DocumentCode
647255
Title
Mapping legal requirements to IT controls
Author
Breaux, Travis D. ; Gordon, David G. ; Papanikolaou, N. ; Pearson, Siani
Author_Institution
Inst. for Software Res., Carnegie Mellon Univ., Pittsburgh, PA, USA
fYear
2013
fDate
16-16 July 2013
Firstpage
11
Lastpage
20
Abstract
Information technology (IT) controls are reusable system requirements that IT managers, administrators and developers use to demonstrate compliance with international standards, such as the ISO 27000 standard. Because controls are reusable, they tend to cover best practice independently of what specific government laws may require. However, because IT companies have already invested considerable effort in linking controls to their existing systems, aligning controls with regulations can yield important savings by avoiding noncompliance or unnecessary redesign. We report the results of a case study that aligns legal requirements from the U.S. and India governing healthcare systems with three popular control catalogues: NIST 800-53, ISO/IEC 27002:2009 and the Cloud Security Alliance CCM v1.3. The contributions include a repeatable protocol for mapping controls, heuristics to explain the types of mappings that may arise, and guidance for addressing incomplete mappings.
Keywords
IEC standards; ISO standards; law; Cloud Security Alliance CCM v1.3; ISO 27000 standard; ISO-IEC 27002:2009; IT administrators; IT controls; IT developers; IT managers; NIST 800-53; healthcare systems; information technology controls; international standards; mapping legal requirements; repeatable protocol; reusable system requirements; specific government laws; Law; NIST; Process control; Security; CCM; HIPAA; ISO 27002; healthcare requirements; privacy requirements; requirements engineering
fLanguage
English
Publisher
ieee
Conference_Titel
Requirements Engineering and Law (RELAW), 2013 Sixth International Workshop on
Conference_Location
Rio de Janeiro
Type
conf
DOI
10.1109/RELAW.2013.6671341
Filename
6671341
Link To Document