Proposing a Maturity Assessment Model for Security Requirements Engineering from the Perspective of the Requirements Explanation Process (A Multiple Case Study: Subsidiaries of the Ministry of Information and Communications Technology)

Article type: Research article

Author

Assistant Professor, ICT Security Research Institute, ICT Research Institute (Iran Telecommunication Research Institute), Tehran, Iran.

Abstract

Today, information and communication technology is an inseparable part of people's daily lives and a condition for the survival of organizations. Every business, to the extent of its capability and need, uses information technology in different areas. This dependence on information and communication technology creates many security problems for organizations. On the other hand, it should be noted that business continuity and service delivery by an organization are achieved only under the protection of security. Hence the need to attend to the various aspects of security, in order to organize the security-hardening activities of organizations, including the subsidiaries of the Ministry of Information and Communications Technology, becomes more apparent than ever. Security requirements engineering is a well-known and effective approach for dealing systematically with security issues. Accordingly, by drawing on security requirements engineering methods, the subsidiaries of the Ministry of Information and Communications Technology can deal optimally with the security problems of information and communication technology. In this regard, a maturity assessment model for security requirements engineering can be regarded as an open standard roadmap for assessing the maturity of such companies. The aim of this research is to present a maturity assessment model for security requirements engineering for the subsidiaries of the Ministry of Information and Communications Technology, with emphasis on the procedural and process considerations of requirements explanation. To this end, the reference frameworks and models of security requirements engineering were assessed using the meta-synthesis method, and the security processes and procedures related to requirements explanation were organized in the form of the proposed conceptual maturity assessment model. This maturity model was validated and analyzed through interviews with experts of the selected companies, and suggestions were offered for improving security requirements engineering in these companies.
 

Article title [English]

Providing a Maturity Assessment Model for Security Requirements Engineering From the Point of Explaining the Requirements Process (Multiple Case Study of Iran Telecommunication Professional Parent Companies)

Author [English]

  • Abouzar Arabsorkhi
Assistant Prof., Department of Information Technology and Communication Security, Iran Telecommunication Research Institute
Abstract [English]

Nowadays, information and communication technology is an integral part of the everyday life of individuals and a condition for the survival of organizations. Every business uses information technology in its different parts to the extent it needs. This dependency on IT and communications creates many security problems for organizations. On the other hand, it should be noted that business continuity and service delivery by an organization will only be realized in the context of security. Therefore, the necessity of attending to the various aspects of security in order to organize an organization's security activities, including in telecommunications companies, is becoming more and more evident. Security requirements engineering is a well-known and effective solution for systematically facing security issues. Based on this, telecommunications companies can utilize security requirements engineering techniques to meet the security challenges of information technology and communications in an optimal way. In this regard, a maturity assessment model for security requirements engineering can be considered an open standard roadmap for evaluating the maturity of telecommunications companies. The purpose of this research is to provide a maturity assessment model for security requirements engineering for telecommunications companies, with emphasis on the procedural and process considerations of explaining the requirements. For this purpose, the source frameworks and models of security requirements engineering have been studied, and the security processes and procedures related to requirements explanation have been organized in the form of a conceptual maturity assessment model. This maturity model has been validated and analyzed through interviews with experts of the selected telecommunications companies, and suggestions have been made to improve security requirements engineering in these companies.

Keywords [English]

  • Security Requirements Engineering
  • ICTs
  • Security Requirements
  • Security Requirements Explanation Processes
  • Ministry of Communication and Information Technology Subsidiaries