Evaluating existing security and privacy requirements for legal compliance

Authors:
Aaron K. Massey;Paul N. Otto;Lauren J. Hayward;Annie I. Antón
Affiliations:
North Carolina State University, Department of Computer Science, Raleigh, NC, USA;North Carolina State University, Department of Computer Science, Raleigh, NC, USA and Duke University, School of Law, Durham, NC, USA;North Carolina State University, Department of Computer Science, Raleigh, NC, USA;North Carolina State University, Department of Computer Science, Raleigh, NC, USA
Venue:
Requirements Engineering - Special Issue on RE'09: Security Requirements Engineering; Guest Editors: Eric Dubois and Haralambos Mouratidis
Year:
2010

Citing 0
Cited 8

Checking Existing Requirements for Compliance with Law Using a Production Rule Model

RELAW '09 Proceedings of the 2009 Second International Workshop on Requirements Engineering and Law
Prioritizing Legal Requirements

RELAW '09 Proceedings of the 2009 Second International Workshop on Requirements Engineering and Law
The production rule framework: developing a canonical set of software requirements for compliance with law

Proceedings of the 1st ACM International Health Informatics Symposium
Evaluating access control of open source electronic health record systems

Proceedings of the 3rd Workshop on Software Engineering in Health Care
Advances and Current State of the Security and Privacy in Electronic Health Records: Survey from a Social Perspective

Journal of Medical Systems
Model Based Process to Support Security and Privacy Requirements Engineering

International Journal of Secure Software Engineering
A framework to support selection of cloud providers based on security and privacy requirements

Journal of Systems and Software
Towards the design of secure and privacy-oriented information systems in the cloud: Identifying the major concepts

Computer Standards & Interfaces

Quantified Score

Hi-index	0.00

Visualization

Abstract

Governments enact laws and regulations to safeguard the security and privacy of their citizens. In response, requirements engineers must specify compliant system requirements to satisfy applicable legal security and privacy obligations. Specifying legally compliant requirements is challenging because legal texts are complex and ambiguous by nature. In this paper, we discuss our evaluation of the requirements for iTrust, an open-source Electronic Health Records system, for compliance with legal requirements governing security and privacy in the healthcare domain. We begin with an overview of the method we developed, using existing requirements engineering techniques, and then summarize our experiences in applying our method to the iTrust system. We illustrate some of the challenges that practitioners face when specifying requirements for a system that must comply with law and close with a discussion of needed future research focusing on security and privacy requirements.