Managing information security complexity
School of Computer and Information Science, Edith Cowan University
Faculty of Computing, Health and Science
This paper examines the use of a requirements management tool as a common thread for managing the complexity of information security systems. Requirements management provides a mechanism to trace each requirement through design, implementation, operation, monitoring, review, testing and reporting by creating links to the associated critical artefacts. This is instrumental in managing complex and dynamic systems, where a change in one subsystem can affect other subsystems and their associated documentation; the links make it possible to identify the affected artefacts through many layers. Benefits of this approach include better project planning and management, improved risk management, superior change management, ease of reuse, enhanced quality control and more effective acceptance testing. It would also improve auditability, which matters at a time when security functions are increasingly being outsourced throughout the world. ISO 27001:2006 provides a model for implementing an Information Security Management System (ISMS) that an organization can tailor to its needs. It is proposed that a requirements management tool could manage the traceability aspects of such an ISMS.
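The traceability the abstract describes can be shown concretely as a small model: requirements and the artefacts in each layer are nodes, trace links are edges, and a change is analysed by walking the links downstream. The following Python is an added example written for this page, not the paper's tool or data; the artefact identifiers (REQ-1, DES-1, TST-9 and so on) and the single access-control requirement they describe are constructed for illustration. Besides change impact, it answers the two questions an auditor asks of an ISMS: which requirements are stated but traced to nothing, and which artefacts exist without any requirement justifying them.

```python
"""Traceability model for an ISMS: link requirements to the artefacts that
design, implement, operate, monitor, review, test and report on them, then
answer what a change affects and what is stated but never traced.

Added example with constructed identifiers; not the paper's tool or data.
"""
from collections import defaultdict, deque

# Artefact layers in the order the abstract lists them.
LAYERS = (
    "requirement", "design", "implementation", "operation",
    "monitoring", "review", "test", "report",
)


class TraceabilityModel:
    def __init__(self):
        self.artefacts = {}                 # artefact id -> layer
        self.downstream = defaultdict(set)  # id -> ids traced from it
        self.upstream = defaultdict(set)    # id -> ids it is traced to

    def add_artefact(self, art_id, layer):
        if layer not in LAYERS:
            raise ValueError(f"unknown layer {layer!r} for {art_id}")
        self.artefacts[art_id] = layer

    def link(self, source, derived):
        """Record that `derived` is traced to `source` (e.g. a test to a design)."""
        for art_id in (source, derived):
            if art_id not in self.artefacts:
                raise KeyError(f"unknown artefact {art_id!r}")
        self.downstream[source].add(derived)
        self.upstream[derived].add(source)

    def impacted_by(self, changed_id):
        """Every artefact transitively downstream of a changed artefact.
        Breadth-first with a visited set, so cyclic links cannot loop."""
        if changed_id not in self.artefacts:
            raise KeyError(f"unknown artefact {changed_id!r}")
        seen, queue = set(), deque([changed_id])
        while queue:
            current = queue.popleft()
            for nxt in self.downstream[current]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    def impact_by_layer(self, changed_id):
        """Group the impact set by layer, in LAYERS order, for a change report."""
        grouped = defaultdict(list)
        for art_id in self.impacted_by(changed_id):
            grouped[self.artefacts[art_id]].append(art_id)
        return {layer: sorted(grouped[layer]) for layer in LAYERS if grouped[layer]}

    def untraced_requirements(self):
        """Requirements with nothing traced to them: stated but not realised."""
        return sorted(a for a, layer in self.artefacts.items()
                      if layer == "requirement" and not self.downstream[a])

    def orphan_artefacts(self):
        """Non-requirement artefacts with no upstream link: work no requirement
        justifies, which an auditor would query."""
        return sorted(a for a, layer in self.artefacts.items()
                      if layer != "requirement" and not self.upstream[a])


def build_sample_model():
    """Constructed ISMS fragment around one access-control requirement."""
    m = TraceabilityModel()
    m.add_artefact("REQ-1", "requirement")     # "privileged accounts require MFA"
    m.add_artefact("REQ-2", "requirement")     # stated, never traced to anything
    m.add_artefact("DES-1", "design")          # identity-provider policy design
    m.add_artefact("IMP-1", "implementation")  # the configured policy
    m.add_artefact("OPS-1", "operation")       # runbook for enrolling admins
    m.add_artefact("MON-1", "monitoring")      # alert on admin logon without MFA
    m.add_artefact("REV-1", "review")          # quarterly access review
    m.add_artefact("TST-1", "test")            # acceptance test: logon without MFA refused
    m.add_artefact("TST-9", "test")            # a test nothing traces to
    m.add_artefact("RPT-1", "report")          # audit report covering the control
    for src, dst in [("REQ-1", "DES-1"), ("DES-1", "IMP-1"), ("IMP-1", "OPS-1"),
                     ("IMP-1", "MON-1"), ("IMP-1", "TST-1"), ("MON-1", "REV-1"),
                     ("TST-1", "RPT-1"), ("REV-1", "RPT-1")]:
        m.link(src, dst)
    return m


if __name__ == "__main__":
    model = build_sample_model()
    for layer, ids in model.impact_by_layer("REQ-1").items():
        print(f"{layer:>15}: {', '.join(ids)}")
    print("untraced requirements:", model.untraced_requirements())
    print("orphan artefacts:", model.orphan_artefacts())
```

Changing the policy design DES-1 in this model reaches every layer below it, including the audit report, which is the point of tracing through the operating, monitoring and reviewing layers rather than stopping at tests. The two gap checks are what make the model useful during an outsourced audit: an empty impact set for a requirement means nobody has implemented it, and an orphaned test or report means the evidence cannot be tied back to a stated requirement.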