Towards Compliant Reference Architectures by Finding Analogies and Overlaps in Compliance Regulations

Eduardo B. Fernandez, Dereje Yimam

2015

Abstract

Business software is subject to a variety of regulations depending on the type of application. For example, software handling medical records must follow HIPAA; software for financial applications must comply with Sarbanes-Oxley, and so on. A close examination of the policies included in those regulations shows that they have analogous and common aspects. Analogous parts of regulations can be expressed as Semantic Analysis Patterns (SAPs), which can lead to building similar parts in other regulations. Overlapping parts usually correspond to security patterns and can be used to add security to other regulations. If we collect SAPs and security patterns in a catalog, we can build reference architectures (RAs) for existing and new regulations. The resultant Compliant RAs (CRAs) can be used as guidelines for building compliant applications.

Paper Citation
in Harvard Style

Fernandez, E. B. and Yimam, D. (2015). Towards Compliant Reference Architectures by Finding Analogies and Overlaps in Compliance Regulations. In Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015) ISBN 978-989-758-117-5, pages 435-440. DOI: 10.5220/0005575604350440
in Bibtex Style

@conference{secrypt15,
author={Eduardo B. Fernandez and Dereje Yimam},
title={Towards Compliant Reference Architectures by Finding Analogies and Overlaps in Compliance Regulations},
booktitle={Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015)},
year={2015},
pages={435-440},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005575604350440},
isbn={978-989-758-117-5},
}
in EndNote Style

TY - CONF
JO - Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015)
TI - Towards Compliant Reference Architectures by Finding Analogies and Overlaps in Compliance Regulations
SN - 978-989-758-117-5
AU - Fernandez, E. B.
AU - Yimam, D.
PY - 2015
SP - 435
EP - 440
DO - 10.5220/0005575604350440