An Audit Method of Personal Data Based on
Requirements Engineering
1
Miguel A. Martínez
1
, Joaquín Lasheras
1
, Ambrosio Toval
1
, Mario Piattini
2
1
Grupo de Investigación de Ingeniería del Software. Dep. Informática y Sistemas.
University of Murcia. Campus de Espinardo. 30071. Murcia. Spain.
2
ALARCOS Research Group. Information Systems and Technologies Department.
UCLM-Soluziona Research and Development Institute. University of Castilla-La Mancha.
Paseo de la Universidad, 4 - 13071. Ciudad Real. Spain.
Abstract. Security analysis of computer systems studies the vulnerabilities that
affect an organization from various points of view. In recent years, a growing
interest in guaranteeing that the organization makes a suitable use of personal
data has been identified. Furthermore, the privacy of personal data is regulated
by the Law and is considered important in a number of Quality Standards. This
paper presents a practical proposal to make a systematic audit of personal data
protection - within the framework of CobiT audit - based on SIREN. SIREN is
a method of Requirements Engineering based on standards of this discipline and
requirements reuse. The requirements predefined in the SIREN catalog of
Personal Data Protection (PDP), along with a method of data protection audit,
based on the use of this catalog, can provide organizations with a guarantee of
ensuring the privacy and the good use of personal data. The audit method
proposed in this paper has been validated following the Action Research
method, in a case study of a medical center, which has a high level of protection
in the personal data that it handles.
1 Introduction
Information Systems (IS) audit has become increasingly more common in recent
years, in order to analyze and to evaluate the planning, control, effectiveness, security,
economy and adjustment of the computer infrastructure of the company.
A security audit according to ISO 7498-2:1989 (Information Processing Systems -
Open Systems Interconnection - Basic Reference Model) is: "An independent review
and examination of system records and operations in order to test for adequacy of
1
Partially financed by the Spanish Ministry of Science and Technology, project PRESSURE
(PREcise Software modelS and reqUirements ReusE), TIC2003-07804-C05-05 and by the
Junta de Castilla-La Mancha (Spain), project DESERT (DEveloping Secure systEms through
Requirements and Tools), PBC-05-012-3, and the the RETISTIC network (TIC2002-12487-
E) financed by the “Dirección General de Investigación” of the Spanish Ministry of Science
and Education.
A. Mart
´
ınez M., Lasheras J., Toval A. and Piattini M. (2006).
An Audit Method of Personal Data Based on Requirements Engineering.
In Proceedings of the 4th International Workshop on Security in Information Systems, pages 217-231
Copyright
c
SciTePress
system controls, to ensure compliance with established policy and operational
procedures, to detect breaches in security, and to recommend any indicated changes in
control, policy, and procedures”.
A security audit can include many aspects, such as the level of protection of the
facilities or the people. In this paper, however, we focus on the security related to data
and information (privacy) of a personal nature, within the framework of the Spanish
Personal Data Privacy Law [32, 33], which is an adaptation of the EU Legislation [8].
This law has been similarly adapted by other European countries, for example in Italy
the law that regulates the personal data protection is the Italian Law No. 196, of 30th
June 2003 [18], and in the UK, it is the Data Protection Act of 24th October 1998 [4].
In the US, the approach is "sectorial" and has as source a mixture of legislation,
regulation and self-regulation. Privacy rights of information have been granted in a
variety of sectorial laws, as for example, The Privacy Act of 1974, the Fair Credit
Reporting Act of 1970, or the Electronic Communications Privacy Act of 1986. In the
US, there is no national authority of data protection. The Department of Commerce of
the USA (Federal Trade Commission [12]) is in charge of regulating personal data
transfer from the European Union to the US.
Within the scope of the electronic communications, privacy is defined as the right
to keep our personal data and communications secret [19]. At the moment, even in
existing laws that regulate this aspect, we found a serious threat to privacy, which is
why it is important to confront this problem.
Another aspect that emphasizes the importance of the treatment of the privacy of
information, and therefore the legal requirements and the audit process implied, is that
these requirements are considered important in Quality Standards like ISO 9001:2000
(Quality Management Systems - Requirements). Specifically, in ISO 9004:2000
(Quality Management Systems - Guidelines for performance improvements), section
5.2.3 “Statutory and Regulatory Requirements” appears: “Management should ensure
that the organization has knowledge of the statutory and regulatory requirements that
apply to its products, processes and activities and should include such requirements
as part of the quality management system”. In particular, and very recently, the US
National Science Foundation-dependent Computing Research Association (CRA,
www.cra.org) determined that the security of IS and the privacy of the end-users
constitute one of the four biggest global security-related challenges [25].
