
Introducing Regulatory Compliance Requirements Engineering

Chapter in: ISSE 2006 — Securing Electronic Business Processes

Abstract

A recent study by the University of California at Berkeley [Ucla03] has observed that information in e-mails and other electronic records is growing at a rate of 30% per year. Secure, efficient use of information assets makes their integration, protection, analysis, and storage in organisational systems increasingly important. Information assets are valuable, not least to the individual, and the introduction of legislative and regulatory frameworks such as the Data Protection Act acknowledges this; it is the duty of organisations to exercise Regulatory Compliance [Idc04, Fisma03, Sox02, Isgi06, Grsm06], largely understood to be a component of the organisation's information security context and of Information Lifecycle Management (ILM).

Despite the increasing number of publications in security requirements engineering (RE), little or no research has so far addressed requirements for software systems to which Regulatory Compliance applies. Although a number of security RE approaches appear to offer the potential for a solution, we argue that current approaches to security requirements are inadequate when it comes to addressing the issues organisations face as legislation and regulation change.

This position paper also argues the need for a flexible and responsive approach to system RE that properly distinguishes between security and compliance requirements and facilitates the understanding of the overall role of compliance requirements in RE. It calls attention to the potential benefits to be had from unifying the views of compliance requirements analysis from the standpoints of software RE and of organisational systems. Using Problem Frames, our research is exploring the use of conceptual tools as a foundation to model the impact of compliance requirements, and will lead to a stronger compliance RE framework that allows an organisation to engineer changes to its existing socio-technical systems and to do so in a non-disruptive manner.

References

  1. I. Alexander, "Misuse Cases," Proceedings of the International Requirements Engineering Conference (RE'02), 2002.

  2. R. Anderson, "Why Information Security is Hard - An Economic Perspective," University of Cambridge Computer Laboratory, 30 January 2001.

  3. R. Anderson, "Security Engineering: A Guide to Building Dependable Distributed Systems," John Wiley & Sons, 2001.

  4. M. Blaze et al., "Trust Management and Network Layer Security Protocols," Security Protocols Workshop, pp. 103–118, 1999.

  5. M. Blaze et al., "Decentralized Trust Management," Proc. IEEE Conference on Security and Privacy, Oakland, CA, 1996.

  6. M. Blaze et al., "The Role of Trust Management in Distributed Systems Security," Secure Internet Programming, vol. 20, pp. 185–210, 1999–2000.

  7. E. Bozaki, "IP Security Protocols," Dr. Dobb's Journal, vol. 306, pp. 42–55, 1999.

  8. J. Brier, L. Rapanotti, and J. G. Hall, "Problem based analysis of organisational change: a real-world example," International Workshop on Advances and Applications of Problem Frames, ACM, 2006.

  9. J. Caldera, "Survivability Requirements for the U.S. Health Care Industry," Master's thesis, Carnegie Mellon University, May 2003, pp. 37–45. http://www.cert.org/archive/pdf/surv-us-health-thesis.pdf

  10. FISMA - Federal Information Security Management Act. National Institute of Standards and Technology. http://csrc.nist.gov/sec-cert/

  11. D. Flynn, "Information Systems Requirements: Determination and Analysis," McGraw-Hill, 2nd edition, 1998.

  12. Government Regulations and Security Management Survey. http://www.govtech.net/magazine/channel_story.php?channel6&id=92578

  13. "Regulatory Compliance: What Role Will Technology Play?" IDC #31213, April 2004.

  14. C. E. Irvine, "Cybersecurity Considerations for Information Systems," Center for Information Systems Security Studies and Research, Department of Computer Science, Naval Postgraduate School, Monterey, CA 93943, 2003.

  15. Information Security Governance. Information Systems Audit and Control Association. http://www.isaca.org/Template.cfm?Section=Research2&Template=ITaggedPage/TaggedPageDisplay.cfm&TPLID=14&ContentID=7396

  16. M. Jackson, "Problem Frames: Analysing and Structuring Software Development Problems," Addison-Wesley, 2001. ISBN 020159627X.

  17. J. Jürjens, "Developing Secure Systems with UMLsec: From Business Processes to Implementation," VIS'2001, Computing Laboratory, University of Oxford, UK, 2001.

  18. E. Kavakli, "Goal Oriented Requirements Engineering: A Unifying Framework," Department of Cultural Technology and Communication, University of the Aegean.

  19. A. van Lamsweerde et al., "Goal-oriented Elaboration of Security Requirements," Louvain-la-Neuve, Année académique 2000–2001, 2001.

  20. A. van Lamsweerde and E. Letier, "Handling Obstacles in Goal-oriented Requirements Engineering," IEEE Transactions on Software Engineering, 26(10), 2000.

  21. A. van Lamsweerde et al., "Elaborating Security Requirements by Construction of Intentional Anti-Models," Louvain-la-Neuve, Année académique 2003–2004, 2004.

  22. J. McDermott and C. Fox, "Using Abuse Case Models for Security Requirements Analysis," Proceedings of the 15th Annual Computer Security Applications Conference, Scottsdale, AZ, 6–10 December 1999, pp. 55–64. IEEE Computer Society Press, 1999.

  23. F. Massacci, M. Prest, and N. Zannone, "Using a Security Requirements Engineering Methodology in Practice: The Compliance with the Italian Data Protection Legislation," CSI, 2005.

  24. B. A. Nuseibeh and J. D. Moffett, "A Framework for Security Requirements Engineering," Open University Security Requirements Group, 2003.

  25. L. Rapanotti, J. G. Hall, M. Jackson, and B. Nuseibeh, "Architecture-driven problem decomposition," 12th IEEE International Conference on Requirements Engineering (RE 2004), pp. 80–89. IEEE Computer Society, 2004.

  26. Rules Rules Rules. http://www.informationweek.com/story/showArticle.jhtml?article-ID=20301021&pgno=1

  27. B. Schneier, "Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code in C," Wiley.

  28. B. Schneier, "Attack Trees: Modeling Security Threats," Dr. Dobb's Journal, December 1999.

  29. G. Sindre, D. G. Firesmith, and A. L. Opdahl, "A Reuse-Based Approach to Determining Security Requirements," 2003.

  30. Sarbanes-Oxley Act of 2002. http://www.sec.gov/divisions/conpfin/faqs/soxact2002.htm

  31. How Much Information? University of California at Berkeley, 2003. http://www.sims.berkeley.edu/research/projects/how-much-info-2003/

Copyright information

© 2006 Friedr. Vieweg & Sohn Verlag | GWV-Fachverlage GmbH, Wiesbaden

About this chapter

Cite this chapter

Ali, S., Hall, J. (2006). Introducing Regulatory Compliance Requirements Engineering. In: ISSE 2006 — Securing Electronic Business Processes. Vieweg. https://doi.org/10.1007/978-3-8348-9195-2_47

  • DOI: https://doi.org/10.1007/978-3-8348-9195-2_47

  • Publisher Name: Vieweg

  • Print ISBN: 978-3-8348-0213-2

  • Online ISBN: 978-3-8348-9195-2

  • eBook Packages: Computer Science
