
Research On Method And Key Technologies Of Business Process-oriented Security Requirements Elicitation For Information Systems

Posted on: 2007-10-19
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Z W Yu
GTID: 1102360242967661
Subject: Mechanical Manufacturing and Automation
Abstract/Summary:
With support from a project of the State 863 High-Tech R&D Program of China (No.2003AA414045) and the major research project of Zhejiang manufacturing enterprise informationization engineering (2003C11010), a business process-oriented security requirements elicitation method (BPoSREM) for information systems was put forward to strengthen security management and elicit the security requirements of information systems. The application of BPoSREM was researched in a security management project for an agile production management system.

In chapter 1, through an analysis of the development of manufacturing enterprise informationization, the severe security problem was pointed out. Based on a review of the state of the art of information system security, the elicitation of information system security requirements was identified as the key to and basis for resolving the security problems of information systems. According to the research on security requirements analysis and the features of manufacturing enterprise information systems, the idea of business process-oriented security requirements elicitation for information systems was presented. Finally, the research objective, contents and framework of the dissertation were proposed.

In chapter 2, after analyzing the relationship between business processes and information system security, the necessity of business process-oriented security requirements elicitation was discussed and the methodology of business process-oriented security requirements elicitation was proposed; its fundamental theory, processes and key technologies were pointed out and introduced.

In chapter 3, the activity-asset correlative model was put forward to identify the assets that support business process operation and the relationship between activities and assets. Then the business activity-oriented security relationship model of the information system was presented. Next, the informal heuristic rules and the process for eliciting the security requirements of the information system were given. Finally, the method for describing the security requirements was shown.

In chapter 4, a business process element (BPE)-based method of acquiring the security requirement PRI was presented after an analysis of the relationship between security requirements and the security objectives of BPEs. According to the confidentiality, integrity and availability objectives of BPEs, the PRIs of the corresponding security requirements were acquired based on the two-level table for converting security objectives to security requirement PRIs.

In chapter 5, a coverage analysis method for security requirements was put forward. To clean up the conflicts between security requirements, the consistency coverage mechanism was given based on the correlation analysis of business activities. According to the features of security requirements, the collecting coverage mechanism was put forward to guide the selection and implementation of adaptive security measures.

In chapter 6, the research in this dissertation and future research directions were summarized.

Finally, the practical application of the proposed business process-oriented security requirements elicitation method and technologies was concluded and summarized in appendix A.
Keywords/Search Tags: Manufacturing enterprise informationization, Information system, Business process, Security requirements, Security relationship, Activity-asset correlative model, Security objectives, Security requirement PRI, Coverage analysis