Applying Security Assurance Cases for Cloud-based Systems in the Medical Domain
Abstract
Regulatory compliance is of major concern to medical
software companies that are involved in developing safetycritical
software whose failure could result in loss of life,
significant property damage or damage to the environment.
A common approach to demonstrate compliance with safety
requirements is through assurance cases, which are structured
arguments, supported by evidence, intended to justify that a
system is acceptably assured. The usage of assurance cases
to prove compliance for other properties other than safety
like cybersecurity has been increasing. However there are no
formal guidelines to follow when creating security assurance
cases as there is for safety assurance cases. The purpose of our
research is to simplify the process of creating security assurance
cases for their products by creating a set of guidelines. By
conducting a design science study at a Swedish cloud-based
medical software company, we analyzed external needs regarding
the best practices in cybersecurity, regulations and standards
in the medical domain. Contrasting these with the company’s
internal needs, we constructed a security assurance case for a
part of their system based on the external and internal needs of
the company. The guidelines were the outcome that emerged out
of the case we created for the company.
Degree
Student essay
Collections
View/ Open
Date
2020-12-02Author
Drgham, Mohamad
Hassan, Mohamed
Language
eng