Share Email Print

Proceedings Paper

Recognition and categorization considerations for information assurance requirements development and speficication
Author(s): Martin R. Stytz; Michael May; Sheila B. Banks
Format Member Price Non-Member Price
PDF $14.40 $18.00

Paper Abstract

Department of Defense (DoD) Information Technology (IT) systems operate in an environment different from the commercial world, the differences arise from the differences in the types of attacks, the interdependencies between DoD software systems, and the reliance upon commercial software to provide basic capabilities. The challenge that we face is determining how to specify the information assurance requirements for a system without requiring changes to the commercial software and in light of the interdependencies between systems. As a result of the interdependencies and interconnections between systems introduced by the global information grid (GIG), an assessment of the IA requirements for a system must consider three facets of a system's IA capabilities: 1) the IA vulnerabilities of the system, 2) the ability of a system to repel IA attacks, and 3) the ability of a system to insure that any IA attack that penetrates the system is contained within the system and does not spread. Each facet should be assessed independently and the requirements should be derived independently from the assessments. In addition to the desired IA technology capabilities of the system, a complete assessment of the system's overall IA security technology readiness level cannot be accomplished without an assessment of the capabilities required of the system for its capability to recover from and remediate IA vulnerabilities and compromises. To allow us to accomplish these three formidable tasks, we propose a general system architecture designed to separate the system's IA capabilities from its other capability requirements; thereby allowing the IA capabilities to be developed and assessed separately from the other system capabilities. The architecture also enables independent requirements specification, implementation, assessment, measurement, and improvement of a system's IA capabilities without requiring modification of the underlying application software.

Paper Details

Date Published: 13 April 2009
PDF: 11 pages
Proc. SPIE 7344, Data Mining, Intrusion Detection, Information Security and Assurance, and Data Networks Security 2009, 73440K (13 April 2009); doi: 10.1117/12.819535
Show Author Affiliations
Martin R. Stytz, Institute for Defense Analyses (United States)
Michael May, Institute for Defense Analyses (United States)
Sheila B. Banks, Calculated Insight (United States)

Published in SPIE Proceedings Vol. 7344:
Data Mining, Intrusion Detection, Information Security and Assurance, and Data Networks Security 2009
Belur V. Dasarathy, Editor(s)

© SPIE. Terms of Use
Back to Top