Architecture-based regulatory compliance argumentation

Boyan Mihaylov, Lucian Onea, Klaus Marius Hansen*

*Corresponding author for this work

Abstract

Standards and regulations are difficult to understand and to map to software, which makes compliance with them challenging to argue for both software products and development processes. This is problematic since a lack of compliance may lead to issues with security and safety, and even to economic sanctions. An increasing number of applications (for example in healthcare) are expected to have to live up to regulatory requirements in the future, which will lead to more software development projects having to deal with such requirements. We present an approach that models regulations such that compliance arguments can be made in a principled way based on architectural requirements and architectural decisions. In particular, we discuss how one can form architectural requirements that are linked to regulatory texts. We then argue for the completeness and correctness of this bi-directional link. We evaluate the approach on the migration of the telemedicine platform Net4Care to the cloud, where certain regulations (for example on privacy) must be taken into account. The approach has the potential to support simpler compliance argumentation, with the eventual promise of safer and more secure applications.

Original language: English
Journal: The Journal of Systems and Software
Volume: 119
Pages (from-to): 1-30
Number of pages: 30
ISSN: 0164-1212
DOIs
Publication status: Published - 2016

Keywords

  • Regulatory compliance
  • Software architecture
  • Software development
