Regulation compliance is getting more and more important for software systems that process and manage sensitive information. Therefore, identifying and analysing relevant legal regulations and aligning them with security requirements become necessary for the effective development of secure software systems. Nevertheless, Secure Software Engineering Modelling Languages (SSEML) use different concepts and terminology from those used in the legal domain for the description of legal regulations. This situation, together with the lack of appropriate background and knowledge of laws and regulations, introduces a challenge for software developers. In particular, it makes difficult to perform (i) the elicitation of appropriate security requirements from the relevant laws and regulations; and (ii) the correct tracing of the security requirements throughout the development stages. This paper presents a framework to support the consideration of laws and regulations during the development of secure software systems. In particular, the framework enables software developers (i) to correctly elicit security requirements from the appropriate laws and regulations; and (ii) to trace these requirements throughout the development stages in order to ensure that the design indeed supports the required laws and regulations. Our framework is based on existing work from the area of secure software engineering, and it complements this work with a novel and structured process and a well-defined method. A practical case study is employed to demonstrate the applicability of our work.

• 出版日期2011-7