A Model-Based Privacy Compliance Checker

Increasingly, e-business organisations are coming under pressure to be compliant with a range of privacy legislation, policies and best practice. There is a clear need for high-level management and administrators to be able to assess in a dynamic, customisable way the degree to which their enterprise complies with these. We outline a solution to this problem in the form of a model-driven automated privacy process analysis and configuration checking system. This system models privacy compliance constraints, automates the assessment of the extent to which a particular computing environment is compliant and generates dashboard-style reports that highlight policy failures. We have developed a prototype that provides this functionality in the context of governance audit; this includes the development of software agents to gather information on the fly regarding selected privacy enhancing technologies and other aspects of enterprise system configuration. This approach may also be tailored to enhance the assurance provided by existing governance tools.
