Title :
Mapping legal requirements to IT controls
Author :
Breaux, Travis D. ; Gordon, David G. ; Papanikolaou, N. ; Pearson, Siani
Author_Institution :
Inst. for Software Res., Carnegie Mellon Univ., Pittsburgh, PA, USA
Abstract :
Information technology (IT) controls are reusable system requirements that IT managers, administrators and developers use to demonstrate compliance with international standards, such as the ISO 27000 standard. Because controls are reusable, they tend to cover best practice independently of what specific government laws require. However, because IT companies have already invested considerable effort in linking controls to their existing systems, aligning controls with regulations can yield important savings by avoiding noncompliance or unnecessary redesign. We report the results of a case study that aligns legal requirements from the U.S. and India governing healthcare systems with three popular control catalogues: NIST 800-53, ISO/IEC 27002:2009 and the Cloud Security Alliance CCM v1.3. The contributions include a repeatable protocol for mapping controls, heuristics that explain the types of mappings that may arise, and guidance for addressing incomplete mappings.
Keywords :
IEC standards; ISO standards; law; Cloud Security Alliance CCM v1.3; ISO 27000 standard; ISO-IEC 27002:2009; IT administrators; IT controls; IT developers; IT managers; NIST 800-53; healthcare systems; information technology controls; international standards; mapping legal requirements; repeatable protocol; reusable system requirements; specific government laws; NIST; Process control; Security; CCM; HIPAA; ISO 27002; healthcare requirements; privacy requirements; requirements engineering
Conference_Title :
Requirements Engineering and Law (RELAW), 2013 Sixth International Workshop on
Conference_Location :
Rio de Janeiro
DOI :
10.1109/RELAW.2013.6671341