Semantic hierarchies for extracting, modeling, and connecting compliance requirements in information security control standards

Matthew L Hale, Rose F. Gamble

Research output: Contribution to journal › Article

2 Citations (Scopus)

Abstract

Companies and government organizations are increasingly compelled, if not required by law, to ensure that their information systems will comply with various federal and industry regulatory standards, such as the NIST Special Publication on Security Controls for Federal Information Systems (NIST SP-800-53), or the Common Criteria (ISO 15408-2). Such organizations operate business- or mission-critical systems where a lack of or lapse in security protections translates to serious confidentiality, integrity, and availability risks that, if exploited, could result in information disclosure, loss of money, or, at worst, loss of life. To mitigate these risks and ensure that their information systems meet regulatory standards, organizations must be able to (a) contextualize regulatory documents in a way that extracts the relevant technical implications for their systems, (b) formally represent their systems and demonstrate that they meet the extracted requirements following an accreditation process, and (c) ensure that all third-party systems, which may exist outside of the information system enclave as web or cloud services, also implement appropriate security measures consistent with organizational expectations. This paper introduces a step-wise process, based on semantic hierarchies, that systematically extracts relevant security requirements from control standards to build a certification baseline for organizations to use in conjunction with formal methods and service agreements for accreditation. The approach is demonstrated following a case study of all audit-related controls in the SP-800-53, ISO 15408-2, and related documents. Accuracy, applicability, consistency, and efficacy of the approach were evaluated using controlled qualitative and quantitative methods in two separate studies.

Original language: English (US)
Pages (from-to): 365-402
Number of pages: 38
Journal: Requirements Engineering
Volume: 24
Issue number: 3
DOIs: 10.1007/s00766-017-0287-5
State: Published - Sep 1 2019

Fingerprint

Security of data
Information systems
Semantics
Accreditation
Industry
Formal methods
Availability
Compliance

Keywords

  • Accreditation
  • Certification
  • Regulatory compliance
  • Requirement extraction
  • Security control standards
  • Security policy
  • Security requirements
  • Semantic hierarchy

ASJC Scopus subject areas

  • Software
  • Information Systems

Cite this

Semantic hierarchies for extracting, modeling, and connecting compliance requirements in information security control standards. / Hale, Matthew L; Gamble, Rose F.

In: Requirements Engineering, Vol. 24, No. 3, 01.09.2019, p. 365-402.

Research output: Contribution to journal › Article

@article{0975cf918c024a52a1d85a89159b519c,
title = "Semantic hierarchies for extracting, modeling, and connecting compliance requirements in information security control standards",
keywords = "Accreditation, Certification, Regulatory compliance, Requirement extraction, Security control standards, Security policy, Security requirements, Semantic hierarchy",
author = "Hale, {Matthew L} and Gamble, {Rose F.}",
year = "2019",
month = "9",
day = "1",
doi = "10.1007/s00766-017-0287-5",
language = "English (US)",
volume = "24",
pages = "365--402",
journal = "Requirements Engineering",
issn = "0947-3602",
publisher = "Springer London",
number = "3"
}

TY - JOUR

T1 - Semantic hierarchies for extracting, modeling, and connecting compliance requirements in information security control standards

AU - Hale, Matthew L

AU - Gamble, Rose F.

PY - 2019/9/1

Y1 - 2019/9/1

KW - Accreditation

KW - Certification

KW - Regulatory compliance

KW - Requirement extraction

KW - Security control standards

KW - Security policy

KW - Security requirements

KW - Semantic hierarchy

UR - http://www.scopus.com/inward/record.url?scp=85039734400&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85039734400&partnerID=8YFLogxK

U2 - 10.1007/s00766-017-0287-5

DO - 10.1007/s00766-017-0287-5

M3 - Article

VL - 24

SP - 365

EP - 402

JO - Requirements Engineering

JF - Requirements Engineering

SN - 0947-3602

IS - 3

ER -