TY - STD
TI - Amazon. Amazon web services: risk and compliance. http://media.amazonwebservices.com/AWS_Risk_and_Compliance_Whitepaper.pdf.
UR - http://media.amazonwebservices.com/AWS_Risk_and_Compliance_Whitepaper.pdf
ID - ref1
ER -

TY - STD
TI - Amazon. AWS compliance. https://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf.
UR - https://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf
ID - ref2
ER -

TY - STD
TI - Amazon Web Services. Risk and compliance. https://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf.
UR - https://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf
ID - ref3
ER -

TY - STD
TI - Avgeriou P. Describing, instantiating and evaluating a reference architecture: a case study. Enterp Archit J. 2003. Available online: http://www.rug.nl/research/portal/files/14407113/2003EnterpArchitJAvgeriou.pdf. Accessed 22 Apr 2016.
UR - http://www.rug.nl/research/portal/files/14407113/2003EnterpArchitJAvgeriou.pdf
ID - ref4
ER -

TY - STD
TI - Booch G, Rumbaugh J, Jacobson I. The unified modeling language user guide. 2nd ed. Addison-Wesley; 2005.
ID - ref5
ER -

TY - STD
TI - Brandic I, Dustdar S, Anstett T, Schumm D, Leymann F, Konrad R. Compliant Cloud Computing (C3): architecture and language support for user-driven compliance management in clouds. Proceedings of the 2010 IEEE 3rd International Conference on Cloud Computing (CLOUD '10). Miami, Florida, USA; 2010. p. 244–51.
ID - ref6
ER -

TY - JOUR
AU - Breaux, T. D.
AU - Anton, A. I.
PY - 2008
DA - 2008//
TI - Analyzing regulatory rules for privacy and security requirements
JO - IEEE Trans Soft Eng
VL - 34
UR - https://doi.org/10.1109/TSE.2007.70746
DO - 10.1109/TSE.2007.70746
ID - Breaux2008
ER -

TY - STD
TI - Buschmann F, Meunier R, Rohnert H, Sommerlad P, Stal M. Pattern-Oriented Software Architecture: A System of Patterns, vol. 1. Wiley; 1996.
ID - ref8
ER -

TY - STD
TI - Cisco. Cisco compliance solutions. http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/pci-compliance/pci-dss-30-wp.pdf. Accessed 22 Apr 2016.
UR - http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/pci-compliance/pci-dss-30-wp.pdf
ID - ref9
ER -

TY - STD
TI - Cisco. The risk management framework: building a secure and regulatory compliant trading architecture. http://www.cisco.com/web/strategy/docs/finance/risk_mgmt_C11-521656_wp.pdf.
UR - http://www.cisco.com/web/strategy/docs/finance/risk_mgmt_C11-521656_wp.pdf
ID - ref10
ER -

TY - STD
TI - COBIT. IT Governance Framework - Information Assurance Control, ISACA. http://www.isaca.org/Knowledge-Center/cobit/Pages/Overview.aspx.
UR - http://www.isaca.org/Knowledge-Center/cobit/Pages/Overview.aspx
ID - ref11
ER -

TY - STD
TI - Dasgupta D, Naseem D. Security and compliance testing strategies for cloud computing. https://umdrive.memphis.edu/g-mis/www/memphis/step/STEP2012/STEP2012Proceedings3.pdf.
UR - https://umdrive.memphis.edu/g-mis/www/memphis/step/STEP2012/STEP2012Proceedings3.pdf
ID - ref12
ER -

TY - STD
TI - Dasgupta D, Naseem D. A framework for estimating security coverage for cloud service insurance. Proceedings of the 7th Cyber-Security and Information Intelligence Research Workshop, Oak Ridge, TN, October 12-14, 2011.
ID - ref13
ER -

TY - JOUR
AU - Elgammal, A.
AU - Turetken, O.
AU - Heuvel, W.-J.
AU - Papazoglou, M.
PY - 2016
DA - 2016//
TI - Formalizing and applying compliance patterns for business process compliance
JO - J Softw Syst Model
VL - 15
UR - https://doi.org/10.1007/s10270-014-0395-3
DO - 10.1007/s10270-014-0395-3
ID - Elgammal2016
ER -

