Achieving Traceable Compliance using the Ampersand Method - PowerPoint PPT Presentation
Author: Henriette Sangers. Created: 1/7/2004.
1
Achieving Traceable Compliance using the Ampersand Method
  • Open University of the Netherlands
  • TouW gathering March 6th 2010
  • Henriëtte Sangers

2
Different aspects of the research
  • IT systems development
  • Compliance
  • Business Ontologies
  • Ampersand Method
  • GAP
3
Mind the Gap
  • Obedience: follow rules
  • Compliance: respect others, do the right thing
"The limits of our language mean the limits of our world" (Wittgenstein, 1922)
4
Two Gaps in IT Systems Development
  • Different use of concepts > misunderstandings about desired functionality
  • Wrong implementation of correctly understood desired functionality
  • These contribute to the bad track record of IT projects

5
The importance of being an OU student
  • Usually you are older; what's so great about that?
  • Let's try: more mature? More experienced?
  • > If you work in IT you saw the gap
  • If you really want to know the gap, cross it!
  • > Use the opportunities to experience the other side
  • Chance to get a better understanding of the mutual dependency Business - IT

6
Compliance
Organisations operating according to rules and regulations set for this type of organisation.
Financial world: Barings, ING, ABN AMRO, IceSave, Lehman Brothers
New regulations to restore public trust in the financial system:
  • Basel II
  • SOx
  • MIFID
  • CDD

> Focus now on getting it right
People, procedures and IT systems all need to be compliant!
7
Compliance Challenge
  • Adapt to rapidly changing ruling in a competitive market:
  • stay flexible
  • change at low costs
  • Specific difficulties of compliance:
  • translating compliance ruling into measures for the organisation
  • many rules and regulations from different sources
  • traceability - proving compliance

8
Compliance Challenge - surveys
  • Mercury: US and European businesses expect a large part of IT budgets will go to compliance projects in the coming years
  • Deloitte and Touche: complexity of IT environments is seen as a major impediment in compliance projects
  • Gartner: organisations can experience a competitive advantage by handling compliance issues more efficiently than others
9
The Ampersand Method I
Stef Joosten
  • Rule based Business Process Management
  • Formal approach to IT systems development
  • Succeeds / incorporates:
  • Calculating with Concepts: finding and verifying business rules
  • ADL (A Description Language): capturing business rules
  • Building blocks:
  • Concepts: entities which are important to users
  • Relations: associations between concepts
  • Rules: invariants, represent business logic

10
The Ampersand Method II
  • Based on relation algebra; can be used to:
  • get clarity about specifications (cycle chasing)
  • specify and even generate IT systems which can be proven to implement business logic (as in business rules) correctly
  • Business processes are derived from business rules, not built with them.

11
Bridging the Gap: Ontologies
  • How to represent the real world? Ontologies, the silver bullet?
  • Everybody his own ontology: solving problems or raising misunderstandings to a higher level?
  • Long history in IT Systems Analysis and Design (ISAD), a.o. the Bunge-Wand-Weber representation model
  • Why use ontologies in IT?
  • Enabling common understanding: sofa/couch, property/attribute
  • Reuse domain knowledge
  • Make domain knowledge explicit, support analysis

12
Use of Ontologies in IT
  • Applications: information integration, P2P information sharing, web service composition, ambient intelligence, web navigating and querying (Marktplaats)
  • Recent developments in the area of automated concept matching and ontology integration

13
Ampersand, Business Ontologies and Compliance
  • Business (compliance) rules can be used directly; no need to program business processes
  • All business (compliance) logic in one place, easy to check by users and auditors
  • Mathematical proof that functionality matches business (compliance) rules can be provided
  • Business ontologies are easy to use with Ampersand and help bridge the gap between compliance ruling and business concepts

14
Research at Purdue University
  • CERIAS program: Center for Education and Research in Information Assurance and Security
  • Computer Science research group dedicated to Digital Identity Management and Protection
  • Articles on:
  • traceable and flexible compliance with privacy ruling
  • use of ontologies to support common understanding of concepts

15
Articles Purdue University
Examples:
  • Achieving Privacy in Trust Negotiations with an Ontology-Based Approach. IEEE Transactions on Dependable and Secure Computing, January-March 2006.
  • Traceable and Automatic Compliance of Privacy Policies in Federated Digital Identity Management. 6th Workshop on Privacy Enhancing Technologies, Cambridge University UK, 2006.

16
The Case
  • Federated environment of medical service providers and patients
  • Automated exchange of patients' information among service providers
  • Compliance with patients' privacy preferences
  • Breaches of trust need to be traceable
  • Other requirements:
  • common understanding of concepts (medical, privacy preferences)
  • automated matching of concepts
  • flexibility and traceability

17
Purdue Solution I
  • Check isMoreStrict
  • A. Privacy preference templates
  • PPx stricter than PPy if x < y

18
Purdue Solution II
  1. B. Customized privacy preferences: more complex checks / ordering.

  3. Check logging - trace back
19
Ampersand Solution: Concepts, Relations and Rules
  • Concepts: entities which are important to users
  • CONCEPT "Participant" "party in federated service network, person or service provider."
  • CONCEPT "PrivacyPreference" "a policy statement about how to deal with information"
  • CONCEPT "Data" "the type of data that can be stored of a person."
  • Relations: associations between concepts
  • belongsTo PrivacyPreference > Participant
  • subsumes PrivacyPreference PrivacyPreference TRN,ASY
  • PRAGMA "" " subsumes, is less strict than"
  • requestsInformationFrom Participant Participant
  • Rules: invariants, represent business logic
  • requestsInformationFrom - (hasPrivacyPreference hasPrivacyPreference)
    \/ (hasPrivacyPreference subsumes hasPrivacyPreference)
  • EXPLANATION "Information can only be requested from a party with an equally or less strict privacy policy."

20
Ampersand Solution - base
[Diagram: possible occurrences, allowed occurrences, actual occurrences]
requestsInformationFrom - (hasPrivacyPreference hasPrivacyPreference)
\/ (hasPrivacyPreference subsumes hasPrivacyPreference)
21
Ampersand Solution - flexibility
[Diagram: possible occurrences, allowed occurrences, special permission, actual occurrences]
requestsInformation - ((belongsTo hasPurpose subsPurpose hasPurpose)
/\ (belongsTo refersToData subsData refersToData))
\/ (permissionTo permissionConcerns)
22
Ampersand - ontologies
subsPurpose Purpose Purpose TRN,ASY
PRAGMA "" " subsumes, is less strict than"
("General-purpose", "Treatment")
("General-purpose", "Insurance")
("General-purpose", "Research")
("Research", "Teaching")
("Research", "Development")
("Research", "Marketing")
23
Ampersand - ontology integration
[Diagram: possible occurrences, allowed occurrences, out of bound occurrences]
requestsInformationFrom - hasPrivacyPreference hasPurpose subsPurpose hasPurpose hasPrivacyPreference
EXPLANATION "Information can only be requested from a party with an equally or less strict purpose policy."
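As an added worked example (not code from the slides or from the Ampersand project), the rules of slides 19 and 23 evaluated in Python over relations stored as sets of pairs: composition, converse, the transitive closure that a TRN declaration implies, and the rule's violations returned as the traceable result. The subsPurpose pairs are those of slide 22; the participants, privacy preferences and requests are a constructed population, and the composition order is taken literally from the rule expressions on the slides.

```python
def compose(r, s):
    """Relation composition r;s: (a, c) whenever (a, b) in r and (b, c) in s."""
    return {(a, c) for (a, b) in r for (b2, c) in s if b == b2}

def converse(r):
    """Converse r~: every pair reversed."""
    return {(b, a) for (a, b) in r}

def closure(r):
    """Transitive closure; a relation declared TRN must contain it."""
    result, frontier = set(r), set(r)
    while frontier:
        frontier = compose(frontier, r) - result
        result |= frontier
    return result

def is_asymmetric(r):
    """ASY: no pair present together with its reverse."""
    return not (r & converse(r))

def violations(antecedent, consequent):
    """Rule 'antecedent |- consequent' holds iff antecedent is a subset of
    consequent; the difference is the set of reportable (traceable) violations."""
    return antecedent - consequent

# subsPurpose population from slide 22, closed under transitivity (TRN, ASY).
subsPurpose = closure({
    ("General-purpose", "Treatment"), ("General-purpose", "Insurance"),
    ("General-purpose", "Research"), ("Research", "Teaching"),
    ("Research", "Development"), ("Research", "Marketing")})

# Constructed population: hypothetical participants, preferences and requests.
hasPrivacyPreference = {("Hospital", "PP-H"), ("Insurer", "PP-I"), ("Lab", "PP-L")}
hasPurpose = {("PP-H", "Treatment"), ("PP-I", "General-purpose"), ("PP-L", "Research")}
requestsInformationFrom = {("Insurer", "Hospital"), ("Lab", "Hospital"), ("Hospital", "Lab")}

def purpose_rule_violations():
    """Slide 23 rule read literally: requestsInformationFrom |-
    hasPrivacyPreference;hasPurpose;subsPurpose;hasPurpose~;hasPrivacyPreference~"""
    allowed = compose(compose(compose(compose(hasPrivacyPreference, hasPurpose),
                      subsPurpose), converse(hasPurpose)), converse(hasPrivacyPreference))
    return violations(requestsInformationFrom, allowed)

def privacy_rule_violations(subsumes):
    """Slide 19 rule: requestsInformationFrom |- hasPrivacyPreference;hasPrivacyPreference~
    \\/ hasPrivacyPreference;subsumes;hasPrivacyPreference~ (subsumes given TRN-closed)."""
    same = compose(hasPrivacyPreference, converse(hasPrivacyPreference))
    weaker = compose(compose(hasPrivacyPreference, subsumes), converse(hasPrivacyPreference))
    return violations(requestsInformationFrom, same | weaker)
```

With this population only the Insurer's requests are covered by the purpose rule; the Lab/Hospital pairs come back as violations, which is exactly the set an auditor would trace back to.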
24
Ampersand - screen
25
Solutions Compared (Ampersand vs. Purdue)
  • deriving business processes from rules (Ampersand) vs. programming business processes (Purdue)
  • business logic in rule base (Ampersand) vs. business logic in systems coding (Purdue)
  • mathematical proof provided (Ampersand) vs. mathematical proof not provided (Purdue)
  • less well known (Ampersand) vs. more familiar to most IT staff (Purdue)

26
Conclusions I
  • Ampersand method offers advantages in achieving compliance in IT:
  • business rules used directly to generate the IT system
  • all business logic in one place, easy to check
  • correct implementation can be proven
  • Business ontologies enhance the usability of Ampersand:
  • easy to integrate with Ampersand / ADL
  • help bridge the gap between compliance and business concepts
  • allow combination of rule patterns / compliance patterns

27
Conclusions II
  • Advantages of the Ampersand method combined with business ontologies reach beyond compliance:
  • help get clarity about desired functionality
  • less discussion about implementation issues
  • increase IT developers' productivity
  • enhance flexibility

28
Further Research
  • Automated matching of business logic and (compliance) ruling, supported by business ontologies
  • Integrating Ampersand compliance and business rule patterns to offer extended functionality in IT systems development
  • Generating a compliance certificate based on correct matching of compliance ruling and business concepts

29
Master Thesis
  • Choose a subject you like; after all, you are stuck with it!
  • Choose a subject which is doable in the time you want to spend
  • Watch out for dependencies
  • Combine with job or join existing research; take into account:
  • level of freedom
  • academic level
  • time efficiency
  • Say goodbye to your friends and go for IT!

QUESTIONS?