The Role of Law in Software Requirements Engineering

Similar documents
Prioritizing Legal Requirements

Towards Regulatory Compliance: Extracting Rights and Obligation to Align Requirements with Regulations

Early Studies in Acquiring Evidentiary, Reusable Business Process Models for Legal Compliance

Towards Regulatory Compliance: Extracting Rights and Obligations to Align Requirements with Regulations

On Efficient Collaboration between Lawyers and Software Engineers when Transforming Legal Regulations to Law-related Requirements

A Pattern-Based Method for Identifying and Analyzing Laws

INCREASINGLY, regulations in Canada, Europe, and the US

Regulatory Compliance and its Impact on Software Development

Business Process and Regulations Compliance Management Technology

Information Management & Data Governance

Knowledgent White Paper Series. Developing an MDM Strategy WHITE PAPER. Key Components for Success

Requirements Analysis Concepts & Principles. Instructor: Dr. Jerry Gao

Protecting Business Information With A SharePoint Data Governance Model. TITUS White Paper

Network Analysis of Regulations

Policy Modeling and Compliance Verification in Enterprise Software Systems: a Survey

Master Data Management Architecture

An Empirical Investigation of Software Engineers Ability to Classify Legal Cross-References

What s a BA to do with Data? Discover and define standard data elements in business terms. Susan Block, Program Manager The Vanguard Group

Whitepaper Data Governance Roadmap for IT Executives Valeh Nazemoff

Digital Policy Management Framework for Attribute-Based Access Control

How To Audit Personal Data Through Requirements Engineering

Ubiquitous, Pervasive and Mobile Computing: A Reusable-Models-based Non-Functional Catalogue

MDA and Financial Services: A Governance, Risk, and Compliance case study

DATA GOVERNANCE AT UPMC. A Summary of UPMC s Data Governance Program Foundation, Roles, and Services

Knowledge Management

Real World Strategies for Migrating and Decommissioning Legacy Applications

Training Management System for Aircraft Engineering: indexing and retrieval of Corporate Learning Object

1 Abstract. 3 Document Repository

Washington State s Use of the IBM Data Governance Unified Process Best Practices

Realizing business flexibility through integrated SOA policy management.

EIM Strategy & Data Governance

Background: Business Value of Enterprise Architecture TOGAF Architectures and the Business Services Architecture

Ten Steps to Quality Data and Trusted Information

To Comply Software and IT System Development with Related Laws Abstract. Keywords: 1. PROBLEM STATEMENT

Foundations of Business Intelligence: Databases and Information Management

Data Governance Center Positioning

Introduction. Chapter 1. Introducing the Database. Data vs. Information

JOURNAL OF OBJECT TECHNOLOGY

3. Ensure the management of information is compliant with legislative requirements to maximise the benefits and minimise risks;

A Practical Guide to Legacy Application Retirement

How To Develop A Data Warehouse

ACEDS Membership Benefits Training, Resources and Networking for the E-Discovery Community

EU CUSTOMS BUSINESS PROCESS MODELLING POLICY

10 Building Blocks for Securing File Data

Natural Language to Relational Query by Using Parsing Compiler

How To Write A Cybersecurity Framework

Enterprise Data Governance

11 Tips to make the requirements definition process more effective and results more usable

Data Modeling in the Age of Big Data

SOA Success is Not a Matter of Luck

ECM Governance Policies

Guidelines for Best Practices in Data Management Roles and Responsibilities

Requirements Engineering Process

The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

SOLUTION BRIEF CA ERwin Modeling. How can I understand, manage and govern complex data assets and improve business agility?

Appendix B Data Quality Dimensions

Five best practices for deploying a successful service-oriented architecture

Ecom Infotech. Page 1 of 6

Development of an Ontology for the Document Management Systems for Construction

Improving Traceability of Requirements Through Qualitative Data Analysis

Overview. The Knowledge Refinery Provides Multiple Benefits:

To introduce software process models To describe three generic process models and when they may be used

Legal Requirements Acquisition for the Specification of Legally Compliant Information Systems. by Travis Durand Breaux

72. Ontology Driven Knowledge Discovery Process: a proposal to integrate Ontology Engineering and KDD

The Value of Vulnerability Management*

A Systemic Artificial Intelligence (AI) Approach to Difficult Text Analytics Tasks

