Analyzing regulatory rules for privacy and security requirements

IEEE Transactions on Software Engineering

Volumn 34, Issue 1, 2008, Pages 5-20

  Breaux, Travis D ^a   Antón, Annie I ^a  

^a North Carolina State University   (United States)

Author keywords

Accountability; Compliance; Information and privacy; Laws and regulations; Requirements engineering

Indexed keywords

DATA PRIVACY; REGULATORY COMPLIANCE; REQUIREMENTS ENGINEERING; SECURITY OF DATA;

REGULATORY RULES; SOFTWARE REQUIREMENTS; SOFTWARE SYSTEMS;

SOFTWARE ENGINEERING;

EID: 40449096076     PISSN: 00985589     EISSN: None     Source Type: Journal    
DOI: 10.1109/TSE.2007.70746     Document Type: Article

References (44)

1. A.I. Antón, "Goal-Based Requirements Analysis," Proc. Second IEEE Int'l Conf. Requirements Eng., pp. 136-144, 1996.
2. A.I. Antón, J.B. Earp, Q. He, W. Stufflebeam, D. Bolchini, and C. Jensen, "Financial Privacy Policies and the Need for Standardization," IEEE Security and Privacy, vol. 2, no. 2, pp. 36-45, Mar./Apr. 2004.
3. A.I. Antón and J.B. Earp, "A Requirements Taxonomy for Reducing Web Site Privacy Vulnerabilities," Requirements Eng., vol. 9, no. 3, pp. 169-185, 2004.
4. P. Ashley, C. Powers, and M. Schunter, "From Privacy Promises to Privacy Management: A New Approach for Enforcing Privacy throughout the Enterprise," Proc. 10th New Security Paradigms Workshop, pp. 43-50, 2002.
5. P. Ashley, S. Hada, G. Karjoth, and M. Schunter, "E-P3P Privacy Policies and Privacy Authorization," Proc. ACM Workshop Privacy in the Electronic Sec., pp. 103-109, 2002.
6. J-W. Byon, E. Bertino, and N. Li, "Purpose-Based Access Control of Complex Data for Privacy Protection," Proc. 10th ACM Symp. Access Control Models and Technologies, pp. 102-110, 2005.
7. T.D. Breaux and A.I. Antón, "Deriving Semantic Models from Privacy Policies," Proc. Sixth IEEE Int'l Workshop Policies for Distributed Systems and Networks, pp. 67-76, 2005.
8. T.D. Breaux and A.I. Antón, "Analyzing Goal Semantics for Rights, Permissions and Obligations," Proc. 13th IEEE Int'l Conf. Requirements Eng., pp. 177-186, 2005.
9. T.D. Breaux and A.I. Antón, "Mining Rule Semantics to Understand Legislative Compliance," Proc. ACM Workshop Privacy in the Electronic Sec., pp. 51-54, 2005.
10. T.D. Breaux, A.I. Antón, C-M. Karat, and J. Karat, "Enforceability vs. Accountability in Electronic Policies," Proc. Seventh IEEE Int'l Workshop Policies for Distributed Systems and Networks, pp. 227-330, 2006.
11. T.D. Breaux and A.I. Antón, "Semantic Parameterization: A Conceptual Modeling Process for Domain Descriptions," Technical Report TR-2006-35, Dept. of Computer Science, North Carolina State Univ., Oct. 2006, ACM Trans. Software Eng. Methods, to appear.
12. T.D. Breaux, A.I. Antón, and E.H. Spafford, "A Distributed Requirements Management Framework for Compliance and Accountability," Technical Report TR-2006-14, Dept. of Computer Science, North Carolina State Univ., July 2006.
13. T.D. Breaux, M.W. Vail, and A.I. Antón, "Towards Compliance: Extracting Rights and Obligations to Align Requirements with Regulations," Proc. 14th IEEE Int'l Conf. Requirements Eng., pp. 49-58, 2006.
14. T.D. Breaux and A.I. Antón, "Impalpable Constraints: Framing Requirements for Formal Methods," Technical Report TR-2007-6, Dept. of Computer Science, North Carolina State Univ., Feb. 2007.
15. C. Brodie, C-M. Karat, J. Karat, and J. Feng, "Usable Security and Privacy: A Case Study of Developing Privacy Management Tools," Proc. First Symp. Usable Privacy and Security, pp. 35-43, 2005.
16. "Health Care," Career Guide to Industries, 2006-2007. Bureau of Labor Statistics, US Dept. of Labor, 2007.
17. C.J. Hoofnagle and D.J. Solove, "Re: Request for Investigation into Data Broker Products for Compliance with the FCRA," Electronic Privacy Information Center, 2004.
18. C.B. Farrell, "Choice Point Settles Data Security Breach Charges: To Pay $10 Million in Civil Penalties and $5 Million for Customer Redress," FTC File 052-3069, Office of Public Affairs, US Fed. Trade Commission, 2006.
