Legal Requirements: Type 17


The cost of litigation is one of the major risks for software-for-sale, and it can be expensive for other kinds of software as well. You must make yourself aware of the laws that apply to your kind of product, and write requirements for the product to comply with these laws. Even if you are building software for use inside your own organization, be aware that laws applying to the workplace may be relevant.

Start with your company's lawyers. They have far more experience with the law than you. Here are several things that you can do to facilitate compliance:

Adjacent systems and actors are defined in Chapters 3 and 4.


  • Examine adjacent systems or actors. These are the entities that have contact with your product.

  • Consider their legal requirements and rights. For example, are any of the disabled-access laws applicable? Does the adjacent system have any rights to privacy for the data that you hold? Do you need proof of transaction? Or nondisclosure of the information your product has about the adjacent system?

  • Determine whether any laws are relevant to your product (or to the use case or the requirement). For example, are data protection, privacy laws, guarantees, consumer protection, consumer credit, or "right to information" laws applicable?

A legal requirement is written like this:

The product shall comply with the Americans with Disabilities Act.


You need help from your lawyers to know which law is applicable. The law itself may also specify its own requirements. For example, automated systems used by the pharmaceutical industry in drug development must be self-documenting. The precise form of this self-documentation varies. Nevertheless, you (or anybody writing requirements for these applications) have to understand that these legal requirements exist and write them into your specification.

You may be required, by law or by the license terms of components you incorporate, to display copyright notices, particularly if you are using other people's products. Take a moment to look at the splash screens of software running on your personal computer as an example of how this works.

Products are required by law to display warning messages if there is any danger that some dim-witted user might do the wrong thing with them. For example, a blanket made in a southeast Asian country carries this warning:

Warning: Do not use blanket as a hurricane shelter.


A label on a child's scooter reads:

This product moves when used.


Sarbanes-Oxley Act

The Sarbanes-Oxley Act (SOX; officially titled the Public Company Accounting Reform and Investor Protection Act of 2002) marks a significant change to the U.S. securities laws. This legislation was enacted following a number of large-scale corporate financial scandals involving WorldCom, Enron, Arthur Andersen, and Global Crossing. The act requires all publicly traded companies to report on the effectiveness of their internal accounting controls.

SOX has an indirect impact on the requirements activity: it makes CEOs and CFOs personally liable, with criminal penalties, for certifying financial reports that are not backed by effective internal controls. This means that there must be traceability between the source of the information and the company's financial reports. In effect, the executive needs to be able to review your product at some level (presumably not the code) to determine that it presents fair and accurate data about the financial status of the company. To satisfy this need, you may have to present your requirements to the executive. It certainly means that for all internal financial reporting, you must be able to produce the requirements.

Section 404 of SOX is the part most closely tied to IT security. It requires management to assess and report on the effectiveness of internal controls over financial reporting, thereby minimizing material weaknesses in the reporting process. In practice, that assessment covers the systems that produce the figures, so access control, change management, and audit trails for financial applications become requirements in their own right.

Other Legal Obligations

If you are reading this book in the United States, you should also be aware of the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act. The former restricts access to and disclosure of personally identifiable medical records. That is, not only must you not disclose personal medical information, but also no third party must be able to re-identify any individual from statistical data you release. Gramm-Leach-Bliley applies to financial institutions and likewise prohibits the disclosure of personal information.

In the United Kingdom, the Data Protection Act 1998 (since replaced by the Data Protection Act 2018 and the UK GDPR) prohibits using data, and this includes disclosing it, in any manner that does not comply with your organization's registration. The act prohibits most personal disclosure, but also provides for an individual's access to personal data held about them.

In all cases, we urge you to consult your organization's lawyers. After all, they are paid to give advice on matters of legal compliance.

Standards

Legal requirements are not limited to the law of the land. Some products must comply with standards. For example:

The product shall comply with our ISO 9001 certification.


Now that we have considered the content of the nonfunctional requirements, let's look at how we find them.

Mastering the Requirements Process (2nd Edition)
ISBN: 0321419499
Year: 2006
Pages: 371