
Extracting Security Control Requirements


Abstract

Expressing security controls as functional requirements aids in the verification step of security certification and accreditation. Distributed, multi-component systems or systems of systems (SoSs) are difficult to verify because the security controls must be understood in functional terms with respect to their local effects on components, their global effects on the SoS, and their effect on component information exchange. In this paper, we define a process to formulate functional requirements from security controls with SoSs as the target. The process starts by extracting model elements associated with assets, functions, organization variables, and external influences. These models are composed across a set of security controls and normalized to maintain consistency and remove redundancies. We apply the models to SoSs to provide essential details to their specification in functional requirements. The objective is to reduce ambiguity when verifying SoSs as well as to minimize recertification efforts when the system or security expectations change.