19. United States v. ChoicePoint, Inc., Case 1:06-CV-00198-JTC, (Northern District of Georgia), Feb. 2006.
20. Black's Law Dictionary, B.A. Garner, ed., eighth ed., 2004.
21. B.C. Glaser and A.L. Strauss, The Discovery of Grounded Theory. Aldine Publishing, 1967.
22. P. Giorgini, F. Massacci, J. Mylopoulos, and N. Zannone, Modeling Security Requirements through Ownership, Permission and Delegation," Proc. 13th IEEE Int'l Conf. Requirements Eng., pp. 167-176, 2005.
23. M. Jackson, "The World and the Machine," Proc. 17th IEEE Int'l Conf. Software Eng., pp. 283-292, 1995.
24. M. Jackson and P. Zave, "Domain Descriptions," Proc. First IEEE Symp. Requirements Eng., pp. 56-64, 1993.
25. "HIPAA Administrative Simplification: Enforcement - Parts 160 and 164," Federal Register, US Dept. of Health and Human Services, vol. 71, no. 32, pp. 8389-8433, Feb. 2006.
26. C.B. Haley, R.C. Laney, J.D. Moffett, and B. Nuseibeh, "The Effect of Trust Assumptions on the Elaboration of Security Requirements," Proc. 12th IEEE Int'l Conf. Requirements Eng., pp. 102-111, 2004.
27. C.B. Haley, R. Laney, and B. Nuseibeh, "Deriving Security Requirements from Crosscutting Threat Descriptions," Proc. Third Int'l Conf. Aspect-Oriented Software Development, pp. 112-121, 2004.
28. C.B. Haley, J.D. Moffett, R. Laney, and B. Nuseibeh, "Arguing Security: Validating Security Requirements Using Structured Argumentation," Proc. Third Symp. Requirements Eng. for Information Security, 2005.
29. J.F. Horty, Agency and Deontic Logic. Oxford Univ. Press, 2001.
30. "Standards for Privacy of Individually Identifiable Health Information - Part 164, Subpart E," Federal Register, US Dept. of Health and Human Services, vol. 68, no. 34, pp. 8334-8381, Feb. 2003.
31. "Standards for the Protection of Electronic Protected Health Information - Part 164, Subpart C," Federal Register, US Dept. of Health and Human Services, vol. 68, no. 34, pp. 8334-8381, Feb. 2003.
32. A. van Lamsweerde, "Elaborating Security Requirements by Construction of Intentional Anti-Models," Proc. 26th IEEE Int'l Conf. Software Eng., pp. 148-157, 2004.
33. S-W. Lee, R. Gandhi, D. Muthurajan, D. Yavagal, and G-J. Ahn, "Building Problem Domain Ontology from Security Requirements in Regulatory Documents," Proc. Second Int'l Workshop Software Eng. for Secure Systems, pp. 43-50, 2006.
34. L. Lin, B. Nuseibeh, D. Ince, M. Jackson, and J. Moffett, "Introducing Abuse Frames for Analyzing Security Requirements," Proc. 11th IEEE Int'l Conf. Requirements Eng., pp. 371-372, 2003.
35. M.J. May, C.A. Gunter, and I. Lee, "Privacy APIs: Access Control Techniques to Analyze and Verify Legal Privacy Policies," Proc. 19th IEEE Computer Security Foundations Workshop, pp. 85-97, 2006.
36. J. Mylopoulos, L. Chung, and E. Yu, "From Object-Oriented to Goal-Oriented Requirements Analysis," Comm. ACM, vol. 42, no. 1, pp. 31-37, 1999.
37. J. Reagle and L.F. Cranor, "The Platform for Privacy Preferences," Comm. ACM, vol. 42, no. 2, pp. 48-55, 1999.
38. P. Samarati and S. de Capitani di Vimercati, "Access Control: Policies, Models and Mechanisms," Foundations of Security Analysis and Design vol. 2171, pp. 137-193, 2001.
39. R.S. Sandhu, E.J. Coyne, H.L. Feinstein, and C.E. Youman, "Role-Based Access Control Models," Computer, vol. 29, no. 2, pp. 38-47, Feb. 1996.
40. T. Verhannenman, F. Piessens, B. de Win, and W. Joosen, "Requirements Traceability to Support Evolution of Access Control," Proc. First Workshop Software Eng. for Secure Systems, pp. 1-7, 2005.
41. D. Xu, V. Goel, and K. Nygard, "An Aspect-Oriented Approach to Security Requirements Analysis," Proc. 30th Ann. Int'l Computer Software and Applications Conf., pp. 79-82, 2006.
42. P. Zave and M. Jackson, "The Four Dark Corner's of Requirements Engineering," ACM Trans. Software Eng. Methods, vol. 6, no. 1, pp. 1-30, 1997.
43. HIPAA Medical Privacy and Transition Rules: Overkill or Overdue?, Hearing before the Special Committee on Aging, US Senate, 108th Congress, Ser. 108-23, 23 Sept. 2003.
44. Extensible Access Control Markup Language (XACML) Version 2.0, Oasis Standards Group, Feb. 2005.