Mapping Legal Requirements to IT Controls

by Travis Breaux, David Gordon, Nick Papanikolaou, Siani Pearson
Abstract:
Information technology (IT) controls are reusable system requirements that IT managers, administrators and developers use to demonstrate compliance with international standards, such as the ISO 27000 standard. As controls are reusable, they tend to cover best practice independently from what specific government laws may require. However, because considerable effort has already been invested by IT companies in linking controls to their existing systems, aligning controls with regulations can yield important savings by avoiding non-compliance or unnecessary redesign. We report the results of a case study to align legal requirements from the U.S. and India that govern healthcare systems with three popular control catalogues: the NIST 800-53, ISO/IEC 27002:2009 and the Cloud Security Alliance CCM v1.3, as well as the CCHIT EHR Certification Criteria. The contributions include a repeatable protocol for mapping controls, heuristics to explain the types of mappings that may arise, and guidance for addressing incomplete mappings.
Reference:
Mapping Legal Requirements to IT Controls (Travis Breaux, David Gordon, Nick Papanikolaou, Siani Pearson), Technical report, HP Laboratories, 2013.
Bibtex Entry:
@TECHREPORT{breaux-techrep,
  author = {Travis Breaux and David Gordon and Nick Papanikolaou and Siani Pearson},
  title = {Mapping Legal Requirements to IT Controls},
  institution = {HP Laboratories},
  year = {2013},
  type = {HP Labs Technical Report},
  number = {HPL-2013-39},
  month = {June},
  abstract = {Information technology (IT) controls are reusable system requirements
	that IT managers, administrators and developers use to demonstrate
	compliance with international standards, such as the ISO 27000 standard.
	As controls are reusable, they tend to cover best practice independently
	from what specific government laws may require. However, because
	considerable effort has already been invested by IT companies in
	linking controls to their existing systems, aligning controls with
	regulations can yield important savings by avoiding non-compliance
	or unnecessary redesign. We report the results of a case study to
	align legal requirements from the U.S. and India that govern healthcare
	systems with three popular control catalogues: the NIST 800-53, ISO/IEC
	27002:2009 and the Cloud Security Alliance CCM v1.3, as well as the
	CCHIT EHR Certification Criteria. The contributions include a repeatable
	protocol for mapping controls, heuristics to explain the types of
	mappings that may arise, and guidance for addressing incomplete mappings.},
  booktitle = {Proceedings of the Sixth International Workshop on Requirements Engineering
	and Law (RELAW)},
  owner = {nikos},
  timestamp = {2013.06.11},
  url = {../files/relaw13.pdf}
}