Morali, A. and Wieringa, R.J.
Risk-Based Confidentiality Requirements Specification for Outsourced IT Systems (Extended Version).
Technical Report TR-CTIT-10-09,
Centre for Telematics and Information Technology, University of Twente, Enschede.
Today, companies are required to be in control
of their IT assets, and to provide proof of this in the form
of independent IT audit reports. However, many companies
have outsourced various parts of their IT systems to other
companies, which potentially threatens the control they have
of their IT assets. To provide proof of being in control of
outsourced IT systems, the outsourcing client and outsourcing
provider need a written service level agreement (SLA) that can
be audited by an independent party.
SLAs for availability and response time are common practice
in business, but so far there is no practical method for
specifying confidentiality requirements in an SLA. Specifying
confidentiality requirements is hard because, in contrast to
availability and response time, confidentiality incidents cannot
be monitored: attackers who breach confidentiality try to do
this unobserved by both client and provider. In addition,
providers usually do not want to reveal their own infrastructure
to the client for monitoring or risk assessment.
Elsewhere, we have presented an architecture-based method
for confidentiality risk assessment in IT outsourcing. In this
paper, we adapt this method to confidentiality requirements
specification, and present a case study to evaluate this new
| Item Type: | Internal Report (Technical Report) |
| Research Group: | EWI-DIES: Distributed and Embedded Security, EWI-IS: Information Systems |
| Research Program: | CTIT-ISTRICE: Integrated Security and Privacy in a Networked World |
| Research Project: | VRIEND: Value-Based Security Risk Mitigation in Enterprise Networks that are Decentralized |
| Uncontrolled Keywords: | Confidentiality requirements, Outsourcing, Service level agreements, Risk assessment |
| Deposited On: | 23 February 2010 |