Achieving Traceable Compliance using the Ampersand Method

Achieving Traceable Compliance using the Ampersand Method. Open University of the Netherlands TouW gathering March 6th 2010 Henriëtte Sangers. Different aspects research. IT systems development. Compliance. Business Ontologies. Ampersand Method. GAP. Mind the Gap. Obedience.

Presentation Transcript
Achieving Traceable Compliance using the Ampersand Method

Open University of the Netherlands
TouW gathering, March 6th 2010
Henriëtte Sangers

Different aspects of the research

  • IT systems development
  • Compliance
  • Business Ontologies
  • Ampersand Method
  • GAP

Mind the Gap

Obedience
Follow rules

Compliance
Respect others
Do the right thing

“The limits of our language mean the limits of our world” (Wittgenstein, 1922)

Two Gaps in IT Systems Development
  • Different use of concepts: misunderstandings about the desired functionality
  • Wrong implementation of correctly understood desired functionality
  • Both contribute to the bad track record of IT projects
The importance of being… an OU student
  • Usually you are older… what’s so great about that?
  • Let’s try: more mature? More experienced?
    => If you work in IT: you saw the gap
  • If you really want to know the gap, cross it!
    => Use the opportunities to experience the other side
  • Chance to get a better understanding of the mutual dependency Business - IT

Compliance

Organisations operating according to rules and regulations set for this type of organisation.

Financial World: Barings, ING, ABN AMRO, IceSave, Lehman Brothers

New regulations to restore public trust in the financial system:
  • Basel II
  • SOx
  • MIFID
  • CDD

=> Focus now on ‘getting it right’

People, procedures and IT-systems all need to be compliant!

Compliance Challenge
  • Adapt to rapidly changing ruling in a competitive market
    • stay flexible
    • change at low costs
  • Specific difficulties of compliance:
    • translating compliance ruling into measures for the organisation
    • many rules and regulations from different sources
    • traceability - ‘proving’ compliance
Compliance Challenge - surveys

Mercury: US and European businesses expect a large part of IT budgets will go to compliance projects in the coming years.

Deloitte and Touche: complexity of IT environments is seen as a major impediment in compliance projects.

Gartner: organisations can experience a competitive advantage by handling compliance issues more efficiently than others.

The Ampersand Method I

Stef Joosten

  • Rule-based Business Process Management
  • Formal approach to IT systems development
  • Succeeds / incorporates:
    • Calculating with Concepts: finding and verifying business rules
    • ADL (A Description Language): capturing business rules
  • Building blocks:
    • Concepts: entities which are important to users
    • Relations: associations between concepts
    • Rules: invariants, represent business logic
The Ampersand Method II
  • Based on relation algebra, can be used to:
    • get clarity about specifications (cycle chasing)
    • specify and even generate IT systems which can be proven to implement business logic (as in business rules) correctly
  • Business processes are derived from business rules, not built with them.

Bridging the Gap: Ontologies
  • How to represent the real world: ontologies, the silver bullet?
  • Everybody his own ontology: solving problems or raising misunderstandings to a higher level?
  • Long history in IT Systems Analysis and Design (ISAD), a.o. the Bunge-Wand-Weber representation model
  • Why use ontologies in IT:
    • Enabling common understanding: sofa/couch, property/attribute
    • Reuse domain knowledge
    • Make domain knowledge explicit, support analysis
Use of Ontologies in IT
  • Applications: information integration, P2P information sharing, web service composition, ambient intelligence, web navigating and querying (Marktplaats)
  • Recent developments in the area of automated concept matching and ontology integration

Ampersand, Business Ontologies and Compliance
  • Business (compliance) rules can be used directly, no need to program business processes
  • All business (compliance) logic in one place, easy to check by users and auditors
  • Mathematical proof that the functionality matches the business (compliance) rules can be provided
  • Business ontologies are easy to use with Ampersand and help bridge the gap between compliance ruling and business concepts
Research at Purdue University
  • CERIAS program: Center for Education and Research in Information Assurance and Security
  • Computer Science research group dedicated to Digital Identity Management and Protection
  • Articles on:
    • traceable and flexible compliance with privacy ruling
    • use of ontologies to support common understanding of concepts
Articles Purdue University

Examples:

  • Achieving Privacy in Trust Negotiations with an Ontology-Based Approach. IEEE Transactions on Dependable and Secure Computing, January-March 2006.
  • Traceable and Automatic Compliance of Privacy Policies in Federated Digital Identity Management. 6th Workshop on Privacy Enhancing Technologies, Cambridge University UK, 2006.
The Case
  • Federated environment of medical service providers and patients
  • Automated exchange of patients’ information among service providers
  • Compliance with patients’ privacy preferences
  • Breaches of trust need to be traceable
  • Other requirements:
    • common understanding of concepts (medical, privacy preferences)
    • automated matching of concepts
    • flexibility and traceability
Purdue Solution I
  • Check isMoreStrict
  • A. Privacy preference templates
  • PPx stricter than PPy if x < y

Purdue Solution II
  • B. Customized privacy preferences: more complex checks / ordering
  • 3. Check logging - trace back

Ampersand Solution: Concepts, Relations and Rules

  • Concepts: entities which are important to users

    CONCEPT "Participant" "party in federated service network, person or service provider."
    CONCEPT "PrivacyPreference" "a policy statement about how to deal with information"
    CONCEPT "Data" "the type of data that can be stored of a person."

  • Relations: associations between concepts

    belongsTo :: PrivacyPreference => Participant
    subsumes :: PrivacyPreference * PrivacyPreference [TRN,ASY]
      PRAGMA "" " subsumes, is less strict than "
    requestsInformationFrom :: Participant * Participant

  • Rules: invariants, represent business logic

    requestsInformationFrom -: (hasPrivacyPreference; hasPrivacyPreference~)
                            \/ (hasPrivacyPreference; subsumes~; hasPrivacyPreference~)
      EXPLANATION "Information can only be requested from a party with an equally or less strict privacy policy."
Ampersand Solution - base

[Diagram: possible occurrences, allowed occurrences, actual occurrences]

requestsInformationFrom -: (hasPrivacyPreference; hasPrivacyPreference~)
                        \/ (hasPrivacyPreference; subsumes~; hasPrivacyPreference~)

Ampersand Solution - flexibility

[Diagram: possible occurrences, allowed occurrences, special permission, actual occurrences]

requestsInformation -: ((belongsTo~; hasPurpose; subsPurpose~; hasPurpose~)
                     /\ (belongsTo~; refersToData; subsData~; refersToData~))
                     \/ (permissionTo~; permissionConcerns)

Ampersand - ontologies

subsPurpose :: Purpose * Purpose [TRN,ASY]
  PRAGMA "" " subsumes, is less strict than"
  = [ ("General-purpose", "Treatment")
    ; ("General-purpose", "Insurance")
    ; ("General-purpose", "Research")
    ; ("Research", "Teaching")
    ; ("Research", "Development")
    ; ("Research", "Marketing")
    ].

Ampersand - ontology integration

[Diagram: possible occurrences, allowed occurrences, out of bound occurrences]

requestsInformationFrom -: hasPrivacyPreference; hasPurpose; subsPurpose~; hasPurpose~; hasPrivacyPreference~
  EXPLANATION "Information can only be requested from a party with an equally or less strict purpose policy."
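The rules on these slides are relation-algebra inclusions: the left-hand relation (the actual occurrences) must be contained in the right-hand expression (the allowed occurrences), and every pair outside it is a violation the system must flag. The following Python, added here as an illustration and not taken from the presentation or from the Ampersand project, models relations as sets of pairs, implements composition (`;`), converse (`~`) and the transitive closure that `[TRN]` demands, and evaluates the purpose rule of this slide against a constructed population. The subsPurpose pairs are those of the ontology slide; the participants, their privacy preferences, purposes and requests are constructed sample data, and reading `-:` as inclusion is an assumption about the notation.

```python
"""Evaluating an Ampersand-style relation-algebra rule over a sample population.

Added example; not code from the presentation or from the Ampersand project.
Relations are plain Python sets of (source, target) pairs. The purpose
ordering is the subsPurpose population from the slide; participants,
preferences and requests are constructed for illustration.
"""


def converse(r):
    """r~ : the converse relation, every pair flipped."""
    return {(b, a) for (a, b) in r}


def compose(*relations):
    """Relational composition r1;r2;...;rn, read left to right."""
    result = set(relations[0])
    for s in relations[1:]:
        result = {(a, c) for (a, b) in result for (b2, c) in s if b == b2}
    return result


def transitive_closure(r):
    """Smallest transitive relation containing r (what the [TRN] property demands)."""
    closure = set(r)
    while True:
        grown = closure | compose(closure, closure)
        if grown == closure:
            return closure
        closure = grown


def is_asymmetric(r):
    """The [ASY] property: (a,b) in r rules out (b,a); it also rules out (a,a)."""
    return all((b, a) not in r for (a, b) in r)


# Purpose ontology from the slide: (x, y) means x subsumes y, i.e. x is less strict than y.
SUBS_PURPOSE = transitive_closure({
    ("General-purpose", "Treatment"),
    ("General-purpose", "Insurance"),
    ("General-purpose", "Research"),
    ("Research", "Teaching"),
    ("Research", "Development"),
    ("Research", "Marketing"),
})

# Constructed population: participant -> privacy preference -> purpose.
HAS_PRIVACY_PREFERENCE = {
    ("hospital", "ppHospital"), ("clinic", "ppClinic"),
    ("insurer", "ppInsurer"), ("lab", "ppLab"), ("university", "ppUniversity"),
}
HAS_PURPOSE = {
    ("ppHospital", "Treatment"), ("ppClinic", "Treatment"),
    ("ppInsurer", "General-purpose"), ("ppLab", "Research"),
    ("ppUniversity", "Teaching"),
}

# Constructed actual occurrences of requestsInformationFrom (requester, requested party).
REQUESTS_INFORMATION_FROM = {
    ("hospital", "insurer"),   # Treatment requesting from General-purpose
    ("university", "lab"),     # Teaching requesting from Research
    ("insurer", "hospital"),   # General-purpose requesting from Treatment
    ("hospital", "clinic"),    # Treatment requesting from Treatment
}


def allowed_requests(include_equal=False):
    """Right-hand side of the slide's rule
         requestsInformationFrom -: hasPrivacyPreference; hasPurpose; subsPurpose~;
                                    hasPurpose~; hasPrivacyPreference~
    With include_equal=True the extra disjunct
         hasPrivacyPreference; hasPurpose; hasPurpose~; hasPrivacyPreference~
    is added, which admits a requested party with exactly the same purpose.
    """
    less_strict = compose(HAS_PRIVACY_PREFERENCE, HAS_PURPOSE, converse(SUBS_PURPOSE),
                          converse(HAS_PURPOSE), converse(HAS_PRIVACY_PREFERENCE))
    if not include_equal:
        return less_strict
    equal = compose(HAS_PRIVACY_PREFERENCE, HAS_PURPOSE,
                    converse(HAS_PURPOSE), converse(HAS_PRIVACY_PREFERENCE))
    return less_strict | equal


def violations(include_equal=False):
    """Actual occurrences outside the allowed ones: the pairs the rule rejects."""
    return REQUESTS_INFORMATION_FROM - allowed_requests(include_equal)


if __name__ == "__main__":
    print("subsPurpose asymmetric:", is_asymmetric(SUBS_PURPOSE))
    for flag in (False, True):
        print("include_equal =", flag, "-> violations:", sorted(violations(flag)))
```

Running the module reports the insurer's request to the hospital as a violation in both modes: General-purpose is less strict than Treatment, so the requested party is stricter than the requester. The hospital's request to the clinic shows why the check is worth running over the formula itself: subsPurpose is declared `[TRN,ASY]`, and an asymmetric relation contains no `(p, p)` pair, so `hasPurpose; subsPurpose~; hasPurpose~` alone never admits two parties with the same purpose even though the EXPLANATION says "equally or less strict". The privacy-preference rule on the earlier slide covers the equal case with its `hasPrivacyPreference; hasPrivacyPreference~` disjunct; `include_equal=True` adds the analogous disjunct for purposes.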

Solutions Compared

Purdue                              | Ampersand
------------------------------------|-----------------------------------------
programming business processes      | deriving business processes from rules
business logic in systems coding    | business logic in rule base
mathematical proof not provided     | mathematical proof provided
more familiar to most IT staff      | less well known
Conclusions I
  • The Ampersand method offers advantages in achieving compliance in IT:
    • business rules used directly to generate the IT system
    • all business logic in one place, easy to check
    • correct implementation can be proven
  • Business ontologies enhance the usability of Ampersand:
    • easy to integrate with Ampersand / ADL
    • help bridge the gap between compliance and business concepts
    • allow combination of rule patterns / compliance patterns
Conclusions II
  • Advantages of the Ampersand method combined with business ontologies reach beyond compliance:
    • help get clarity about desired functionality
    • less discussion about implementation issues
    • increase IT developers’ productivity
    • enhance flexibility
Further Research
  • Automated matching of business logic and (compliance) ruling, supported by business ontologies
  • Integrating Ampersand compliance and business rule patterns to offer extended functionality in IT systems development
  • Generating a ‘compliance certificate’ based on correct matching of compliance ruling and business concepts

Master Thesis
  • Choose a subject you like, after all you are stuck with it!
  • Choose a subject which is doable in the time you want to spend
  • Watch out for dependencies
  • Combine with your job or join existing research, taking into account:
    • Level of freedom
    • Academic level
    • Time efficiency
  • Say goodbye to your friends and go for IT!

QUESTIONS?
