Presentation is loading. Please wait.

Presentation is loading. Please wait.

CONFORMANCE TO LEGAL REQUIREMENTS FOR E-SERVICES AND E-SYSTEMS Luigi Logrippo Université du Québec en Outaouais University of Ottawa 1 Invited Talk, KCESS2012.

Published byAlexina Jones Modified over 8 years ago

Similar presentations

Presentation on theme: "CONFORMANCE TO LEGAL REQUIREMENTS FOR E-SERVICES AND E-SYSTEMS Luigi Logrippo Université du Québec en Outaouais University of Ottawa 1 Invited Talk, KCESS2012."— Presentation transcript:

1 CONFORMANCE TO LEGAL REQUIREMENTS FOR E-SERVICES AND E-SYSTEMS Luigi Logrippo Université du Québec en Outaouais University of Ottawa 1 Invited Talk, KCESS2012

2 Towards a process for producing software from legal requirements

3 One of the last frontiers …  Last for two reasons:  In the end, IT systems must satisfy the law  This is a difficult goal Because of the need to bridge the long distance between legal language and IT language and implementations 3 A bridge? The law Software

4 Why IT isn’t very good at building bridges 4  Humankind has been building bridges for millions of years  But IT is fairly new at this … Vestiges of a bridge to Sri Lanka (30Km) Reputed to be 1,700,000 yrs old …

5 Framework  Legal requirements for e-services and e-systems exist in many areas:  Tax laws  E-governance  E-commerce  Accounting  Privacy protection  E-voting  …  Enterprises have their own software in these areas:  Does it comply with the law?  How can new software be built to comply with the law? 5

6 The islands and the bridges 6 Legal requirements for enterprise software Enterprise requirements for software Enterprise Law Enterprise Policy Enterprise software extract legal compliance logical compliance implement & verify validate Legal area Software area

7 7 Legal requirements for enterprise software Enterprise requirements for software Enterprise Law Enterprise Policy Enterprise software extract legal compliance logical compliance implement & verify validate Legal area Software area     

8 8

9 Legal processes 9  Formulating laws and policies  Normative text  Establishing legal compliance of enterprise policy to the law:  These processes are entirely in the legal domain, for lawyers Enterprise Law Enterprise Policy legal compliance Legal area

10 How many research areas remain for us? 10  At least five

11 Manual activities  At the interface of the legal world and the IT world  Extract from law   Determine what part of the law is relevant for IT implementation  Express that part of the law in IT terminology  Extract from enterprise policy   Determine what part of the enterprise policy is relevant for IT implementation  Express that part of the policy in IT terminology 11 

12 How are the manual activities done? 12  Since they are interface activities, they will require mixed teams of law experts and IT experts  It’s usual for IT people to work in this manner, at the requirement extraction phase

13 Current practice 13  Legal requirements are expanded into many detailed requirements  Legal offices are used to check that these detailed requirements represent a legally defendable implementation of the law  Long checklists result from this process, and the enterprises subject to the law will use the checklists rather than the original law  Checklists usually include all sorts of things, not only software requirements

14 Elements for requirement extraction 14  As always in computing, we have data structures and processes  Examples of relevant data structures: Enterprise organization diagrams Concept ontologies  Examples of processes: Business processes  These exist in law, as they exist in enterprise policies,  They may be difficult to find  They will be much more generic in law

15 Successful example: tax law  Predates computing …  Governments have mapped tax law into:  Ontologies, essentially represented by tax forms  Processes, essentially represented by calculation rules  There remain many areas where human intervention is necessary  Interpretation  Fact-finding  This is what we can expect to happen in other legal areas 15

16 Successful example: Mesopothamian law (4000 yrs ago)  One of Hammurabi’s almost 300 rules in Event-Condition-Action style: If anyone steals cattle or sheep, if it belongs to a god or to the court, the thief shall pay thirtyfold  Event: Anyone steals cattle or sheep or an ass  Condition: If it belongs to a god or to the court  Action: The thief shall pay thirtyfold  The event itself consists of three elements:  Subject: Anyone  Verb: Steals  Object: Cattle or sheep  ECA rules are very well known in IT  E.g. access control rules to data 16

