Bibtex
Cite as text
@Select Types{,
Journal = "Band-1",
Title= "Mapping the State of Security Standards Mappings",
Author= "Andrea Mussmann, Michael Brunner, Ruth Breu",
Doi= "https://doi.org/10.30844/wi_2020_l4-mussmann",
Abstract= "Companies often have to comply with more than one security standard and refine parts of security standards to apply to their domain and specific security goals. To understand which requirements different security standards stipulate, a systematic overview or mapping of the relevant natural language security standards is necessary. Creating such standards mappings is a difficult task; to discover which methodologies and tools researchers and practitioners propose and use to map security standards, we conducted a systematic literature review. We identified 44 resources published between 2004 and 2018 using ACM Digital Library, IEEEXplore, SpringerLink, ScienceDirect, dblp and additional grey literature sources. We found that research focuses either on manual methods or on security ontologies to create security standards mappings. We also observed an increase in scientific publications over the investigated timespan which we attribute to the ISO 27001 standard update in 2013 and the EU GDPR coming into effect in 2018.
",
Keywords= "Security Requirements, Security Standards, Security Mapping, Compliance Management, Systematic Literature Review.
",
}
Andrea Mussmann, Michael Brunner, Ruth Breu: Mapping the State of Security Standards Mappings. Online: https://doi.org/10.30844/wi_2020_l4-mussmann (Abgerufen 23.11.24)
Open Access
Companies often have to comply with more than one security standard and refine parts of security standards to apply to their domain and specific security goals. To understand which requirements different security standards stipulate, a systematic overview or mapping of the relevant natural language security standards is necessary. Creating such standards mappings is a difficult task; to discover which methodologies and tools researchers and practitioners propose and use to map security standards, we conducted a systematic literature review. We identified 44 resources published between 2004 and 2018 using ACM Digital Library, IEEEXplore, SpringerLink, ScienceDirect, dblp and additional grey literature sources. We found that research focuses either on manual methods or on security ontologies to create security standards mappings. We also observed an increase in scientific publications over the investigated timespan which we attribute to the ISO 27001 standard update in 2013 and the EU GDPR coming into effect in 2018.
Security Requirements, Security Standards, Security Mapping, Compliance Management, Systematic Literature Review.
1. Purser, S.: Standards for Cyber Security. In: Hathaway, M.E. (ed.): Best Practices in Computer Network Defense: Incident Detection and Response. IOS Press (2014)
2. ISACA. COBIT 5: A Business Framework for the Governance and Management of Enterprise IT. ISA (2012)
3. International Organisation for Standardization. ISO/IEC 27001: Information technology – Security techniques – Information security management system – Requirements. Standard (2013)
4. PCI Security Standards Council. PCI DSS v3.2.1. Standard. https://www.pcisecuritystandards.org/document_librarycategory=pcidss&document= pci_dss. (Accessed: 28.01.2019)
5. Haufe, K., Colomo-Palacios, R., Dzombeta, S., Brandis, K., Stantchev, V.: Security Management Standards: A Mapping. In: Procedia Computer Science, vol. 100 pp. 755- 761. Elsevier Online (2016)
6. Olifer, D.: Evaluation Metrics for Ontology-Based Security Standards Mapping. In: 2015 Open Conference of Electrical, Electronic and Information Sciences (eStream). IEEE (2015)
7. Kitchenham, B.: Procedures for Performing Systematic Reviews. In: Keele University, vol. 33, pp. 1–26. Keele, UK (2004)
8. Garousi, V., Felderer, M., Mäntylä, M.V.: The Need for Multivocal Literature Reviews in Software Engineering: Complementing Systematic Literature Reviews with Grey Literature. In: Proceedings of the 20th Intern. Conf. on Evaluation and Assessment in Software Engineering (EASE ’16), p. 26:1-26:6. ACM, New York (2016)