Corralling Data for Business Insights. The difference data relationship management can make. Part of the Rolta Managed Services Series

META DATA QUALITY CONTROL ARCHITECTURE IN DATA WAREHOUSING

Paper DM10 SAS & Clinical Data Repository Karthikeyan Chidambaram

New York Health Benefit Exchange

Software Requirements Specification (SRS)

A Knowledge-based Product Derivation Process and some Ideas how to Integrate Product Development

Accessing Private Network via Firewall Based On Preset Threshold Value

Office of Compliance and Ethics Introductory Report. Lynette Fons, Chief Compliance Officer

Resource Management on Computational Grids

Data Governance Primer. A PPDM Workshop. March 2015

Important dimensions of knowledge Knowledge is a firm asset: Knowledge has different forms Knowledge has a location Knowledge is situational Wisdom:

NASCIO EA Development Tool-Kit Solution Architecture. Version 3.0

Bringing agility to Business Intelligence Metadata as key to Agile Data Warehousing. 1 P a g e.

Putting IT at e s: Considerations for ediscovery, ECM, & ERM

A Business Analysis Perspective on Business Process Management

Principal MDM Components and Capabilities

Architecture Centric Development in Software Product Lines

Quest for a Business Rules Management Environment (BRME) in the Internal Revenue Service

Project Knowledge Management Based on Social Networks

Patterns of Information Management

Data Governance Maturity Model Guiding Questions for each Component-Dimension

CISM (Certified Information Security Manager) Document version:

Encoding Library of Congress Subject Headings in SKOS: Authority Control for the Semantic Web

Agile Master Data Management A Better Approach than Trial and Error

CFPB Consumer Laws and Regulations

Artificial Intelligence

Integrated archiving: streamlining compliance and discovery through content and business process management

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II).

The Role of Metadata in a Data Governance Strategy

Smarter Balanced Assessment Consortium. Request for Information Test Delivery Certification Package

Key Issues for Data Management and Integration, 2006

Cybersecurity Framework. Executive Order Improving Critical Infrastructure Cybersecurity

PALANTIR & LAW ENFORCEMENT

Transcription:

The Role of Law in Software Requirements Engineering Paul Otto Advisor: Annie Antón CSC 890 Written Qualifier Exam Why should computer scientists study the law? Regulatory compliance is the primary driver of information security policy 1 The cost of non-compliance is high HIPAA: civil money penalty up to $25K per violation 2 FCRA: ChoicePoint fined a civil penalty of $10M and $5M consumer redress fund 3 Regulations dictate many aspects of software and system requirements 2 1

ChoicePoint Data Flows 3 3 HIPAA stakeholder hierarchy 4 2

How regulations impact requirements engineering Elicitation: determining the stakeholders and requirements Regulatory texts specify requirements that need to be incorporated into system development Stakeholders require answers to specific queries about what is allowed or not allowed 4,5 : resolving ambiguities, contradictions, omissions : documenting and tracking requirements Monitoring software systems for compliance with requirements and policies identified as a challenging and important problem 6 5 What is required for legal compliance? Traditional software engineering activities: Modeling Development Traditional security activities: Policy enforcement 6 3

Overview Why regulations are relevant to computer scientists The nature of regulations Survey of past work with regulations Requirements for handling regulations Discussion and future work 7 Key characteristics of regulatory texts Factors that make regulations difficult to model and use in development: Overlapping, contradictory hierarchies Frequent amendments and revisions Cross-references: internal and external Definitions and acronyms Case law and supplemental documents Ambiguities: intentional and unintentional 8 4

The influence of supplemental documents HIPAA: 90 pages in the Code of Federal Regulations Privacy Rule: 55 pages Security Standards: 16 pages U.S. Department of Health and Human Services publishes supplemental documents Summary of the HIPAA Privacy Rule: 25 pages Guidance for HIPAA Security Standards: 7 pages Numerous unofficial guides available online - third parties providing HIPAA interpretations Software engineers currently rely on these texts and may never reference original regulations! 9 Examples of legal ambiguity Intentional ambiguity: HIPAA 164.306(a)(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information Language ambiguity: HIPAA 164.530(i)(3) the covered entity must promptly document and implement the revised policy or procedure 10 5

