An approach based on citation analysis to support effective handling of regulatory compliance

For most global software companies whose client base covers a large number of regulated businesses, regulatory compliance represents a significant challenge. The world of compliance has become increasingly complex because of the large number of regulations, laws, and standards introduced every year. These laws vary significantly in scope and applicability depending on the industry sector and the geographical area of the end client. In addition, many of them are created by different legislative bodies, resulting in overlapping and sometimes conflicting provisions. To further complicate matters, laws are often built on existing ones, forming a set of interdependent rules in which a change made in one place can propagate, sometimes inconsistently, to many other laws. There is clearly a need for techniques and tools that relieve IT solution providers of the complexity of dealing with regulatory compliance. In this paper, we present an approach and a supporting tool that aim to facilitate the analysis of multiple regulations. Our approach is based on exploring the citation relationship that links laws together. This relationship is represented as a citation graph, which an analyst can use to navigate the provisions of interrelated laws in order to uncover overlaps and possible conflicts, or simply to understand the content of specific law documents. We also present a tool called CompDSS (Compliance Decision Support System) that supports our approach. Finally, we demonstrate the effectiveness of the approach by applying it to three regulations: SOX, HIPAA, and GLBA.
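The abstract describes the idea of a citation graph over regulatory provisions but not how one is built or queried. The following is an added illustration, written for this page and not CompDSS or any code from the paper: it extracts citations from a handful of constructed provision snippets (the section labels follow the real numbering of SOX, HIPAA and GLBA, but the texts and the cross-references between them are invented for the example), builds a directed citation graph, lists targets cited from more than one regulation as overlap candidates, and walks the graph in reverse to find every provision that would be affected if a cited target changed. The regex only recognises the citation forms used in the sample data and is an assumption, not a general legal-citation parser.

```python
"""Citation graph over regulatory provisions (constructed example, not CompDSS)."""
import re
from collections import defaultdict, deque

# Constructed sample provisions: document -> {section label: text}.
# The texts are illustrative paraphrases and cross-references invented for the
# example; they are not quotations of the statutes or regulations.
PROVISIONS = {
    "SOX": {
        "SOX §302": "Corporate responsibility for financial reports; see SOX §404 and 15 U.S.C. §7241.",
        "SOX §404": "Management assessment of internal controls; see 15 U.S.C. §7262.",
    },
    "HIPAA": {
        "HIPAA §164.308": "Administrative safeguards and risk analysis; see HIPAA §164.312 and 45 C.F.R. §160.103.",
        "HIPAA §164.312": "Technical safeguards for electronic protected health information; see 45 C.F.R. §160.103.",
    },
    "GLBA": {
        "GLBA §501": "Protection of nonpublic personal information, 15 U.S.C. §6801; the safeguards mandate is in GLBA §501(b).",
        "GLBA §501(b)": "Safeguards; see 16 C.F.R. §314.4 and HIPAA §164.312 for comparable technical safeguards.",
    },
}

# Assumed citation syntax: a short document name or a U.S.C./C.F.R. title,
# the section sign, a dotted section number and optional subsection letters.
CITATION_RE = re.compile(
    r"(?:\d+\s+(?:U\.S\.C\.|C\.F\.R\.)|SOX|HIPAA|GLBA)\s*§\s*\d+(?:\.\d+)*(?:\([a-z0-9]+\))*"
)


def normalize(ref):
    """Canonical form: single space before the section sign, none after it."""
    ref = re.sub(r"\s*§\s*", " §", ref)
    return re.sub(r"\s+", " ", ref).strip()


def extract_citations(text):
    """Ordered, de-duplicated citations found in one provision's text."""
    seen, refs = set(), []
    for m in CITATION_RE.finditer(text):
        ref = normalize(m.group(0))
        if ref not in seen:
            seen.add(ref)
            refs.append(ref)
    return refs


def build_citation_graph(provisions):
    """Return (out_edges, doc_of): out_edges[src] is the set of refs src cites,
    doc_of maps every node (local section or external target) to its document."""
    out_edges, doc_of = defaultdict(set), {}
    for doc, sections in provisions.items():
        for label, text in sections.items():
            doc_of[label] = doc
            for ref in extract_citations(text):
                if ref != label:  # ignore self-citation
                    out_edges[label].add(ref)
                    doc_of.setdefault(ref, ref.split(" §")[0])
    return dict(out_edges), doc_of


def shared_targets(out_edges, doc_of):
    """Targets cited from two or more distinct documents: overlap candidates
    an analyst should compare for consistency."""
    citing_docs = defaultdict(set)
    for src, targets in out_edges.items():
        for target in targets:
            citing_docs[target].add(doc_of[src])
    return {t: docs for t, docs in citing_docs.items() if len(docs) >= 2}


def impacted_by(target, out_edges):
    """Provisions that cite `target` directly or transitively, i.e. the set a
    change to `target` can propagate into (reverse breadth-first search)."""
    reverse = defaultdict(set)
    for src, targets in out_edges.items():
        for t in targets:
            reverse[t].add(src)
    seen, queue = set(), deque([target])
    while queue:
        node = queue.popleft()
        for src in reverse.get(node, ()):
            if src not in seen:
                seen.add(src)
                queue.append(src)
    return seen


if __name__ == "__main__":
    edges, docs = build_citation_graph(PROVISIONS)
    for src in sorted(edges):
        print(f"{src} -> {sorted(edges[src])}")
    print("overlap candidates:", shared_targets(edges, docs))
    print("impacted by 45 C.F.R. §160.103:", sorted(impacted_by("45 C.F.R. §160.103", edges)))
```

On the constructed data the reverse walk from the single definitions section 45 C.F.R. §160.103 reaches both HIPAA provisions and, through the invented GLBA-to-HIPAA citation, both GLBA provisions, which is the cross-regulation propagation the abstract refers to; `shared_targets` surfaces HIPAA §164.312 as the one node cited from two different regulations.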
