By Topic

Ensuring compliance between policies, requirements and software design: a case study

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

Formats Non-Member Member
$33 $13
Learn how you can qualify for the best price for this item!
Become an IEEE Member or Subscribe to
IEEE Xplore for exclusive pricing!
close button

puzzle piece

IEEE membership options for an individual and IEEE Xplore subscriptions for an organization offer the most affordable access to essential journal articles, conference papers, standards, eBooks, and eLearning courses.

Learn more about:

IEEE membership

IEEE Xplore subscriptions

4 Author(s)
Qingfeng He ; ABB Inc., US Corporate Res. Center, Raleigh, NC, USA ; P. Otto ; A. I. Anton ; L. Jones

Specifying correct and complete access control policies is essential to secure data and ensure privacy in information systems. Traditionally, policy specification has not been an explicit part of the software development process. This isolation of policy specification from software development often results in policies that are not in compliance with system requirements and/or organizational security and privacy policies, leaving the system vulnerable to data breaches. This paper presents the results and lessons learned from a case study that employs the Requirements-based Access Control Analysis and Policy Specification (ReCAPS) method to specify access control policies for a Web-based event registration system. The ReCAPS method aids software and security engineers in specifying access control policies derived from requirements specifications and other available sources. Our case study revealed that the ReCAPS method helps identify inconsistencies across various software artifacts, such as requirements specification, database design, and organizational security and privacy policies. Had these problems not been identified and resolved, they would have crippled later phases of software development, resulted in missing or incomplete system functionality, and compromised the system's security and privacy. This case study reinforces, validates, and extends our previous recommendations that access control policy specification should be an integral part of the software development process for information systems to achieve information assurance and improve the quality of the information system

Published in:

Fourth IEEE International Workshop on Information Assurance (IWIA'06)

Date of Conference:

13-14 April 2006