17 High-level rules or Requirements  From the10 Commandments given to Moses: You shall not steal  This can be seen as a requirement to be translated into many ECA rules, such as the previous one  Needed: an ontology to identify the types of theft that are relevant; each type can be addressed by one or more ECA-type rules 17

18 Creating legal ontologies 18

19 Can we put order in something like this? 19  Royal Bank of Canada privacy policies:  “We use your personal and financial information for the purposes communicated to you in your agreement(s) with us, for example to: Verify your identity; Provide you with the financial products and services requested; Communicate to you any benefit, feature and other information about products and services you have with us; Respond to any special needs or inquiries you may have; Better understand your financial situation and determine your eligibility for products and services we offer; Manage our risks and operations; Meet regulatory and legal requirements; If we have your social insurance number or social security number, we may use it for tax related purposes if you hold a product generating income and share it with the appropriate government agencies. We may also share it with credit reporting agencies as an aid to identify you.”

20 Identifying the dependencies (Ghazinour and Barker, PAIS 2011) 20 Royal Bank of Canada privacy policies: “We use your personal and financial information for the purposes communicated to you in your agreement(s) with us, for example to: Verify your identity; Provide you with the financial products and services requested; Communicate to you any benefit, feature and other information about products and services you have with us; Respond to any special needs or inquiries you may have; Better understand your financial situation and determine your eligibility for products and services we offer; Manage our risks and operations; Meet regulatory and legal requirements; If we have your social insurance number or social security number, we may use it for tax related purposes if you hold a product generating income and share it with the appropriate government agencies. We may also share it with credit reporting agencies as an aid to identify you.” Purpose ontology lattice for RBC privacy policies

21 Why a lattice (Ghazinour and Barker, PAIS 2011) 21 This lattice arranges the purposes in an implication order. E.g. if one allows RBC to use personal information for mail distribution then one has also allowed them to use it for communication, marketing, and identity verification (more specific purposes)

22 Organization structure and scenarios in the law 22  Sarbanes Oxley - Section.2 : Audit (3) AUDIT COMMITTEE.  The term ‘‘audit committee’’ means a committee established by and amongst the board of directors of an issuer for the purpose of overseeing the accounting and financial reporting processes of the issuer and audits of the financial statements of the issuer, …. Issuer: company subject to SOX

23 IT interpretation 23  Sarbanes Oxley - Section.2 : Audit (3) AUDIT COMMITTEE.  The term ‘‘audit committee’’ means a committee established by and amongst the board of directors of an issuer for the purpose of overseeing the accounting and financial reporting processes of the issuer and audits of the financial statements of the issuer, …. Exercise: draw the class diagram

24 Processes 24  In law, they are usually defined only in terms of what they should achieve – Examples from SOX  (a) pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions …  (b) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements …  (c) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition …  Details are found in standards, professional and ‘best practices’ manuals  Broken down in checklists

25 Generic extraction model for enterprise governance (Hassan and Logrippo, RELAW2009) 25 Concepts found in normative text are to be mapped into these classes Note specific purpose!

26 Scanning normative text 26  The extraction process can be to carefully scan the law, standards, ‘best practices’, enterprise regulations, looking for elements that can be implemented in software  Concepts found should be mapped on an extraction model that can be the basis for software implementation  Conceptual graphs, lattices, UML

27 Joint work 27  The resulting formalized representations are interpretations of the original text  For IT specialists, the acceptance criterion is: can this interpretation be implemented in software?  For Law specialists, the criterion is: can this interpretation be defended in court?

