1. IESS 1.0 - First International Conference on Exploring Services Sciences
17-18-19 February 2010, Geneva, Switzerland
Compliance in e-government
service engineering
State-of-the-art
Slim Turki, Marija Bjeković-Obradović
{slim.turki, marija.bjekovic}@tudor.lu
CRP Henri Tudor, Luxembourg
2/18/10 IESS 1.0 1
2. Context
➤ Organisations are faced with the need to conform to various laws and
regulations governing their domain of activity
➤ The obligation of compliance is particularly stressed in e-government.
➤ e-government: “the use of ICT systems and tools to provide better
public services to citizens and other businesses” [EC]
➤ administrative laws regulate the activities and decision-making of
governmental institutions.
➤ Regulation
➤ extensive source of requirements to be respected when designing IS
that support institutional activities and (e-)services to public.
➤ Approaches aiming to achieve and maintain regulatory compliance
of IS and services with given regulations
3. Overview
➤ Compliance in the business process research area
➤ Extracting compliance requirements from legal texts
➤ Deontic logic - Extracting rights and obligations
➤ Modeling regulations with goal-oriented models
➤ Traceability support for compliance
4. Compliance in the business process research area
➤ (Kharbili et al., 2008)
● Ontologies for formal modeling of regulations, to resolve
inconsistency of legal definitions and regulatory information
fragments.
● Coupled with business processes, basis for compliance
management framework, to manage evolution in both business
process and legislation.
➤ (Karagiannis et al., 2007, 2008)
● Meta-modeling based approach: regulatory aspects expressed in
models, and included into business processes models, to improve
or redesign them for compliance with corresponding regulations.
● Applied to Sarbanes-Oxley (SOX) act.
5. Compliance in the business process research area
➤ (Rifaut, 2005)
● PRM / PAM
● Support for financial business process design (compliant with Basel
II), and for assessment of compliance and its improvement.
● Goal-oriented models and ISO/IEC 15504 process assessment
standard used for structuring requirements for business process,
and together compose a formal framework according to which
compliance of business process is assessed.
6. Deontic logic (1/2)
➤ Extracting rights and obligations from regulations
➤ (Kiyavitskaya et al., 2007) (Zeni et al., 2008)
● Extraction of “objects of concern” (right, anti-right, obligation,
anti-obligation, and exception) from legal texts
● Semantic annotation tool Cerno: obligation, constraint and
condition keywords are highlighted in a regulation, and a list of
constraints and obligations is obtained (including traceability
markers).
➤ (Biagioli et al.) (Palmirani, 2003)
● Automated extraction of normative references, such as specific
rights and obligations, detailed in legal texts
● Address problem of law’s evolution by tracking changes over time.
7. Deontic logic (2/2)
➤ (Breaux and Antón, 2006), (Breaux and Antón, 2008)
● Extract and balance formal descriptions of rules (rights and
obligations) that govern actors' actions from regulation.
● Combines goal-oriented analysis of legal documents and
techniques for extracting rights, obligations, constraints, rules from
natural language statements in legal text.
● Strength: resolving the problems of ambiguity, polysemy and
cross-references when analyzing legal text, and maintaining
traceability across all the artefacts in the process.
● Has been applied to US regulation governing information privacy
in health care domain.
8. Modeling regulations with goal-oriented models
➤ SecureTropos (Giorgini et al., 2005)
● Goal-oriented techniques to model security requirements
● Assessing an organization's compliance with the Italian Data
Protection Act.
● Manual extraction of concepts from law, coverage of legal
documents limited only to security aspect.
➤ (Ghanavati et al., 2007)
● Tracking compliance of business processes to legislation.
● Combines goal-oriented requirement language (GRL), user
requirements notation (URN), and use case maps (UCM).
● Links between models of legislation, organisation policy and
processes, to enable examining the influence of evolving
legislation on organizational policies and business processes.
● Applied in the domain of information privacy in healthcare in
Canada.
9. Extracting compliance requirements from legal texts - Challenges
➤ Modeling regulations and extracting key concepts are recognized
as challenging tasks for requirements engineers, system
developers and compliance auditors (Otto and Antón, 2007)
(Kiyavitskaya et al., 2008):
● the very nature of language in which laws are written, containing
many ambiguities, cross-references, domain-specific definitions,
acronyms etc.,
● overlapping or complementing regulations at different level of
authority,
● frequent changes or amendment of regulations over time, etc.
➤ Law analysis is therefore prone to interpretations and misunderstandings
10. Traceability support for compliance
➤ Traceability gaining in significance
● Ability to maintain links between originating laws and derived
artefacts (requirements, IS specifications etc.) as measure to
enable better understanding of legal documents and to prevent
non-compliance of produced specifications.
➤ (Ghanavati et al., 2007)
● Set of links to establish between legislation and organizational
models.
➤ (Breaux and Antón, 2006, 2008)
● Traceability maintained across all the artefacts produced from
legal text to the corresponding software requirements.
● Most of the traceability links still have to be established manually.
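The two mechanisms surveyed above, keyword-based highlighting of deontic statements with traceability markers (the Cerno slide) and links from legislation to derived requirements (this slide), can be illustrated together in a few lines. The following is an added example written for this page; it is not the code of Cerno, of Breaux and Antón, or of any other cited work. The regulation fragment, the modal-verb lexicon, the requirement identifiers REQ-01/REQ-02 and the link table are all constructed for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed regulation fragment (not a real statute), one provision per line.
REGULATION = """\
Art. 1(1) The data controller shall notify the data subject of the purpose of processing.
Art. 1(2) The data subject may request access to personal data concerning him or her, unless the request is manifestly unfounded.
Art. 2(1) A public body must not transfer personal data to third parties without the data subject's consent.
Art. 2(2) A public body is not required to notify where the data subject already holds the information.
"""

# Minimal modal-phrase lexicon for the objects of concern (an assumption, not Cerno's lexicon).
# Order matters: "shall not" / "must not" must be classified before the bare "shall" / "must".
LEXICON = [
    ("anti-obligation", re.compile(r"\b(?:is|are) not required to\b|\bneed not\b", re.I)),
    ("anti-right", re.compile(r"\b(?:may|shall|must) not\b", re.I)),
    ("obligation", re.compile(r"\b(?:shall|must)\b", re.I)),
    ("right", re.compile(r"\bmay\b|\b(?:is|are) entitled to\b", re.I)),
]
# Keywords that attach an exception or condition to a provision.
CONDITION = re.compile(r"\b(?:if|unless|except|provided that|where)\b", re.I)
# Article reference at the start of each line; it becomes the traceability marker.
PROVISION = re.compile(r"^(Art\. \d+\(\d+\))\s+(.*)$")


@dataclass
class Statement:
    ref: str          # traceability marker: the article the statement comes from
    category: str     # right, anti-right, obligation, anti-obligation, or unclassified
    text: str
    exception: bool   # True when a condition/exception keyword is present


def extract_statements(text: str) -> list[Statement]:
    """Classify each provision by its modal phrase and keep its article reference."""
    statements = []
    for line in text.splitlines():
        m = PROVISION.match(line.strip())
        if not m:
            continue
        ref, body = m.groups()
        category = next((name for name, rx in LEXICON if rx.search(body)), "unclassified")
        statements.append(Statement(ref, category, body, bool(CONDITION.search(body))))
    return statements


# Constructed links from IS requirements to the provisions they implement.
TRACE = {
    "REQ-01": ["Art. 1(1)"],
    "REQ-02": ["Art. 1(2)"],
}


def trace_matrix(statements, trace):
    """Invert requirement -> article links into article -> requirements."""
    matrix = {s.ref: [] for s in statements}
    for req, refs in trace.items():
        for ref in refs:
            matrix.setdefault(ref, []).append(req)
    return matrix


def uncovered(statements, trace):
    """Binding provisions (obligations and prohibitions) that no requirement traces to."""
    matrix = trace_matrix(statements, trace)
    return [s.ref for s in statements
            if s.category in ("obligation", "anti-right") and not matrix[s.ref]]


if __name__ == "__main__":
    stmts = extract_statements(REGULATION)
    for s in stmts:
        flag = " [exception]" if s.exception else ""
        print(f"{s.ref}: {s.category}{flag}")
    print("binding provisions without a requirement:", uncovered(stmts, TRACE))
```

Run as a script it lists each provision with its deontic category and then reports Art. 2(1), the prohibition that no requirement traces back to. The gap check is the point of the traceability links: once every extracted statement carries its originating article as a marker, a missing link is a compliance gap that can be found mechanically instead of by re-reading the law, while the classification itself still needs review by a legal analyst, as the surveyed work stresses.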
11. Conclusion
➤ RE community
● Elaborated techniques, concepts and tool support.
● Assumption: compliance can be achieved at the requirements
level, through the harmonization between IS requirements and
those derived from legislation.
● Address compliance regarding specific security and privacy
regulations.
➤ Approaches centred on business process
● More at the level of organization, its strategy, policies and
process, rather than on the underlying IS level.
● Include requirements imposed by a specific regulation into existing
business processes, to ensure or assess their compliance.
● Focus on modeling dynamic aspects of the organization.
● Service engineering requires that more aspects than business
processes alone be covered.
➤ No method, in the literature, specific to the design of compliant
e-government services.
12. Thank you for your attention!