The audit method presented in this paper is based on SIREN (SImple REuse of
software requiremeNts), a general method of Requirements Engineering [29]. The
requirements management process is obligatory for organizations which seek to reach
levels 2 and 3 in CMMI [6]. SIREN is a practical approach to select and specify the
requirements of a software system based on requirements reuse and software
engineering standards [15, 16]. SIREN encompasses a spiral process model,
requirements document templates and a reusable requirements repository, which is
organized by catalogs. Currently, the only SIREN catalog related with privacy aspects
is the personal data protection one (PDP) [30].
Several studies [5] emphasize the benefits of considering security in the early
phases of the system development (in particular, phase of requirements specification
of the system). In issues specifically related to personal data protection, the inclusion
of these requirements from the first stages of the system life cycle means that the
systems are developed according to the requirements of the law from the beginning,
and not as a later addition. Thus security and productivity are improved. Likewise, the
218
reuse of these requirements helps to increase quality by detecting and correcting
errors of inconsistency and ambiguity and favoring later use in new projects [29].
We present an approach for making an audit of data protection based on the use of
a reusable requirements catalog of data protection [30] developed according to
SIREN. This research arises from the experience acquired after applying this audit
method of personal data protection at a medical center using the Action Research
methodology [2].
Our IS audit proposal, has a direct correspondence with the CobiT Framework
(Control Objectives for Information Technologies), in its latest version (2005) [7],
which is widely accepted by the international community of IS auditors and CIOs.
This proposal is expected to help fulfil those CobiT control objectives that deal
with issues of privacy, since the use of the SIREN PDP requirements catalog
facilitates identification and verification of the fulfilment of the requirements related
to these aspects.
The paper is structured as follows: in Section 2 the CobiT Framework is explained
briefly. In Section 3, the audit method proposed is described, including a section
where the SIREN method is described briefly, together with the improvements made
to the personal data protection requirements catalog. In Section 4, the phase of
practical application of our study case is described. In Section 5, some related works
are presented and compared to our proposal. Finally Section 6 shows the conclusions,
indicating the lessons learned after this application, and some further work.
2 CobiT Framework
The principal objective of the CobiT project [7] is the development of clear policies
and good practices for the security and the control of Information Technologies (IT),
with the purpose of obtaining worldwide approval and support of commercial,
governmental and professional organizations. CobiT has been developed by the
ISACA [17], the most important professional association for the regulation of the
practice of the computer audit in the world. CobiT is designed to be used by three
types of different users: Management, Users and Auditors. CobiT can be seen as a
"bucket" of 3 dimensions: Business Requirements, IT Resources and IT Processes.
Fig.1 shows this bucket where the parts related to our work are shaded.
E
f
f
e
c
t
i
v
e
n
e
s
s
E
f
f
i
c
i
e
n
c
y
C
o
n
f
i
d
e
n
t
i
a
l
i
t
y
I
n
t
e
g
r
i
t
y
A
v
a
i
l
a
b
i
l
i
t
y
C
o
m
p
l
i
a
n
c
e
R
e
l
i
a
b
i
l
i
t
y
DOMAINS
ACTIVITIES
PROCESSES
Business Requirements
I
T
R
e
s
o
u
r
c
e
s
Fig. 1. The CobiT Cube (CobiT 4.0).
219
The proposed methodology in this audit work follows the same structure and
processes proposed in CobiT, since we offer requirements documents with direct
correspondence with CobiT Control Objectives that will help the accomplishment of
the audit and also a procedure to follow, which is compatible with the CobiT process.
Our main contribution is the use of a PDP requirements catalog, elaborated according
to the method of Requirements Engineering SIREN. It helps to specify the
requirements corresponding to the control objectives related to legal aspects of
Personal Data Protection and also helps in the later verification of its fulfilment.
Corresponding to each of the 34 high level control objectives defined in CobiT,
there exists an audit guide that allows the checking of the IT processes against the 214
detailed control objectives recommended by CobiT and thus provides the
Management with confirmation of its fulfilment and/or suggestions for its
improvement.
Some correspondences between the CobiT Control Objectives and the
requirements of our SIREN PDP catalog are the following (examples of requirements
can be seen in section 4.2):
The Control Objective DS 5.3. Identity Management, is audited by verifying the
fulfilment of requirements SyRSL13, SyRSL14, SyRSL15, SyRSL16, SyRSL17,
SyRSL18, SyRSL19, SyRSL20, SRSL4, SRSL6 and SRSL9.
