ABSTRACT
The cost of noncompliance, as well as lost reputation and brand damage resulting from noncompliance, makes legal compliance critical in software systems. In this paper, we present a production rule framework that software engineers can use to specify compliance requirements for software. A component of our framework is the production rule modeling methodology, which we have introduced in previous work [12, 14]. We apply the framework to check iTrust, an open source electronic medical records system, for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. We model the Security Rule using production rules and employ the model to analyze the iTrust requirements for legal compliance. Using the framework, we were able to identify 13 functional and 5 non-functional requirements that were previously overlooked using an agile-driven software engineering approach. These new requirements are critical for compliance with the Security Rule.
References
- T.J.M. Bench-Capon, G.O. Robinson, T.W. Routen, M.J. Sergot, "Logic Programming for Large Scale Applications in Law: A Formalisation of Supplementary Benefit Legislation", Proc. of the 1st ACM Intl. Conf. on Artificial Intelligence and Law, Boston, 1987, pp. 190--198.
- C. Biagioli, P. Mariani, D. Tiscornia, "Esplex: A Rule and Conceptual Model for Representing Statutes", Proc. of the 1st ACM Intl. Conf. on Artificial Intelligence and Law, Boston, 1987, pp. 240--251.
- T.D. Breaux, "Legal Requirements Acquisition for the Specification of Legally Compliant Information Systems", Ph.D. Dissertation, North Carolina State University, 2009.
- T.D. Breaux, A.I. Antón, "Analyzing Regulatory Rules for Privacy and Security Requirements", IEEE Trans. on Software Engineering, 34(1), Jan.-Feb. 2008, pp. 5--20.
- S. Ghanavati, D. Amyot, L. Peyton, "Towards a Framework for Tracking Legal Compliance in Healthcare", Proc. of the 19th Intl. Conf. on Advanced Information Systems Engineering, Trondheim, Norway, 2007, pp. 218--232.
- S. Ghanavati, D. Amyot, L. Peyton, "Compliance Analysis Based on a Goal-Oriented Requirement Language Evaluation Methodology", Proc. of the 17th IEEE Intl. Conf. on Requirements Engineering, Atlanta, 2009, pp. 133--142.
- W.N. Hohfeld, "Some Fundamental Legal Conceptions as Applied in Judicial Reasoning", The Yale Law Journal, 23(1), Nov. 1913, pp. 16--59.
- B. Krebs, "ChoicePoint Breach, Exposed 13,750 Consumer Records", The Washington Post, Oct. 19, 2009, http://voices.washingtonpost.com/securityfix/2009/10/choicepoint_breach_exposed_137.html.
- P.E. Lam, J.C. Mitchell, S. Sundaram, "A Formalization of HIPAA for a Medical Messaging System", Proc. of the 6th International Conference on Trust, Privacy & Security in Digital Business, Linz, 2009.
- A.K. Massey, P.N. Otto, A.I. Antón, "Prioritizing Legal Requirements", Proc. of the 2nd Intl. IEEE Workshop on Requirements Engineering and the Law, Atlanta, 2009.
- A.K. Massey, P.N. Otto, L.J. Hayward, and A.I. Antón, "Evaluating Existing Security and Privacy Requirements for Legal Compliance", Requirements Engineering Journal, 15(1), Mar. 2010, pp. 119--137.
- J.C. Maxwell, A.I. Antón, "Developing Production Rule Models to Aid in Acquiring Requirements from Legal Texts", Proc. of the 17th Intl. IEEE Requirements Engineering Conf., Atlanta, 2009, pp. 101--110.
- J.C. Maxwell, A.I. Antón, "Validating Existing Requirements for Compliance with Law Using a Production Rule Model", Proc. of the 2nd Intl. IEEE Workshop on Requirements Engineering and the Law, Atlanta, 2009, pp. 1--6.
- J.C. Maxwell, A.I. Antón, "A Refined Production Rule Model for Aiding in Regulatory Compliance", (in submission) IEEE Trans. on Software Engineering, 2010. North Carolina State University Technical Report, TR-2010-3, 2010.
- M.J. May, C.A. Gunter, I. Lee, "Privacy APIs: Access Control Techniques to Analyze and Verify Legal Privacy Policies", 19th IEEE Computer Security Foundations Workshop, pp. 85--97, 2006.
- G. McGraw, Software Security: Building Security In, Addison-Wesley, 2006.
- J. Mylopoulos, L. Chung, B. Nixon, "Representing and Using Nonfunctional Requirements: A Process-Oriented Approach", IEEE Trans. on Software Engineering, 18(6), Jun. 1992, pp. 483--497.
- P.N. Otto, A.I. Antón, D.L. Baumer, "The Choicepoint Dilemma: How Data Brokers Should Handle the Privacy of Personal Information", IEEE Security and Privacy, 5(5), Sep.-Oct. 2007, pp. 15--23.
- N.P. Padhy, Artificial Intelligence and Intelligent Systems, Oxford University Press, 2005.
- M.J. Sergot, A.S. Kamble, K.K. Bajaj, "Indian Central Civil Service Pension Rules: A Case Study in Logic Programming Applied to Regulations", Proc. of the 3rd ACM Intl. Conf. on Artificial Intelligence and Law, Oxford, 1991, pp. 118--127.
- M.J. Sergot, F. Sadri, A. Kowalski, F. Kriwaczek, P. Hammond, H.T. Cory, "The British Nationality Act as a Logic Program", Comm. of the ACM, 29(5), May 1986, pp. 370--386.
- D.M. Sherman, "A Prolog Model of the Income Tax Act of Canada", Proc. of the 1st ACM Intl. Conf. on Artificial Intelligence and Law, Boston, 1987, pp. 127--136.
- A. Siena, A. Perini, A. Susi, J. J. Mylopoulos, "A Meta-Model for Modelling Law-Compliant Requirements", Proc. of the 2nd Intl. Workshop on Requirements and Law, Atlanta, 2009.
- G. Sindre, A.L. Opdahl, "Eliciting security requirements by misuse cases", Proc. of the 37th Intl. Conf. on Technology of Object-Oriented Languages and Systems, 2000, pp. 120--131.
- I. Sommerville, Software Engineering, Pearson Education, 2004, 7th ed.
- L. Sterling, and E. Shapiro, The Art of Prolog: Advanced Programming Techniques, MIT Press, 1994, 2nd ed.
- A.D. Toro, B.B. Jimenez, A.R. Cortes, M.T. Bonilla, "A Requirements Elicitation Approach Based in Templates and Patterns", Proc. of the 2nd Latin America Workshop on Requirements Engineering, Buenos Aires, 1999.
- R.K. Yin, Case Study Research: Design and Methods, in Applied Social Research Methods Series, Vol. 5, 2003, 3rd ed.
- J.D. Young, "Commitment Analysis to Operationalize Software Requirements from Privacy Notices," (in press) Requirements Engineering Journal, 2010.
- J.D. Young and Annie I. Antón, "A Method for Identifying Software Requirements Based on Policy Commitments," (in press) 18th International IEEE Requirements Engineering Conference, 2010.