Compliance Engineering: Aligning Software Requirements with Policies and Government Regulations

As information is increasingly managed electronically, policies and government regulations intended to protect personal privacy are increasing the requirements complexity of software systems. These regulations and policies are frequently developed by lawyers and domain experts – not engineers – resulting in complex and ambiguous legal language. To ensure software complies with the law, software developers face the perilous challenge of distilling regulations into implementable software requirements. Furthermore, because regulations describe business processes and not individual software systems, auditors, managers and developers are faced with a daunting traceability quagmire when aligning regulations, business practices and requirements across an organization. To address these two challenges, I propose a framework that includes a methodology to distill regulations into stakeholder rights and obligations and a formal model to align rights and obligations with requirements. The methodology includes techniques to systematically reduce complexity, identify ambiguities and infer implied rights and obligations to improve requirements coverage. The model employs delegation and ownership to track the refinement of rights and obligations into implementable requirements across an organization. The framework will enable auditors to certify that delegation and refinement decisions that result in requirements comply with the intent of the law; thus transferring liability from software validation to software verification.