A distributed requirements management framework for legal compliance and accountability

Increasingly, new regulations are governing organizations and their information systems. Individuals responsible for ensuring legal compliance and accountability currently lack sufficient guidance and support to manage their legal obligations within relevant information systems. While software contr...

Full description

Saved in:
Bibliographic Details
Published in:Computers & security 2009-02, Vol.28 (1), p.8-17
Main Authors: Breaux, Travis D., Antón, Annie I., Spafford, Eugene H.
Format: Article
Language:English
Subjects:
Accountability
Compliance
Health Insurance Portability & Accountability Act 1996-US
Information systems
Obligations
Policy
regulation
Requirements
Requirements engineering
Studies
Citations: Items that this one cites
Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Increasingly, new regulations are governing organizations and their information systems. Individuals responsible for ensuring legal compliance and accountability currently lack sufficient guidance and support to manage their legal obligations within relevant information systems. While software controls provide assurances that business processes adhere to specific requirements, such as those derived from government regulations, there is little support to manage these requirements and their relationships to various policies and regulations. We propose a requirements management framework that enables executives, business managers, software developers and auditors to distribute legal obligations across business units and/or personnel with different roles and technical capabilities. This framework improves accountability by integrating traceability throughout the policy and requirements lifecycle. We illustrate the framework within the context of a concrete healthcare scenario in which obligations incurred from the Health Insurance Portability and Accountability Act (HIPAA) are delegated and refined into software requirements. Additionally, we show how auditing mechanisms can be integrated into the framework and how auditors can certify that specific chains of delegation and refinement decisions comply with government regulations.
ISSN:0167-4048
1872-6208
DOI:10.1016/j.cose.2008.08.001