Compliance Monitor for Early Warning of Risks

Summary

This paper deals with the development of an early warning system for detecting privacy violations in "business compliance" ahead of time, and shows the applicability of the approach using anonymity as an example. To this end, it presents a reference monitor that automatically computes the risk of a future rule violation, expressed as a probability of occurrence, before the violation occurs, and issues a warning when the execution is classified as dangerous.

Abstract

The paper reports on a reference monitor for early warning risk determination for privacy violations in the context of business compliance and demonstrates its applicability in the particular case of anonymity. To this end, the monitor detects system executions that potentially lead to non-compliant states before the actual violation, by determining the risk they pose to compliance goals and warning the officers responsible for compliance about risky executions. In doing so, the presented monitor is a novel technique to automate some of the tasks involved in guaranteeing compliance.
