
EEMCS EPrints Service

Risk-Based Confidentiality Requirements Specification for Outsourced IT Systems (Extended Version)

Morali, A. and Wieringa, R.J. (2010) Risk-Based Confidentiality Requirements Specification for Outsourced IT Systems (Extended Version). Technical Report TR-CTIT-10-09, Centre for Telematics and Information Technology University of Twente, Enschede. ISSN 1381-3625

Full text available as: PDF (601 KB), Open Access


Today, companies are required to be in control of their IT assets, and to provide proof of this in the form of independent IT audit reports. However, many companies have outsourced various parts of their IT systems to other companies, which potentially threatens the control they have of their IT assets. To provide proof of being in control of outsourced IT systems, the outsourcing client and outsourcing provider need a written service level agreement (SLA) that can be audited by an independent party.

SLAs for availability and response time are common practice in business, but so far there is no practical method for specifying confidentiality requirements in an SLA. Specifying confidentiality requirements is hard because, in contrast to availability and response time, confidentiality incidents cannot be monitored: attackers who breach confidentiality try to do this unobserved by both client and provider. In addition, providers usually do not want to reveal their own infrastructure to the client for monitoring or risk assessment.

Elsewhere, we have presented an architecture-based method for confidentiality risk assessment in IT outsourcing. In this paper, we adapt this method to confidentiality requirements specification, and present a case study to evaluate this new

Item Type:Internal Report (Technical Report)
Research Group:EWI-DIES: Distributed and Embedded Security, EWI-IS: Information Systems
Research Program:CTIT-ISTRICE: Integrated Security and Privacy in a Networked World
Research Project:VRIEND: Value-Based Security Risk Mitigation in Enterprise Networks that are Decentralized
Uncontrolled Keywords:Confidentiality requirements, Outsourcing, Service level agreements, Risk assessment
ID Code:17524
Deposited On:23 February 2010