A distributed requirements management framework for legal compliance and accountability

Computers and Security

Volumn 28, Issue 1-2, 2009, Pages 8-17

  Breaux, Travis D ^a   Antón, Annie I ^a   Spafford, Eugene H ^b  

^a NORTH CAROLINA STATE UNIVERSITY   (United States)

^b PURDUE UNIVERSITY   (United States)

Author keywords

Accountability; Compliance; Policy; regulation; Requirements engineering

Indexed keywords

COMPUTER SOFTWARE PORTABILITY; HEALTH INSURANCE; INFORMATION SYSTEMS; REQUIREMENTS ENGINEERING;

ACCOUNTABILITY; AUDITING MECHANISMS; BUSINESS MANAGERS; BUSINESS PROCESSES; BUSINESS UNITS; COMPLIANCE; GOVERNMENT REGULATIONS; HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACTS; HEALTHCARE SCENARIOS; LEGAL OBLIGATIONS; LIFE-CYCLE; POLICY; REGULATION; RELEVANT INFORMATIONS; REQUIREMENTS MANAGEMENTS; SOFTWARE CONTROLS; SOFTWARE DEVELOPERS; SOFTWARE REQUIREMENTS; SPECIFIC REQUIREMENTS; TECHNICAL CAPABILITIES;

LAWS AND LEGISLATION;

EID: 57849159727     PISSN: 01674048     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.cose.2008.08.001     Document Type: Article

References (40)

