Security Analysis and Legal Compliance Checking for the Design of Privacy-friendly Information Systems

Nowadays, most business practices involve processing the personal data of customers and employees. This is strictly regulated by legislation that protects the rights of the data subject. Enforcing regulation in an enterprise information system is a non-trivial task that requires an interdisciplinary approach. This paper presents a declarative framework to support the specification of information system designs, purpose-aware access control policies, and the legal requirements derived from the European Data Protection Directive. This allows for compliance checking via a reduction to policy refinement that is supported by available automated tools. We briefly discuss the results of the compliance analysis with a prototype tool on a simple but realistic scenario about the processing of personal data to produce salary slips for the employees of an Italian organization.
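The reduction of compliance checking to policy refinement mentioned in the abstract can be illustrated on the salary-slip scenario. The following is an added example, not the paper's own formalization or tool: a design policy and a legal-requirement policy are written as predicates over a finite attribute domain, and the design is compliant exactly when every request it grants is also granted by the legal policy. The roles, data categories, purposes and rules below are constructed assumptions; the paper's actual declarative language, attribute model and automated back-end are not reproduced here.

```python
"""Compliance checking as policy refinement (added illustration).

A design policy D refines a legal policy L when, for every request r,
D(r) implies L(r).  Over finite attribute domains this can be decided by
exhaustive enumeration; the paper delegates the general problem to
automated tools, which this example does not model.
"""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Iterator, List

@dataclass(frozen=True)
class Request:
    role: str      # subject attribute: who is asking
    data: str      # category of personal data being processed
    purpose: str   # declared purpose of the processing

# Finite attribute domains (constructed for this example).
ROLES = ("payroll_clerk", "hr_manager", "marketing")
DATA = ("salary", "bank_account", "trade_union_membership")
PURPOSES = ("payroll", "marketing")

# Purpose for which each data category was collected (constructed).
COLLECTED_FOR = {
    "salary": "payroll",
    "bank_account": "payroll",
    "trade_union_membership": "payroll",
}
# Categories treated as sensitive (constructed choice for the example).
SENSITIVE = {"trade_union_membership"}

Policy = Callable[[Request], bool]

def design_policy(r: Request) -> bool:
    """Purpose-aware access control policy of the (first) system design."""
    if r.role == "payroll_clerk" and r.purpose == "payroll":
        return True   # clerks may process any category for payroll
    if r.role == "hr_manager":
        return True   # managers may process anything for any purpose
    return False

def legal_policy(r: Request) -> bool:
    """Constructed stand-in for legal requirements: purpose limitation
    and a restriction on who may process sensitive categories."""
    if r.purpose != COLLECTED_FOR[r.data]:
        return False  # purpose must match the purpose of collection
    if r.data in SENSITIVE and r.role != "hr_manager":
        return False  # sensitive data only by the authorised role
    return True

def fixed_design_policy(r: Request) -> bool:
    """Design policy revised after the analysis below."""
    if r.purpose != "payroll":
        return False
    if r.data in SENSITIVE:
        return r.role == "hr_manager"
    return r.role in ("payroll_clerk", "hr_manager")

def all_requests() -> Iterator[Request]:
    """Enumerate the finite request space."""
    for role, data, purpose in product(ROLES, DATA, PURPOSES):
        yield Request(role, data, purpose)

def refinement_violations(design: Policy, legal: Policy) -> List[Request]:
    """Counterexamples: requests the design grants but the law forbids.
    An empty list means the design refines the legal policy."""
    return [r for r in all_requests() if design(r) and not legal(r)]

def is_compliant(design: Policy, legal: Policy) -> bool:
    return not refinement_violations(design, legal)

if __name__ == "__main__":
    for bad in refinement_violations(design_policy, legal_policy):
        print("non-compliant:", bad)
    print("first design compliant:", is_compliant(design_policy, legal_policy))
    print("fixed design compliant:", is_compliant(fixed_design_policy, legal_policy))
```

The counterexamples returned by `refinement_violations` play the role of the explanation a compliance analysis should give the designer: here they expose the over-broad manager rule (any purpose) and the clerk rule's unrestricted access to a sensitive category, both of which the revised policy closes.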
