1 / 29

Achieving Traceable Compliance using the Ampersand Method

Achieving Traceable Compliance using the Ampersand Method. Open University of the Netherlands TouW gathering March 6th 2010 Henriëtte Sangers. Different aspects research. IT systems development. Compliance. Business Ontologies. Ampersand Method. GAP. Mind the Gap. Obedience.

rickeyfrederick
Download Presentation

Achieving Traceable Compliance using the Ampersand Method

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Achieving Traceable Compliance using the Ampersand Method Open University of the Netherlands TouW gathering March 6th 2010 Henriëtte Sangers

  2. Different aspects research IT systems development Compliance Business Ontologies Ampersand Method GAP

  3. Mind the Gap Obedience Follow rules Compliance Respect others Do the right thing The limits of our language mean the limits of our world Wittgenstein (1922)

  4. Two Gaps in IT Systems Development • Different use of concepts – misunderstandings about • desired functionality • Wrong implementation of correctly understood • desired functionality • Contribute to the bad track record of IT projects

  5. The importance of being…an OU student • Usually you are older…what’s so great about that? • Let’s try: more mature? More experienced? => If you work in IT: you saw the gap • If you really want to know the gap crossit! => Use the opportunities to experience the other side • Chance to get better understanding of mutual dependency Business - IT

  6. Compliance Organisations operating according to rules and regulations set for this type of organisation. Barings ING ABN AMRO Financial World IceSave Lehman Brothers New regulations to restore public trust in the financial system: • Basel II • SOx • MIFID • CDD => Focus now on ‘getting it right’ People, procedures and IT-systems all need to be compliant!

  7. Compliance Challenge • Adapt to rapidly changing ruling in a competitive market • stay flexible • change at low costs • Specific difficulties compliance: • translating compliance ruling into measures for organisation • many rules and regulations from different sources • traceability - ‘proving’ compliance

  8. Compliance Challenge - surveys Mercury US and European businesses expect a large part of IT budgets will go to compliance projects in the coming years Deloitte and Touche Complexity of IT environments is seen as a major impediment in compliance projects Gartner Organisations can experience a competitive advantage by handling compliance issues more efficiently than others

  9. The Ampersand Method I Stef Joosten • Rule based Business Process Management • Formal approach to IT systems development • Succeeds/ incorporates: • Calculating with Concepts: finding and verifying business rules • ADL (A Description Language): capturing business rules • building blocks: • Concepts: entities which are important to users • Relations: associations between concepts • Rules: invariants, represent business logic

  10. The Ampersand Method II • Based on relation algebra, can be used to: • Get clarity about specifications (cycle chasing) • Specifying and even generating IT systems which can be proven • to implement business logic (as in business rules) correctly. • Business processes are derived from business rules, not built with them.

  11. Bridging the Gap: Ontologies • How to represent the real world: ontologies, the silver bullet? • Everybody his own ontology: solving problems or raising misunderstandings to a higher level? • Long history in IT Systems Analysis and Design (ISAD), a.o. Bunge-Wand-Weber representation model • Why use ontologies in IT: • Enabling common understanding: sofa/couch, property/attribute • Reuse domain knowledge • Make domain knowledge explicit, support analysis

  12. Use of Ontologies in IT • Applications: information integration, P2P information sharing, web service composition, ambient intelligence, web navigating and querying (Marktplaats) • Recent developments in the area of automatedconcept matching and ontology integration

  13. Ampersand, Business Ontologies and Compliance • Business (compliance) rules can be used directly, no need to • program business processes • All business (compliance) logic in one place, easy to check by • users and auditors • Mathematical prove that functionality matches business • (compliance) rules can be provided • Business ontologies easy to use with Ampersand, help bridge • the gap between compliance ruling and business concepts

  14. Research at Purdue University • CERIAS program: Center for Education and Research in Information Assurance and Security • Computer Science Research group dedicated to: Digital Identity Management and Protection • Articles on: • traceable and flexible compliance with privacy ruling • use of ontologiesto support common understanding of concepts

  15. Articles Purdue University Examples: • Achieving Privacy in Trust Negotiations with an Ontology-Based Approach. • IEEE Transactions on Dependable and Secure Computing, January-March 2006 • Traceable and Automatic Compliance of Privacy Policies in Federated Digital • Identity Management. 6th Workshop on Privacy Enhancing Technologies. • Cambridge University UK, 2006.