TY - STD
TI - FedRAMP. FedRAMP compliant cloud systems. https://www.fedramp.gov/resources/documents/.
UR - https://www.fedramp.gov/resources/documents/
ID - ref15
ER -

TY - STD
TI - FedRAMP. Federal Risk and Authorization Management Program (FedRAMP). https://www.fedramp.gov/resources/documents/.
UR - https://www.fedramp.gov/resources/documents/
ID - ref16
ER -

TY - STD
TI - FedRAMP. FedRAMP Third Party Assessment Organizations (3PAOs). https://www.fedramp.gov/resources/documents/.
UR - https://www.fedramp.gov/resources/documents/
ID - ref17
ER -

TY - BOOK
AU - Fernandez, E. B.
PY - 2013
DA - 2013//
TI - Security patterns in practice: building secure architectures using software patterns
ID - Fernandez2013
ER -

TY - STD
TI - Fernandez EB, Yuan X. Semantic analysis patterns. Proceedings of the 19th Int. Conf. on Conceptual Modeling, ER2000. p. 183–95.
ID - ref19
ER -

TY - STD
TI - Fernandez EB, Larrondo-Petrie MM, Sorgente T, Van Hilst M. A methodology to develop secure systems using patterns. In: Mouratidis H, Giorgini P, editors. Integrating security and software engineering: advances and future vision. IDEA Press; 2006. p. 107–26.
ID - ref20
ER -

TY - STD
TI - Fernandez EB, Mujica S. Two patterns for HIPAA regulations. Procs. of AsianPLoP (Pattern Languages of Programs) 2014. Tokyo; 2014.
ID - ref21
ER -

TY - STD
TI - Fernandez EB, Monge R, Hashizume K. Building a security reference architecture for cloud systems. Requir Eng. 2015; doi:10.1007/s00766-014-0218-7.
ID - ref22
ER -

TY - STD
TI - Fernandez EB, Yimam D. Towards compliant reference architectures by finding analogies and overlaps in compliance regulations. Procs. 12th Int. Conf. on Security and Cryptography (SECRYPT 2015), Colmar, France, July 2015.
ID - ref23
ER -

TY - STD
TI - FISMA. Federal Information Security Management Act (FISMA). http://www.healthinfolaw.org/federal-law/federal-information-security-management-act-fisma.
UR - http://www.healthinfolaw.org/federal-law/federal-information-security-management-act-fisma
ID - ref24
ER -

TY - STD
TI - Fowler M. Analysis patterns: reusable object models. Addison-Wesley; 1997.
ID - ref25
ER -

TY - BOOK
AU - Gamma, E.
AU - Helm, R.
AU - Johnson, R.
AU - Vlissides, J.
PY - 1994
DA - 1994//
TI - Design patterns: elements of reusable object-oriented software
PB - Addison-Wesley
CY - Boston
ID - Gamma1994
ER -

TY - STD
TI - Gartner. http://www.gartner.com/newsroom/id/2352816.
UR - http://www.gartner.com/newsroom/id/2352816
ID - ref27
ER -

TY - JOUR
AU - Gikas, C.
PY - 2010
DA - 2010//
TI - A General Comparison of FISMA, HIPAA, ISO 27000 and PCI-DSS Standards
JO - Inf Secur J
VL - 19
ID - Gikas2010
ER -

TY - STD
TI - GLBA. Gramm-Leach-Bliley Act. http://www.business.ftc.gov/privacy-and-security/gramm-leach-bliley-act.
UR - http://www.business.ftc.gov/privacy-and-security/gramm-leach-bliley-act
ID - ref29
ER -

TY - STD
TI - Hamdaqa M, Hamou-Lhadj A. Citation analysis: an approach for facilitating the analysis of regulatory compliance documents. Procs. 2009 6th Int. Conf. on Information Technology: New Generations. IEEE; 2009. p. 278–83.
ID - ref30
ER -

