Daisuke Horie

GEST: A Generator of ISO/IEC 15408 Security Target Templates

This paper presents a generator of ISO/IEC 15408 security target templates, named “GEST,” that can automatically generate security target templates for target information systems from evaluated and certified security targets. GEST can choose certified security targets resembling target system according to keywords inputted by users, and detect and correct discordance of templates. By using GEST, designers with a little experience can easily get security target templates as the basis to create security targets of target systems.

Development of ISEE: An Information Security Engineering Environment

Security Engineering has some features that are intrinsically different from Software (Reliability) Engineering. Traditional software engineering environments are not adequate and effective for designing, developing, managing, and maintaining secure software systems. This paper presents our development of ISEE, an information security engineering environment we are developing, that integrates various tools and provides comprehensive facilities to support design, development, management, and maintenance of security facilities of information/software systems continuously and consistently, and guides and helps all users to perform their tasks regularly according to ISO/IEC security standards. ISEE is the first real information security engineering environment.

A New Model of Software Life Cycle Processes for Consistent Design, Development, Management, and Maintenance of Secure Information Systems

This paper presents a new model of software life cycle processes for consistent design, development, management, maintenance, and abolition of secure information systems.The model clearly specifies tasks for engineering security facilities, standards underlying the tasks, and a regular sequence of the tasks.We defined the model according to ISO/IEC 12207 and other ISO standards related to security.The model can be customized as software life cycle processes for various systems with particular purposes.Users of software life cycle processes according to the model can continuously and consistently design, develop, manage, maintain, and abrogate secure information systems whose security is ensured by ISO standards.

A security requirement management database based on ISO/IEC 15408

With the scale-spreading and diversification of information systems, security requirements for the systems are being more and more complicated. It is desirable to apply database technologies to information security engineering in order to manage the security requirements in design and development of the systems. This paper proposes a security requirement management database based on the international standard ISO/IEC 15408 that defines security functional requirements which should be satisfied by various information systems. The database can aid design and development of information systems that require high security such that it enables to suitably refer to required data of security requirements.

A Database System for Effective Utilization of ISO/IEC 27002

ISO/IEC 27002 is an international standard for information security management. Although many organizations need to manage their information systems according to ISO/IEC 27002, ISO/IEC 27002 is not convenient for users to retrieve terms, definitions, and security controls and to make documents for information security management because the ISO/IEC 27002 is distributed only in form of booklet or PDF. On the other hand, ISEE, an information security engineering environment, has been proposed to support all tasks in from requirement analysis to maintenance of security facilities of software/information systems. ISEDS, an information security engineering database system, as a main component of ISEE, is planed manage all ISO standards related with information security and their concerning documents. This paper presents a database system for effective utilization of ISO/IEC 27002 that is obtained by adding ISO/IEC 27002 and related documents into ISEDS. The paper analyzes usages of ISO/IEC 27002, gives requirement analysis of the database system, presents a design and construction of the database system, and shows a usage example. The paper also investigates a systematic method to construct databases of ISO standards for information security in ISEDS.

A web user interface of the security requirement management database based on ISO/IEC 15408

In order to support design and development of secure information systems, we have proposed a security requirement management database based on the international standard ISO/IEC 15408. Design and development of secure information systems concern issues of information security engineering as well as software engineering. Our security requirement management database will be useful in practices only if we can provide its users with a highly usable user interface. This paper presents the design and development of a web user interface of our security requirement management database. We analyze and define usability requirements that the database should satisfy, present design and implementation of the web user interface, and show some examples for evaluating the interface from the viewpoint of usability engineering.