Graduate Seminar (2008 Spring)

Title: Discovering and Understanding the Multi-Dimensional Correlations among Certification Requirements with Application to Risk Assessment

Robin A. Gandhi

Software and Information System Department

The University of North Carolina at Charlotte

http://www.nise.sis.uncc.edu/rgandhi

April 11 at 3:00pm
106 Woodward

Abstract:

Security regulations are now considered a primary driver of an organization's software security lifecycle efforts. However, with the increasing complexity of software systems, understanding the necessity and sufficiency of regulatory security requirements in supporting an environment with an “acceptable level of risk” is not a mere checklist exercise. Security breaches most often occur due to a cascading failure among security constraints that work collectively in a socio-technical context. Therefore, while assessing residual risk, certifiers must systematically take into account the nexus of causal chains that exist among security requirements in the context of the software system's operational environment. Numerous natural-language regulatory requirements specified in documents or listed in spreadsheets and databases do not facilitate such analysis. Furthermore, the complex interactions between a software system and its environment are now far beyond the capacity of manual approaches that lack additional representational and cognitive aids.

In this talk, I will present a step-wise methodology for discovering and understanding the multi-dimensional correlations among regulatory security requirements, and its application to risk assessment. I will explain our methods and representations that help answer questions about the propagative impact of non-compliance with regulatory security requirements, illustrated with an investigation scenario that uses visual analytics for risk assessment. I will also discuss our case study with experts from the government and private sector on the United States Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP). The results demonstrate strong support for the steps of the methodology and its artifacts in improving risk assessment during the C&A process, while providing insights for further improvements.

Bio:

Robin Gandhi is a Ph.D. candidate in Information Technology at The University of North Carolina, Charlotte, where he is advised by Dr. Seok-Won Lee. He will be joining The University of Nebraska, Omaha, College of Information Science and Technology as an assistant professor in fall 2008. He received his undergraduate degree in Electronics Engineering from Sardar Patel University, Gujarat, India in 2000, and his Master of Science in Computer Science from The University of North Carolina, Charlotte in 2001. His research interests include requirements engineering, software engineering, knowledge-intensive software systems, software assurance, certification and accreditation, software metrics and measures, and risk assessment. He is a student member of the IEEE and ACM SIGSOFT professional communities. He has co-authored over 20 publications, including book chapters, peer-reviewed journal articles, and conference and workshop papers. Further information regarding his research, teaching and publications is available at http://www.nise.sis.uncc.edu/rgandhi.

Copyright © 2003 - 2008 College of Computing and Informatics