Issue No.01 - January (2008 vol.34)
Information practices that use personal, financial and health-related information are governed by U.S. laws and regulations to prevent unauthorized use and disclosure. To ensure compliance under the law, the security and privacy requirements of relevant software systems must be properly aligned with these regulations. However, these regulations describe stakeholder rules, called rights and obligations, in complex and sometimes ambiguous legal language. These "rules" are often precursors to software requirements that must undergo considerable refinement and analysis before they are implementable. To support the software engineering effort to derive security requirements from regulations, we present a methodology to extract access rights and obligations directly from regulation texts. The methodology provides statement-level coverage for an entire regulatory document to consistently identify and infer six types of data access constraints, handle complex cross-references, resolve ambiguities, and assign required priorities between access rights and obligations to avoid unlawful information disclosures. We present results from applying this methodology to the entire regulation text of the U.S. Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
Requirements/Specifications, Security and Privacy Protection, Legal Aspects of Computing
Travis Breaux, Annie Antón, "Analyzing Regulatory Rules for Privacy and Security Requirements", IEEE Transactions on Software Engineering, vol.34, no. 1, pp. 5-20, January 2008, doi:10.1109/TSE.2007.70746