Assessing data cybersecurity using ISO/IEC 25012

Software Quality Journal

Abstract

Data is of ever-growing importance and is widely considered to be a company’s most valuable asset. Since data is becoming the main driver of business value, data quality and, specifically, data security are of paramount importance to companies. Various regulations related to data cybersecurity have been drawn up, such as the GDPR and the Cybersecurity Act, thus proving the importance placed on data cybersecurity by influential legislative institutions. Several standards related to security have emerged in recent years, most notably those of the ISO/IEC 27000 series. They are, however, focused on management systems and security infrastructure and ignore the security of the data itself. Other standards related to data quality, such as ISO 8000, also fail to address data security in depth. This paper, therefore, proposes a framework for the evaluation of data cybersecurity, consisting of a quality model, an evaluation process, and a tool for the visualization of the assessment results. This evaluation framework has been employed as the basis for a data cybersecurity certification scheme, which complements other certifiable standards related to data and security, such as ISO/IEC 27001 and ISO 8000. This work additionally presents the results of a pilot project in which the data cybersecurity of a commercial product was evaluated. The results of this pilot application allowed us to validate the feasibility of the evaluation framework defined.

References

  • ASCSM 1.0: Automated Source Code CISQ Security Measure. Object Management Group (2016).

  • Carretero, A. G., Gualo, F., Caballero, I., & Piattini, M. (2017). MAMD 2.0: Environment for data quality processes implantation based on ISO 8000-6X and ISO/IEC 33000. Computer Standards and Interfaces, 54, 139–151.

  • European Commission website, https://ec.europa.eu/commission/news/cybersecurity-act-2018-dec-11_en, last accessed 2019/10/09.

  • European Union law website, https://eur-lex.europa.eu/eli/reg/2016/679/oj, last accessed 2019/10/09.

  • ISO/IEC 14598-1: Information technology -- Software product evaluation -- Part 1: General overview. International Organization for Standardization / ISO/IEC JTC 1/SC 7 Software and systems engineering (1999).

  • ISO/IEC 25000: Systems and software engineering -- Systems and software Quality Requirements and Evaluation (SQuaRE) -- Guide to SQuaRE. International Organization for Standardization / ISO/IEC JTC 1/SC 7 Software and systems engineering (2014).

  • ISO/IEC 25010: Software Engineering -- Software product Quality Requirements and Evaluation (SQuaRE) -- System and software quality models. International Organization for Standardization / ISO/IEC JTC 1/SC 7 Software and systems engineering (2011).

  • ISO/IEC 25012: Software Engineering -- Software product Quality Requirements and Evaluation (SQuaRE) -- Data Quality Model. International Organization for Standardization / ISO/IEC JTC 1/SC 7 Software and systems engineering (2008).

  • ISO/IEC 25020: Software Engineering -- Software product Quality Requirements and Evaluation (SQuaRE) -- Measurement reference model and guide. International Organization for Standardization / ISO/IEC JTC 1/SC 7 Software and systems engineering (2007).

  • ISO/IEC 25022: Software Engineering -- Software product Quality Requirements and Evaluation (SQuaRE) -- Measurement of quality in use. International Organization for Standardization / ISO/IEC JTC 1/SC 7 Software and systems engineering (2016).

  • ISO/IEC 25023: Software Engineering -- Software product Quality Requirements and Evaluation (SQuaRE) -- Measurement of system and software product quality. International Organization for Standardization / ISO/IEC JTC 1/SC 7 Software and systems engineering (2016).

  • ISO/IEC 25024: Software Engineering -- Software product Quality Requirements and Evaluation (SQuaRE) -- Measurement of data quality. International Organization for Standardization / ISO/IEC JTC 1/SC 7 Software and systems engineering (2015).

  • ISO/IEC 25040: Software Engineering -- Software product Quality Requirements and Evaluation (SQuaRE) --Evaluation process. International Organization for Standardization / ISO/IEC JTC 1/SC 7 Software and systems engineering (2011).

