Secure application systems are often built using the Software Architecture of the system as a blueprint. The Software Architecture of any application system contains, along with other functional requirements, the security service requirements for the various constituent components. However, for continued maintenance of the security worthiness of the application, and to facilitate security re-evaluations and certifications, a separate security architecture definition for the application is also required. In this paper we describe a methodology for developing and maintaining a security-focused architecture for any application system. We have termed this architecture the Functional Security Architecture (FSA) and the methodology MDFSA (Methodology for Development of Functional Security Architecture). FSA provides security service definitions for the various components in the Software Architecture based on abstract models. MDFSA employs a multi-faceted approach for developing the FSA: Business Process Analysis, Abstract Models of Protection & Security Service definition, Information Security Architecture, Structured Security Specification frameworks (e.g. ISO/IEC 15408 Protection Profiles/Security Target), etc. The MDFSA methodology is illustrated using an Admissions Discharge and Transfer System, a key healthcare IT application system.
Proceedings Title: Third Annual International Systems Security Engineering Association Conference
Conference Dates: March 13-15, 2002
Conference Location: Orlando, FL
Conference Title: International Systems Security Engineering Conference
Pub Type: Conferences
Keywords: information domains, information security architecture, security services, software security architecture