The Control Objective PO 2.3. Data Classification Scheme, is audited by verifying
the fulfilment of requirements SyRSL8, SyRSL21, SyRSL36, SyRSL49,
SyRSL55, SyRSL80, SyRSL81 and SyRSL82.
The Control Objective DS 11.5. Backup and restoration, is audited by verifying
the fulfilment of requirements SyRSL25, SyRSL26, SyRSL27, SyRSL28,
SyRSL29, SyRSL30, SyRSL31, SyRSL32, SyRSL33, SyRSL34, and SyRSL35.
The Control Objectives related to the data encoding (DS 5.3, DS 5.8, DS 5.11), are
audited verifying the fulfilment of requirements SRSL3, SRSL8 and SRSL11.
3 Audit Method of Personal Data Based on Requirements
Engineering
In this section we present a practical method to perform an audit of personal data on
an IS. This method is an extension of a general audit process, based on CobiT, with
the use of a requirements SIREN catalog of Personal Data Protection. In the following
two sections we show how a method of Requirements Engineering based on
reusability, as SIREN, contributes to improving the audit process (section 3.1) and to
defining the explicit phases to carry out this personal data audit (section 3.2).
3.1 SIREN: a Method of Requirements Engineering
Starting from a set of requirements which have been specified for other projects or
domains, we can improve the precision and efficiency of the requirements
specification for the current project and we can also reduce the time to elaborate this
specification. In order to explore the benefits of requirements reuse, our group has
220
proposed SIREN (SImple REuse of software requiremeNts) [30] as a practical way to
deal with requirements reuse. Specifically, we distinguish in SIREN a double process
model:
SIRENc, which considers pre-existing catalogs of reusable requirements in a
repository and obtains the requirements specification of the current project from
them.
SIRENp, which is the necessary process model for the creation of these
requirements catalogs, i.e. the reusable products.
SIREN requirements catalogs contain reusability requirements organized within a
hierarchy of requirements specification documents which is structured according to
IEEE standards [15, 16]. One of the catalogs related to this proposal is the PDP
catalog [30].
In SIREN, each requirement has a minimal and common set of attributes (i.e.
source, state, etc.). Additional attributes can be defined depending on the type of the
requirement. Requirements are organized in the catalogs by means of types. For
example, the types SRSP and SYRSP refer -respectively- to the PDP requirements
contained in the SRS (Software Requirements Specification) and SyRS (System
Requirements Specification) documents that correspond to the PDP catalog.
Additionally, other two requirements documents exist in the PDP catalog: the
Software Test Specification (STS) document and the System Test Specification
(SyTS) document.
In order to be able to validate the requirements, these must be quantified in the
SyRS and the SRS. In test specification documents (SyTS or STS) testing criteria will
be specified to ensure that the system or software fulfils the requirements specified.
This way, for each one of the requirements identified in the SyRS is necessary also
to specify how that requirement can be checked, by means of a textual description of
the process to follow. We think that the SyTS could be very useful in the PDP catalog
because the privacy policy of the organization can be defined directly from the SyTS.
This policy will include a list of questions related to the data protection, which could
be easily checked. The role of the STS document is to define when a requirement
included in the SRS is fulfilled. This document helps to study if the requirements are
fulfilled with the purpose of taking the measures to correct them and/or to verify its
degree of fulfilment.
One of the common attributes is the exclusive traceability relationship, which
means that the requirements involved in the relationships are mutually alternative. In
SIREN we also have parameterized requirements, which contain some parts that have
to be adapted to each application or system and have to be instantiated when it is
reused.
The Personal Data Protection Requirements Catalog
The PDP catalog is compatible with PDP Spanish legislation, namely the
Constitutional Law 15/1999, (LOPD) [27], the Security Measures Regulations of
Automated Files which contain personal data (RMS) [28], Directive 1995/46/CE [8],
Regulation 45/2001/CE [22] and Directive 2002/58/CE [9].
The LOPD seeks to gather the requirements for an IS to guarantee protection in
issues relating to the handling of personal data, civil rights and the fundamental rights
221
of the individual, and especially those relating to individuals’ honor and personal
privacy. On the other hand, the RMS seeks to determine the measures of a technical
and organizational kind that guarantee the confidentiality and integrity of information
in order to preserve honor, personal and familial privacy and the full exercising of
personal rights against any alteration, loss, handling or non authorized access.