  • ISO/IEC 25041: Software Engineering -- Software product Quality Requirements and Evaluation (SQuaRE) --Evaluation guide for developers, acquirers and independent evaluators. International Organization for Standardization / ISO/IEC JTC 1/SC 7 Software and systems engineering (2012).

  • ISO/IEC 25051: Software Engineering -- Software product Quality Requirements and Evaluation (SQuaRE) --Requirements for quality of Ready to Use Software Product (RUSP) and instructions for testing. International Organization for Standardization / ISO/IEC JTC 1/SC 7 Software and systems engineering (2014).

  • ISO/IEC 27000: Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary. International Organization for Standardization / ISO/IEC JTC 1/SC 27 Information Security, cybersecurity and privacy protection (2018).

  • ISO/IEC 9126-1: Software engineering -- Product quality -- Part 1: Quality model. International Organization for Standardization / ISO/IEC JTC 1/SC 7 Software and systems engineering (2001).

  • ISO/IEC TS 25011: Software Engineering -- Software product Quality Requirements and Evaluation (SQuaRE) -- Service quality models. International Organization for Standardization / ISO/IEC JTC 1/SC 7 Software and systems engineering (2017).

  • ISO/TS 8000-60: Data Quality -- Part 60: Data Quality Management: Overview. International Organization for Standardization / TC 184/SC 4 Industrial data (2017).

  • Rivas, B., Merino, J., Caballero, I., Serrano, M. A., & Piattini, M. (2017). Towards a service architecture for master data exchange based on ISO 8000 with support to process large datasets. Computer Standards and Interfaces, 54, 94–104.

  • Rodríguez, M., Piattini, M., & Fernandez, C. M. (2015). A hard look at software quality: Pilot program uses ISO/IEC 25000 family to evaluate, improve and certify software products. Quality Progress, 48, 30–36.

  • Rodríguez, M., Oviedo, J. R., & Piattini, M. (2016). Evaluation of Software Product Functional Suitability: A Case Study. Software Quality Professional, 18(3), 18–29.

  • Rodríguez, M., Piattini, M., & Ebert, C. (2019). Software verification and validation technologies and tools. IEEE Software, 36(2), 13–24.

  • World Economic Forum, https://www.weforum.org/agenda/2016/01/the-fourth-industrial-revolution-what-it-means-and-how-to-respond/, last accessed 2019/10/09.

  • Zubrow, D. (2004). Measuring software product quality: The ISO 25000 series and CMMI. SEI.

Funding

This research is part of the DQIoT project (INNO-20171086), funded by CDTI; the ECD project (PT3Q-16-08504), funded by the “Torres Quevedo” Program of the Spanish Ministry of Economy, Industry and Competitiveness; the CYBERDATA project (REF: (ISO/IEC 14598-1 1999)/17/IN/013), funded by Consejería de Economía, Empresas y Empleo JCCM and FEDER (Fondo Europeo de Desarrollo Regional); the ECLIPSE project (Ministerio de Ciencia, Innovación y Universidades, and Fondo Europeo de Desarrollo Regional FEDER, RTI2018-094283-B-C31); and the TESTIMO project (Consejería de Educación, Cultura y Deportes de la Junta de Comunidades de Castilla La Mancha, and the Fondo Europeo de Desarrollo Regional FEDER, SBPLY/17/180501/000503).

Author information

Corresponding author

Correspondence to Javier Verdugo.

Additional information

This article belongs to the Topical Collection on Quality Management for Information Systems

Guest Editors: Mario Piattini, Ignacio García Rodríguez de Guzmán, Ricardo Pérez del Castillo

Cite this article

Verdugo, J., Rodríguez, M. Assessing data cybersecurity using ISO/IEC 25012. Software Qual J 28, 965–985 (2020). https://doi.org/10.1007/s11219-019-09494-x