  16. The Case • Federated environment of medical service providers and patients • Automated exchange of patients’ information among service providers • Compliance with patients’ privacy preferences • Breaches of trust need to be traceable • Other requirements: • common understanding of concepts (medical, privacy preferences) • automated matching of concepts • flexibility and traceability

  17. Purdue Solution I • Check isMoreStrict • A. Privacy preference templates • PPx stricter than Ppy if x < y

  18. Purdue Solution II • B. Customized privacy preferences More complex checks / ordening. 3. Check logging - trace back

  19. Ampersand SolutionConcepts, Relations and Rules • Concepts: entities which are important to users • CONCEPT "Participant" "party in federated service network, person or service provider." • CONCEPT "PrivacyPreference" "a policy statement about how to deal with information" • CONCEPT "Data" "the type of data that can be stored of a person." • Relations: associations between concepts • belongsTo :: PrivacyPreference => Participant • subsumes :: PrivacyPreference * PrivacyPreference [TRN,ASY] • PRAGMA "" " subsumes, is less strict than “ • requestsInformationFrom :: Participant * Participant • Rules: invariants, represent business logic • requestsInformationFrom -: (hasPrivacyPreference; hasPrivacyPreference~) • \/ (hasPrivacyPreference; subsumes~; hasPrivacyPreference~) • EXPLANATION "Information can only be requested from a party with an equally • or less strict privacy policy."

  20. Ampersand Solution - base possible occurrences allowed occurrences actual occurrences x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x xx x x x x x x x x x x x x x x x xx x x x x x x x x x x x x x x x x x x x x xxx x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x requestsInformationFrom -: (hasPrivacyPreference; hasPrivacyPreference~) \/ (hasPrivacyPreference; subsumes~; hasPrivacyPreference~)

  21. Ampersand Solution - flexibility possible occurrences allowed occurrences special permission actual occurrences x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x xx x x x x x x x x x x x x x x x xx x x x x x x x x x x x x x x x x x x x x xxx x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x requestsInformation -: ((belongsTo~; hasPurpose; subsPurpose~; hasPurpose~) /\ (belongsTo~; refersToData; subsData~; refersToData~)) \/ (permissionTo~; permissionConcerns)

  22. Ampersand - ontologies subsPurpose :: Purpose * Purpose [TRN,ASY] PRAGMA "" " subsumes, is less strict than" = [ ("General-purpose", "Treatment") ; ("General-purpose", "Insurance") ; ("General-purpose", "Research") ; ("Research", "Teaching") ; ("Research", "Development") ; ("Research", "Marketing") ].

  23. Ampersand - ontology integration possible occurrences allowed occurrences out of bound occurrences x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x xx x x x x x x x x x x x x x x x xx x x x x x x x x x x x x x x x x x x x x xxx x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x requestsInformationFrom -: hasPrivacyPreference; hasPurpose; subsPurpose~; hasPurpose~; hasPrivacyPreference~ EXPLANATION "Information can only be requested from a party with an equally or less strict purpose policy."

  24. Ampersand - screen

  25. Solutions Compared Purdue Ampersand • programming business processes • deriving business processes from rules • business logic in systems coding • business logic in rule base • mathematical prove not provided • mathematical prove provided • more familiar to most IT staff • less well known

  26. Conclusions I • Ampersand method offers advantages in achieving compliance in IT • business rules used directly to generate IT system • all business logic in one place, easy to check • correct implementation can be proven • Business ontologies enhance usability Ampersand • easy to integrate with Ampersand / ADL • help bridge gap between compliance- and business concepts • allow combination of rule patterns / compliance patterns

  27. Conclusions II • Advantages Ampersand method combined with business ontologies reach beyond compliance • help get clarity about desired functionality • less discussion about implementation issues • increase IT developers productivity • enhance flexibility

  28. Further Research • Automated matching of business logic and (compliance) ruling, supported by business ontologies • Integrating Ampersand compliance- and business rule patterns to offer extended functionality in IT systems development • Generating a ‘compliance certificate’ based on correct matching of compliance ruling and business concepts

  29. Master Thesis • Choose a subject you like, after all you are stuck with it! • Choose a subject which is doable in the time you want to spend • Watch out for dependencies • Combine with job or join existing research, take into account: • Level of freedom • Academic level • Time efficiency • Say good bye to your friends and go for IT! QUESTIONS?

More Related