Abstract

The processing of personal data has become a prominent concern for stakeholders when selecting software or service providers to serve their needs. Different laws and legislation have been introduced to standardize and strengthen data protection policies across different countries to protect such data. Therefore, businesses and organizations responsible for managing personal data are obligated to implement the privacy and security requirements established by these laws and legislation. Different methods and tools have been provided for eliciting requirements for legally compliant software based on the relevant data protection laws and legislation. However, little has been done in assessing these methodologies on regulations outside the EU and the US. This paper aims to assess these methodologies on other information security laws and regulations beyond the General Data Protection Regulation (GDPR) and Health Insurance Portability and Accountability Act (HIPAA) by eliciting security requirements explicitly focusing on the Nigerian data protection regulation. To investigate the applicability of these methodologies, we use the extracted privacy and security requirements with information communication protocols in verifying compliance in procedural practices of products and services in the financial technology sector. The analysis reports on the completeness, consistency, and utility of the frameworks. Finally, foundational research directions for interoperable standards for eliciting software requirements from legal texts are proposed.
