Analyzing Regulatory Rules for Privacy and Security Requirements

Information practices that use personal, financial, and health-related information are governed by US laws and regulations to prevent unauthorized use and disclosure. To ensure compliance under the law, the security and privacy requirements of the relevant software systems must be properly aligned with these regulations. However, these regulations describe stakeholder rules, called rights and obligations, in complex and sometimes ambiguous legal language. These "rules" are often precursors to software requirements that must undergo considerable refinement and analysis before they become implementable. To support the software engineering effort to derive security requirements from regulations, we present a methodology for directly extracting access rights and obligations from regulation texts. The methodology provides statement-level coverage for an entire regulatory document to consistently identify and infer six types of data access constraints, handle complex cross references, resolve ambiguities, and assign required priorities between access rights and obligations to avoid unlawful information disclosures. We present results from applying this methodology to the entire regulation text of the US Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
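As an added illustration (not code from the paper), the following Python sketch shows how extracted rights and obligations can be checked against a concrete disclosure request: an obligation to refrain takes precedence over a right to disclose, and a cross-referenced exception can switch that obligation off. The rule set, the `Rule`/`Request` types and the precedence ordering are constructed assumptions for this example, not the paper's own constraint types or actual HIPAA text.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    rule_id: str
    modality: str       # "right" (actor may act) or "refrain" (actor must not act)
    actor: str
    action: str
    data: str
    purpose: str = "*"  # "*" matches any purpose
    exceptions: tuple = ()  # ids of rules that, when applicable, override this rule (cross reference)

@dataclass(frozen=True)
class Request:
    actor: str
    action: str
    data: str
    purpose: str

# Constructed sample rules in the spirit of a privacy regulation (not actual HIPAA text).
RULES = (
    Rule("R1", "right", "covered_entity", "disclose", "phi", "treatment"),
    Rule("R2", "refrain", "covered_entity", "disclose", "psychotherapy_notes", "*", ("R3",)),
    Rule("R3", "right", "covered_entity", "disclose", "psychotherapy_notes", "patient_authorization"),
    Rule("R4", "right", "covered_entity", "disclose", "psychotherapy_notes", "treatment"),
)

def applies(rule: Rule, req: Request) -> bool:
    """A rule applies when actor, action and data match and the purpose is covered."""
    return (rule.actor == req.actor and rule.action == req.action and rule.data == req.data
            and rule.purpose in ("*", req.purpose))

def decide(rules, req: Request):
    """Return ("permit"|"deny", justifying rule id). Refrainments outrank rights (assumed ordering)."""
    by_id = {r.rule_id: r for r in rules}
    matching = [r for r in rules if applies(r, req)]
    # Resolve cross references: drop a rule if one of its exception rules also applies.
    active = [r for r in matching
              if not any(by_id[e] in matching for e in r.exceptions if e in by_id)]
    refrains = [r for r in active if r.modality == "refrain"]
    rights = [r for r in active if r.modality == "right"]
    if refrains:                      # an applicable obligation to refrain blocks the disclosure
        return ("deny", refrains[0].rule_id)
    if rights:                        # otherwise a right is needed to permit it
        return ("permit", rights[0].rule_id)
    return ("deny", "no-right")       # no right found: treat the disclosure as unlawful

if __name__ == "__main__":
    for purpose in ("treatment", "patient_authorization"):
        print(purpose, decide(RULES, Request("covered_entity", "disclose", "psychotherapy_notes", purpose)))
```

The request for psychotherapy notes for treatment is denied by R2 even though R4 grants a right, while the same request with patient authorization is permitted because R3 is the cross-referenced exception that overrides R2.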
