Software practitioners must implement a growing list of regulatory and security mandates, but no established tool or mechanism exists for demonstrating their due diligence or compliance efforts. Providing such an approach does more than help software practitioners. External agencies and auditors also need tools or mechanisms to enforce compliance requirements. Consumers benefit as well. A standardized approach offers a mechanism for accountability regarding compliance without requiring software organizations to compromise their proprietary or sensitive information. Currently, perceptions, practices, and decision making on regulatory or security standard compliance are not a well-researched area in academia.
Our research aims to understand the practices and decision making that software organizations apply to regulatory compliance requirements during the software development process. We then use this improved understanding to build an approach that auditors or regulators can use to validate regulatory compliance throughout the entire SDLC.