28 We are interested in the intersection 28  Identify and formalize the intersection  Expand it as much as possible

29 Legal requirements for enterprise software Enterprise requirements for software Enterprise Law Enterprise Policy Enterprise software extract legal compliance logical compliance implement & verify validate Legal area Software area  Compliance of enterprise requirements to legal requirements 29 

30  What was a legal compliance process in the legal area becomes a logical compliance check in the software area  This can be performed by using model checkers of various kinds  Compliance of enterprise requirements to legal requirements 30 

31 Proposal: A Logic-Based Process (Hassan and Logrippo) 31 OK or counterexamples

32 Checking requirements on organization structure 32 Contains (Loans, PublishApplication) Contains (Loans, ReceiveFilledApp) Contains (Loans, Wapplication) Contains (Loans, JReceiveFilledApp) Contains (Loans, ConsentClient) Contains (Loans, LegalReasonException) Contains (Loans,ThankClient) Contains (Loans, DisposeData) Contains(OrderMgt, ReadApplication) Contains(OrderMgt, ValidateInfo) Contains(OrderMgt,SaveInfo ) The organization must include a process to dispose of data Formally defined Enterprise structure Legal Requirement An organization with two main departments, incl. several processes Model checker: yes, it is included

33 Checking requirements on process structure 33 Next (ValidateInfo,SaveInfo) Next(ReadApplication, ValidateInfo) Next(Wapplication, JreceivedApp) Next(JReceivedApp,ConsentClient) Next(JReceivedApp,LegalReasonException) Next(ThankClient,DisposeData) Next(PublishApplication, ReceiveFilledApp) Next(ReceiveFilledApp,Wapplication) Next(ValidateInfo,WApplication) Next(WApplication,ReadApplication ) Formally defined structure Legal requirement: Information received must later be disposed Model checker: following slide

34 Process non-compliance 34 A path is found where information rec’d is saved

35 Need of other approaches  Different approaches will reveal different issues  Physicists use different methods to view material structure different methods will show different things  E.g. the UCM-based approach proposed by Amyot et al. will lead to other discoveries  How can we put it all together  Do we need to put it all together? 35

36  Implement &verify 36 

37  We are here in a familiar territory:  We have compliant software requirements and we must implement them and verify the implementation  Use existing software methods  But: are the enterprise requirements that were obtained so far sufficient to derive an implementation? A lot of practical domain knowledge may still be necessary Probably it cannot be assumed that inexperienced software developers can do this  Implement &verify 37 

38 Maturity of SE methods 38  Unfortunately, the study of techniques to go from requirements to implementations is fairly recent and so not very mature IMOMO  Requirements engineering  We have been doing this for only about half a century …

39 Generic SE development method 39 Requirements (in natural or logic language) Specification of behavior 39 Specification of implementation 39 Implementation  Major errors can be injected at every step  especially between requirements and behavior specs  Legal knowledge is probably still needed between steps

40  Validate implementation 40 

41  Validate implementation 41  Is the resulting enterprise software compliant with the law?  This must be checked since errors can be injected in the implementation process  Existing software methods can be used to validate the implementation wrt legal requirements, perhaps the most practical is testing  Final testing is part of every engineering process  But, exactly what should be tested and how ?  The checklists mentioned are not constructed as software test suites 

42 Certification 42  The end result should be certified software  Certified to be conformant to the law  What should the certification process be? Most probably, test suites derived from checklists  Many software vendors produce software that is claimed to be compliant  But can hardly be certified

43 Privacy by Design 43  P b D is embedded into the design and architecture of IT systems and business practices  It is not bolted on as an add-on  Privacy becomes an essential component of the core functionality being delivered  Privacy is integral to the system, without diminishing functionality (source: Information and Privacy Commissioner of Ontario, Canada)  How can we build P b D in the software process?

