Model for Security Cross-Standard Compliance Tracking and Requirement Prioritization in Critical Infrastructure

Abstract

This thesis presents research in the field of information security. We present a model that uniformly represents the building blocks of the security requirements that are defined in various standards, security guidelines, and regulations for Critical Infrastructure. We analyze the structure of the requirements in the most commonly used standards for this purpose. We have extended the model with components to prioritize and track the implementation and compliance of similar requirements selected from different security publications. We define prioritization criteria for selecting the requirements for implementation that rely on four factors: risk assessment results, essence levels of the requirements set that is analyzed, dependency graph of the social actors involved in the implementation, and the domain affiliation of the requirement. We also define a framework with a set of activities that follow the elements of the proposed model to demonstrate its practical applicability.