1. Antón A.I., Carter R.A., Dagnino A., Dempster J.H., and Siege D.F. Deriving goals from a use case based requirements specification. Requirements Engineering Journal 6 (May 2001) 63-73 Springer-Verlag
2. Antón A.I., Earp J.B., Bolchini D., He Q., Jensen C., and Stufflebeam W. The lack of clarity in financial privacy policies and the need for standardization. IEEE Security and Privacy 2 2 (2004) 36-45
3. Antón A.I., Earp J.B., Vail M.W., Jain N., Gheen C., and Frink J.M. HIPAA's effect on web site privacy policies. IEEE Security and Privacy (2007) 45-52
4. Antón AI, Goal identification and refinement in the specification of software-based information systems. Ph.D. thesis, Georgia Institute of Technology, Atlanta, GA, USA; 1997.
5. Antón AI, McCracken WM, Potts C. Goal decomposition and scenario analysis in business process engineering. In: Advanced information systems engineering, sixth international conference, Utrecht, Netherlands; 1994. p. 94-104, 6-10.
6. Bandara A.K., Lupu E.C., Moffett J., and Russo A. A goal-based approach to policy refinement. Policies for distributed systems and network (2004), Yorktown Heights, NY, USA p. 229-39
7. Bandmann O., Dam M., and Firozabadi B.S. Constrained delegation. IEEE Symposium on Security Privacy (2002) 131-140
8. Barka E, Sandhu R, Framework for role-based delegation models. In: Sixteenth annual conference on computer security application; 2000. p. 168-76.
9. Breaux TD, Antón AI, Analyzing goal semantics for rights, permissions, and obligations. In: IEEE 13th requirements engineering conference, Paris, France; 2005. p. 177-86.
10. Breaux T.D., and Antón A.I. Analyzing regulatory rules for privacy and security requirements. Special Issue on Software Engineering for Secure Systems. IEEE Transactions on Software Engineering 34 1 (January/February 2008) 5-20
11. Breaux TD, Antón AI, Boucher K, Dorfman M, Legal requirements, compliance and practice: an industry case study in accessibility. In: Sixteenth IEEE International requirements engineering conference, Barcelona, Spain; 2008.
12. Breaux TD, Antón AI, Karat CM, Karat J, Enforceability vs. accountability in electronic policies. In: IEEE seventh workshop on policies for distributed systems and networks, London, Ontario; 2006a. p. 227-30.
13. Breaux TD, Vail MW, Anton AI, Towards compliance: extracting rights and obligations to align requirements and regulations. In: IEEE 14th international conference requirements engineering; 2006b. p. 49-58.
14. Buchholz F., and Spafford E.H. On the role of file system metadata in digital forensics. Digital Investigation 1 4 (2004) 298-309
15. Damianou N, Dulay N, Lupu E, Sloman M, The ponder policy language. In: Proceedings of the international workshop on policies for distributed systems and networks, Bristol, UK; 2001. p. 29-31.
16. Damian D, Lanubile F, Mallardo T, The role of asynchronous discussions in increasing the effectiveness of remote synchronous requirements negotiations. In: International conference on software engineering, Shanghai, China; 2006. p. 917-20.
17. Darimont R, Delor E, Massonet P, van Lamsweerde A, GRAIL/KAOS: an environment for goal-driven requirements engineering. In: IEEE 19th international conference on software engineering, Boston, MA; 2005. p. 612-13.
18. Dardenne A., van Lamsweerde A., and Fickas S. Goal-directed requirements acquisition. Science of Computer Programming 20 (1993) 3-50
19. Dulay N, Lupu E, Sloman M, Damianou N, A policy deployment model for the ponder language. In: IEEE/IFIP intetnational symposium on integrated network management. Seattle, WA, USA; 2001. p. 529-43.
20. Dömges R., and Pohl K. Adapting traceability environments to project-specific needs. Communications of the ACM 41 12 (December 1998) 54-62
21. Ernst, Young. In: Tenth annual global information security survey: achieving a balance of risk and performance; 2007.
22. In: Garner B.A. (Ed). Blacks law dictionary. 8th ed. (2004), Thompson West, St. Paul, Minnesota
23. Giorgini P, Massacci F, Mylopoulos J, Zannone N. Modeling security requirements through ownership, permission and delegation. In: Thirteenth IEEE international conference on requirements engineering, Paris, France; 2005. p. 167-76.
24. ISO/IEC 15408:2005, Information technology - security techniques - evaluation criteria for IT security; 2005.
25. ISO/IEC 9001:2000, Quality management systems - requirements; 2005.
26. Jackson D. Alloy: a lightweight object modeling notation. ACM Transactions on Software Engineering and Methodology 11 2 (2002) 256-290
27. Kim G., and Spafford E.H. The design and implementation of tripwire: a file system integrity checker. Second ACM conference on computer and communications security (1994), ACM Press
28. Minksy N.H., and Ungureanu V. Law-governed interaction: a coordination and control mechanism for heterogeneous distributed systems. ACM Transactions on Software Engineering and Methodology 9 3 (2000) 273-305
29. Moffett JD, Requirements and policies. In: Workshop on policies for distributed systems and networks, Bristol, UK; 1999.
30. Moffett JD, Sloman MS, The representation of policies as system objects. In: Conference on Organisational Computer Systems, Atlanta, Georgia, USA; 1991. p. 171-184.
31. Oh S, Sandhu R, Role administration: a model for role administration using organization structure. In: Seventh ACM symposium on access control models and technology, Monterey, CA, USA; 2002. p. 155-62.
32. Park J.S., Costello K.P., Neven T.M., and Diosomito J.A. A composite RBAC approach for large, complex organizations. Ninth ACM symposium on access control models and technologies (2004), Yorktown Heights, NY, USA p. 163-72
33. ABC usage control model. ACM Transactions on information and system security 7 1 (2004) 128-174
34. Rees J., Bandyopadhyay S., and Spafford E.H. PFIRES: a policy framework for information security. Communications of the ACM 46 7 (2003) 101-106
35. Ramesh B. Factors influencing requirements traceability practice. Communications of the ACM 41 12 (December 1998) 37-44
36. Spafford E.H., and Antón A.I. The balance of privacy and security. In: Lee Kleinman D. (Ed). Science and technology in society: from biotechnology to the internet (2007), Blackwell Publishing
37. U.K. Office of Government Commerce. Information technology infrastructure library, version 3 vols. 1-5 (2007), The Stationary Office, Ltd., United Kingdom
38. 45 CFR Part 160, Part 164 Subpart E. U.S. Office of Civil Rights. Standards for privacy of individually identifiable health information. Federal Register 68 34 (Feb. 20, 2003) 8334-8381
39. 45 CFR Part 164, Subpart C. U.S. Office of Civil Rights. Standards for the protection of electronic protected health information. Federal Register 68 34 (Feb. 20, 2003) 8334-8381
40. U.S. National Institute of Standards and Measures. An introduction to computer security: the NIST security handbook (1995), NIST SP-800-12, Gaithersburg, MD, USA