ISO/IEC JTC1/SC7 /N3040

Transcription

1 ISO/IEC JTC1/SC7 Software and Systems Engineering Secretariat: CANADA (SCC) ISO/IEC JTC1/SC7 /N Document Type Title Source Report ISO/IEC JTC 1/SC7 WG9 Report to the Brisbane Plenary AG Meeting WG9 Covener Project Status Final Reference Action ID FYI or ACT Due Date Distribution AG No. of Pages 16 Note Address reply to: ISO/IEC JTC1/SC7 Secretariat École de technologie supérieure Département de génie électrique 1100 Notre Dame Ouest, Montréal, Québec Canada H3C 1K3

2 Paul R. Croll Chair, IEEE Software and Systems Engineering Standards Committee Convener, ISO/IEC JTC1/SC7 WG9 An Overview of Standards Supporting System and Software Assurance and the SC7/WG9 Program of Work

3 How Does Assurance Fit in the System and Software Life Cycles?

4 Life Cycle Process Framework Standards System Life Cycle ISO/IEC 15288, Systems engineering System life cycle processes Software Life Cycle ISO/IEC 12207, Standard for Information Technology Software life cycle processes SSTC 2004, Monday 19 April 2004, Track 1, 1440 Paul R. Croll Slide 3

5 Assurance in the ISO/IEC System Life Cycle Process Framework SYSTEM LIFE CYCLE (25) Safety, Security, Integrity ENTERPRISE(5) AGREEMENT (2) PROJECT (7) SYSTEM LIFE CYCLE MANAGEMENT RESOURCE MANAGEMENT QUALITY MANAGEMENT PROJECT PLANNING TECHNICAL (11) ACQUISITION SUPPLY ENTERPRISE ENVIRONMENT MANAGEMENT INVESTMENT MANAGEMENT PROJECT ASSESSMENT PROJECT CONTROL DECISION MAKING RISK MANAGEMENT CONFIGURATION MANAGEMENT INFORMATION MANAGEMENT STAKEHOLDER REQUIREMENTS DEFINITION REQUIREMENTS ANALYSIS ARCHITECTURAL DESIGN IMPLEMENTATION INTEGRATION VERIFICATION TRANSITION VALIDATION OPERATION MAINTENANCE DISPOSAL SSTC 2004, Monday 19 April 2004, Track 1, 1440 Paul R. Croll Slide 4

6 Assurance in the IEEE/EIA Software Life Cycle Process Framework SOFTWARE LIFE CYCLE (17+1) Safety, Security, Integrity SUPPORTING (8) PRIMARY (5) DOCUMENTATION CONFIGURATION MANAGEMENT QUALITY ASSURANCE VERIFICATION VALIDATION ACQUISITION SUPPLY DEVELOPMENT OPERATION MAINTENANCE JOINT REVIEW AUDIT PROBLEM RESOLUTION ISO/IEC Risk Management Adapted from: Raghu Singh, An Introduction to International Standards ISO/IEC 12207, Software Life Cycle Processes, ORGANIZATIONAL (4) MANAGEMENT INFRASTRUCTURE IMPROVEMENT TRAINING TAILORING SSTC 2004, Monday 19 April 2004, Track 1, 1440 Paul R. Croll Slide 5

7 What Standards Organizations Support System and Software Assurance?

8 Standards Organizations Supporting System and Software Assurance ISO IEC TC176 JTC1 TC56 SC65A Quality Information Technology Dependability Functional Safety SC1 SC7 SC22 SC27 Terminology Software Engineering Language, OS IT Security Techniques ISO IEEE CS IEC FISMA Projects IEEE CS S2ESC Software and Systems Engineering IASC Information Assurance SSTC 2004, Monday 19 April 2004, Track 1, 1440 Paul R. Croll Slide 7

9 Dependability Standards IEC Dependability vocabulary IEC Programme management IEC Programme elements & tasks ISO IEC IEC SW aspects of dependability Risk Analysis IEC Risk analysis of technological sys Risk Control ISO/IEC Integrity levels Achieving Confidence ISO/IEC NWI Tech. & tools for confidence IEC 1025 Fault tree analysis IEC 812 Failure mode and effects analysis ISO/IEC System life cycle processes ISO/IEC SW life cycle processes Risk Management Adapted from James W. Moore, Software Engineering Standards: A User's Road Map, IEEE Computer Society Press, Los Alamitos, CA, 1997 ISO/IEC Risk Management SSTC 2004, Monday 19 April 2004, Track 1, 1440 Paul R. Croll Slide 8

10 Safety and Security Standards IEC Functional Safety IEEE/EIA SW life cycle processes IEEE 1228 SW safety plans Safety IEC Sector-Specific Standards IEC SW in nuclear power safety systems IEC Programmable electrical medical systems DO 178B SW considerations in airborne equip certification IEEE CS RTCA ISO/IEC Common Criteria for IT Security Evaluation ISO/IEC Security frameworks for open systems ISO/IEC 9796 Digital Security Schemes ISO/IEC Systems Security Engineering CMM Security ISO IEEE/EIA SW life cycle processes IEEE P1619 Standard Architecture for Encrypted Shared Storage Media IEEE P1700 Security Architecture for Certification and Accreditation of Information IEEE P2200 Baseline Operating System Security IEEE CS SSTC 2004, Monday 19 April 2004, Track 1, 1440 Paul R. Croll Slide 9

11 SC7 WG9 Overview

12 WG9 Terms of Reference Development of standards and technical reports for system and software assurance. System and software assurance addresses management of risk and assurance of safety, security, and dependability within the context of system and software life cycles. SSTC 2004, Monday 19 April 2004, Track 1, 1440 Paul R. Croll Slide 11

13 Current NB Membership Australia Japan United Kingdom (Secretariat) United States (Convener) SSTC 2004, Monday 19 April 2004, Track 1, 1440 Paul R. Croll Slide 12

14 SC7 WG9 Current Projects

15 SC7/WG9 Current Projects Revision of ISO/IEC Revision of ISO/IEC SSTC 2004, Monday 19 April 2004, Track 1, 1440 Paul R. Croll Slide 14

16 SC7 WG9 Business Objectives

17 Near Term Objectives Complete the revision of ISO/IEC Complete the revision of ISO/IEC Determine the viability of the NWI for and either provide and editor or cancel the NWI. Establish liaisons with IEC TC56, TC65A, JTC1/SC27 and any other standards bodies whose program of work relates to system and software assurance, for the purposes of harmonization and collaboration on a unified body of work to meet users needs. Establish a Study Group to determine the derived system and software assurance requirements from ISO/IEC 15288, ISO/IEC 12207, and ISO/IEC 15026, and to recommend requirements for the development, modification, adoption, or reference of supporting standards. Expand the membership of WG9 to include participation from additional national bodies. SSTC 2004, Monday 19 April 2004, Track 1, 1440 Paul R. Croll Slide 16