Issue No.01 - January (2008 vol.34)
pp: 5-20
ABSTRACT
Information practices that use personal, financial and health-related information are governed by U.S. laws and regulations to prevent unauthorized use and disclosure. To ensure compliance under the law, the security and privacy requirements of relevant software systems must be properly aligned with these regulations. However, these regulations describe stakeholder rules, called rights and obligations, in complex and sometimes ambiguous legal language. These "rules" are often precursors to software requirements that must undergo considerable refinement and analysis before they are implementable. To support the software engineering effort to derive security requirements from regulations, we present a methodology to extract access rights and obligations directly from regulation texts. The methodology provides statement-level coverage for an entire regulatory document to consistently identify and infer six types of data access constraints, handle complex cross-references, resolve ambiguities, and assign required priorities between access rights and obligations to avoid unlawful information disclosures. We present results from applying this methodology to the entire regulation text of the U.S. Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
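The abstract above describes rights and obligations extracted from regulation text, cross-references between statements, and a required priority between the two so that a right to disclose never overrides an unmet obligation. The following is an added example, not the paper's tooling or its full methodology: a small deny-overrides evaluator in which extracted statements are modelled as rules, "subject to" cross-references inherit the referenced clause's requirements, and an applicable obligation whose requirements are not met denies the access even when a right applies. The rule ids, the data hierarchy, the fact names and the rule set are constructed for this illustration and simplify HIPAA-style statements rather than quoting the Privacy Rule.

```python
"""Deny-overrides evaluation of access rights and obligations extracted from a
regulation.  Added illustration, not the paper's own tooling: the rule set and
vocabulary below are constructed and deliberately simplified HIPAA-style
statements, not a transcription of the Privacy Rule."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed data hierarchy: a rule about "phi" also covers its sub-kinds.
DATA_PARENT = {"psychotherapy_notes": "phi"}


@dataclass(frozen=True)
class Rule:
    rule_id: str
    kind: str                  # "right" (may), "obligation" (must / must not), or
                               # "condition" (a referenced clause that only carries requirements)
    actor: str
    action: str
    data: str
    purpose: Optional[str]     # None: the statement is not purpose-specific
    requires: FrozenSet[str] = frozenset()   # facts that must hold for the rule to be satisfied
    refers_to: Tuple[str, ...] = ()          # cross-references ("subject to ...") whose
                                             # requirements this rule inherits


@dataclass
class Request:
    actor: str
    action: str
    data: str
    purpose: str
    facts: Set[str] = field(default_factory=set)   # facts established for this access


def covers(rule_data: str, req_data: Optional[str]) -> bool:
    """True if rule_data is req_data or one of its ancestors in DATA_PARENT."""
    while req_data is not None:
        if rule_data == req_data:
            return True
        req_data = DATA_PARENT.get(req_data)
    return False


def applies(rule: Rule, req: Request) -> bool:
    """Rights and obligations apply on actor/action/data/purpose; conditions never apply alone."""
    return (rule.kind in ("right", "obligation")
            and rule.actor == req.actor
            and rule.action == req.action
            and covers(rule.data, req.data)
            and rule.purpose in (None, req.purpose))


def effective_requirements(rule: Rule, index: Dict[str, Rule],
                           _seen: Optional[Set[str]] = None) -> FrozenSet[str]:
    """Requirements of a rule plus those of every rule it cross-references, transitively.
    A dangling reference raises KeyError; a reference cycle is walked only once."""
    seen = _seen if _seen is not None else set()
    if rule.rule_id in seen:
        return frozenset()
    seen.add(rule.rule_id)
    reqs = set(rule.requires)
    for ref in rule.refers_to:
        reqs |= effective_requirements(index[ref], index, seen)
    return frozenset(reqs)


def decide(rules: List[Rule], req: Request) -> Tuple[str, List[str]]:
    """Return ("permit" | "deny", rule ids explaining the decision).

    Priority: an applicable obligation whose requirements are not met denies,
    regardless of any right; otherwise a satisfied right permits; otherwise deny,
    because no statement grants the access."""
    index = {r.rule_id: r for r in rules}
    unmet_obligations = [r.rule_id for r in rules
                         if r.kind == "obligation" and applies(r, req)
                         and not effective_requirements(r, index) <= req.facts]
    if unmet_obligations:
        return "deny", unmet_obligations
    satisfied_rights = [r.rule_id for r in rules
                        if r.kind == "right" and applies(r, req)
                        and effective_requirements(r, index) <= req.facts]
    if satisfied_rights:
        return "permit", satisfied_rights
    return "deny", ["no applicable right"]


# Constructed rule set (hypothetical ids; a simplification, not the regulation's text).
RULES = [
    Rule("R-treatment", "right", "covered_entity", "disclose", "phi", "treatment"),
    Rule("R-payment", "right", "covered_entity", "disclose", "phi", "payment"),
    Rule("O-minimum-necessary", "obligation", "covered_entity", "disclose", "phi", "payment",
         requires=frozenset({"minimum_necessary_applied"})),
    Rule("O-psychotherapy-notes", "obligation", "covered_entity", "disclose",
         "psychotherapy_notes", None, requires=frozenset({"authorization_present"})),
    # A right stated "subject to" a separate clause, modelled as a cross-reference.
    Rule("R-involvement-in-care", "right", "covered_entity", "disclose", "phi",
         "involvement_in_care", refers_to=("C-opportunity-to-object",)),
    Rule("C-opportunity-to-object", "condition", "covered_entity", "disclose", "phi", None,
         requires=frozenset({"individual_did_not_object"})),
]

if __name__ == "__main__":
    for purpose, data, facts in [("treatment", "phi", set()),
                                 ("treatment", "psychotherapy_notes", set()),
                                 ("payment", "phi", {"minimum_necessary_applied"}),
                                 ("marketing", "phi", set())]:
        req = Request("covered_entity", "disclose", data, purpose, facts)
        print(purpose, data, sorted(facts), "->", decide(RULES, req))
```

The second request shows the priority the abstract refers to: the general right to disclose PHI for treatment applies to psychotherapy notes through the data hierarchy, but the unmet obligation on that more specific data type denies the disclosure until the authorization fact is present. A dangling cross-reference surfaces as a KeyError at evaluation time rather than silently dropping a requirement, which is the safer failure for a compliance check.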
INDEX TERMS
Requirements/Specifications, Security and Privacy Protection, Legal Aspects of Computing
CITATION
Travis Breaux, Annie Antón, "Analyzing Regulatory Rules for Privacy and Security Requirements", IEEE Transactions on Software Engineering, vol.34, no. 1, pp. 5-20, January 2008, doi:10.1109/TSE.2007.70746