IT:AD:SQuaRE
- Notes
- Resources

IT:AD:SQuaRE

* See also:

  <callout type="Navigation" class="small">

* IT:AD:ISO 25010

</callout>

Summary

The acronym SQuaRE is used in the following cases: * System Quality Requirements Engineering * Security Quality Requirements Engineering

They both follow the same 9 steps, more or less.

Notes

System

System Quality Requirements Engineering (SQUARE) is a process model developed at Carnegie Mellon University (CMU).

SQUARE provides a means for eliciting, categorizing, and prioritizing security requirements for information technology systems and applications.

The focus of the model is to build security and quality concepts into the early stages of the analysing, development, development stages of the development life cycle.

Agree on definitions
Identify security goals
Develop artifacts to support security requirements definition
Assess risks
Select elicitation technique(s)
Elicit security requirements
Categorize requirements
Prioritize requirements
Inspect requirements

Security

0. Agree on Definitions

Input: Candidate definitions from IEEE and other standards
Techniques: Structured interviews, focus group
Participants: Stakeholders, requirements engineer
Output: Agreed-to definitions

2. Identify Assets and Security Goals

Input: Definitions, candidate goals, business drivers, policies and procedures, examples
Techniques: Facilitated work session, surveys, interviews
Participants: Stakeholders, requirements engineer
Output: Assets and goals

3. Develop artifacts to support security requirements definition

Input: Potential artifacts (e.g., scenarios, misuse cases, templates, forms)
Techniques: Work session
Participants: Requirements engineer
Output: Needed artifacts: scenarios, misuse cases, models, templates, forms

4. Perform Risk Assessment

  Input: Misuse cases, scenarios, security goals
  Techniques: Risk assessment method, analysis of anticipated risk against organizational risk tolerance, including threat analysis
  Participants: Requirements engineer, risk expert, stakeholders
  Output: Risk assessment results

5. Select elicitation Techniques

Input: Goals, definitions, candidate techniques, expertise of stakeholders, organizational style, culture, level of security needed, cost benefit analysis, etc.
Techniques: Work session
Participants: Requirements engineer
Output: Selected elicitation techniques

6. Elicit Security Requirements

Input: Artifacts, risk assessment results, selected techniques
Techniques: Joint Application Development (JAD), interviews, surveys, model-based analysis, checklists, lists of reusable requirements types, document reviews
Participants: Stakeholders facilitated by requirements engineer
Output: Initial cut at security requirements

7. Categorize Requirements as to Level (System, Software, etc.) and Whether They Are Requirements or Other Kinds of Constraints

Input: Initial requirements, architecture
Techniques: Work session using a standard set of categories
Participants: Requirements engineer, other specialists as needed
Output: Categorized requirements

8. Prioritize Requirements

Input: Categorized requirements and risk assessment results
Techniques: Prioritization methods such as Triage, Win-Win
Participants: Stakeholders facilitated by requirements engineer
Output: Prioritized requirements

9. Inspect Requirements

Input: Prioritized requirements, candidate formal inspection technique
Techniques: Inspection methods such as Fagan, peer reviews
Participants: Inspection team
Output: Initial selected requirements, documentation of decision-making process and rationale

Resources

* http://www.iso.org/iso/catalogue_detail.htm?csnumber=35683 * http://www.iso.org/iso/home/store/catalogue_ics/catalogue_detail_ics.htm?csnumber=64764 * https://www.iso.org/obp/ui/#iso:std:iso-iec:25000:ed-2:v1:en * http://www.ittoday.info/ITPerformanceImprovement/Articles/2012-01Merkow.html