
Part of the book series: Lecture Notes in Computer Science (LNCS, volume 8431)

Abstract

A number of different security standards exist, and it is difficult to choose the right one for a particular project, or to evaluate whether the right standard was chosen for a certification. These standards are often long and complex texts, and reading and understanding them takes a lot of time. We provide a conceptual model for security standards that relies upon existing research and captures the concepts and phases of security standards. In addition, we developed a template based upon this model, which can be instantiated for a given security standard. These instantiated templates can be compared and help software and security engineers to understand the differences between security standards. In particular, the instantiated templates explain which information, and at what level of detail, a system document written according to a certain security standard contains. We applied our method to the well-known international security standards ISO 27001 and Common Criteria, as well as to the German IT-Grundschutz standards.

This research was partially supported by the EU project Network of Excellence on Engineering Secure Future Internet Software Services and Systems (NESSoS, ICT-2009.1.4 Trustworthy ICT, Grant No. 256980) and the Ministry of Innovation, Science, Research and Technology of the German State of North Rhine-Westphalia and EFRE (Grant No. 300266902 and Grant No. 300267002).


© 2014 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Beckers, K., Côté, I., Fenz, S., Hatebur, D., Heisel, M. (2014). A Structured Comparison of Security Standards. In: Heisel, M., Joosen, W., Lopez, J., Martinelli, F. (eds) Engineering Secure Future Internet Services and Systems. Lecture Notes in Computer Science, vol 8431. Springer, Cham. https://doi.org/10.1007/978-3-319-07452-8_1


  • DOI: https://doi.org/10.1007/978-3-319-07452-8_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-07451-1

  • Online ISBN: 978-3-319-07452-8

  • eBook Packages: Computer Science (R0)
