IESS 1.0 - First International Conference on Exploring Services Sciences
17-18-19 February 2010, Geneva, Switzerland

Compliance in e-government service engineering
State-of-the-art

Slim Turki, Marija Bjeković-Obradović
{slim.turki, marija.bjekovic}@tudor.lu
CRP Henri Tudor, Luxembourg

24-Mar-10                            IESS 1.0                                         1
Context


    Organisations are faced with the need to conform to the various laws and
    regulations governing their domain of activity.
    The obligation of compliance is particularly stressed in e-government.
        e-government: “the use of ICT systems and tools to provide better
        public services to citizens and other businesses” [EC]
        administrative laws regulate the activities and decision-making of
        governmental institutions.
    Regulation
        an extensive source of requirements to be respected when designing IS
        that support institutional activities and (e-)services to the public.
    Approaches aiming to achieve and maintain the regulatory compliance of IS
    and services with given regulations.

Overview


    Compliance in the business process research area
    Extracting compliance requirements from legal texts
        Deontic logic - Extracting rights and obligations
        Modeling regulations with goal-oriented models
    Traceability support for compliance

Compliance in the business process research area

    (Kharbili et al., 2008)
        Ontologies for the formal modeling of regulations, to resolve
        inconsistencies between legal definitions and regulatory information
        fragments.
        Coupled with business processes, they form the basis of a compliance
        management framework that manages evolution in both the business
        processes and the legislation.
    (Karagiannis et al., 2007, 2008)
        Meta-modeling based approach: regulatory aspects are expressed in
        models and included in business process models, to improve or
        redesign them for compliance with the corresponding regulations.
        Applied to the Sarbanes-Oxley (SOX) Act.

Compliance in the business process research area

    (Rifaut, 2005)
        PRM / PAM (process reference model / process assessment model)
        Support for financial business process design (compliant with Basel
        II), and for the assessment of compliance and its improvement.
        Goal-oriented models and the ISO/IEC 15504 process assessment
        standard are used to structure the requirements for the business
        process, and together compose a formal framework against which the
        compliance of the business process is assessed.

Deontic logic (1/2)

    Extracting rights and obligations from regulations
    (Kiyavitskaya et al., 2007) (Zeni et al., 2008)
        Extraction of “objects of concern” (right, anti-right, obligation,
        anti-obligation, and exception) from legal texts.
        Semantic annotation tool Cerno: obligation, constraint and condition
        keywords are highlighted in a regulation, and a list of constraints
        and obligations is obtained (including traceability markers).
    (Biagioli et al.) (Palmirani, 2003)
        Automated extraction of normative references, such as specific
        rights and obligations, detailed in legal texts.
        Address the problem of the law’s evolution by tracking changes over
        time.

Deontic logic (2/2)

    (Breaux and Antón, 2006), (Breaux and Antón, 2008)
        Extract and balance formal descriptions of the rules (rights and
        obligations) that govern actors' actions from regulation.
        Combines goal-oriented analysis of legal documents with techniques
        for extracting rights, obligations, constraints and rules from
        natural-language statements in legal text.
        Strength: resolves the problems of ambiguity, polysemy and
        cross-references when analyzing legal text, and maintains
        traceability across all the artefacts in the process.
        Has been applied to US regulation governing information privacy in
        the health care domain.

Modeling regulations with goal-oriented models

    SecureTropos (Giorgini et al., 2005)
        Goal-oriented techniques to model security requirements.
        Assessing an organization's compliance with the Italian Data
        Protection Act.
        Manual extraction of concepts from the law; coverage of the legal
        documents limited to the security aspect only.
    (Ghanavati et al., 2007)
        Tracking compliance of business processes with legislation.
        Combines the Goal-oriented Requirement Language (GRL), the User
        Requirements Notation (URN) and Use Case Maps (UCM).
        Links between models of legislation, organisational policy and
        processes, to enable examining the influence of evolving legislation
        on organizational policies and business processes.
        Applied in the domain of information privacy in healthcare in
        Canada.

Extracting compliance requirements from legal texts - Challenges

    Modeling regulations and extracting key concepts are recognized as
    challenging tasks for requirements engineers, system developers and
    compliance auditors (Otto and Antón, 2007) (Kiyavitskaya et al., 2008):
        the very nature of the language in which laws are written, containing
        many ambiguities, cross-references, domain-specific definitions,
        acronyms, etc.;
        overlapping or complementary regulations at different levels of
        authority;
        frequent changes or amendments of regulations over time, etc.

    Law analysis is prone to interpretations and misunderstandings.

Traceability support for compliance

    Traceability is gaining in significance
        The ability to maintain links between originating laws and derived
        artefacts (requirements, IS specifications, etc.) is a measure to
        enable a better understanding of legal documents and to prevent
        non-compliance of the produced specifications.
    (Ghanavati et al., 2007)
        Set of links to be established between legislation and
        organizational models.
    (Breaux and Antón)
        Traceability maintained across all the artefacts produced from the
        legal text to the corresponding software requirements.
        Most of the traceability links have to be established manually.

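The traceability links this slide describes, as an added Python illustration that is not code from the slides or from any of the cited authors: a small traceability matrix links each clause of a regulation to the requirements and specifications derived from it, reports clauses with no derived artefact (a compliance gap), and, when an amended version of the regulation arrives, lists the artefacts whose source clause changed or was repealed so that they can be reviewed. The class and function names (TraceabilityMatrix, Clause, Artefact, fingerprint) and every clause reference, clause text and artefact identifier are constructed for the example.

```python
"""Traceability from legal clauses to derived artefacts (added illustration).

Not code from the slides or the cited authors. All clause references,
clause texts and artefact identifiers below are constructed sample data.
"""
from dataclasses import dataclass
from hashlib import sha256


@dataclass(frozen=True)
class Clause:
    ref: str    # clause identifier in the regulation, e.g. "Art. 1" (constructed)
    text: str   # normative text of the clause


@dataclass(frozen=True)
class Artefact:
    ident: str             # requirement or specification identifier (constructed)
    kind: str              # "requirement" or "specification"
    derived_from: tuple    # refs of the clauses this artefact implements


def fingerprint(text: str) -> str:
    """Stable digest of a clause text, used to detect amendments.

    Whitespace is normalised first so a merely reflowed clause is not
    reported as changed."""
    normalised = " ".join(text.split())
    return sha256(normalised.encode("utf-8")).hexdigest()


class TraceabilityMatrix:
    """Links between a baseline version of a regulation and derived artefacts."""

    def __init__(self, clauses):
        self.clauses = {c.ref: c for c in clauses}
        self.baseline = {c.ref: fingerprint(c.text) for c in clauses}
        self.artefacts = {}

    def link(self, artefact: Artefact) -> None:
        """Register an artefact; every clause it cites must exist in the baseline."""
        missing = [r for r in artefact.derived_from if r not in self.clauses]
        if missing:
            raise KeyError(f"{artefact.ident} cites unknown clause(s): {missing}")
        self.artefacts[artefact.ident] = artefact

    def uncovered_clauses(self) -> set:
        """Clauses from which no artefact was derived: a potential non-compliance."""
        covered = {r for a in self.artefacts.values() for r in a.derived_from}
        return set(self.clauses) - covered

    def impact_of(self, revised_clauses) -> dict:
        """Compare a revised regulation with the baseline and list what to review."""
        revised = {c.ref: fingerprint(c.text) for c in revised_clauses}
        changed = {r for r in self.baseline
                   if r in revised and revised[r] != self.baseline[r]}
        removed = set(self.baseline) - set(revised)
        added = set(revised) - set(self.baseline)
        affected = changed | removed
        # Any artefact derived from a changed or repealed clause needs review;
        # newly added clauses show up as uncovered once the baseline is updated.
        to_review = sorted(a.ident for a in self.artefacts.values()
                           if affected.intersection(a.derived_from))
        return {"changed": sorted(changed), "removed": sorted(removed),
                "added": sorted(added), "artefacts_to_review": to_review}


def build_sample() -> TraceabilityMatrix:
    """Constructed sample: three clauses, only two of them traced to artefacts."""
    baseline = [
        Clause("Art. 1", "The authority shall identify the applicant before issuing a permit."),
        Clause("Art. 2", "Decisions shall be notified to the applicant within 30 days."),
        Clause("Art. 3", "The applicant may request a copy of the file."),
    ]
    m = TraceabilityMatrix(baseline)
    m.link(Artefact("REQ-01", "requirement", ("Art. 1",)))
    m.link(Artefact("REQ-02", "requirement", ("Art. 2",)))
    m.link(Artefact("SPEC-07", "specification", ("Art. 1", "Art. 2")))
    return m


def sample_amendment() -> list:
    """Constructed revision: Art. 1 only reflowed, Art. 2 shortened to 15 days,
    Art. 3 repealed, Art. 4 added."""
    return [
        Clause("Art. 1", "The authority shall identify  the applicant before issuing a permit."),
        Clause("Art. 2", "Decisions shall be notified to the applicant within 15 days."),
        Clause("Art. 4", "Identification data shall be retained for no longer than one year."),
    ]


if __name__ == "__main__":
    matrix = build_sample()
    print("uncovered clauses:", sorted(matrix.uncovered_clauses()))
    print("impact of amendment:", matrix.impact_of(sample_amendment()))
```

Running the sample reports "Art. 3" as uncovered (a right granted by the law with no artefact implementing it) and, for the amendment, flags REQ-02 and SPEC-07 for review because both derive from the changed Art. 2, while REQ-01 is left alone since Art. 1 only changed in whitespace. The link step refusing an artefact that cites a non-existent clause is what keeps the matrix from silently drifting away from the law it is supposed to trace.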
Conclusion

    Requirements engineering (RE) community
        Elaborated techniques, concepts and tool support.
        Assumption: compliance can be achieved at the requirements level,
        through harmonization between the IS requirements and those derived
        from legislation.
        Address compliance with specific security and privacy regulations.
    Approaches centred on business processes
        Operate more at the level of the organization, its strategy, policies
        and processes than at the underlying IS level.
        Include the requirements imposed by a specific regulation in existing
        business processes, to ensure or assess their compliance.
        Focus on modeling the dynamic aspects of the organization.
        Service engineering requires that more aspects, not only business
        processes, be covered.
    No method in the literature is specific to the design of compliant
    e-government services.

Thank you for your attention!