TY - JOUR
AU - Hashizume, K.
AU - Rosado, D. G.
AU - Fernández-Medina, E.
AU - Fernandez, E. B.
PY - 2013
DA - 2013//
TI - An analysis of security issues for cloud computing
JO - J Internet Serv Appl
VL - 4
UR - https://doi.org/10.1186/1869-0238-4-5
DO - 10.1186/1869-0238-4-5
ID - Hashizume2013
ER -

TY - STD
TI - HIPAA. HIPAA Administrative Simplification. https://www.fedramp.gov/resources/documents/.
UR - https://www.fedramp.gov/resources/documents/
ID - ref32
ER -

TY - STD
TI - HIPAA. Understanding Health Information Privacy. http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/consumers/understanding-hipaa-notice.pdf.
UR - http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/consumers/understanding-hipaa-notice.pdf
ID - ref33
ER -

TY - STD
TI - Hitachi. Compliance architecture. http://hitachi-id.com/compliance/compliance-architecture.html.
UR - http://hitachi-id.com/compliance/compliance-architecture.html
ID - ref34
ER -

TY - STD
TI - IBM. IBM Cloud computing. http://www.ibm.com/cloud-computing/.
UR - http://www.ibm.com/cloud-computing/
ID - ref35
ER -

TY - STD
TI - IBM. Security compliance services. http://www-935.ibm.com/services/us/en/it-services/security-services/compliance-and-regulatory-services/.
UR - http://www-935.ibm.com/services/us/en/it-services/security-services/compliance-and-regulatory-services/
ID - ref36
ER -

TY - STD
TI - IDC. International Data Corporation. http://www.idc.com/prodserv/subservices.jsp.
UR - http://www.idc.com/prodserv/subservices.jsp
ID - ref37
ER -

TY - STD
TI - IEEE. IEEE 1471-2000 recommended practice for architectural description of software-intensive systems. 2000. https://standards.ieee.org/findstds/standard/1471-2000.html.
UR - https://standards.ieee.org/findstds/standard/1471-2000.html
ID - ref38
ER -

TY - STD
TI - ISO. ISO Information Security Standard. Available: http://www.iso27001security.com/.
UR - http://www.iso27001security.com/
ID - ref39
ER -

TY - STD
TI - Kruchten P. The rational unified process: an introduction. 3rd ed. Addison-Wesley; 2003.
ID - ref40
ER -

TY - BOOK
AU - Massey, A. K.
AU - Smith, B.
AU - Otto, P. N.
AU - Anton, A. I.
PY - 2011
DA - 2011//
TI - Assessing the accuracy of legal implementation readiness decisions
ID - Massey2011
ER -

TY - STD
TI - Mather T, Kumaraswamy S, Latif S. Cloud security and privacy: an enterprise perspective on risks and compliance. O'Reilly Media; 2009.
ID - ref42
ER -

TY - STD
TI - Microsoft Azure. Microsoft Azure Trust Center. http://azure.microsoft.com/en-us/support/trust-center/compliance/.
UR - http://azure.microsoft.com/en-us/support/trust-center/compliance/
ID - ref43
ER -

TY - STD
TI - Millard C. Cloud computing law. Oxford University Press; 2013.
ID - ref44
ER -

TY - BOOK
AU - Mirković, O.
PY - 2008
DA - 2008//
TI - Security - How to measure compliance
ID - Mirković2008
ER -

TY - STD
TI - Netschert BM. Information security readiness and compliance in the healthcare industry. Stevens Institute of Technology; 2008.
ID - ref46
ER -

TY - JOUR
AU - Ngugi, B.
AU - Vega, G.
AU - Dardick, G.
PY - 2009
DA - 2009//
TI - PCI compliance: overcoming the challenges
JO - Int J Inf Secur Priv
VL - 3
UR - https://doi.org/10.4018/jisp.2009040104
DO - 10.4018/jisp.2009040104
ID - Ngugi2009
ER -

TY - STD
TI - NIST. Guidelines on security and privacy in public cloud computing. http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-144.pdf. Accessed 22 Apr 2016.
UR - http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-144.pdf
ID - ref48
ER -