44 How can we move forward? 44  It would help if normative text to be implemented in software was written in a different style …  E.g. legal text leaves much unspecified  The complex ontologies on which its interpretation depends are rarely specified  The increasing dependence on IT systems will lead legislators to include more IT language and structure in their normative style  Thus facilitating the extraction process  Compliance checklists will have to become more specific in terms of software requirements

45 More mind-expanding ideas 45  Formalizing Privacy agreements  P3P and extensions  Developments in legal theory and practice  Legal formalization necessary to expand e-Business  e-Contracts, internationally formalized  e-Judgments Privacy violations to be proved automatically by using automatically obtained factual evidence Amends to be determined automatically, on the basis of objective law

46 Many open areas of research 46  Formal semantics of normative languages  Methods to extract ontologies and processes from normative text (see RELAW workshop series)  Methods to validate the result of the extraction process  Such methods will be domain-specific  Software Engineering issues, instantiated to the legal domain  Methods for validating compliance of an implementation to legal requirements  Leading to certification  The P b D software process

47 Conclusions 47  I have attempted to identify the main issues related to the problem of software compliance to legal requirements  Classified the issues, by means of a proposed ‘reference model’  Some preliminary solutions and research ideas were also presented, as possible starting points

Download ppt "CONFORMANCE TO LEGAL REQUIREMENTS FOR E-SERVICES AND E-SYSTEMS Luigi Logrippo Université du Québec en Outaouais University of Ottawa 1 Invited Talk, KCESS2012."

Similar presentations

An Introduction to professional services. The professional services The professional services support businesses of all sizes across the economy, providing.

An Introduction to professional services. The professional services The professional services support businesses of all sizes across the economy, providing.
Sarbanes-Oxley Act of 2002 UAA – ACCT 316 – Fall 2003 Accounting Information Systems Dr. Fred Barbee.

Sarbanes-Oxley Act of 2002 UAA – ACCT 316 – Fall 2003 Accounting Information Systems Dr. Fred Barbee.
Financial Statements Audit

Financial Statements Audit
ITAuditing Using GAS & CAATs

ITAuditing Using GAS & CAATs
CONFORMANCE TO LEGAL REQUIREMENTS The last frontier for privacy research Luigi Logrippo Université du Québec en Outaouais University of Ottawa 1 Keynote.

CONFORMANCE TO LEGAL REQUIREMENTS The last frontier for privacy research Luigi Logrippo Université du Québec en Outaouais University of Ottawa 1 Keynote.
Discussion on SA-500 – AUDIT EVIDENCE

Discussion on SA-500 – AUDIT EVIDENCE
Chapter 20 Additional Assurance Services: Other Information

Chapter 20 Additional Assurance Services: Other Information
The Islamic University of Gaza

The Islamic University of Gaza
©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 1 - 1 The Demand for Audit and Other Assurance Services Chapter 1.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder The Demand for Audit and Other Assurance Services Chapter 1.
Process Model for Access Control Wael Hassan University of Ottawa Luigi Logrippo, Université du Québec en Outaouais.

Process Model for Access Control Wael Hassan University of Ottawa Luigi Logrippo, Université du Québec en Outaouais.
Security Controls – What Works

Security Controls – What Works
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
The Demand for Audit and Other Assurance Services Chapter 1.

The Demand for Audit and Other Assurance Services Chapter 1.
Software Testing and Quality Assurance

Software Testing and Quality Assurance
Chapter 4 Internal Control Bus 319 Accounting Information Systems.

Chapter 4 Internal Control Bus 319 Accounting Information Systems.
Software Requirements

Software Requirements
© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.

© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.
ISO 9001 Interpretation : Exclusions

ISO 9001 Interpretation : Exclusions
18- 1 © 2006 The McGraw-Hill Companies, Inc., All Rights Reserved. Chapter 18 Integrated Audits of Internal Control (For Public Companies Under Sarbanes-Oxley.

18- 1 © 2006 The McGraw-Hill Companies, Inc., All Rights Reserved. Chapter 18 Integrated Audits of Internal Control (For Public Companies Under Sarbanes-Oxley.
NATIONAL BOARD OF ACCOUNTANTS AND AUDITORS

NATIONAL BOARD OF ACCOUNTANTS AND AUDITORS

Similar presentations

Ads by Google