Any IS that incorporates the requirements defined in this catalog will be able to
successfully meet the demands of the Spanish Legislation [32, 33] as regards the
processing of personal data, and in accordance with the level of protection demanded.
In the same way, this is applicable to any member state of the EU, since a shared base
[8, 9 and 26] for the development of its own laws is established.
Therefore, the application of the PDP catalog for a personal data audit on a certain
organization is simple, because it is sufficient to verify that the audited organization
fulfils one by one the requirements established in the PDP catalog.
The PDP catalog proposed in this work, is more powerful than traditional
checklists used to perform audits, since the information associated in form of attribute
to each requirement, provides to the auditor a more complete guide to carry out the
audit. In addition, thanks to the reusability, the catalog can be updated and revised in
a continuous way. Furthermore, by means of, traceability, requirements with a
dependency relationship can be easily tracked.
Additionally to the presented advantages of the use of PDP catalog for an auditor, a
requirements engineer who has to develop a software system that must fulfil privacy
legal requirements, will also take advantage of it, because of having gathered, in an
understandable language for him, those requirements imposed in the different laws
which regulate this matter, normally in more legal terms.
The sources used to write the present requirements of the PDP catalog, in addition
to the directives mentioned, LOPD and RMS, were the directives and regulations of
communitarian right related to electronic communication and data processing [9, 22],
and CobiT [7].
Another aspect that improves the catalog is the handling of exceptional cases,
which occur with some frequency in texts of a legislative nature. These exceptions are
reflected in the attribute exception, associated to each of the requirements of the
catalog, to ensure that the catalog is complete and self-sufficient.
The PDP catalog used for the audit presented in this work is currently composed of
150 requirements, and has 75 traceability relationships between the requirements
defined. The requirements of the catalog, in addition to the text itself, have associated
self-information (attributes with information on each requirement) which enriches the
requirement. At the moment there are 18 attributes defined, among which stand out:
source, exceptions, security level, motivation and fulfilment.
3.2 Phases of the Audit Method
The personal data audit method proposed in this paper consists of the phases
described in Fig 2. The phases are detailed as follows:
Phase 1.- Previous analysis of the company’s situation.
222
This consists of an initial interview in which it will be necessary to specify the
reach of the audit in order to draw up an initial budget. The aim is to obtain all types
of information on the handling of the data that the company uses.
Phase 2.- Activities of the audit.
Activity 2.1.- Requirements verification with initial questionnaires (checklists).
After various interviews with personnel of the organization, the auditor fills out
initial questionnaires (checklists) with questions related to security, with emphasis
on aspects of personal data protection. The auditor weighs up the value of the
answers, and draws his own conclusions.
Activity 2.2.- Requirements verification with SIREN PDP catalog. The auditor will
make verifications in the system of the audited organization to verify the fulfilment
or non fulfilment of the requirements contained in the catalog. These verifications
will be made with the support of the personnel responsible for the organization,
who, as far as possible, facilitate the task of the auditor. This verification is simple,
because it is sufficient to choose those requirements of catalog that are of
application in the audited organization and to verify one by one if they are fulfilled
or not in the IS of this organization. For example, if a high level of protection is
demanded of an organization in its data, the auditor will extract from the catalog
those requirements necessary to reach this level of protection and will verify if
these requirements are present in the organization. This extraction or filtrate of
requirements of the catalog is possible thanks to the use of the self-information that
a requirement has associated, in this case through the attribute security level.
Phase 3.- Fulfilment tests.
In this phase it has to be proved if the system is working as expected. The risk that
exists to the organization if some of the evaluated measures are not fulfilled also has
to be checked. To carry out the tests, the SyTS and STS documents of the SIREN
PDP catalog will be used, which offers the advantage that any person (just
incorporated or inexperience), could make the tests in a simple and systematic way.
For example, for a requirement of the SyRS which specifies the system performance
when it is performing a concrete operation, the test requirement, included in the SyTS
document, that check it, has the following textual description: "the person in charge of
security of the organization will execute [Number of applications simultaneously] in
[Number of computers], and will observe the behaviour of the system, measuring the
used time to execute all these applications".
Phase 4.- Preparation and writing of the final report.
The function of the audit will be exclusively in writing. Therefore, the writing of
the report must be the final item, as a result of the evaluation made.
223
Fig. 2. Phases of the Audit Method of Personal Data.
