ISO/IEC JTC1/SC7
Software and Systems Engineering
Secretariat: CANADA (SCC)

ISO/IEC JTC1/SC7 /N3040
2004-05-12

Document Type: Report
Title: ISO/IEC JTC 1/SC7 WG9 Report to the Brisbane Plenary AG Meeting
Source: WG9 Convener
Project:
Status: Final
Reference:
Action ID: FYI or ACT
Due Date:
Distribution: AG
No. of Pages: 16
Note:

Address reply to:
ISO/IEC JTC1/SC7 Secretariat
École de technologie supérieure, Département de génie électrique
1100 Notre Dame Ouest, Montréal, Québec, Canada H3C 1K3
secretariat@jtc1-sc7.org
www.jtc1-sc7.org
Paul R. Croll
Chair, IEEE Software and Systems Engineering Standards Committee
Convener, ISO/IEC JTC1/SC7 WG9
pcroll@csc.com

An Overview of Standards Supporting System and Software Assurance and the SC7/WG9 Program of Work
How Does Assurance Fit in the System and Software Life Cycles?
Life Cycle Process Framework Standards
System Life Cycle: ISO/IEC 15288, Systems engineering: System life cycle processes
Software Life Cycle: ISO/IEC 12207, Standard for Information Technology: Software life cycle processes
SSTC 2004, Monday 19 April 2004, Track 1, 1440 Paul R. Croll Slide 3
Assurance in the ISO/IEC 15288 System Life Cycle Process Framework
Safety, Security, Integrity
SYSTEM LIFE CYCLE (25)
  ENTERPRISE (5): Enterprise Environment Management, Investment Management, System Life Cycle Management, Resource Management, Quality Management
  AGREEMENT (2): Acquisition, Supply
  PROJECT (7): Project Planning, Project Assessment, Project Control, Decision Making, Risk Management, Configuration Management, Information Management
  TECHNICAL (11): Stakeholder Requirements Definition, Requirements Analysis, Architectural Design, Implementation, Integration, Verification, Transition, Validation, Operation, Maintenance, Disposal
Assurance in the IEEE/EIA 12207 Software Life Cycle Process Framework
Safety, Security, Integrity
SOFTWARE LIFE CYCLE (17+1)
  PRIMARY (5): Acquisition, Supply, Development, Operation, Maintenance
  SUPPORTING (8): Documentation, Configuration Management, Quality Assurance, Verification, Validation, Joint Review, Audit, Problem Resolution
  ORGANIZATIONAL (4): Management, Infrastructure, Improvement, Training
  TAILORING
ISO/IEC 16085 Risk Management
Adapted from: Raghu Singh, An Introduction to International Standards ISO/IEC 12207, Software Life Cycle Processes, 1997.
What Standards Organizations Support System and Software Assurance?
Standards Organizations Supporting System and Software Assurance
ISO, IEC
  TC176: Quality
  JTC1: Information Technology
    SC1: Terminology
    SC7: Software Engineering
    SC22: Language, OS
    SC27: IT Security Techniques
  TC56: Dependability
  SC65A: Functional Safety
FISMA Projects
IEEE CS
  S2ESC: Software and Systems Engineering
  IASC: Information Assurance
Dependability Standards
Organizations shown: ISO, IEC
IEC 50-191 Dependability vocabulary
IEC 300-1 Programme management
IEC 300-2 Programme elements & tasks
IEC 300-3-6 SW aspects of dependability
Risk Analysis: IEC 300-3-9 Risk analysis of technological sys
Risk Control: ISO/IEC 15026 Integrity levels
Achieving Confidence: ISO/IEC NWI 61720 Tech. & tools for confidence
IEC 1025 Fault tree analysis
IEC 812 Failure mode and effects analysis
ISO/IEC 15288 System life cycle processes
ISO/IEC 12207 SW life cycle processes
Risk Management: ISO/IEC 16085 Risk Management
Adapted from James W. Moore, Software Engineering Standards: A User's Road Map, IEEE Computer Society Press, Los Alamitos, CA, 1997
Safety and Security Standards
Organizations shown: IEC, IEEE CS, RTCA, ISO
Safety
  IEC 61508 Functional Safety
  IEEE/EIA 12207 SW life cycle processes
  IEEE 1228 SW safety plans
  Sector-Specific Standards
    IEC 60880 SW in nuclear power safety systems
    IEC 60601 Programmable electrical medical systems
    DO 178B SW considerations in airborne equip certification
Security
  ISO/IEC 15408 Common Criteria for IT Security Evaluation
  ISO/IEC 10181 Security frameworks for open systems
  ISO/IEC 9796 Digital Security Schemes
  ISO/IEC 21827 Systems Security Engineering CMM
  IEEE/EIA 12207 SW life cycle processes
  IEEE P1619 Standard Architecture for Encrypted Shared Storage Media
  IEEE P1700 Security Architecture for Certification and Accreditation of Information
  IEEE P2200 Baseline Operating System Security
SC7 WG9 Overview
WG9 Terms of Reference
Development of standards and technical reports for system and software assurance.
System and software assurance addresses management of risk and assurance of safety, security, and dependability within the context of system and software life cycles.
Current NB Membership
Australia
Japan
United Kingdom (Secretariat)
United States (Convener)
SC7 WG9 Current Projects
SC7/WG9 Current Projects
Revision of ISO/IEC 15026
Revision of ISO/IEC 16085
SC7 WG9 Business Objectives
Near Term Objectives
Complete the revision of ISO/IEC 15026.
Complete the revision of ISO/IEC 16085.
Determine the viability of the NWI for 61720 and either provide an editor or cancel the NWI.
Establish liaisons with IEC TC56, TC65A, JTC1/SC27 and any other standards bodies whose program of work relates to system and software assurance, for the purposes of harmonization and collaboration on a unified body of work to meet users' needs.
Establish a Study Group to determine the derived system and software assurance requirements from ISO/IEC 15288, ISO/IEC 12207, and ISO/IEC 15026, and to recommend requirements for the development, modification, adoption, or reference of supporting standards.
Expand the membership of WG9 to include participation from additional national bodies.