Risk-Based Confidentiality Requirements Specification for Outsourced IT Systems

A. Morali, Roelf J. Wieringa

    Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, Academic, peer-reviewed

    17 Citations (Scopus)
    424 Downloads (Pure)

    Abstract

    Today, companies are required to be in control of their IT assets, and to provide proof of this in the form of independent IT audit reports. However, many companies have outsourced various parts of their IT systems to other companies, which potentially threatens the control they have of their IT assets. To provide proof of being in control of outsourced IT systems, the outsourcing client and outsourcing provider need a written service level agreement (SLA) that can be audited by an independent party. SLAs for availability and response time are common practice in business, but so far there is no practical method for specifying confidentiality requirements in an SLA. Specifying confidentiality requirements is hard because in contrast to availability and response time, confidentiality incidents cannot be monitored: attackers who breach confidentiality try to do this unobserved by both client and provider. In addition, providers usually do not want to reveal their own infrastructure to the client for monitoring or risk assessment. Elsewhere, we have presented an architecture-based method for confidentiality risk assessment in IT outsourcing. In this paper, we adapt this method to confidentiality requirements specification, and present a case study to evaluate this new method.
    Original language: Undefined
    Title of host publication: Proceedings of the 18th IEEE International Requirements Engineering Conference (RE 2010)
    Place of Publication: Los Alamitos, California
    Publisher: IEEE Computer Society
    Pages: 199-208
    Number of pages: 10
    ISBN (Print): 978-0-7695-4162-4
    DOIs
    Publication status: Published - Sep 2010
    Event: 18th International IEEE Requirements Engineering Conference, RE 2010 - Sydney, Australia
    Duration: 27 Sep 2010 to 1 Oct 2010
    Conference number: 18

    Publication series

    Name
    Publisher: IEEE Computer Society

    Conference

    Conference: 18th International IEEE Requirements Engineering Conference, RE 2010
    Abbreviated title: RE 2010
    Country: Australia
    City: Sydney
    Period: 27/09/10 to 1/10/10

    Keywords

    • METIS-270871
    • Confidentiality requirements
    • IR-72163
    • SCS-Services
    • RISK ASSESSMENT
    • Service level agreements
    • EWI-18061
    • Outsourcing