The main contribution of this paper to a common audit method is centred in
Activity 2.2, where a verification of the systems of the audited organization is made,
based on reusability requirements SIREN PDP catalog [30]. Our correspondence with
the CobiT Framework is determined by the following:
Catalog SIREN (document of requirements) is compatible with CobiT documents.
Process SIREN is compatible with the process defined in CobiT.
Catalog SIREN includes requirements extracted from the LOPD (related to CobiT
control objectives) and others directly take out from CobiT, among other sources.
4 Practical Application of the Audit Method of Personal Data
Based on Requirements Engineering
The results shown in this work have been validated in a real practical case used to
define a generic personal data audit method. The use of our catalog in the personal
data audit method has been put into practice in an organization with 60 employers
approximately, within the health sector (a clinic), which is subject to a high level of
protection, according to the RMS. For the sake of confidentiality, the name of the
organization is not included. For the design of this study case we have decided to use
a qualitative investigation method in software engineering, called Action Research
(AR) [2], which is explained below.
4.1 Design of the Study Case
The application of AR implies a cyclical process where the different parts implied
participate in the investigation, which examines the existing situation (considered
224
problematic) with the aim of changing and improving it. AR is one of the few valid
approaches for studying the effects of specific alterations in development and
maintenance methodologies of systems in human organizations [3].
Using the terminology of AR the following roles and participants have been
considered in this study case:
The ‘researcher’ is the Software Engineering Research Group of the University of
Murcia.
The ‘object under research’ is the application of the PDP catalog in an audit
process in a health sector organization with a high level of protection in the files of
personal data it handles.
The ‘critical reference group’ (CRG), in other words, the one for which the
research is made because it has a problem that needs to be solved. This group is
formed by the members of the audited organization, which in this case is the
medical center. According to AR, the CRG also has to participate in the research
process, although in a less active way than the researcher.
The ‘stakeholders’ are organizations who can obtain benefits from the results of the
research, in particular, the members themselves of the CRG and, in general, other
organizations whose activity is similar to that of the audited organization.
In this research, a participative application of AR has been made, in which the
CRG puts into practice the recommendations made by the researcher, and shares its
effects and results.
4.2 Practical Application of the Audit Method
The organization object of the study has offered, since 1988, all health care services,
including therapeutic and diagnosis surgery related to different medical specialties, in
response to demands of the more than 5000 patients who visit its facilities monthly
(according to data collected from the personnel of the organization). This organization
has held the certificate of quality according to standard UNE-EN-ISO 9001:2000, for
all the clinic's activities (consultancy and medical clinic) and for all the areas
(commercial, marketing, management, etc.), since May of 2004.
Once the information obtained from the personnel of the audited organization,
through the different interviews made in Phase 1 of the audit has been analysed, Phase
2 can be completed, using two work tools:
Questionnaires. After the interview to fill out these, and a weighting of the
answers, we conclude that the organization has, at first sight, an acceptable level of
security. We can not be more precise at the moment because this is a subjective
point of view. With the next activity we will be able to be more objective.
SIREN Personal Data Protection Catalog. In order to carry out this activity, a
meeting with the personnel was held, where fulfilment, or non fulfilment, of the
requirements of the SIREN PDP catalog was reviewed individually.
The results obtained after this verification were satisfactory for both parts (audited
Organization/Research Group), with a 61% fulfilment of the requirements contained
in the catalog relative to organizations of high level of security LOPD/RMS.
225
Some examples of the fulfilment or non fulfilment of the requirements of the
catalog in the system of the audited organization are the following:
Requirement 61. High level of security: The backup copies and procedures of data
recovery will be conserved in a different place from that of the computer equipment
that handles them.
Not fulfilled. The backups are conserved in a hard non-flammable box that is in the
same location as the computer systems.
Requirement 62. High level of security: The transmission of data of a personal
nature through telecommunications networks will be made by encoding these data or
using any other mechanism that guarantees that the information is neither intelligible
to nor manipulated by third parties.
Fulfilled. This is done by means of connections encoded through Lotus Notes
clients or Remote control software (Remote Administrator).
Once the two first stages of the audit method have been completed, the appropriate
tests to verify the operation of the system were made. Finally, the Final Report was
written as result of the evaluation made.
Lastly, and after the audit, the organization will implant the solutions and proposed
security measures in our audit. It is important to emphasize that the implantation of
such measures is not part of the audit method, since a basic principle of the audits, is
that these finish with conclusions and possible solutions, but never implement
solutions themselves.
