A Method for Identifying Software Requirements Based on Policy Commitments

摘要

Online policy documentsȁ4;such as privacy policies, notices of privacy practices, and terms of useȁ4;describe organizationsȁ9; information practices for collecting, storing, and using consumersȁ9; personal information. Organizations need to ensure that the commitments they express in their policy documents reflect their actual business practices. This compliance is significant in the United States where the Federal Trade Commission regulates fair business practices. Therefore, the requirements engineers developing systems for organizations need to understand the policy documents in order to know the information practices with which the software must comply. The requirements engineers also must ensure that the commitments expressed in these policy documents are incorporated into the software requirements. In this paper, we present a summative case study of a commitment analysis approach. The approach was developed during a formative case study of four healthcare organizationsȁ9; policy documents. Within this approach, we obtain requirements from policy documents based on our theory of commitments, privileges, and rights. During our summative case study we applied our commitment analysis approach to eight healthcare organizationsȁ9; policy documents in order to validate the methodology. We discuss the results of the summative study, in which we found that most of the statements express organizational practices or procedures. The top seen classification conveys pledges made by the organization based on organizational practices. The second most seen classification expresses actions that the user is entitled to perform based on organizational practices.