A Framework for Analyzing Federal Regulations for Information Security
Advisor Information
Robin Gandhi
Location
Dr. C.C. and Mabel L. Criss Library
Presentation Type
Poster
Start Date
6-3-2015 11:00 AM
End Date
6-3-2015 12:30 PM
Abstract
This research examines regulatory compliance in information systems from a software assurance perspective. Today's information systems are software intensive and are therefore prone to software weaknesses, which attackers exploit to compromise the system. However, when stakeholders acquire or build new systems, they usually tailor security controls to system-level needs, so software security concerns receive far less attention than they deserve. In our research, we extend NOMOS, a framework for modeling roles, norms and situations, and evaluate its applicability to information security regulations. We present a case study with the Federal Information Security Management Act (FISMA) of 2002. FISMA statements with a high variability space for categorizing information and information systems across multiple documents are examined to explore the utility and limits of the NOMOS framework. Finally, we introduce mechanisms for determining the applicability of FISMA and related standards to tailored constraints on software components within a larger information system.