To complete the implantation of the proposed security measures after a personal
data protection audit, the following activities have to be performed:
Declaration of files to the Data Protection Agency [26], which is the Spanish
institution that oversees the fulfilment of the legislation about data protection and
controls its application.
Elaboration of the security document, which is a document that must be implanted
by the person in charge of the file in which the security norm is reflected.
In this case, the audited organization is equipped with the measures required by
law, as regards security and personal data protection, except for small deficiencies
found, and these are the only ones that the system administrators of the organization
will try to correct. In the same way, the obligatory security document for an
organization which has a high level of protection is already written up suitably, so the
measures to implant in the Medical Center are minimum.
Requirements not fulfilled in the audited system, as well as several problems that
put the security of the system at risk, have been detected:
After classifying the different files and reviewing the current declaration of the
files with personal data, a deficiency in the procedure has been detected, since
there exist data (profession, situation...) gathered through the computer application
of the medical center, which have not been reflected in the files registered in the
Data Protection Agency.
After analyzing all the contracts by which the company can transfer personal data
or communicate them for management by third parties, we have found a
226
deficiency, because it is not reflected in the security document that the data can be
transferred or be communicated to third parties. This information would have to be
reflected in a visible form.
After obtaining and reviewing the file with the list of users with access to personal
data and their level of access, some incidences of security have been detected,
since some users have authorization to access all the files of the company, when
according to their position in the organization they should not.
Another aspect to consider in this study case is the biennial audit that has to be
made to fulfil the Security Measures Regulation. This audit was made in June of 2004
in the audited organization, with the next one in 2006. In this audit, 6 smaller
deficiencies were detected. After applying our method of audit we verified that all the
deficiencies except one had been corrected.
Finally, as a consequence of the information obtained, an improvement in the
requirements PDP catalog has been obtained [30], which as we already commented,
corresponds with one of the phases of method SIREN.
5 Related Work
Some studies related to our proposal, like for example the paper by Shandu and
Samarati [24], provide an introduction to the personal data audit, emphasizing its
importance in the organizations which deal with personal character data, and in the
paper by Hughes [14], which in addition, describes the importance of the audits in the
health sector. Nevertheless, in these papers, no application to a study case appears,
nor are the specific phases of an audit process distinguished.
In the paper by Baldwin and Shiu [1] the data audit is tackled but focuses on how
the data are stored and processed in the system, and on how these data are accessed to
make the audit. Dowie and Kennedy [10] analyse the audit processes used in several
clinics of British Health Service and come to the conclusion that there is a need for
strong staff involvement during the running of the audit, as well as highlighting the
importance of following audit standards. This practice, despite its importance, is not
widely extended according to the paper. These studies underline that improvement in
quality obtained in the systems of these organizations is due to accomplishment of the
audits. A further contribution of our work is the proposal of a concrete audit method,
compatible, among others, with the CobiT Framework, which is the international
standard most widely, accepted for the accomplishment of audits.
Lusignan et al. [20] makes a revision of the state of the art about the role of the
sanitary computers systems in the protection of the clinical data. This paper includes a
table with the chronological order of the different treaties of the EU, where the
fundamental principles of the personal data protection have been developed.
Furthermore, another table with a comparison of these principles, adding to this
comparison, the general principles of the ethics in health computer systems. In this
work, therefore, the general bases of the data protection in the EU are established, and
the main international work groups of informatics applied to the medicine, focused on
the security of the treated data, are identified.
227
In the papers by van der Haak et al. [31] and of Massacci et al. [21], practical
applications of personal data protection in different European countries, as they are
Germany and Italy, respectively, are described. First of them is centred in the
identification of specific legal requirements related to the data security and data
protection of medical patients, included in electronic clinical files. It is based on the
set of laws about data protection existing in Germany. The second paper presents a
practical case of the application of a requirements engineering methodology for the
fulfilment of the Italian legislation in privacy and data protection, developed by the
University of Trento. A contribution of our work with respect to these two is the use
of a requirement PDP catalog that gathers, in an understandable language for the
requirements engineer, all the requirements related to the privacy and the personal
data protection. This PDP catalog developed has validity, carrying out light
modifications, in any country of the EU, since it is based among others on the
Directive 1995/46/CE [8] and on the Directive 2002/58/CE [9], which are the base of
the privacy laws of any European country.
Duri et al. [11] published a data privacy paper in the domain of the automotive
where privacy is understood as the people capacity to decide, when, how and what
information about themselves, is accessible to others. This paper proposes different
models from policies models of personal data privacy and offers a framework that
provides confidentiality and integrity of the data in the telematics services of
automotive industry, but does not offer a systematic method to make the audit.
