An Audit Method of Personal Data Based on Requirements Engineering

Miguel A. Martínez, Joaquín Lasheras, Ambrosio Toval, Mario Piattini

Abstract

Security analysis of computer systems studies the vulnerabilities that affect an organization from various points of view. In recent years, a growing interest in guaranteeing that the organization makes a suitable use of personal data has been identified. Furthermore, the privacy of personal data is regulated by the Law and is considered important in a number of Quality Standards. This paper presents a practical proposal to make a systematic audit of personal data protection - within the framework of CobiT audit - based on SIREN. SIREN is a method of Requirements Engineering based on standards of this discipline and requirements reuse. The requirements predefined in the SIREN catalog of Personal Data Protection (PDP), along with a method of data protection audit, based on the use of this catalog, can provide organizations with a guarantee of ensuring the privacy and the good use of personal data. The audit method proposed in this paper has been validated following the Action Research method, in a case study of a medical center, which has a high level of protection in the personal data that it handles.

References

  1. Baldwin, A., Shiu, S. Enabling shared audit data. International Journal of Information Security. Springer-Verlag. Volume 4, Number 4. pp. 263 - 276. October 2005.
  2. Baskerville, R. L. (1999) Investigating Information Systems with Action Research, Communications of the Association for Information Systems, 2.
  3. Baskerville, R. L. and Wood-Harper, A. T. (1996) A Critical Perspective on Action Research. Communications of the Association for Information Systems, 2(19).
  4. British Authority of Data Protection. http://www.informationcommissioner.gov.uk
  5. Chung L. Dealing with Security Requirements during the development of Information Systems. In: Rolland C, Bodat F. and Cauvert C. (eds). Advanced Information Systems Eng., Proc., 5th Int. Conf. CAiSE 7893. Berlin: Springer Verlag. Paris. pp. 234-251.
  6. CMMI. CAPABILITY MATURITY MODEL INTEGRATION, VERSION 1.1. Technical Report. CMU/SEI-2002-TR-028. Carnegie Mellon. Software Engineering Institute. August.
  7. CobiT. Control Objectives for Information and related Technology. Version 4.0. 2005. http://www.isaca.org/cobit.htm
  8. Directive 95/46/CE of the European Parliament and Council, dated October 24th: about People protection regarding the personal data management and the free circulation of these data. DOCE no. L281, 23/11/1995, P.0031-0050.
  9. Directive 2002/58/CE, of the European Parliament and Council, of July 12, 2002, relative to the processing of personal data and the protection of privacy in the electronic communications industry (Official Gazette of the European Union L 201 of 31.7.2002).
  10. Dowie, R., Kennedy, A. Clinical audit in NHS acute and community trusts: a comparative analysis. British Journal of Clinical Governance, Volume 6, Number 2 (2001), pp. 94-101.
  11. Duri, S., Elliott, J., Gruteser, M., Liu, X., Moskowitz, P., Perez, R., Singh, M., Tang, J. Data Protection and Data Sharing in Telematics. Mobile Networks and Applications. Volume 9, Issue 6. Pages: 693-701. December, 2004.
  12. Federal Trade Commission. Protecting America's Consumers. http://www.ftc.gov
  13. Firesmith, D. Engineering Security Requirements. Journal of Object Technology (JOT), 2(1), Swiss Federal Institute of Technology (ETH), Zurich, Switzerland, pp. 53-68, January/February 2003.
  14. Hughes, R. Is audit research? The relationships between clinical audit and social research. International Journal of Health Care Quality Assurance, Volume 18, Number 4 (April 2005), pp. 289-299.
  15. IEEE (1999). Std 830-1998 Guide to Software Requirements Specifications (ANSI). In Volume 4: Resource and Technique Standards The Institute of Electrical and Electronics Engineers, Inc. IEEE Software Engineering Standards Collection.
  16. IEEE (1999). Std 1233-1998 Guide for Developing System Requirements Specifications. In Volume 1: Customer and Terminology Standards The Institute of Electrical and Electronics Engineers, Inc. IEEE Software Engineering Standards Collection.
  17. ISACA. Information Systems Audit and Control Association. http://www.isaca.org/
  18. Italy Authority of Data Protection. http://www.garanteprivacy.it/garante/navig/jsp/index.jsp
  19. Kenny, S. Assuring Data Privacy Compliance. Information Systems Control Journal, Volume 4, 2004.
  20. Lusignan, S., Chan, T., Theadom, A., Dhoul, N. (2006) The roles of policy and professionalism in the protection of processed clinical data: A literature review. International Journal of Medical Informatics.
  21. Massacci, F., Prest, M., Zannone, N. Using a security requirements engineering methodology in practice: The compliance with the Italian data protection legislation. Computer Standards & Interfaces 27 (2005) 445-455.
  22. Regulation (EC) Nº 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data.
  23. Rindfleisch, T. Privacy, Information Technology, and Health Care. Communications of the ACM. Volume 40, Issue 8. Pages: 92-100. August, 1997.
  24. Sandhu, R., Samarati, P. Authentication. Access Control and Audit. ACM Computing Surveys (CSUR). Volume 28, Issue 1. Pages: 241-243. March, 1996. ISBN: 0360-0300.
  25. Smith, S. W. and Spafford, E. H. (2004) Grand Challenges in Information Security: Process and Output, IEEE Security & Privacy, 2, 69-71.
  26. Spanish Agency of Data Protection. http://www.agpd.es
  27. Spanish Constitutional Law 15/1999, December 13th, on Personal Data Protection. BOE no. 298, 14/12/1999 (In Spanish).
  28. Spanish Royal Decree 994/1999, June 11th, by means of which the Security Measures Regulations of Automated Files which contain personal data is approved. BOE no. 151, 25/06/1999, page 24241 (In Spanish).
  29. Toval, A., Nicolás, J., Moros, B., Baidez, F. Requirements Reuse for Improving Information Systems Security: A Practitioner's Approach. Requirements Engineering Journal (2002) 6:205-219.
  30. Toval, A., Olmos, A., Piattini, M. Legal Requirements Reuse: A Critical Success Factor for Requirements Quality and Personal Data Protection. Proceedings of the IEEE Joint International Conference on Requirements Engineering (ICRE'02 and RE'02), pp: 9-13, September 2002.
  31. Van der Haak, M., Wolff, A., Brandner, R., Drings, P., Wannenmacher, M., Wetter, Th. Data security and protection in cross-institutional electronic patient records. International Journal of Medical Informatics (2003) 70, 117-130.
Download


Paper Citation


in Harvard Style

A. Martínez M., Lasheras J., Toval A. and Piattini M. (2006). An Audit Method of Personal Data Based on Requirements Engineering . In Proceedings of the 4th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2006) ISBN 978-972-8865-52-8, pages 217-231. DOI: 10.5220/0002500502170231


in Bibtex Style

@conference{wosis06,
author={Miguel A. Martínez and Joaquín Lasheras and Ambrosio Toval and Mario Piattini},
title={An Audit Method of Personal Data Based on Requirements Engineering},
booktitle={Proceedings of the 4th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2006)},
year={2006},
pages={217-231},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002500502170231},
isbn={978-972-8865-52-8},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 4th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2006)
TI - An Audit Method of Personal Data Based on Requirements Engineering
SN - 978-972-8865-52-8
AU - A. Martínez M.
AU - Lasheras J.
AU - Toval A.
AU - Piattini M.
PY - 2006
SP - 217
EP - 231
DO - 10.5220/0002500502170231