A Master of Science in ESM (Engineering Systems Management) Submitted to the School of Engineering by Ghanem Ibrahim El - Shahry, "A Systematic Approach to the Management of System Security Reengineering Process," May 2005. Thesis Advisor Dr. Kassem Saleh. Available are Both Soft and Hard Copies of the Thesis.
With the increasing dependency on the electronic world for doing business using computers, palms, wireless devices, and the Internet, there is a need for revising the security measures and controls built into existing communication and computer systems. Several computer-based systems were originally built without considering the security in the system development phase. Consequently, a systematic approach to the management of the reengineering of system's security is recommended. The goal is to ensure that all critical services are well protected and less vulnerable to security threats. Ultimately, the system will be secured according to the organization's business security needs and business continuity plan. The proposed approach uses formal and standard specification techniques for describing security requirements and developing security acceptance test cases. A security gap analysis is first performed, and the system is reengineered starting from the requirements analysis ending with the user acceptance testing. The benefits of the approach are twofold. First, security requirements, as expected by the system stakeholders, will be satisfied by the current implementation, hence enhancing the system security and improving the trust in it. Second, any additional and future security requirements or modifications to existing requirements will be dealt with in a formal way and not as security patches or fixes to the implementation. The current security standards have been examined. International Organization for Standardization 17799:2000, security standard was chosen since it addresses all current types of security requirements, and for its international visibility. An overview of all known security requirements related to the four security goals, namely confidentiality, integrity, availability and accountability, were discussed. A comprehensive listing and mapping of all known types of security requirements are linked to the Secure Unified Modeling Language security stereotypes. As a result of this mapping, the author has extended the language stereotypes to address additional availability, accountability and immunity security requirements. Finally, security requirements are mapped to the security mechanism using corresponding serotypes. This approach is a product-independent and mechanism-independent system security reengineering process to cope with the rapid changes in evolving technologies and the dynamic nature of the technology world.