Security Process Capability Model Based on ISO/IEC 15504 Conformant Enterprise SPICE

Antanas Mitasiunas; Leonids Novickis; Rimas Kalpokas

doi:10.2478/acss-2014-0006

Abstract

In the context of modern information systems, security has become one of the most critical quality attributes. The purpose of this paper is to address the problem of quality of information security. An approach to solve this problem is based on the main assumption that security is a process oriented activity. According to this approach, product quality can be achieved by means of process quality - process capability. Introduced in the paper, SPICE conformant information security process capability model is based on process capability modeling elaborated by world-wide software engineering community during the last 25 years, namely ISO/IEC 15504 that defines the capability dimension and the requirements for process definition and domain independent integrated model for enterprise-wide assessment and Enterprise SPICE improvement

References

[1] Mangin, O., Barafort, B., Heymans, P., Dubois, E.: Designing a Process Reference Model for Information Security Management Systems. In: Mas, A., Mesquida, A., Rout, T., O’Connor, R.V., Dorling, A (Eds.) SPICE 2012, CCIS, vol. 290, Heidelberg, Springer (2012), p. 129-140.
Search in Google Scholar
[2] Barafort, B., Humbert, J.P., Poggi, S.: Information security management and ISO/IEC 15504: the link opportunity between security and quality. In Proceedings of the 6th International SPICE Conference on Process Assessment and Improvement (SPICE 2006), Luxembourg, (2006): http://alpha.nyit.edu/som/faculty/khoo/spring2012/mist757/others/wp13 _spice.pdf
Search in Google Scholar
[3] Information Security Management Systems (ISMS), BSI-Standard 100-1, Version 1.5. May, 2008, www.bsi.bund.de
Search in Google Scholar
[4] IT-Grundschutz Methodology, BSI-Standard 100-2, Version 2.0. May 2008, www.bsi.bund.de
Search in Google Scholar
[5] Boronowsky, M., Woronowicz, T., Mitasiunas, A. BONITA - Improve Transfer from Universities for Regional Development. The Proceedings of the 3rd ISPIM Innovation Symposium held in Quebec City, 2010: http://www.ispim.org/members/proceedings/Quebec10/commonfiles/file s/26728727_Paper.pdf
Search in Google Scholar
[6] Cloud Computing. Benefits, risks and recommendations for information security. European Network and Information Security Agency (ENISA), 2009: https://www.enisa.europa.eu/activities/riskmanagement/ files/deliverables/cloud-computing-risk-assessment
Search in Google Scholar
[7] CMMI-ACQ, 2010. CMMI for Acquisition, Version 1.3. Software Engineering Institute: www.sei.cmu.edu/reports/10tr032.pdf
Search in Google Scholar
[8] CMMI-DEV, 2010. CMMI for Development, Version 1.3. Software Engineering Institute: www.sei.cmu.edu/reports/10tr033.pdf
Search in Google Scholar
[9] CMMI-SVC, 2010. CMMI for Services, Version 1.3. Software Engineering Institute: www.sei.cmu.edu/reports/10tr034.pdf
Search in Google Scholar
[10] Enterprise SPICE An Integrated Model for Enterprise-wide Assessment and Improvement. Technical Report - Issue 1. The Enterprise SPICE Project Team, September 2010, p. 184, www.enterprisespice.com/page/publication-1
Search in Google Scholar
[11] Ibrahim, L., Bradford, B., Cole, D., LaBruyere, L., Leinneweber, H., Piszczek, D., Reed, N., Rymond, M., Smith, D., Virga, M., Wells, C. FAA-iCMM. The Federal Aviation Administration Integrated Capability Maturity Model for Enterprise-wide Improvement. U.S. Federal Aviation Administration, published by FAA (2001), p. 480.
Search in Google Scholar
[12] Ibrahim, L., Jarzombek, J., Ashford, M., Bate, R., Croll, P., Horn, M., LaBruyere, L., Wells, C., 2004. Safety and Security Extensions for Integrated Capability Maturity Models. U.S. Federal Aviation Administration: https://buildsecurityin.uscert. gov/sites/default/files/SafetyandSecurityExt-Sep2004.pdf
Search in Google Scholar
[13] ISO/IEC 15504-2, 2003. Information Technology - Process Assessment - Part 2: Performing an Assessment. ISO, Geneva (2003), p. 26
Search in Google Scholar
[14] ISO/IEC 15504-5, 2006. Information Technology - Process Assessment - Part 5: An Exemplar Process Assessment Model. ISO, Geneva (2006), p.172
Search in Google Scholar
[15] ISO/IEC 15504-10, 2011. Information Technology - Process Assessment - Part 10: Safety Extension. Technical specification. ISO, Geneva (2011). p.32
Search in Google Scholar
[16] Mesquida, A. L., Mas, A., Amengual, E. An ISO/IEC 15504 Security Extension. In: Rout, t., O’Connor, R.V., Rout, T., MaCaffery, F., Dorling, A (Eds.) SPICE 2011, CCIS, vol. 155, Heidelberg, Springer (2011), p.64-72
Search in Google Scholar
[17] Mitašiūnas, A., Novickis, L. Enterprise SPICE based education capability maturity model. In: Niedrite, L., Strazdina, R., Wangler, B. (eds.) BIR 2011 Workshops. LNBIP, vol. 102-116, Heidelberg, Springer (2012), p. 106-116
Search in Google Scholar
[18] Novickis, L., Lesovskis, A., Mitasiunas, A. Technology Transfer Model and Web-based Solution for Transport Logistics Service Providers. Proceedings of the European Computing Conference (ECC’11), Wisconsin, USA , WSEAS, Stevens Point (2011), p. 65-74
Search in Google Scholar
[19] +SAFE. A Safety Extension to CMMI-DEV, version 1.2. Software Engineering Institute, 2007: http://www.sei.cmu.edu/reports/07tn006.pdf
Search in Google Scholar
[20] Sunyaev, A., Schneider, S. Cloud Services Certification. Communications of the ACM. Volume 56, issue 2 (2013), p. 33-36. http://dx.doi.org/10.1145/2408776.240878
Search in Google Scholar

Security Process Capability Model Based on ISO/IEC 15504 Conformant Enterprise SPICE

Abstract

Paradigm

My account