Mapping the State of Security Standards Mappings

Mussmann, Andrea; Brunner, Michael; Breu, Ruth

doi:10.30844/wi_2020_l4-mussmann

Cited by 4 publications

(3 citation statements)

References 38 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In the same year, Andrea Mussmann et al [15] provided an overview of research focused on mapping security standards (e.g., ISO 27001, ISO 27002, ITIL, COBIT, NIST SP800-53, GDPR). They explored methodologies formulated for these mappings and delved into tools, such as mapping tables, that support the process.…”

Section: Related Workmentioning

confidence: 99%

Leveraging Taxonomical Engineering for Security Baseline Compliance in International Regulatory Frameworks

Grigaliūnas,

Schmidt,

Brūzgienė

et al. 2023

Future Internet

View full text Add to dashboard Cite

A surge in successful Information Security (IS) breaches targeting Research and Education (R&E) institutions highlights a pressing need for enhanced protection. Addressing this, a consortium of European National Research and Education Network (NREN) organizations has developed a unified IS framework. This paper aims to introduce the Security Baseline for NRENs and a security maturity model tailored for R&E entities, derived from established security best practices to meet the specific needs of NRENs, universities, and various research institutions. The models currently in existence do not possess a system to smoothly correlate varying requirement tiers with distinct user groups or scenarios, baseline standards, and existing legislative actions. This segmentation poses a significant hurdle to the community’s capacity to guarantee consistency, congruency, and thorough compliance with a cohesive array of security standards and regulations. By employing taxonomical engineering principles, a mapping of baseline requirements to other security frameworks and regulations has been established. This reveals a correlation across most regulations impacting R&E institutions and uncovers an overlap in the high-level requirements, which is beneficial for the implementation of multiple standards. Consequently, organizations can systematically compare diverse security requirements, pinpoint gaps in their strategy, and formulate a roadmap to bolster their security initiatives.

show abstract

Section: Related Workmentioning

confidence: 99%

Leveraging Taxonomical Engineering for Security Baseline Compliance in International Regulatory Frameworks

Grigaliūnas,

Schmidt,

Brūzgienė

et al. 2023

Future Internet

View full text Add to dashboard Cite

show abstract

“…Therefore, "standard" methods and algorithms are added as implementation guidelines for a possible satisfaction of a particular requirement. Moreover, a requirement may further direct the use of another security standard for selecting methods and algorithms, thus forming a chain of security standards based on which a particular requirement is realised [31].…”

Section: Related Workmentioning

confidence: 99%

“…This document acts as a stepping stone to cater for secure-by-design practices by detailing the security requirements and the capability levels across the ICS zones. The interpretation of the standard against system security requirements also presents a unique challenge regarding the correct mapping of requirements [31]. The current ICS security requirements engineering practices do not offer formal and expressive specification techniques to map the system's requirements to ICS-specific security standards.…”

Section: Introductionmentioning

confidence: 99%

Tracing security requirements in industrial control systems using graph databases

et al. 2022

View full text Add to dashboard Cite

We must explicitly capture relationships and hierarchies between the multitude of system and security standards requirements. Current security requirements specification methods do not capture such structure effectively, making requirements management and traceability harder, consequently increasing costs and time to market for developing certified ICS. We propose a novel requirements repository model for ICS that uses labelled property graphs to structure and store system-specific and standards-based requirements using well-defined relationship types. Furthermore, we integrate the proposed requirements repository with design-time ICS tools to establish requirements traceability. A wind turbine case study illustrates the overall workflow in our framework. We demonstrate that a robust requirements traceability matrix is a natural consequence of using labelled property graphs. We also introduce a compatible requirements change management procedure that aids in adapting to changes in development and certification schemes.

show abstract