Towards Variability-Aware Legal-GRL Framework for Modeling Compliance Requirements

The increasing adoption of cloud computing is making operating environments highly dynamic and changing. Once an operating environment condition (e.g., geographical location of data) changes, the compliance requirements might alsochange. To ensure that compliance requirements are continuouslymet, there is a need for frameworks that not only support modeling regulations, but also capture the potential environment variabilities and conditions in a systematic way. This paper introduces Variability-Aware Legal-GRL (Goal-oriented Requirements Language) framework for modeling compliance requirements in the presence of runtime changes. We extend the Goal-oriented Requirements Language (GRL) with new elements and model construction rules to model context-aware privacy policies for dynamic multi-jurisdictional domains as well as features for monitoring changes that trigger adaptation. We motivate and illustrate the proposed framework using Health Insurance Portability and Accountability Act (HIPAA) and Personal Health Information Protection Act (PHIPA) statements. The proposed modeling framework allows software engineers to automatically quantify and analyze satisfaction level of security and privacy related top level goals for multiple software design alternatives and thus, choose the best set of privacy measures.

[1]  Daniel Amyot,et al.  Goal and scenario modeling, analysis, and transformation with jUCMNav , 2009, 2009 31st International Conference on Software Engineering - Companion Volume.

[2]  Bashar Nuseibeh,et al.  Engineering adaptive privacy: On the role of privacy awareness requirements , 2013, 2013 35th International Conference on Software Engineering (ICSE).

[3]  Liliana Pasquale,et al.  Towards Adaptive Compliance , 2016, 2016 IEEE/ACM 11th International Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMS).

[4]  Daniel Amyot,et al.  Legal goal-oriented requirement language (legal GRL) for modeling regulations , 2014, MiSE 2014.

[5]  John Mylopoulos,et al.  Goal-Oriented Requirements Engineering: A Systematic Literature Map , 2016, 2016 IEEE 24th International Requirements Engineering Conference (RE).

[6]  Sepideh Ghanavati,et al.  Impact of Legal Interpretation in Business Process Compliance , 2015, 2015 IEEE/ACM 1st International Workshop on TEchnical and LEgal aspects of data pRivacy and SEcurity.

[7]  Daniel Amyot,et al.  Modeling and Analysis of URN Goals and Scenarios with jUCMNav , 2009, 2009 17th IEEE International Requirements Engineering Conference.

[8]  Bashar Nuseibeh,et al.  Adaptive security and privacy in smart grids: A software engineering vision , 2012, 2012 First International Workshop on Software Engineering Challenges for the Smart Grid (SE-SmartGrids).

[9]  Anna Perini,et al.  Nòmos 3: Legal Compliance of Roles and Requirements , 2014, ER.

[10]  Lynn A. Karoly,et al.  Health Insurance Portability and Accountability Act of 1996 (HIPAA) Administrative Simplification , 2010, Practice Management Consultant.

[11]  Jorge Lobo,et al.  Privacy-Aware Role-Based Access Control , 2007, IEEE Security & Privacy.

[12]  Bashar Nuseibeh,et al.  Privacy Dynamics: Learning Privacy Norms for Social Software , 2016, 2016 IEEE/ACM 11th International Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMS).

[13]  Daniel Amyot,et al.  Goal-oriented compliance with multiple regulations , 2014, 2014 IEEE 22nd International Requirements Engineering Conference (RE).

[14]  Daniel Amyot,et al.  Evaluating goal models within the goal‐oriented requirement language , 2010, Int. J. Intell. Syst..

[15]  Annie I. Antón,et al.  Goal-based requirements analysis , 1996, Proceedings of the Second International Conference on Requirements Engineering.

[16]  Rogério de Lemos,et al.  Software Engineering for Self-Adaptive Systems: Research Challenges in the Provision of Assurances , 2013, Software Engineering for Self-Adaptive Systems.

[17]  Cynthia J. Larose,et al.  Children's Online Privacy Protection Act , 2015 .

[18]  Bashar Nuseibeh,et al.  Caprice: a tool for engineering adaptive privacy , 2012, 2012 Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering.

[19]  John Mylopoulos,et al.  Awareness requirements for adaptive systems , 2011, SEAMS '11.