLOUDCOM '10, IEEE Computer Society, pp 659-666.
50. ISO/IEC (2005) Information technology - Security techniques-code of practice for information security management. ISO/IEC 27002, International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).
51. Shaikh F, Haider S (2011) Security threats in cloud computing. In: Internet technology and secured transactions (ICITST), 2011 international conference for, pp 214 -219.
52. Greenwood D, Sommerville I (2011) Responsibility modeling for identifying sociotechnical threats to the dependability of coalitions of systems. In: System of systems engineering (SoSE), 2011 6th international conference on, pp 173 -178.
53. Grobauer B, Walloschek T, Stocker E (2011) Understanding cloud computing vulnerabilities. Secur Priv, IEEE 9(2): 50-57.
54. ISO/IEC (2008) Information technology-security techniques-information security risk management. ISO/IEC 27005, International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).
55. Breaux TD, Vail MW, Antón AI (2006) Towards regulatory compliance: Extracting rights and obligations to align requirements with regulations. In: RE, IEEE Computer Society, pp 46-55.
56. Breaux TD, Antón AI (2008) Analyzing regulatory rules for privacy and security requirements. IEEE Trans Softw Eng 34(1): 5-20.
57. Bench-Capon T, Robinson G, Routen T, Sergot M (1987) Logic programming for large scale applications in law: a formalization of supplementary benefit legislation. In: ICAIL, ACM, pp 190-198.
58. Siena A, Perini A, Susi A (2008) From laws to requirements. In: RELAW, IEEE Computer Society, pp 6-10.
59. Hohfeld WN (1917) Fundamental legal conceptions as applied in judicial reasoning. Yale Law J 26(8): 710-770.
60. Siena A, Perini A, Susi A, Mylopoulos J (2009) A meta-model for modelling law-compliant requirements. In: Proceedings of the international workshop on requirements engineering and law (RELAW), IEEE Computer Society, pp 45-51.
61. Álvarez JAT, Olmos A, Piattini M (2002) Legal requirements reuse: a critical success factor for requirements quality and personal data protection. In: Proceedings of the international conference on requirements engineering (RE), IEEE Computer Society, pp 95-103.
62. Kalloniatis C, Kavakli E, Gritzalis S (2008) Addressing privacy requirements in system design: the PriS method. Requir Eng 13: 241-255.
63. Hafiz M (2006) A collection of privacy design patterns. In: Proceedings of the 2006 conference on pattern languages of programs. PLoP '06, ACM, pp 7: 1-7: 13.
64. UML Revision Task Force (2010) OMG object constraint language: reference.