OTPAF: A Security Requirement Conceptual Model of SaaS for Malaysian Government based on Common Criteria
Norlaili binti Abdul Hamid, I. Mohamed, Maslina Daud, Norahana Salimin, N. I. Ahmad
Venue: 2019 International Conference on Electrical Engineering and Informatics (ICEEI)
Published: 2019-07-01
DOI: 10.1109/ICEEI47359.2019.8988832 (https://doi.org/10.1109/ICEEI47359.2019.8988832)
Citations: 0
Abstract
The aim of this study is to define the security requirements (SR) of an Information Technology (IT) product deployed on a cloud platform as Software as a Service (SaaS) for the Malaysian government. This is critical in order to secure the product against information security threats such as malware attacks, account hijacking and data leakage while keeping it in line with government policy. It is important to address the SR as early as before product acquisition, to avoid security incidents that would affect the government IT ecosystem. Hence, to help government officers from IT and procurement departments prepare the security specification for an acquisition or procurement exercise, we introduce the OTPAF model, a novel approach for defining SR by connecting the security components, namely security objective (O), threat (T), policy (P), assumption (A) and functionality (F), to derive a relational statement. First, we acquire the government's information security objectives and policies. Then the top cloud threats and their controls are referenced and mapped together. Following that, we elicit the security functionality using the Common Criteria (CC) approach and combine the components to form the SR. The result presents how the conceptual model OTPAF and the values of its security components are derived into a relational statement that becomes the SR.
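The abstract describes five linked components (O, T, P, A, F) that are combined into a relational statement, but it does not show what checking such a model looks like in practice. The following is an added example, not the paper's code and not the OTPAF tool: it models the five components as data, runs the Common Criteria style rationale check that a Security Target evaluator applies (every threat and policy must be addressed by an objective; every objective must be realised by at least one SFR or rest on an explicit environment assumption), and then emits one relational statement per objective. The three threats are the ones named in the abstract; the objective, policy and assumption identifiers, and the choice of CC Part 2 SFR components (FIA_UAU.2, FIA_UID.2, FDP_ACC.1, FDP_ACF.1), are constructed for illustration and are not the paper's mapping. The sample deliberately leaves one threat uncountered and one objective with no SFR behind it, so the check has something to report.

```python
"""OTPAF-style traceability check.

Added example, not code from the paper. Component structure follows the
abstract (objective, threat, policy, assumption, functionality); the rationale
rules follow Common Criteria Security Target practice. All identifiers except
the three threats from the abstract are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Objective:
    """One security objective (O) with the OTPAF links hanging off it."""
    ident: str
    text: str
    counters: frozenset = frozenset()     # threat ids (T) this objective addresses
    enforces: frozenset = frozenset()     # policy ids (P) this objective upholds
    sfrs: frozenset = frozenset()         # CC SFR components (F) that realise it
    assumptions: frozenset = frozenset()  # environment assumptions (A) it relies on


@dataclass
class SecurityProblem:
    """The security problem definition: T, P and A catalogues plus the O list."""
    threats: dict
    policies: dict
    assumptions: dict
    objectives: list


def rationale_gaps(sp):
    """Common Criteria style rationale check over the OTPAF links.

    Returns a dict of gap lists; an empty list everywhere means the security
    problem definition is fully traced and the SR set is complete.
    """
    gaps = {"uncountered_threats": [], "unenforced_policies": [],
            "unmet_objectives": [], "dangling_references": []}
    known_t, known_p, known_a = set(sp.threats), set(sp.policies), set(sp.assumptions)
    covered_t, covered_p = set(), set()
    for o in sp.objectives:
        covered_t |= o.counters
        covered_p |= o.enforces
        # An objective with neither an SFR nor an assumption behind it is
        # aspirational: nothing in the product or its environment delivers it.
        if not o.sfrs and not o.assumptions:
            gaps["unmet_objectives"].append(o.ident)
        # Links to identifiers that were never defined are a modelling error.
        dangling = (o.counters - known_t) | (o.enforces - known_p) | (o.assumptions - known_a)
        gaps["dangling_references"].extend(f"{o.ident}->{ref}" for ref in sorted(dangling))
    gaps["uncountered_threats"] = sorted(known_t - covered_t)
    gaps["unenforced_policies"] = sorted(known_p - covered_p)
    return gaps


def derive_requirements(sp):
    """Emit one relational SR statement per objective, in O-T-P-A-F order."""
    statements = []
    for o in sp.objectives:
        t = ", ".join(sorted(o.counters)) or "none"
        p = ", ".join(sorted(o.enforces)) or "none"
        a = ", ".join(sorted(o.assumptions)) or "none"
        f = ", ".join(sorted(o.sfrs)) or "none"
        statements.append(
            f"{o.ident}: {o.text} | counters threats [{t}] | enforces policies [{p}] "
            f"| assumes [{a}] | implemented by SFRs [{f}]"
        )
    return statements


def sample_problem():
    """Constructed sample: threats from the abstract, everything else assumed."""
    return SecurityProblem(
        threats={
            "T.MALWARE": "malware attack against the SaaS application",
            "T.HIJACK": "account hijacking of a government user",
            "T.LEAK": "leakage of government data from the cloud tenant",
        },
        policies={"P.ACCESS": "only authorised officers may access classified records"},
        assumptions={"A.ADMIN": "the cloud tenant is administered by trusted, trained staff"},
        objectives=[
            Objective("O.AUTH", "Users are identified and authenticated before any access",
                      counters=frozenset({"T.HIJACK"}), enforces=frozenset({"P.ACCESS"}),
                      sfrs=frozenset({"FIA_UAU.2", "FIA_UID.2"})),
            Objective("O.CONF", "Stored and transmitted data is protected from disclosure",
                      counters=frozenset({"T.LEAK"}), enforces=frozenset({"P.ACCESS"}),
                      sfrs=frozenset({"FDP_ACC.1", "FDP_ACF.1"}),
                      assumptions=frozenset({"A.ADMIN"})),
            # Deliberately incomplete: counters nothing and has no SFR, while
            # T.MALWARE is addressed by no objective. The check reports both.
            Objective("O.MALW", "The application resists malware"),
        ],
    )


if __name__ == "__main__":
    problem = sample_problem()
    for key, items in rationale_gaps(problem).items():
        print(f"{key}: {items or 'none'}")
    for statement in derive_requirements(problem):
        print(statement)
```

Run on the sample, the check flags T.MALWARE as uncountered and O.MALW as unmet, which is exactly the kind of gap a procurement officer wants surfaced before a specification is issued; the emitted statements are the relational SR form, with the SFR identifiers giving the vendor a testable CC vocabulary to respond to.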