Overview Why regulations are relevant to computer scientists The nature of regulations Survey of past work with regulations Requirements for handling regulations Discussion and future work 11 Survey methodology Searched literature for papers involving some combination of compliance, modeling regulations, privacy, security, requirements Discovered and read over 150 relevant papers Cited 41 papers in CSC 890 written examination My methodology: 1. Identified main contributions in papers 2. Consolidated criticisms and observations regarding the difficulty of working with legal texts 3. Extracted common themes in handling regulatory texts and supporting compliance efforts 4. Classified each approach based on primary implementation 5. Analyzed the pros and cons of each approach 12 6

Previous work in modeling and using regulations Logic Based Approaches Symbolic logic Logic Programming (Expert Systems) Deontic Logic Defeasible Logic First-Order Temporal Logic Software Engineering Approaches Access Control Markup-based Representations Goal Modeling Reusable Requirements Catalog 13 Elicitation Symbolic Logic One of the first efforts in modeling regulations Main idea: translate natural language into logical statements 7 Eliminates unintended ambiguities Provides machine-readable representations Does not leverage computers for data processing Requires manually encoding N.L. to logic Not designed to aid software engineers 14 7

Logic Programming Elicitation Main idea: represent and utilize legal knowledge through an expert system Many research efforts undertaken (e.g. representing the U.S. Internal Revenue Code in Prolog 8 ) Identifies unintended ambiguities Supports queries on the regulatory text Many projects, yet no fully working systems Requires manually encoding natural language to logic 15 Elicitation Deontic Logic Main idea: capture the rights and obligations present in legal texts Answers specific queries Supports development and requirement monitoring 9 Maintains traceability 9 Limited implementation efforts to date Requires manually encoding rights and obligations Only capturing subset of legal requirements 16 8

Elicitation Defeasible Logic Main idea: strict rules, defeasible rules, and defeaters used to represent legal texts Rights and obligations are just two of the eight fundamental legal conceptions 10 Accommodates hierarchical, conflicting nature of regulations Supports legal reasoning and queries High computational complexity Requires numerous enhancements to represent various aspects of legal texts (e.g. arithmetic and temporal operators) 17 First-Order Temporal Logic Elicitation Main idea: extract and represent certain key concepts (e.g. context, roles, type of info) 11 Based on contextual integrity framework, which is a narrow conceptualization of privacy 12 Captures most privacy elements of the law Supports compliance checks between specific regulations and organizational privacy policies Limited applicability - only privacy regulations 18 9

Elicitation Access Control Main idea: derive privacy-focused access control rules directly from regulatory text Provides an auditable privacy system 13 Enables formal model checking Supports queries support Abstracts away many key details of legal texts (e.g. assuming external and ambiguous references satisfied by default) Omits many low-level system requirements specified by law Largely focused on rights and obligations 19 Markup-Based Representations Elicitation Main idea: mimic nature of regulations by encoding in semi-structured markup languages (e.g. XML) REGNET: major research effort to support compliance efforts through an XML framework 14 Supports locating and analyzing regulatory texts Automatically converts legal texts to XML Provides semi-automatic generation of metadata support Only applied to limited domain areas No working systems available 20 10

Elicitation Goal Modeling Main idea: extract goals, soft goals, tasks, resources, and social relationships from regulatory text SecureTropos used to model the relationships between actors, trust, delegation 15 Italian Data Protection Act used as proof of concept Supports requirements engineering activities Identifies relationships between stakeholders Requires manually extracting elements from law No support for queries 21 Reusable Requirements Catalog Elicitation Main idea: analysts extract legal requirements once, then reuse in future projects 16 Spanish Personal Data Protection Act is legal testbed Identifies unintended ambiguities through process of mining for requirements Quality of the catalog improves with each usage Requires manually extracting requirements from law No evaluation of time spent or requirements coverage Would require manual updates each time the law changed 22 11

Overview Why regulations are relevant to computer scientists The nature of regulations Survey of past work with regulations Requirements for handling regulations Discussion and future work 23 Requirements for systems handling regulations Requirements Elicitation 1. Identification of Relevant Regulations 2. Classification of Regulations with Metadata 3. Management of Evolving Regulations and Law - Antón extensively evaluated requirements evolution 17 Supporting 4. between References and Requirements - Active RE research topic for 15 years - still an unsolved problem! 5. Data Dictionary and Glossary to Ensure Consistency - Active RE research area, but not applied to regulatory domain Requirements 6. Prioritization of Regulations and Exceptions - Breaux and Antón looked at handling exceptions 9 7. Disambiguation of Regulatory Statements 24 12