In the paper by Rindfleisch [23] methods and techniques are described to protect
the personal data of the medical patients. This work is focused on making the patients
aware of the necessity of the protection of their medical data, and of how the
technology threatens the privacy of their information. This work provides advice
about protecting oneself before these threats occur, but again without following any
specific methodology. Finally, in the line of Requirements Engineering, we
emphasize the work by Firesmith [13], which provides examples and directives for
requirements engineers to specify suitably security requirement. The different types of
security requirements are identified and defined, among which privacy, security audit
and physical protection requirements are highlighted. In this work, nevertheless, no
concrete methodology is followed to specify these requirements.
In contrast with the previously described works, our paper offers, an integrated
systematic method to make an audit of personal data based on international standards
of audit (CobiT) and good practices of Software Engineering (SIREN and
international standards of Requirements Engineering) and, it is validated in a real
study case. Our work completes other current proposals in the audit area.
6 Conclusions and Further Work
The immediate benefit for an IS that includes the requirements of the PDP catalog is
that it will fulfil the LOPD and the RMS “by definition”, thus passing the biennial
audit demanded by the RMS in organizations which deal with sensitive data (health,
beliefs, economy, etc.).
228
The requirements catalog presented in this paper fulfils the Spanish Constitutional
Law 15/1999, on Personal Data Protection (LOPD). The strategy presented can be
extended to the legislation of other countries, particularly to the member states of the
EU, because these share a common source, the Directive 95/46/CE [8].
The most important conclusions of this research are the following:
1. The method defined is easy and permits an audit of data protection in organizations
which deal specially with protected data, in a systematic way.
2. With the application of the proposed method the security measures are adapted to
the standards and regulations demanded by the law in the audited organization.
3. The use of "good practices" in Software Engineering considerably facilitates the
subsequent audit work.
4. The possibility of giving precise answers (in %) on the degree of fulfilment of the
organization with respect to the requirements document is settled as a result of the
audit. Therefore, the organization can ascertain its exact situation regarding this
issue, in a quantitative and precise way.
5. In addition to the described advantages directed to the audit and independently of
the legal aspects that it helps to fulfil, the application of the catalog in the
development of IS supposes, from its outset, an effective and systematic
improvement in the security of these.
One future work is the development of a more specific requirements catalog of
Medical Records, which will not only cover the legal aspects in the LOPD but would
also bring together the obligations imposed in the General Health Law (Law
14/1986), the regulating basic Law on the autonomy of the patient and rights and
obligations as regards clinical information and documentation (Law 41/2002), the
Law of the Insurance (Law 50/1980), and the Law of Arrangement and Supervision of
Private Insurances (Law 30/1995). These Medical Records are very important
documents in those organizations dealing with issues of health, and must be
maintained with integrity over many years.
Our method also would be applicable in other standards related to the security of IS
like ISO/IEC 17799:2005 (Information Technology - Security Techniques - Code
of practice for information security management). In this case it would be useful to
carry out the control objectives for “conformity” (described in section 12 of the
standard), in particular the objective of “conformity with the legal requirements” and
the subobjective of “personal character data protection and of the privacy of the
people”.
References
1. Baldwin, A., Shiu, S. Enabling shared audit data. International Journal of Information
Security. Springer-Verlag. Volume 4, Number 4. pp. 263 – 276. October 2005.
2. Baskerville, R. L. (1999) Investigating Information Systems with Action Research,
Communications of the Association for Information Systems, 2.
3. Baskerville, R. L. and Wood-Harper, A. T. (1996) A Critical Perspective on Action
Research. Communications of the Association for Information Systems, 2(19).
4. British Authority of Data Protection. http://www.informationcommissioner.gov.uk
229
5. Chung L. Dealing with Security Requirements during the development of Information
Systems. In: Rolland C, Bodat F. and Cauvert C. (eds). Advanced Information Systems
Eng., Proc., 5th Int. Conf. CAiSE ’93. Berlin: Springer Verlag. Paris. pp. 234-251.
6. CMMI. CAPABILITY MATURITY MODEL INTEGRATION, VERSION 1.1. Technical
Report. CMU/SEI-2002-TR-028. Carnegie Mellon. Software Engineering Institute. August.
7. CobiT. Control Objectives for Information and related Technology. Version 4.0. 2005.
http://www.isaca.org/cobit.htm
8. Directive 95/46/CE of the European Parliament and Council, dated October 24th: about
People protection regarding the personal data management and the free circulation of these
data. DOCE no. L281, 23/11/1995, P.0031-0050.