TY - STD
TI - Oracle. Cloud reference architecture. http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-144.pdf. Accessed 22 Apr 2016.
UR - http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-144.pdf
ID - ref49
ER -

TY - STD
TI - OWASP. Cloud-10 regulatory compliance. https://www.owasp.org/index.php/Cloud-10_Regulatory_Compliance.
UR - https://www.owasp.org/index.php/Cloud-10_Regulatory_Compliance
ID - ref50
ER -

TY - STD
TI - PCI-DSS RA. PCI-compliant cloud reference architecture. http://www.hytrust.com/solutions/compliance/.
UR - http://www.hytrust.com/solutions/compliance/
ID - ref51
ER -

TY - STD
TI - PCI DSS standard. Official source of PCI DSS Data Security Standards. https://www.pcisecuritystandards.org/security_standards/index.php.
UR - https://www.pcisecuritystandards.org/security_standards/index.php
ID - ref52
ER -

TY - STD
TI - PCI guidelines. PCI cloud guidelines. https://www.pcisecuritystandards.org/documents/PCI_DSS_V3.0_Third_Party_Security_Assurance.pdf.
UR - https://www.pcisecuritystandards.org/documents/PCI_DSS_V3.0_Third_Party_Security_Assurance.pdf
ID - ref53
ER -

TY - BOOK
AU - Ruiter, J.
AU - Warnier, M.
PY - 2011
DA - 2011//
TI - Computers, privacy and data protection: an element of choice
UR - https://doi.org/10.1007/978-94-007-0641-5_17
DO - 10.1007/978-94-007-0641-5_17
ID - Ruiter2011
ER -

TY - JOUR
AU - Silva, C. M. R.
AU - Silva, J. L. C.
AU - Rodrigues, R. B.
AU - Nascimento, L. M.
AU - Garcia, V. C.
PY - 2013
DA - 2013//
TI - Systematic mapping study on security threats in cloud computing
JO - IJCSIS
VL - 11
ID - Silva2013
ER -

TY - STD
TI - Sony. Sony freezes 93,000 online accounts after security breach. http://www.forbes.com/sites/parmyolson/2011/10/12/sony-freezes-93000-online-accounts-after-security-breach/.
UR - http://www.forbes.com/sites/parmyolson/2011/10/12/sony-freezes-93000-online-accounts-after-security-breach/
ID - ref56
ER -

TY - STD
TI - SOX law. The Sarbanes-Oxley Act. http://www.soxlaw.com/.
UR - http://www.soxlaw.com/
ID - ref57
ER -

TY - STD
TI - Stricker V, Lauenroth K, Corte P, Gittler F, De Panfilis S, Pohl K. Creating a reference architecture for service-based systems: a pattern-based approach. IOS Press; 2010. doi:10.3233/978-1-60750-539-6-149.
ID - ref58
ER -

TY - STD
TI - Target. Response & resources related to Target's data breach. https://corporate.target.com/about/payment-card-issue.aspx.
UR - https://corporate.target.com/about/payment-card-issue.aspx
ID - ref59
ER -

TY - STD
TI - Taylor RN, Medvidovic N, Dashofy N. Software architecture: foundations, theory, and practice. Wiley; 2010.
ID - ref60
ER -

TY - STD
TI - VMware. Compliance reference architecture framework. https://solutionexchange.vmware.com/store/products/vmware-compliance-cyber-risk-solutions.
UR - https://solutionexchange.vmware.com/store/products/vmware-compliance-cyber-risk-solutions
ID - ref61
ER -

TY - STD
TI - Walker M. Architecting regulatory-compliant architectures. https://msdn.microsoft.com/en-us/library/bb233047.aspx.
UR - https://msdn.microsoft.com/en-us/library/bb233047.aspx
ID - ref62
ER -

TY - STD
TI - Warmer J, Kleppe A. The object constraint language. 2nd ed. Addison-Wesley; 2003.
ID - ref63
ER -

TY - BOOK
AU - Yimam, D.
AU - Fernandez, E. B.
PY - 2016
DA - 2016//
TI - Building Compliance and Security Reference Architectures (CSRA) for cloud systems
ID - Yimam2016
ER -