9. Hulsebosch, B.: White paper: Inventory and Classification of Cyber Security Standards. Independent Summary of the Final Report. Technical Report (2015)
10. National Institute of Standards and Technology.: NIST Special Publication 800-53 Information Security. CreateSpace, Paramount (2013)
11. Axelos.: ITIL – Service Lifecycle Publication Suite. The Stationery Office, London (2011)
12. Bundesamt für Sicherheit in der Informationstechnik. BSI IT-Grundschutz-Kompendium – Edition 2018. Standard (2018)
13. The dblp Team: dblp Computer Science Bibliography. Monthly Snapshot release of February 2019. https://dbl.org/xml/release/dblp-2019-02-01.xml.gz (2019)
14. LIBER: The DART-Europe E-theses Portal. https://www.dart-europe.eu (Accessed
10.02.2019)
15. Google Inc: Google Search https://www.google.com (Accessed: 12.02.2019)
16. Wohlin, C.: Guidelines for Snowballing in Systematic Literature Studies and a Replication in Software Engineering. In: Proceedings of the 18th Intern. Conf. on Evaluation and Assessment in Software Engineering, pp. 321–330. Citeseer, ACM, New York (2014)
17. Guest, G., MacQueen, K.M., Namey, E.E.: Applied thematic analysis. Sage Publications, Los Angeles (2012)
18. Bundesamt für Sicherheit in der Informationstechnik. Zuordnungstabelle ISO zum modernisierten IT-Grundschutz. Technical Report, BSI (2018)
19. Mataracioglu, T.. 2016. Comparison of PCI Dss and ISO/IEC 27001 Standards. In: ISACA Journal, 2016 vol. 1. Online (2016)
20. Cloud Security Alliance. Cloud Controls Matrix. Standard (2018)
21. ENISA. Metaframework. Technical Report (2011)
22. Falk, M.: Ableitung des Control-Frameworks für IT-Compliance. In: IT-Compliance in der Corporate Governance, pp. 149–246. Gabler Verlag, Wiesbaden (2012)
23. DHHS Office for Civil Rights. HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework. Technical Report. U.S. Department of Health & Human Services (2016)
24. Trevor, H.J., Kabir, B.: Bridging ISO 27001 to GDPR: Where Security and Privacy Share Common Ground. Technical Report. IAPP-OneTrust Research. (2018)
25. InformationShield. PCI-DSS Policy Mapping Table. Mapping.
26. Oparaugo, C.: ISO/IEC 27001 Process Mapping to COBIT 4.1 to Derive a Balanced Scorecard for IT Governance. COBIT Focus. Online (2015)
27. ISO27001Security: Mapping Between GDPR (the EU General Data Protection Regulation) and ISO27k. Technical Report (2016)
28. Pardo, C., Pino, F.J., García, F., Piattini, M., Baldassarre, M.T.: An Ontology for the Harmonization of Multiple Standards and Models. In: Computer Standards & Interfaces, vol. 34, no. 1, pp. 48-59. Elsevier, Online (2012)
29. Ramanauskaite, S., Olifer, D., Goranin, N., Cenys, A.: Security Ontology for Adaptive Mapping of Security Standards. Intern. Journal of Computers, Communications & Control (IJCCC), vol. 8, no. 6, pp. 878-890. CCC Publications, Online (2013)
30. Beckers, K., Côté, I., Fenz, S., Hatebur, D., Heisel, M.: A Structured Comparison of Security Standards. In: Engineering Secure Future Internet Services and Systems, pp. 1–
34. Springer, Heidelberg (2014)
31. Di Giulio, C., Sprabery, R., Kamhoua, C., Kwiat, K., Campbell, R., Bashir, M.N.: IT Security and Privacy Standards in Comparison: Improving FedRAMP Authorization for Cloud Service Providers. In 2017 17th IEEE ACM Intern. Symposium on Cluster, Cloud and Grid Computing (CCGRID), pp. 1090–1099. IEEE (2017)
32. Gikas,C.: 2010. A General Comparison of FISMA, HIPAA, ISO 27000 and PCI-DSS Standards. In: Information Security Journal: A Global Perspective, vol. 19, no. 3, pp. 132- 141. Taylor & Francis, Online (2010)
33. Breaux, T.D., Gordon, D.G., Papanikolaou, N., Pearson, S.: Mapping Legal Requirements to IT Controls. In: 6th Intern. Workshop on Req. Eng. and Law, 11–20. IEEE (2013)
34. Ridley, G., Hartnett, J., Jarern-Imakul, W.: Mapping Information Security Standards: A Counter-Terrorism Example. In: ECIS 2008 proceedings, pp. 1370–1381. (2008)
35. Di Giulio, C., Sprabery, R., Kamhoua, C., Kwiat, K., Campbell, R.H., Bashir, M.N.: Cloud security certifications: a comparison to improve cloud service provider security. In: Proceedings of the Second Intern. Conf. on IoT and Cloud Comp. ACM, New York (2017)
