Presentation is loading. Please wait.

Presentation is loading. Please wait.

CRAC++ Risk-Based Confidentiality Requirements Specification for Outsourced IT Systems.

Published byRonald Hardy Modified over 8 years ago

Similar presentations

Presentation on theme: "CRAC++ Risk-Based Confidentiality Requirements Specification for Outsourced IT Systems."— Presentation transcript:

1 CRAC++ Risk-Based Confidentiality Requirements Specification for Outsourced IT Systems

2 Content Authors Origins Method positioning Related literature Purpose and Main steps Process-Deliverable Diagram Method illustration Questions

3 Authors Ayse Moralie o PhD student at University of Twente o CRAC++ part of PhD dissertation Roel Wieringa o Information Systems Group, University of Twente o Head of Computer Science Department, University of Twente

4 Origins Regulations require companies to have control over the security of IT assets Companies outsource IT systems, the result is confidential data present in two different systems. No practical method to specify confidentiality requirements in SLA’s. Based on CRAC (Morali &Wieringa, 2009)

5 Method positioning

6 Related literature Insurance Contracts (IC) defines security requirements based on past incidents (Gritzalis et al., 2007) Determine adequate security requirements as constraints on functional requirements(Haley et al., 2008) Common Criteria tool for comparing two sets of requirements (ISO 15408, 2007)

7 Purpose and Main steps Assesssing and comparing confidentaility risks of two alternative networked IT architectures Step 0: Elicit Input Data Step 1: Assessing Total Impact of Disclosure per Component Step 2: Assessing Protection Level per Component Step 3: Determining Candidate Confidentiality Requirements

8 PDD

9 PDD

10 Method illustration

11 Questions

Download ppt "CRAC++ Risk-Based Confidentiality Requirements Specification for Outsourced IT Systems."

Similar presentations

© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Control and Accounting Information Systems

Control and Accounting Information Systems
Pedigreed Attribute eLicitation Method (PALM) Onno Dijkstra.

Pedigreed Attribute eLicitation Method (PALM) Onno Dijkstra.
Chapter 4: Security Policy Documents & Organizational Security Policies.

Chapter 4: Security Policy Documents & Organizational Security Policies.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Security Controls – What Works

Security Controls – What Works
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Technical Specification / Schedule Department of Computer Science and Engineering Michigan State University Spring 2007 Team : CSE 498, Collaborative Design.

Technical Specification / Schedule Department of Computer Science and Engineering Michigan State University Spring 2007 Team : CSE 498, Collaborative Design.
Pertemuan 11-12 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.

Pertemuan Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
First Practice - Information Security Management System Implementation and ISO 27001 Certification.

First Practice - Information Security Management System Implementation and ISO Certification.
A METHOD FOR COMPATIBLE COTS COMPONENT SELECTION (BHUTA, J., BOEHM, B., 2005) Nikos Argyropoulos - 3954420.

A METHOD FOR COMPATIBLE COTS COMPONENT SELECTION (BHUTA, J., BOEHM, B., 2005) Nikos Argyropoulos
Software Safety Risk Evaluation (SSRE) Process SAŠA ŠPILER METHOD ENGINEERING UTRECHT, APRIL 2014.

Software Safety Risk Evaluation (SSRE) Process SAŠA ŠPILER METHOD ENGINEERING UTRECHT, APRIL 2014.
INFORMATION SECURITY GOVERNANCE (ISG) Relates to the security of information systems Is an element of corporate governance.

INFORMATION SECURITY GOVERNANCE (ISG) Relates to the security of information systems Is an element of corporate governance.
Information Security Framework & Standards

Information Security Framework & Standards
CMGT400 Intro to Information Assurance and Security (University of Phoenix) Lecture, Week 4 Tom Olzak, MBA, CISSP.

CMGT400 Intro to Information Assurance and Security (University of Phoenix) Lecture, Week 4 Tom Olzak, MBA, CISSP.
City Hall of Iasi Ethics in e-guidance, privacy and security devices Date: 05.06.2009 Author: Cristina Nucuta.

City Hall of Iasi Ethics in e-guidance, privacy and security devices Date: Author: Cristina Nucuta.
Company Confidential How to implement privacy and security requirements in practice? Tobias Bräutigam, OTT Senior Legal Counsel, Nokia 8 October 2012 1.

Company Confidential How to implement privacy and security requirements in practice? Tobias Bräutigam, OTT Senior Legal Counsel, Nokia 8 October
Supplementary Specifications (Chapters 20,22 - Requirements Text) Question 1 by Steve & Chandan (Along with others in the past! - See notes, below)

Supplementary Specifications (Chapters 20,22 - Requirements Text) Question 1 by Steve & Chandan (Along with others in the past! - See notes, below)
Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.

Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.

Similar presentations

Ads by Google