Limitations and future work Only surveyed research within computer science and artificial intelligence domains - compliance is a broader engineering problem Did not consider research into natural language processing in general Need to consider how system developers currently handle legal texts Study how regulations are structured and how requirements can be extracted 25 Upcoming research to evaluate legal compliance itrust: existing system with fully documented requirements specification, use cases, and source code Develop tests for HIPAA compliance Establish traceability between requirements specification and regulatory text Evaluate preliminary ideas for a legal compliance system Discussions with health care organizations Determine current processes for HIPAA compliance Evaluate user requirements for working with regulations and organizational policies 26 13

References 1. Ernst & Young. 2006 Global Information Security Survey, November 2006. 2. Code for Federal Regulations, Amount of a civil money penalty, Title 45, Subtitle A, 160.404, last updated October 2006. 3. P.N. Otto, A.I. Antón, D.L. Baumer. The ChoicePoint Dilemma: How Data Brokers Should Handle the Privacy of Personal Information, Technical Report TR-2006-18, July 2006. 4. G. Antoniou, D. Billington, M.J. Maher. "On the of Regulations using Defeasible Rules," Proc. of the 32nd Hawaii Int l Conf. on Sys. Sci., pp. 1-7, January 1999. 5. M.-F. Moens. "Combining Structured and Unstructured Information in a Retrieval Model for Accessing Legislation," Proc. of the 10th Int'l Conf. on AI and Law, pp. 141-145, June 2005. 6. W.N. Robinson. "Implementing Rule-Based Monitors within a Framework for Continuous Requirements Monitoring," Proc. of the 38th Hawaii Int l Conf. on Sys Sci., January 2005. 7. L.E. Allen. "Symbolic Logic: A Razor-Edged Tool for Drafting and Interpreting Legal Documents," Yale Law Journal 66(6), pp. 833-879, May 1957. 8. L.T. McCarty. "The TAXMAN Project: Towards a Cognitive Theory of Legal Argument," Computer Science and Law, B. Niblett Ed., Cambridge Press: New York, pp. 23-43, June 1980. 9. T.D. Breaux, M.W. Vail, A.I. Antón. "Towards Regulatory Compliance: Extracting Rights and Obligations to Align Requirements with Regulations," Proc. of the 13th IEEE Int'l Conf. on Req'ts Eng., September 2006. 10. W.N. Hohfeld. Some Fundamental Legal Conceptions as Applied in Judicial Reasoning, Yale Law Journal 23(1), pp. 16-59, November 1913. 11. A. Barth et al. "Privacy and Contextual Integrity: Framework and Applications," Proc. of the 2006 IEEE Symp. on Security and Privacy, May 2006. 12. H. Nissenbaum. "Privacy as Contextual Integrity," Washington Law Review 79(1), pp. 119-157, February 2004. 13. M.J. May, C.A. Gunter, I. Lee. Privacy APIs: Access Control Techniques to Analyze and Verify Legal Privacy Policies, Proc. of the 19th Computer Security Foundations Workshop, July 2006. 14. S. Kerrigan, K.H. Law. "Logic-Based Regulation Compliance-Assistance," Proc. of the 9th Int'l Conf. on AI and Law, pp. 126-135, June 2003. 15. F. Massacci, M. Prest, N. Zannone. "Using a Security Requirements Engineering Methodology in Practice: The compliance with the Italian Data Protection Legislation," Technical Report DIT-04-103, 2004. 16. A. Toval, A. Olmos, M. Piattini. Legal Requirements Reuse: A Critical Success Factor for Requirements Quality and Personal Data Protection, Proc. Of the IEEE Joint Int l Conf. on Req ts Eng., pp. 95-103, September 2002. 17. A.I. Antón, C. Potts. Functional Paleontology: The Evolution of User-Visible System Services, IEEE Transactions on Software Engineering, 29(2), pp. 151-166, February 2003. 27 Thank you! Thanks to Dr. Antón for her guidance Work supported by NSF Cyber Trust grant #0430166 28 14

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information