Ensuring compliance between policies, requirements and software design:: A case study

Specifying correct and complete access control policies is essential to secure data and ensure privacy in information systems. Traditionally, policy specification has not been an explicit part of the software development process. This isolation of policy specification from software development often results in policies that are not in compliance with system requirements and/or organizational security and privacy policies, leaving the system vulnerable to data breaches. This paper presents the results and lessons learned from a case study that employs the Requirements-based Access Control Analysis and Policy Specification (ReCAPS) method to specify access control policies for a web-based event registration system. The ReCAPS method aids software and security engineers in specifying access control policies derived from requirements specifications and other available sources. Our case study revealed that the ReCAPS method helps identify inconsistencies across various software artifacts, such as requirements specifcation, database design, and organizational security and privacy policies. Had these problems not been identified and resolved, they would have crippled later phases of software development, resulted in missing or incomplete system functionality, and compromised the system's security and privacy. This case study reinforces, validates, and extends our previous recommendations that access control policy specification should be an integral part of the software development process for information systems to achieve information assurance and improve the quality of the information system.