36. Di Giulio, C., Sprabery, R., Kamhoua, C., Kwiat, K., Campbell, R.H., Bashir, M.N.: Cloud Standards in Comparison: Are New Security Frameworks Improving Cloud Security? In: 2017 IEEE 10th Intern. Conf. on Cloud Computing (CLOUD), pp. 50–57. IEEE (2017)
37. Catteddu, D., Chin, V., Cordero, S., Foo, A.P., Laris, K., Maaloul, A., Pannetrat, A., Roza, M., Savanovic, D., Skoutaris, E., Tierling, E.: Methodology for the Mapping of the Cloud Controls Matrix (CCM). Technical Report (2018)
38. Sunyaev, A.: Health-Care Telematics in Germany: Design and Application of a Security Analysis Method. Springer, Heidelberg, Germany (2011)
39. Fenz, S., Ekelhart, A.: Formalizing Information Security Knowledge. In: Proceedings of the 4th Intern. Symposium on Information, Computer, and Communications Security, pp. 183-194. ACM, New York (2009)
40. Herzog, A., Shahmehri, N., Duma, C.: An Ontology of Information Security. In: Intern. Journal of Information Security and Privacy (IJISP), vol. 1, no. 4, pp. 1-23. IGI Publishing, Hershey (2007)
41. Souag, A., Salinesi, C., Comyn-Wattiau, I.: Ontologies for Security Requirements: A Literature Survey and classification. In: Intern. Conf. on Advanced Information Systems Engineering, pp. 61–69. Springer, Berlin, Heidelberg, Germany (2012)
42. Fenz, S., Goluch, G., Ekelhart, A., Riedl, B., Weippl, E.: Information Security Fortification by Ontological Mapping of the ISO/IEC 27001 Standard. In: 13th Pacific Rim Intern. Symposium on Dependable Computing (PRDC 2007), pp. 381-388. IEEE (2007)
43. Bartolini, C., Giurgiu, A., Lenzini, G., Robaldo, L.: A Framework to Reason about the Legal Compliance of Security Standards. In: Tenth Intern. Workshop on Juris-informatics (JURISIN). (2016)
44. Abdullah, N.S., Indulska, M., Sadiq, S.: Compliance Management Ontology — a Shared Conceptualization for Research and Practice in Compliance Management. In: Information Systems Frontiers, vol. 18, no. 5, pp. 995–1020. Springer, Heidelberg (2016)
45. Almeida, R., Lourinho, R., Mira da Silva, M., Pereira, R.: A Model for Assessing COBIT 5 and ISO 27001 Simultaneously. In: 2018 IEEE 20th Conference on Business Informatics (CBI), vol. 1, pp. 60–69. IEEE (2018)
46. Almeida, R., Pinto, P., Mira da Silva, M.: Using ArchiMate to assess COBIT 5 and ITIL implementations. In: 25th Intern. Conf. on Information Systems Development, pp. 235– 246. Katowice, Poland: University of Economics in Katowice (2016)
47. Beckers, K., Heiselm M., Solhaug, B., Stølen, K.: ISMS-CORAS: A Structured Method for Establishing an ISO 27001 Compliant Information Security Management System. In: Engineering Secure Future Internet Services and Systems, pp. 315-344. Springer, Heidelberg (2014)
48. Cheng, D.C., Lim-Cheng, N.R.: An ontology-based framework to support multi-standard compliance for an enterprise. In: 2017 Intern. Conf. on Research and Innovation in Information Systems (ICRIIS), pp. 1–6. IEEE (2017)
49. Ecklhart, A., Fenz, S., Goluch, G., Weippl, E.: Ontological mapping of common criteria’s security assurance requirements. In: IFIP Intern. Inf. Sec. Conf., pp. 85–95. Springer, Heidelberg (2007)
50. Fenz, S., Neubauer, T.: Ontology-based information security compliance determination and control selection on the example of ISO 27002. In: Information & Computer Security, vol. 26, no. 5, pp. 551-567. Emerald Insight, Online (2018)
51. Fenz, S., Plieschnegger, S., Hobel, H.: Mapping information security standard ISO 27002 to an ontological structure. In: Information & Computer Security, vol.24, no. 5, pp. 452- 473. Emerald Insight, Online (2016)
52. Fenz, S., Pruckner, T., Manutscheri, A.: Ontological mapping of information security bestpractice guidelines. In: International Conference on Business Information Systems (BSI ’09), pp. 49–60. Springer, Heidelberg (2009)
53. Hulitt, E., Vaughn, R.B.: Information system security compliance to FISMA standard: a quantitative measure. In: Telecommunication Systems, vol. 45, no. 2, pp. 139-152. Springer, Heidelberg (2010)
