How to capture, model, and verify the knowledge of legal, security, and privacy experts: a pattern-based approach
Source
International Conference on Artificial Intelligence and Law
Proceedings of the 11th international conference on Artificial intelligence and law
Stanford, California
SESSION: Modelling aspects of law
Pages: 149-153
Year of Publication: 2007
ISBN: 978-1-59593-680-6
Authors
Luca Compagna  SAP Research
Paul El Khoury  SAP Research
Fabio Massacci  University of Trento
Reshma Thomas  University of Leuven
Nicola Zannone  University of Trento
Sponsor
International Association for Artificial Intelligence and Law
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 11,   Downloads (12 Months): 130,   Citation Count: 2
DOI: http://doi.acm.org/10.1145/1276318.1276346

ABSTRACT

Laws set requirements that force organizations to assess the security and privacy of their IT systems and impose the adoption of the implementation of minimal precautionary security measures. Several frameworks have been proposed to deal with this issue. For instance, purpose-based access control is normally considered a good solution for meeting the requirements of privacy legislation. Yet, understanding why, how, and when such solutions to security and privacy problems have to be deployed is often unanswered.

In this paper, we look at the problem from a broader perspective, accounting for legal and organizational issues. Security engineers and legal experts should be able to start from the organizational model and derive from there the points where security and privacy problems may arise and determine which solutions best fit the (legal) problems that they face. In particular, we investigate the methodology needed to capture security and privacy requirements for a Health Care Centre using a smart items infrastructure.


