Title: Investigating fulfilment of traceability requirements in a combined process for safety and security assessments

Authors: Vikash Katta; Christian Raspotnig; Peter Karpati; Tor Stålhane

Addresses: Department of Computer and Information Science, Norwegian University of Science and Technology, Sem Sælands vei 9, 7491 Trondheim, Norway; Department of Software Engineering, Institute for Energy Technology, Os Allé 5, 1777 Halden, Norway ' Department of Information Science and Media Studies, University of Bergen, Fosswinckelsgata 6, 5020 Bergen, Norway; Department of Software Engineering, Institute for Energy Technology, Os Allé 5, 1777 Halden, Norway ' Department of Software Engineering, Institute for Energy Technology, Os Allé 5, 1777 Halden, Norway ' Department of Computer and Information Science, Norwegian University of Science and Technology, Sem Sælands vei 9, 7491 Trondheim, Norway

Abstract: The combined harm assessment of safety and security for information systems (CHASSIS) method defines a unified process for safety and security assessments. CHASSIS applies techniques from the safety and security fields, e.g., misuse cases and HAZOP, to identify and model hazards, threats, and safety and security requirements for a system. Ensuring traceability between safety and security requirements, as well as other artefacts, is one of the important tasks required to provide safety and security assurance. In this paper, we present an approach for traceability, called SaTrAp, which was used to provide traceability support to CHASSIS. We discuss the application of SaTrAp and CHASSIS with the help of an ATM remote tower example. We evaluate whether CHASSIS together with SaTrAp fulfils the traceability requirements set by standards. In this regard, we have analysed regulations/standards from the ATM domain for requirements on traceability. We also analysed how security has been addressed by these standards.

Keywords: security assessment; safety assessment; requirements management; traceability; modelling; standards; air traffic management; ATM remote towers; information systems.

DOI: 10.1504/IJCCBS.2015.073530

International Journal of Critical Computer-Based Systems, 2015 Vol.6 No.2, pp.100 - 132

Accepted: 23 Jun 2015
Published online: 11 Dec 2015
