Mapping legal requirements to IT controls


Abstract

Information technology (IT) controls are reusable system requirements that IT managers, administrators and developers use to demonstrate compliance with international standards, such as the ISO 27000 standard. As controls are reusable, they tend to cover best practice independently of what specific government laws may require. However, because considerable effort has already been invested by IT companies in linking controls to their existing systems, aligning controls with regulations can yield important savings by avoiding noncompliance or unnecessary redesign. We report the results of a case study to align legal requirements from the U.S. and India that govern healthcare systems with three popular control catalogues: the NIST 800-53, ISO/IEC 27002:2009 and the Cloud Security Alliance CCM v1.3. The contributions include a repeatable protocol for mapping controls, heuristics to explain the types of mappings that may arise, and guidance for addressing incomplete mappings. © 2013 IEEE.

Citation (APA)

Breaux, T. D., Gordon, D. G., Papanikolaou, N., & Pearson, S. (2013). Mapping legal requirements to IT controls. In 2013 6th International Workshop on Requirements Engineering and Law, RELAW 2013 - Proceedings (pp. 11–20). IEEE Computer Society. https://doi.org/10.1109/RELAW.2013.6671341
