@article{BAS_COSE08,
 author = {Travis D. Breaux and Annie I. Ant'{o}n and Eugene H. Spafford},
 affiliation = {North Carolina State University},
 title = {A Distributed Requirements Management Framework for Compliance and Accountability},
 year = {2008},
 month = {},
 journal = {Computers and Security},
 volume = {},
 number = {},
 publisher = {Elsevier},
 address = {New York, New York},
 abstract = {Increasingly, regulations are requiring organizations to comply with the law and account for their actions. Individuals responsible for ensuring compliance and accountability currently lack sufficient guidance and support to manage their legal obligations within relevant information systems. Software controls provide assurances that business processes adhere to specific requirements, such as those derived from government regulations. We propose a requirements management framework that enables executives, business managers, software developers and auditors to distribute legal obligations across business units and/or personnel with different roles and technical capabilities. This framework improves accountability by integrating traceability throughout the policy and requirements lifecycle. We illustrate the framework within the context of a concrete healthcare scenario in which obligations incurred from the Health Insurance Portability and Accountability Act (HIPAA) are delegated and refined into software requirements. Additionally, we show how auditing mechanisms can be integrated into the framework and how auditors can certify that specific chains of delegation and refinement decisions comply with government regulations.},
 }