Towards a process for legally compliant software

We propose a method and a process for legal software requirements extraction and compliance checking. We describe a requirements extraction model, a set of rules for specifying the format of the extracted information, a set of UML-based principles for translating the extracted information into a language based on predicate logic, and finally, a tool that analyzes the resulting logic model and displays the results of the analysis. The translation principles are based on a Governance Analysis Model (GAM) which is described in UML; the language is our Governance Analysis Language (GAL) and the tool is our Governance Analysis Tool (GAT). MIT's logic analyzer Alloy is the engine on which GAT runs. GAL is translated into assertions in Alloy's language and the Alloy tool can find counterexamples indicating situations of non-compliance.

[1]  Brian Subirana,et al.  Legal programming , 2004, CACM.

[2]  Guido Governatori,et al.  Law, logic and business processes , 2010, 2010 Third International Workshop on Requirements Engineering and Law.

[3]  Jan H. P. Eloff,et al.  Separation of duties for access control enforcement in workflow environments , 2001, IBM Syst. J..

[4]  Annie I. Antón,et al.  Addressing Legal Requirements in Requirements Engineering , 2007, 15th IEEE International Requirements Engineering Conference (RE 2007).

[5]  Hafedh Mili,et al.  Business process modeling languages: Sorting through the alphabet soup , 2010, CSUR.

[6]  Didar Zowghi,et al.  Erratum to "On the interplay between consistency, completeness, and correctness in requirements evolution" , 2004, Inf. Softw. Technol..

[7]  Guido Governatori,et al.  A methodological framework for aligning business processes and regulatory compliance , 2010 .

[8]  Annie I. Antón,et al.  Assessing identification of compliance requirements from privacy policies , 2012, 2012 Fifth IEEE International Workshop on Requirements Engineering and Law (RELAW).

[9]  Waël Hassan Validating legal compliance: governance analysis method , 2009 .

[10]  Elisa Bertino,et al.  A roadmap for comprehensive online privacy policy management , 2007, CACM.

[11]  Annie I. Antón,et al.  Towards Regulatory Compliance: Extracting Rights and Obligations to Align Requirements with Regulations , 2006, 14th IEEE International Requirements Engineering Conference (RE'06).

[12]  G. Sartor Legal Reasoning: A Cognitive Approach to Law , 2005 .

[13]  Guido Governatori,et al.  The Journey to Business Process Compliance , 2009, Handbook of Research on Business Process Modeling.

[14]  Leonid Stoimenov,et al.  Illustration by Gianpaolo Pagni , 2022 .

[15]  Sharad Malik,et al.  Boolean satisfiability from theoretical hardness to practical success , 2009, Commun. ACM.

[16]  Shin Saito,et al.  Best practices and tools for personal information compliance management , 2007, IBM Syst. J..

[17]  Daniel Jackson,et al.  Software Abstractions - Logic, Language, and Analysis , 2006 .

[18]  Luigi Logrippo,et al.  Requirements and compliance in legal systems: a logic approach , 2008, 2008 Requirements Engineering and Law.

[19]  Guido Governatori,et al.  Regorous: a business process compliance checker , 2013, ICAIL.

[20]  Annie I. Antón,et al.  Ensuring compliance between policies, requirements and software design: a case study , 2006, Fourth IEEE International Workshop on Information Assurance (IWIA'06).

[21]  J. C. Cannon,et al.  Compliance Deconstructed , 2006, ACM Queue.

[22]  Pavel Hruby,et al.  Model-Driven Design Using Business Patterns , 2011, J. Inf. Syst..

[23]  Marco Montali,et al.  Monitoring Business Constraints with Linear Temporal Logic: An Approach Based on Colored Automata , 2011, BPM.

[24]  Laurie A. Williams,et al.  Proposing regulatory-driven automated test suites for electronic health record systems , 2013, 2013 5th International Workshop on Software Engineering in Health Care (SEHC).

[25]  John Mylopoulos,et al.  Extracting rights and obligations from regulations: toward a tool-supported process , 2007, ASE.

[26]  Helen Nissenbaum,et al.  Privacy and contextual integrity: framework and applications , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[27]  G. Postema,et al.  A Treatise of Legal Philosophy and General Jurisprudence , 2011 .

[28]  Vijayalakshmi Atluri,et al.  Role-based Access Control , 1992 .

[29]  Daniel Amyot,et al.  Integrating business strategies with requirement models of legal compliance , 2010, Int. J. Electron. Bus..

[30]  Annie I. Antón,et al.  Legal Requirements, Compliance and Practice: An Industry Case Study in Accessibility , 2008, 2008 16th IEEE International Requirements Engineering Conference.

[31]  Donald C. Hambrick,et al.  New Directions in Corporate Governance Research , 2008, Organ. Sci..

[32]  Mike P. Papazoglou,et al.  Capturing Compliance Requirements: A Pattern-Based Approach , 2012, IEEE Software.

[33]  Willem-Jan van den Heuvel,et al.  Using Patterns for the Analysis and Resolution of Compliance Violations , 2012, Int. J. Cooperative Inf. Syst..

[34]  Clare-Marie Karat,et al.  An empirical study of natural language parsing of privacy policy rules using the SPARCLE policy workbench , 2006, SOUPS '06.

[35]  Luigi Logrippo,et al.  Governance Requirements Extraction Model for Legal Compliance Validation , 2009, 2009 Second International Workshop on Requirements Engineering and Law.