CRAC++ Risk-Based Confidentiality Requirements Specification for Outsourced IT Systems

Content Authors Origins Method positioning Related literature Purpose and Main steps Process-Deliverable Diagram Method illustration Questions

Authors Ayse Moralie o PhD student at University of Twente o CRAC++ part of PhD dissertation Roel Wieringa o Information Systems Group, University of Twente o Head of Computer Science Department, University of Twente

Origins Regulations require companies to have control over the security of IT assets Companies outsource IT systems, the result is confidential data present in two different systems. No practical method to specify confidentiality requirements in SLA’s. Based on CRAC (Morali &Wieringa, 2009)

Method positioning

Related literature Insurance Contracts (IC) defines security requirements based on past incidents (Gritzalis et al., 2007) Determine adequate security requirements as constraints on functional requirements(Haley et al., 2008) Common Criteria tool for comparing two sets of requirements (ISO 15408, 2007)

Purpose and Main steps Assesssing and comparing confidentaility risks of two alternative networked IT architectures Step 0: Elicit Input Data Step 1: Assessing Total Impact of Disclosure per Component Step 2: Assessing Protection Level per Component Step 3: Determining Candidate Confidentiality Requirements

PDD

PDD

Method illustration

Questions