Special Issue—Security Requirements Engineering

Requirements Engineering, Volume 15, Issue 1, pp 119-137

Evaluating existing security and privacy requirements for legal compliance

  • Aaron K. Massey (Department of Computer Science, North Carolina State University; email author)
  • Paul N. Otto (Department of Computer Science, North Carolina State University; School of Law, Duke University)
  • Lauren J. Hayward (Department of Computer Science, North Carolina State University)
  • Annie I. Antón (Department of Computer Science, North Carolina State University)

Abstract

Governments enact laws and regulations to safeguard the security and privacy of their citizens. In response, requirements engineers must specify compliant system requirements to satisfy applicable legal security and privacy obligations. Specifying legally compliant requirements is challenging because legal texts are complex and ambiguous by nature. In this paper, we discuss our evaluation of the requirements for iTrust, an open-source Electronic Health Records system, for compliance with legal requirements governing security and privacy in the healthcare domain. We begin with an overview of the method we developed, using existing requirements engineering techniques, and then summarize our experiences in applying our method to the iTrust system. We illustrate some of the challenges that practitioners face when specifying requirements for a system that must comply with law and close with a discussion of needed future research focusing on security and privacy requirements.

Keywords

Security requirements, Privacy requirements, Legal compliance, Refactoring requirements