Analyzing regulatory rules for privacy and security requirements
IEEE Transactions on Software Engineering, 2008
Information practices that use personal, financial, and health-related information are governed by US laws and regulations to prevent unauthorized use and disclosure. To ensure compliance under the law, the security and privacy requirements of relevant software systems must be properly aligned with these regulations. However, these regulations describe stakeholder rules, called rights and obligations, in complex and sometimes ambiguous legal language. These “rules” are often precursors to software requirements that must undergo considerable refinement and analysis before they become implementable. To support the software engineering effort to derive security requirements from regulations, we present a methodology for directly extracting access rights and obligations from regulation texts. The methodology provides statement-level coverage for an entire regulatory document to consistently identify and infer six types of data access constraints, handle complex cross references, resolve ambiguities, and assign required priorities between access rights and obligations to avoid unlawful information disclosures. We present results from applying this methodology to the entire regulation text of the US Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
Index Terms: Data security and privacy, laws and regulations, compliance, accountability, requirements engineering.
Security and Trust Requirements Engineering
2005
Integrating security concerns throughout the whole software development process is one of today's challenges in software and requirements engineering research, a challenge that so far has proved difficult to meet. The major difficulty
Semantic parameterization: A process for modeling domain descriptions
ACM Transactions on Software Engineering Methodology, 2008
Software engineers must systematically account for the broad scope of environmental behavior, including nonfunctional requirements, intended to coordinate the actions of stakeholders and software systems. The Inquiry Cycle Model (ICM) provides engineers with a strategy to acquire and refine these requirements by having domain experts answer six questions: who, what, where, when, how, and why. Goal-based requirements engineering has led to the formalization of requirements to answer the ICM questions about when, how, and why goals are achieved, maintained, or avoided. In this article, we present a systematic process called Semantic Parameterization for expressing natural language domain descriptions of goals as specifications in description logic. The formalization of goals in description logic allows engineers to automate inquiries using who, what, and where questions, completing the formalization of the ICM questions. The contributions of this approach include new theory to conceptually compare and disambiguate goal specifications that enables querying goals and organizing goals into specialization hierarchies. The artifacts in the process include a dictionary that aligns the domain lexicon with unique concepts, distinguishing between synonyms and polysemes, and several natural language patterns that aid engineers in mapping common domain descriptions to formal specifications. Semantic Parameterization has been empirically validated in three case studies on policy and regulatory descriptions that govern information systems in the finance and health-care domains.
Requirements Engineering for Trust Management: Model, Methodology, and Reasoning
3rd International i* Workshop (istar08), 2006
A number of recent proposals aim to incorporate security engineering into mainstream software engineering. Yet, capturing trust and security requirements at an organizational level, as opposed to an IT system level, and mapping these into security and trust management policies is still an open problem. This paper proposes a set of concepts founded on the notions of ownership, permission and trust and intended for requirements modeling. It also extends Tropos, an agent-oriented software engineering methodology, to support security requirements engineering. These concepts are formalized and are shown to support the automatic verification of security and trust requirements using Datalog. To make the discussion more concrete, we illustrate the proposal with a Health Care case study.
An Analysis of Web Site Privacy Policy Evolution in the Presence of HIPAA
IEEE Security &amp; Privacy, 2005
The U.S. Department of Health and Human Services' (HHS) Privacy Rule requires healthcare institutions to notify their customers about the institution's privacy practices. Privacy practices are typically posted online in the form of privacy policy documents, which are intended to help consumers develop an understanding of how their sensitive information is used. We investigate the online privacy practices of three categories of healthcare Web sites (pharmaceuticals, health insurance companies, and online drugstores) and present our analysis of 24 online privacy documents from nine institutions. Our study provides a unique perspective on the state of privacy practices before and after HIPAA's enactment, by comparing our current results to our pre-HIPAA (Health Insurance Portability and Accountability Act) study of these same institutions' privacy practices. We discuss how HIPAA's introduction has resulted in more descriptive and detailed privacy policies but has not necessarily improved the online privacy practices of these organizations. The results of this analysis may be helpful for forecasting how future legislation will affect the state of online privacy in other domains.
From Hippocratic Databases to Secure Tropos: A Computer-Aided Re-Engineering Approach
IJSEKE, 2006
this paper is to propose a re-engineering approach and algorithms for automatically extracting privacy requirements from policy statements stored in existing Hippocratic databases. These are then represented in a Requirements Engineering framework where tools are available for formal analysis. Specifically, we aim to re-model privacy concerns captured in Hippocratic databases in Secure Tropos and check for their consistency. This approach has two advantages. Firstly, it provides a representation of the enterprise privacy policy in a modeling framework where formal tools are available for model checking (see Ref. 16). Secondly, it offers a unifying view of systems built using a structured Requirements Engineering methodology such as Tropos/i* or KAOS and systems directly implemented as Hippocratic databases. Thus, different design decisions can be compared at a level suitable for the designer
Acquiring Software Compliance Artifacts from Policies and Regulations
1996
Policies and government regulations impose restrictions on information practices in healthcare and finance. These restrictions govern the use and disclosure of information that spans organizations and their business practices. To comply with policies and the law, organizations must demonstrate that they have verifiable procedures in place to implement these restrictions. To this end, we present techniques that software engineers can use to systematically acquire software artifacts from natural language policies and regulations based on our in-depth analysis of the U.S. Health Insurance Portability and Accountability Act (HIPAA). The techniques apply semantic primitives to regulatory statements to express class structures using the Z notation. From these structures, software engineers distinguish between necessary and discretionary software requirements and acquire the following software artifacts: specifications for transactions including interfaces between software and business processes; data schemas and data maintenance requirements; and event-based test cases for ensuring that systems comply with policies and regulations.
Security Attack Testing (SAT): testing the security of information systems at design time
2007
For the last few years a considerable number of efforts have been devoted to integrating security issues into information systems development practices. This has led to a number of languages, methods, methodologies and techniques for considering security issues during the developmental stages of an information system. However, these approaches mainly focus on security requirements elicitation, analysis and design issues and neglect testing. This paper presents the Security Attack Testing (SAT) approach, a novel scenario-based approach that tests the security of an information system at design time. The approach is illustrated with the aid of a real-life case study involving the development of a health and social care information system.
Using a Security Requirements Engineering Methodology in Practice: the compliance with the Italian Data Protection Legislation
this paper we present a comprehensive case study of the application of the Secure Tropos RE methodology for compliance with the Italian legislation on Privacy and Data Protection by the University of Trento, leading to the definition and analysis of an ISO-17799-like security management scheme
Legally “Reasonable” Security Requirements: A 10-year FTC Retrospective
Growth in electronic commerce has enabled businesses to reduce costs and expand markets by deploying information technology through new and existing business practices. However, government laws and regulations require businesses to employ reasonable security measures to thwart risks associated with this technology. Because many security vulnerabilities are only discovered after attacker exploitation, regulators update their interpretation of reasonable security to stay current with emerging threats. With a focus on determining what businesses must do to comply with these changing interpretations of the law, we conducted an empirical, multi-case study to discover and measure the meaning and evolution of “reasonable” security by examining 19 regulatory enforcement actions by the U.S. Federal Trade Commission (FTC) over a 10-year period. The results reveal trends in FTC enforcement actions that are institutionalizing security knowledge, as evidenced by 39 security requirements that mitigate 110 legal security vulnerabilities.