Luca Compagna
ABSTRACT
Laws set requirements that force organizations to assess the security and privacy of their IT systems and impose the adoption of the implementation of minimal precautionary security measures. Several frameworks have been proposed to deal with thii issue. For instance, purpose-based access control is normally considered a good solution for meeting the requirements of privacy legislation. Yet, understanding why, how, and when such solutions to security and privacy problems have to be deployed is often unanswered.
In this paper, we look at the problem from a broader perspective, accounting for legal and organizational issues. Security engineers and legal experts should be able to start from the organizational model and derive from there the points where security and privacy problems may arise and determine which solutions best fit the (legal) problems that they face. In particular, we investigate the methodology needed to capture security and privacy requirements for a Health Care Centre using a smart items infrastructure.
- T. J. M. Bench-Capon, G. O. Robinson, T. W. Routen, and M. J. Sergot. Logic programming for large scale applications in law: A formalisation of supplementary benefit legislation. In Proc. of ICAIL'87, pages 190--198. ACM Press, 1987. Google Scholar
Digital Library
- T. J. M. Bench-Capon and G. Sartor. A model of legal reasoning with cases incorporating theories and values. Artif. Intell., 150(1--2):97--143, 2003. Google ScholarDigital Library
- K. D. M. and E. M. C. Final technical report: Security patterns for web application development. Technical report, 2002. Available at http://www.scrypt.net/Google Scholar
- E. Fernandez and R. Pan. A Pattern Language for Security Models. In In Proc. of PLoP'01, 2001.Google Scholar
- E. Gamma, R. Helm, R. Johnson, and J. Vlissides. Design patterns: Elements of Reusable Object-Oriented Software. Addison-Wesley, 1994. Google ScholarDigital Library
- P. Giorgini, F. Massacci, and N. Zannone. Security and Trust Requirements Engineering. In FOSAD 2004/2005, LNCS 3655, pages 237--272. Springer-Verlag, 2005. Google ScholarDigital Library
- ISO. Quality Management Systems: Requirements. ISO 9001:2000, 2000.Google Scholar
- S. Kanger. Law and logic. Theoria, 38(3):105--132, 1972.Google ScholarCross Ref
- S. Konrad, B. H. C. Cheng, L. A. Campbell, and R. Wassermann. Using security patterns to model and analyze security requirements. In Proc. of RHAS'03. IEEE Press, 2003.Google Scholar
- R. A. Kowalski and M. J. Sergot. Computer Representation of the Law. In Proc. of IJCAI'05, pages 1269--1270. Morgan Kaufmann, 1985.Google Scholar
- L. Lamport. How to write a long formula. Formal Aspects of Comp., 6(5):580--584, 1994.Google ScholarCross Ref
- F. Massacci, J. Mylopoulos, and N. Zannone. An Ontology for Secure Socio-Technical Systems. In Handbook of Ontologies for Business Interaction. The IDEA Group, 2007.Google Scholar
- H. Mouratidis, M. Weiss, and P. Giorgini. Security patterns meet agent oriented software engineering: a complementary solution for developing security information systems. In In Proc. of ER'05, 2005. Google ScholarDigital Library
- M. Schumacher. Security Engineering with Patterns: Origins, Theoretical Models, and New Applications. Springer-Verlag, 2003. Google ScholarDigital Library
- J. Yoder and J. Barcalow. Architectural Patterns for Enabling Application Security. In In Proc. of PLoP'97, 1997.Google Scholar
Index Terms
- How to capture, model, and verify the knowledge of legal, security, and privacy experts: a pattern-based approach
Recommendations
How to integrate legal requirements into a requirements engineering methodology for the development of security and privacy patterns
Laws set requirements that force organizations to assess the security and privacy of their IT systems and impose them to implement minimal precautionary security measures. Several IT solutions (e.g., Privacy Enhancing Technologies, Access Control ...
Legal goal-oriented requirement language (legal GRL) for modeling regulations
MiSE 2014: Proceedings of the 6th International Workshop on Modeling in Software EngineeringEvery year, governments introduce new or revised regulations that are imposing new types of requirements on software development. Analyzing and modeling these legal requirements is time consuming, challenging and cumbersome for software and ...
Information security requirements - Interpreting the legal aspects
With information security being the focal point of business in the media and in legislatures around the world, organisations face complex requirements to comply with security and privacy standards and regulations. The escalating magnitude of national ...
Comments