9. Directive 2002/58/CE, of the European Parliament and Council, of July 12, 2002, relative to
the processing of personal data and the protection of privacy in the electronic
communications industry (Official Gazette of the European Union L 201 of 31.7.2002).
10. Dowie, R., Kennedy, A. Clinical audit in NHS acute and community trusts: a comparative
analysis. British Journal of Clinical Governance, Volume 6, Number 2 (2001), pp. 94-101.
11. Duri, S., Elliott, J., Gruteser, M., Liu, X., Moskowitz, P., Perez, R., Singh, M., Tang, J.
Data Protection and Data Sharing in Telematics. Mobile Networks and Applications.
Volume 9, Issue 6. Pages: 693-701. December, 2004.
12. Federal Trade Commission. Protecting America’s Consumers. http://www.ftc.gov
13. Firesmith, D. Engineering Security Requirements. Journal of Object Technology (JOT),
2(1), Swiss Federal Institute of Technology (ETH), Zurich, Switzerland, pp. 53-68,
January/February 2003.
14. Hughes, R. Is audit research? The relationships between clinical audit and social research.
International Journal of Health Care Quality Assurance, Volume 18, Number 4 (April
2005), pp. 289-299.
15. IEEE (1999). Std 830-1998 Guide to Software Requirements Specifications (ANSI). In
Volume 4: Resource and Technique Standards The Institute of Electrical and Electronics
Engineers, Inc. IEEE Software Engineering Standards Collection.
16. IEEE (1999). Std 1233-1998 Guide for Developing System Requirements Specifications. In
Volume 1: Customer and Terminology Standards The Institute of Electrical and Electronics
Engineers, Inc. IEEE Software Engineering Standards Collection.
17. ISACA. Information Systems Audit and Control Association. http://www.isaca.org/
18. Italy Authority of Data Protection. http://www.garanteprivacy.it/garante/navig/jsp/index.jsp
19. Kenny, S. Assuring Data Privacy Compliance. Information Systems Control Journal,
Volume 4, 2004.
20. Lusignan, S., Chan, T., Theadom, A., Dhoul, N. (2006) The roles of policy and
professionalism in the protection of processed clinical data: A literature review.
International Journal of Medical Informatics.
21. Massacci, F., Prest, M., Zannone, N. Using a security requirements engineering
methodology in practice: The compliance with the Italian data protection legislation.
Computer Standards & Interfaces 27 (2005) 445-455.
22. Regulation (EC) Nº 45/2001 of the European Parliament and of the Council of 18
December 2000 on the protection of individuals with regard to the processing of personal
data by the Community institutions and bodies and on the free movement of such data.
23. Rindfleisch, T. Privacy, Information Technology, and Health Care. Communications of the
ACM. Volume 40, Issue 8. Pages: 92-100. August, 1997.
24. Sandhu, R., Samarati, P. Authentication. Access Control and Audit. ACM Computing
Surveys (CSUR). Volume 28, Issue 1. Pages: 241-243. March, 1996. ISBN: 0360-0300.
25. Smith, S. W. and Spafford, E. H. (2004) Grand Challenges in Information Security: Process
and Output, IEEE Security & Privacy, 2, 69-71.
26. Spanish Agency of Data Protection. http://www.agpd.es
27. Spanish Constitutional Law 15/1999, December 13th, on Personal Data Protection. BOE
no. 298, 14/12/1999 (In Spanish).
230
28. Spanish Royal Decree 994/1999, June 11th, by means of which the Security Measures
Regulations of Automated Files which contain personal data is approved. BOE no. 151,
25/06/1999, page 24241 (In Spanish).
29. Toval, A., Nicolás, J., Moros, B., Baidez, F. Requirements Reuse for Improving
Information Systems Security: A Practitioner's Approach. Requirements Engineering
Journal (2002) 6:205-219.
30. Toval, A., Olmos, A., Piattini, M. Legal Requirements Reuse: A Critical Success Factor for
Requirements Quality and Personal Data Protection. Proceedings of the IEEE Joint
International Conference on Requirements Engineering (ICRE'02 and RE'02), pp: 9-13,
September 2002.
31. Van der Haak, M., Wolff, A., Brandner, R., Drings, P., Wannenmacher, M., Wetter, Th.
Data security and protection in cross-institutional electronic patient records. International
Journal of Medical Informatics (2003) 70, 117-130.
231