Software Quality as a Foundation for Security. SWQD 2024, pp. 135–152
April 2024 · doi: 10.1007/978-3-031-56281-5_8
Assuring regulatory compliance of information systems (IS), understood as a bundle of software systems and business processes, is an important but costly and continuous effort. Laws formulate demands for quality properties in ambiguous language that requires substantial interpretation. Industry standards provide support, but remain generic so that they apply across heterogeneous company IS contexts. Before compliance measures can be implemented in software assets and processes, a specific interpretation based on each company's context is a prerequisite. Compliance experts such as auditors support this process by accounting for the perspectives of company stakeholders. Ultimately, however, the complexity of the required knowledge, with its legal and technical facets, prevents organizations from continuously establishing situational awareness or guarantees and from answering the question: is the company currently compliant? We illustrate the complexity of assuring compliance in a qualitative case study with a European, software-driven corporation in the financial industry. By modeling an example of annual audits and analyzing the literature, we describe the perspectives of the involved stakeholders with their roles, knowledge needs and facets. We observe six challenges: (1) a large number of items and links; (2) unclear and implicit links; (3) siloing of knowledge; (4) multiple sources of truth; (5) high costs of learning from audits; and (6) uncertain results of traditional auditing. We discuss the implications of these observed challenges and briefly explore potential avenues for resolution.