摘要: Information practices that use personal, financial, and health-related information are governed by US laws regulations to prevent unauthorized disclosure. To ensure compliance under the law, security privacy requirements of relevant software systems must properly be aligned with these regulations. However, describe stakeholder rules, called rights obligations, in complex sometimes ambiguous legal language. These "rules" often precursors undergo considerable refinement analysis before they become implementable. support engineering effort derive from regulations, we present a methodology for directly extracting access obligations regulation texts. The provides statement-level coverage an entire regulatory document consistently identify infer six types data constraints, handle cross references, resolve ambiguities, assign required priorities between avoid unlawful disclosures. We results applying this text Health Insurance Portability Accountability Act (HIPAA) Privacy Rule.
computer.org
ieeecomputersociety.org
acm.org参考文章(34)
Hhs Centers for Medicare Medicaid Services (Csm), Health insurance reform: security standards. Final rule. Federal Register. ,vol. 68, pp. 8334- 8381 ,(2003)
John Francis Horty, Agency and Deontic Logic ,(2001)
Barney G. Glaser, The Discovery of Grounded Theory ,(1967)
Robin Laney, Jonathan D. Moffett, Charles B. Haley, Bashar Nuseibeh, Arguing security: validating security requirements using structured argumentation ,(2005)
R.C. Laney, J.D. Moffett, C.B. Haley, B. Nuseibeh, The effect of trust assumptions on the elaboration of security requirements ieee international conference on requirements engineering. pp. 102- 111 ,(2004) , 10.1109/RE.2004.50
A.I. Anton, Goal-based requirements analysis international conference on requirements engineering. pp. 136- 144 ,(1996) , 10.1109/ICRE.1996.491438
M.J. May, C.A. Gunter, Insup Lee, Privacy APIs: access control techniques to analyze and verify legal privacy policies ieee computer security foundations symposium. pp. 85- 97 ,(2006) , 10.1109/CSFW.2006.24
Travis D. Breaux, Annie I. Antón, Eugene H. Spafford, A distributed requirements management framework for legal compliance and accountability Computers & Security. ,vol. 28, pp. 8- 17 ,(2009) , 10.1016/J.COSE.2008.08.001
Tine Verhanneman, Frank Piessens, Bart De Win, Wouter Joosen, Requirements traceability to support evolution of access control ACM SIGSOFT Software Engineering Notes. ,vol. 30, pp. 1- 7 ,(2005) , 10.1145/1082983.1083212
John Mylopoulos, Lawrence Chung, Eric Yu, From object-oriented to goal-oriented requirements analysis Communications of The ACM. ,vol. 42, pp. 31- 37 ,(1999) , 10.1145/291469.293165