A Distributed Requirements Management Framework for Compliance and Accountability

Increasingly, regulations are requiring organizations to comply with the law and account for their actions. Individuals responsible for ensuring compliance and accountability currently lack guidance and support to manage their legal obligations within relevant information systems. Software controls provide assurances that business processes adhere to specific requirements, such as those derived from government regulations. We propose a requirements management framework that enables executives, business managers, software developers and auditors to distribute legal obligations across business units and/or personnel with different roles and technical capabilities. This framework improves accountability by integrating traceability throughout the policy and requirements lifecycle. We illustrate the framework within the context of a concrete healthcare scenario in which obligations incurred from the Health Insurance Portability and Accountability Act (HIPAA) are delegated and refined into software requirements. Additionally, we show how auditing mechanisms can be integrated into the framework and how auditors can certify that specific chains of delegation and refinement decisions comply with the intent of government regulations.