54. Koelle, R., Strijland, W., Roels, S.: Towards Harmonising the Legislative, Regulatory, and Standards-Based Framework for ATM Security: Developing a Software Support Tool. In: 2013 Intern. Conference on Availability, Reliability and Security, pp. 787-793. IEEE (2013)
55. Nicho, M.: Incorporating COBIT best practices in PCI DSS V2. 0 for Effective Compliance. ISACA Journal, 2012 vol. 1, p. 42. Online (2012)
56. Pardo, C., Pino, F., García, F., Romero, F., Piattini, M., Baldassarre, M.T.: HProcessTOOL: a support tool in the harmonization of multiple reference models. In: Intern. Conf. on Computational Science and Its Applications, pp. 370–382. Springer, Heidelberg (2011)
57. Pardo, C., Pino, F.J., García, F., Piattini, M., Baldassarre, M.T.: A process for driving the harmonization of models. In: Proceedings of the 11th Intern. Conf. on Product Focused Software, pp. 51–54. ACM, New York (2010)
58. Pardo, C., Pino, F.J., García, F., Piattini, M., Baldassarre, M.T., Lemus, S.: Homogenization, comparison and integration: a harmonizing strategy for the unification of multi-models in the banking sector. In: Intern. Conf. on Product Focused Software Process Improvement, pp. 59–72. Springer, Heidelberg (2011)
59. Pardo, C., Pino, F.J., García, F., Velthius, M.P., Baldassarre, M.T.: Trends in harmonization of multiple reference models. In: Intern. Conf. on Evaluation of Novel Approaches to Software Engineering, pp. 61–73. Springer, Heidelberg (2010)
60. Pardo-Calvache, C.J., García-Rubio, F.O., Piattini-Velthuis, M., Pino-Correa, F.J., Baldassarre, M.T.: A reference ontology for harmonizing process-reference models. In: Revista Facultad de Ingeniería Universidad de Antioquia, vol. 73, pp. 29-42. Online (2014)
61. Pardo-Calvache, C.J., Pino, F.J., Félix García, Baldassarre, M.T., Piattini, M.: From chaos to the systematic harmonization of multiple reference models: A harmonization framework applied in two case studies. In: Journal of Systems and Software, vol. 86, no. 1, pp. 125- 143. Elsevier, Online (2013)
62. Pardo, C., Pino, F.J., Garcia, F.: Towards an Integrated Management System (IMS), harmonizing the ISO/IEC 27001 and ISO/IEC 20000-2 Standards. In: Intern. Journal of Software Engineering and Its Applications, vol. 10, no. 9, pp. 217-230. Online (2016)
63. Ramanauskaite, S., Goranin, N., Cenys, A., Olifer, D.: Ontology-Based Security Standards Mapping Optimization by the Means of Graph Theory. In: Intern. congress on engineering and technology. (2013)
64. Vorobiev, V.I., Fedorchenko, L.N., Zabolotsky, V.P., and Lyubimov, A.V.: Ontologybased Analysis of Information Security Standards and Capabilities for their Harmonization. In: Proceedings of the 3rd Intern. Conf. on Sec. of Information and Networks, pp. 137–141. ACM, New York (2010)
65. Winter, K., Rinderle-Ma, S.: Detecting Constraints and their Relations from Regulatory Documents Using NLP Techniques. In: Panetto, H., Debruyne, C., Proper, H.A., Ardagna, C.A., Roman, D., Meersman, R. (eds.) OTM Confederated Intern. Conf. “On the Move to Meaningful Internet Systems”, pp. 261–278. Springer, Heidelberg (2018)
66. Booth, H., Christopher. T.: NIST Draft: Vulnerability Description Ontology (VDO). Technical Report, NIST (2018)
67. Morris, K.C., Narayanan, A., Lechevalier, D.: NOVIS – NIST Ontological Visualisation. Technical Report (2017)
68. Papanikolaou, N.: Natural Language Processing of Rules and Regulations for Compliance in the Cloud. In: OTM Confederated Intern. Conf. “On the Move to Meaningful Internet Systems”, pp. 620–627. Springer, Heidelberg (2012)
69. Cleland-Huang, J., Czauderna, A., Gibiec, M., Emenecker, J.: A Machine Learning Approach for Tracing Regulatory Codes to Product Specific Requirements. In: 2010 ACM/IEEE 32nd Intern. Conf. on Software Engineering, vol. 1, pp. 155–164. IEEE (2010)
70. Mandal. S., Gandhi, R., Siy, H.: Modular Norm Models: A Lightweight Approach for Modeling and Reasoning about Legal Compliance. In: 2017 IEEE DASC/PiCom/DataCom/CyberSciTech, pp. 657-662. IEEE (2017)
71. Allgress Inc: Mapping Subscription. https://allgress.com/compliance-mappingsubscription (Accessed 12.11.2019)
72. Advisera Expert Solutions Ltd. https//adviser.com (Accessed 12.11.2019)