Compliance In e-government Service Engineering: State Of The Art


  1. IESS 1.0 - First International Conference on Exploring Services Sciences, 17-18-19 February 2010, Geneva, Switzerland
     Compliance in e-government service engineering: State-of-the-art
     Slim Turki, Marija Bjeković-Obradović {slim.turki, marija.bjekovic}, CRP Henri Tudor, Luxembourg
     24-Mar-10 IESS 1.0 1
  2. Context
     - Organisations are faced with the need to conform to the various laws and regulations governing their domain of activity.
     - The obligation of compliance is particularly stressed in e-government.
       - e-government: "the use of ICT systems and tools to provide better public services to citizens and other businesses" [EC]
       - Administrative laws regulate the activities and decision-making of governmental institutions.
     - Regulation is an extensive source of requirements to be respected when designing the IS that support institutional activities and (e-)services to the public.
     - Approaches aiming to achieve and maintain regulatory compliance of IS and services with given regulations.
  3. Overview
     - Compliance in the business process research area
     - Extracting compliance requirements from legal texts
       - Deontic logic - extracting rights and obligations
       - Modeling regulations with goal-oriented models
     - Traceability support for compliance
  4. Compliance in the business process research area
     - (Kharbili et al., 2008): Ontologies for formal modeling of regulations, to resolve inconsistency of legal definitions and regulatory information fragments. Coupled with business processes, they form the basis for a compliance management framework, to manage evolution in both business processes and legislation.
     - (Karagiannis et al., 2007, 2008): Meta-modeling based approach: regulatory aspects are expressed in models and included in business process models, to improve or redesign them for compliance with the corresponding regulations. Applied to the Sarbanes-Oxley (SOX) act.
  5. Compliance in the business process research area
     - (Rifaut, 2005) PRM / PAM: Support for financial business process design (compliant with Basel II), and for assessment of compliance and its improvement. Goal-oriented models and the ISO/IEC 15504 process assessment standard are used for structuring requirements for the business process, and together compose a formal framework according to which compliance of the business process is assessed.
  6. Deontic logic (1/2): Extracting rights and obligations from regulations
     - (Kiyavitskaya et al., 2007), (Zeni et al., 2008): Extraction of "objects of concern" (right, anti-right, obligation, anti-obligation, and exception) from legal texts. Semantic annotation tool Cerno: obligation, constraint and condition keywords are highlighted in a regulation, and a list of constraints and obligations is obtained (including traceability markers).
     - (Biagioli et al.), (Palmirani, 2003): Automated extraction of normative references, such as specific rights and obligations, detailed in legal texts. Address the problem of the law's evolution by tracking changes over time.
  7. Deontic logic (2/2)
     - (Breaux and Antón, 2006), (Breaux and Antón, 2008): Extract and balance formal descriptions of rules (rights and obligations) that govern actors' actions from regulation. Combines goal-oriented analysis of legal documents with techniques for extracting rights, obligations, constraints and rules from natural language statements in legal text.
     - Strength: resolving the problems of ambiguity, polysemy and cross-references when analyzing legal text, and maintaining traceability across all the artefacts in the process.
     - Has been applied to US regulation governing information privacy in the health care domain.
  8. Modeling regulations with goal-oriented models
     - SecureTropos (Giorgini et al., 2005): Goal-oriented techniques to model security requirements. Assessing an organization's compliance with the Italian Data Protection Act. Manual extraction of concepts from the law; coverage of legal documents limited to the security aspect only.
     - (Ghanavati et al., 2007): Tracking compliance of business processes to legislation. Combines the goal-oriented requirement language (GRL), user requirements notation (URN), and use case maps (UCM). Links between models of legislation, organisation policy and processes, to enable examining the influence of evolving legislation on organizational policies and business processes. Applied in the domain of information privacy in healthcare in Canada.
  9. Extracting compliance requirements from legal texts - Challenges
     - Modeling regulations and extracting key concepts are recognized as challenging tasks for requirements engineers, system developers and compliance auditors (Otto and Antón, 2007), (Kiyavitskaya et al., 2008):
       - the very nature of the language in which laws are written, containing many ambiguities, cross-references, domain-specific definitions, acronyms etc.;
       - overlapping or complementing regulations at different levels of authority;
       - frequent changes or amendments of regulations over time, etc.
     - Law analysis is prone to interpretations and misunderstandings.
  10. Traceability support for compliance
      - Traceability is gaining in significance: the ability to maintain links between originating laws and derived artefacts (requirements, IS specifications etc.) as a measure to enable better understanding of legal documents and to prevent non-compliance of produced specifications.
      - (Ghanavati et al., 2007): Set of links to be established between legislation and organizational models.
      - (Breaux and Antón): Traceability maintained across all the artefacts produced, from legal text to the corresponding software requirements.
      - Most of the traceability links have to be established manually.
  11. Conclusion
      - RE community: elaborated techniques, concepts and tool support. Assumption: compliance can be achieved at the requirements level, through harmonization between IS requirements and those derived from legislation. Addresses compliance regarding specific security and privacy regulations.
      - Approaches centred on business processes: more at the level of the organization, its strategy, policies and processes, rather than at the underlying IS level. Including requirements imposed by a specific regulation into existing business processes, to ensure or assess their compliance. Focus on modeling the dynamic aspects of the organization.
      - Service engineering requires that more aspects, not only business processes, be covered.
      - No method in the literature is specific to the design of compliant e-government services.
  12. Thank you for your attention!
      Slim Turki, Marija Bjeković-Obradović {slim.turki, marija.bjekovic}, CRP Henri Tudor, Luxembourg
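Slide 6 describes keyword-driven annotation of a regulation into rights, obligations and exceptions with traceability markers, and slide 10 describes maintaining links from laws to derived requirements so that non-compliant specifications can be caught. The following Python is an added illustration of those two ideas together; it is not code from the Cerno tool, from the cited papers, or from the slide authors. The keyword lists, the "prohibition" label used for "shall not"/"must not" (the slide does not say how such statements map onto its anti-right/anti-obligation classes), the sample regulation and the sample requirements are all constructed for the example.

```python
"""Keyword-based deontic annotation of a regulation, with traceability markers.

Added example, not code from Cerno or from the slide authors. Keyword sets,
category labels, the sample regulation and the sample requirements are
assumptions constructed for illustration.
"""
import re
from dataclasses import dataclass

# Assumed minimal English keyword sets. Negated forms are listed first so that
# "shall not" is classified before the bare "shall" rule can match it.
KEYWORDS = [
    ("prohibition", r"\b(shall not|must not|may not)\b"),
    ("obligation",  r"\b(shall|must)\b"),
    ("right",       r"\b(may|is entitled to|are entitled to)\b"),
]
EXCEPTION_RE = re.compile(r"\b(unless|except)\b", re.IGNORECASE)
ARTICLE_RE = re.compile(r"^(Art\.\s*\d+)\.\s*(.*)$")


@dataclass(frozen=True)
class Marker:
    """Traceability marker: where in the source text a statement was found."""
    article: str
    sentence: int   # 1-based position of the sentence within the article
    start: int      # character offset of the deontic keyword in the sentence


@dataclass(frozen=True)
class Statement:
    category: str   # obligation | prohibition | right
    actor: str      # heuristic: the text preceding the deontic keyword
    action: str     # text following the keyword, exception clause removed
    exception: str  # condition introduced by 'unless'/'except', or ''
    marker: Marker


@dataclass(frozen=True)
class Requirement:
    """A derived IS requirement carrying a link back to its legal source."""
    rid: str
    text: str
    source: tuple   # (article, sentence) it claims to implement


def split_sentences(body):
    return [s.strip() for s in re.split(r"(?<=[.;])\s+", body) if s.strip()]


def annotate(regulation):
    """Highlight deontic keywords and return one Statement per matched sentence."""
    statements = []
    for raw in regulation.strip().splitlines():
        m = ARTICLE_RE.match(raw.strip())
        if not m:
            continue                      # not an article line; skipped
        article, body = m.group(1), m.group(2)
        for idx, sentence in enumerate(split_sentences(body), start=1):
            for category, pattern in KEYWORDS:
                k = re.search(pattern, sentence, re.IGNORECASE)
                if not k:
                    continue
                rest = sentence[k.end():].strip().rstrip(".;")
                exc = EXCEPTION_RE.search(rest)
                if exc:
                    action = rest[:exc.start()].strip().rstrip(",")
                    exception = rest[exc.end():].strip()
                else:
                    action, exception = rest, ""
                statements.append(Statement(category, sentence[:k.start()].strip(),
                                            action, exception,
                                            Marker(article, idx, k.start())))
                break                     # first (most specific) category wins
    return statements


def dangling_links(requirements, statements):
    """Requirement ids whose source marker resolves to no annotated statement."""
    known = {(s.marker.article, s.marker.sentence) for s in statements}
    return [r.rid for r in requirements if r.source not in known]


def uncovered_obligations(requirements, statements):
    """Obligations and prohibitions that no derived requirement traces back to."""
    covered = {r.source for r in requirements}
    return [s for s in statements
            if s.category in ("obligation", "prohibition")
            and (s.marker.article, s.marker.sentence) not in covered]


# Constructed sample regulation (not a real statute).
SAMPLE_REGULATION = """
Art. 3. A public body shall publish the list of e-services it provides.
Art. 4. A citizen may request access to the personal data held about them.
Art. 5. The public body shall not disclose personal data to third parties, unless the citizen has consented.
Art. 6. A public body must record each access to personal data.
"""

# Constructed derived requirements; REQ-3 points at a non-existent article.
SAMPLE_REQUIREMENTS = [
    Requirement("REQ-1", "Portal publishes the service catalogue", ("Art. 3", 1)),
    Requirement("REQ-2", "Data-access request form for citizens", ("Art. 4", 1)),
    Requirement("REQ-3", "Audit log of personal-data access", ("Art. 7", 1)),
]

if __name__ == "__main__":
    stmts = annotate(SAMPLE_REGULATION)
    for s in stmts:
        tail = f" (unless {s.exception})" if s.exception else ""
        print(f"{s.marker.article} s{s.marker.sentence}: [{s.category}] {s.actor} -> {s.action}{tail}")
    print("dangling links:", dangling_links(SAMPLE_REQUIREMENTS, stmts))
    print("uncovered:", [s.marker.article for s in uncovered_obligations(SAMPLE_REQUIREMENTS, stmts)])
```

Run on the sample, the annotator yields one obligation, one right, one prohibition with its exception clause separated, and a second obligation; the two link checks then report REQ-3 as a dangling trace and Art. 5 and Art. 6 as legal constraints with no requirement covering them, which is the kind of gap slide 10 argues traceability links exist to expose.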