Similar literature
20 similar documents found (search time: 31 ms)
1.
2.
Analyzing Regulatory Rules for Privacy and Security Requirements   (total citations: 2; self-citations: 0; citations by others: 2)
Information practices that use personal, financial, and health-related information are governed by US laws and regulations to prevent unauthorized use and disclosure. To ensure compliance under the law, the security and privacy requirements of relevant software systems must properly be aligned with these regulations. However, these regulations describe stakeholder rules, called rights and obligations, in complex and sometimes ambiguous legal language. These "rules" are often precursors to software requirements that must undergo considerable refinement and analysis before they become implementable. To support the software engineering effort to derive security requirements from regulations, we present a methodology for directly extracting access rights and obligations from regulation texts. The methodology provides statement-level coverage for an entire regulatory document to consistently identify and infer six types of data access constraints, handle complex cross references, resolve ambiguities, and assign required priorities between access rights and obligations to avoid unlawful information disclosures. We present results from applying this methodology to the entire regulation text of the US Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

3.
Companies that own, license, or maintain personal information face a daunting number of privacy and security regulations. Companies are subject to new regulations from one or more governing bodies, when companies introduce new or existing products into a jurisdiction, when regulations change, or when data are transferred across political borders. To address this problem, we developed a framework called “requirements water marking” that business analysts can use to align and reconcile requirements from multiple jurisdictions (municipalities, provinces, nations) to produce a single high or low standard of care. We evaluate the framework in two empirical case studies covering a subset of U.S. data breach notification laws and medical record retention laws. In these studies, applying our framework reduced the number of requirements a company must comply with by 76 % across 8 jurisdictions and 15 % across 4 jurisdictions, respectively. We show how the framework surfaces critical requirements trade-offs and potential regulatory conflicts that companies must address during the reconciliation process. We summarize our results, including surveys of information technology law experts to contextualize our empirical results in legal practice.

4.
Planning Local E-Government   (total citations: 8; self-citations: 0; citations by others: 8)
User requirements, organizational change, government regulations, and politics are all factors that any organization embarking on a systems development project must take into consideration. These factors, plus that of general societal trends, have an even greater significance for governmental IT organizations that are planning to implement new applications. IS managers in government, as well as those in industry, can use the planning framework presented in this article to manage these factors, as well as the overall requirements and systems planning process.

5.
To support a value-based management and to satisfy regulatory transparency requirements and legal reporting obligations, corporations require a corporate-wide consistent database with return and risk information. Despite existing technical integration approaches, such as data warehouse or OLAP solutions, the development of corporate-wide consistent return and risk databases is so far impossible, as adequate financial methods and performance measurement systems are lacking. Integrated Enterprise Balancing enables corporations of all industries to control their business activities with corporate-wide consistent return and risk measures. The presented performance measurement system enables corporations to additively connect return and risk measures on arbitrary aggregation levels and to perform such an aggregation also within multiple dimensions. Hence, it is a conceptual solution for the development of integrated return and risk databases.

6.
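Software frameworks bring great convenience to software reuse within a specific domain. However, as business systems evolve, traditional component-based software frameworks find it increasingly difficult to meet the needs of business system development. Service-oriented architecture (SOA), as a new type of software architecture, offers great flexibility and extensibility to support the development needs of business systems, but without concrete guiding specifications, SOA development is quite difficult. Service Component Architecture (SCA) is currently the best programming model for SOA, and studying and understanding it in depth helps in rapidly developing SOA-based applications. Starting from the basic concepts of SCA, this paper analyzes the composition structure of SCA, presents an SCA framework metamodel on that basis, analyzes and studies implementation extension types, and gives a concrete application example.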

7.
The German energy market is facing several challenges due to changes in regulation, technical advancements as well as increasing energy costs and climate achievements like CO2 reduction. This results in changing requirements for companies in the energy market and thus business information systems, which support their core tasks and processes. Software product managers in energy and software developing companies in charge of driving the functional development of information systems have to deal with these challenges and need to develop new information systems or enhance existing ones. Conceptual models proved helpful to design and implement information systems within several industries. However, identification and management of models as well as impact analysis of model changes proves difficult. This contribution describes methods to construct, use and maintain a domain specific reference model catalog to support requirements analysis for software product managers in the German electricity and gas market.

8.
As software complexity grows and clients demand higher quality software, quality requirements can no longer be considered to be of secondary importance. Thus, eliciting, specifying, prioritizing and validating quality requirements is a prerequisite to the development of effective and efficient information systems. Despite the critical importance of quality requirements, there is a considerable gap in the breadth and depth of quality requirements engineering (RE) support in most RE approaches. In practice, it is often the case to have quality requirements considered as an afterthought in the systems development process. While there is a wealth of modelling techniques and tools for functional requirements, there is very limited support for quality requirements in RE. Support for quality requirements is usually ad-hoc, without clear guidelines on how to capture, specify and manage quality requirements and also without proper usage of standardized terminologies based on established quality models such as the ISO/IEC 9126 quality model. In this paper, we discuss a quality-driven RE framework and tool that applies knowledge management techniques and quality ontologies to support RE activities. The ontology implements the quality characteristics and metrics prescribed by the ISO/9126 quality model, providing a common vocabulary to address quality concerns/aspects across RE activities. We empirically validate how the framework and tool can be used to effectively support the requirements elicitation and prioritization activities through a case study addressing the development of an intranet portal project at the University of Manchester.

9.
Requirements for choosing off-the-shelf information systems (OISR) differ from requirements for development of new information systems in that they do not necessarily provide complete specifications, thus allowing flexibility in matching an existing IS to the stated needs. We present a framework for OISR conceptual models that consists of four essential elements: business processes, business rules, information objects and required system services. We formalise the definitions of these concepts based on an ontological model. The ontology-based OISR model provides a framework to evaluate modelling languages on how appropriate they are for OISR requirements specifications. The evaluation framework is applied to the Object-Process Methodology, and its results are compared with a similar evaluation of ARIS. This comparison demonstrates the effectiveness of the ontological framework for evaluating modelling tools on how well they can guide selection, implementation and integration of purchased software packages.

10.
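The application-level multi-tenant model, in which tenants share an application instance, is the software-as-a-service model with the highest maturity level. It can improve resource utilization and reduce the cost of upgrading and maintaining applications, but it faces the technical challenge of supporting the individual requirements of different tenants. Existing research and industrial practice have already made attempts at multi-tenant customization. A multi-tenant customization method framework based on Component Based Software Development (CBSD) is distilled from practical projects, covering process, extension types and technical support, and solutions are proposed for the customized extension of three parts of a multi-tenant application system: business logic, interface logic and data entities. The effectiveness of the framework is verified through a product in real-world use.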

11.
Strategy, networks and systems in the global translation services market   (total citations: 1; self-citations: 0; citations by others: 1)
The globalisation of markets has led to an increased demand for language translation services that support and enable communication between economic partners. For example, technical documents, software systems, business documents and web sites all need to be translated into multiple languages for individual national markets, and the information that they contain changes periodically. This paper sets out a theoretical framework that describes the architectures of business processes within and between separate firms that are used to support the delivery and management of services. This is done by coordinating the fit between externally generated problem complexity, from customers, and the internally generated complexity of different potential network configuration solutions. The theoretical framework is an architecture of how complexity is generated and managed at the different structural levels and across the different processual stages of an industry. A case study of thebigword, a major international translation services company, illustrates how the framework is applied in practice. The case study analyses the implementation of an electronic market platform which enables the coordination of the different stakeholders involved in the translation services market. These stakeholders include translators, translation services companies and their clients in a global business network.

12.
Emerging information technologies play an increasingly important role, not only to automate tasks within organizations but also to provide the infrastructure to facilitate communication across organizational boundaries, to implement one-to-one marketing strategies, or to manage business relationships. Web Information Systems (WIS) provide a platform that can help establish and manage customer relationships in ways that were not feasible with traditional business models and architectures. They facilitate the delivery of customized content to end consumers, reflecting their unique needs and individual preferences. In order to establish electronic commerce as a new business paradigm, corresponding changes in information technology, organizational structure, and the corporate value chain are critical. This paper proposes a conceptual model to support the task of balancing flexibility needs with the specific requirements of electronic transactions.

13.
In today's competitive manufacturing environment, the ability to effectively and efficiently manage the flow of information is a vital competency. Manufacturing enterprises must be able to integrate their internal business processes horizontally and vertically, and they are increasingly required to support federated business processes with other members of their respective virtual value chains. Web Services, an emerging form of service-oriented architecture for distributed computing, have the potential to serve as a key enabling technology to support these requirements. Leveraging the inherent interoperability of Internet and Worldwide Web technologies, they enable cooperative processing across heterogeneous computing environments. This paper presents a framework for evaluating the viability of Web Services technologies to be incorporated into enterprise information architectures to support the business needs and requirements of next generation manufacturing enterprises. It examines economic, technical, and organizational contexts that will influence the ability of manufacturing-related enterprises to deploy advanced information architectures based on Web Services to support the complex business processes needed to collaborate with suppliers, customers, and other stakeholders in virtual enterprise environments.

14.
This paper is a discussion on the problem of establishing information requirements in changing and ongoing business organisations. Attempts within existing software development paradigms to cope with business change are identified and discussed, and their problems concerning business change are highlighted. The alternative spiral of change model of tailorable information systems is proposed for thinking about establishing changing and ongoing information systems requirements. It is also proposed that information should be reconceptualised as tailorable. Such a reconceptualisation would allow us to explore ways of establishing information systems requirements that cope with business change. Deferred system’s design is proposed as a form of business software design and development that can cope with business change, as well as with the contextual and situational nature of tailorable information.

15.
Stochastic programming brings together models of optimum resource allocation and models of randomness to create a robust decision-making framework. The models of randomness with their finite, discrete realisations are called scenario generators. In this paper, we investigate the role of such a tool within the context of a combined information and decision support system. We explain how two well-developed modelling paradigms, decision models and simulation models can be combined to create “business analytics” which is based on ex-ante decision and ex-post evaluation. We also examine how these models can be integrated with data marts of analytic organisational data and decision data. Recent developments in on-line analytical processing (OLAP) tools and multidimensional data viewing are taken into consideration. We finally introduce illustrative examples of optimisation, simulation models and results analysis to explain our multifaceted view of modelling. In this paper, our main objective is to explain to the information systems (IS) community how advanced models and their software realisations can be integrated with advanced IS and DSS tools.

16.
As computer supported co-operative work (CSCW) becomes of increasing practical significance in business and public sector organisations, there is a need to develop a framework which can embed CSCW within the wider needs of the organisation. It is proposed here, based on specific study into the group working of executives, that such a framework needs to draw on the four domains of business drivers, information, human and social aspects, and technology. In much of the work to date for executives, there has been a preoccupation with their decision support needs. It is proposed that ‘systems to support action’ (SSA) should be given greater significance. The framework to underpin SSA could be based on one of the systems approaches, and that particularly examined here is managerial cybernetics, as developed by Stafford Beer.

17.
Online privacy policies describe organizations’ privacy practices for collecting, storing, using, and protecting consumers’ personal information. Users need to understand these policies in order to know how their personal information is being collected, stored, used, and protected. Organizations need to ensure that the commitments they express in their privacy policies reflect their actual business practices, especially in the United States where the Federal Trade Commission regulates fair business practices. Requirements engineers need to understand the privacy policies to know the privacy practices with which the software must comply and to ensure that the commitments expressed in these privacy policies are incorporated into the software requirements. In this paper, we present a methodology for obtaining requirements from privacy policies based on our theory of commitments, privileges, and rights, which was developed through a grounded theory approach. This methodology was developed from a case study in which we derived software requirements from seventeen healthcare privacy policies. We found that legal-based approaches do not provide sufficient coverage of privacy requirements because privacy policies focus primarily on procedural practices rather than legal practices.

18.
Obligations are generally actions that users are required to take and are essential for the expression of a large number of requirements. For instance, obligation actions may represent prerequisites to gain some privilege (pre obligations), to satisfy some ongoing or post requirement for resource usage (ongoing and post obligations), or to adhere to some privacy or availability policy. Obligations may also define states of affairs which should be maintained. An example of such obligations is the obligation “doctors should remain alert while in the operating room”. In this paper, we introduce a formal framework for the management and enforcement of obligation policies. The framework is formalized using concepts from action specification languages and the Event Condition Action paradigm of active databases. Therefore, our framework allows reasoning about change in the state of obligations and, at the same time, provides declarative formal semantics for their enforcement. In this framework, we support many types of obligations and show how to manage obligation activation, fulfillment and violation.

19.
Model-Driven Architecture (MDA) brings benefits to software development, among them the potential for connecting software models with the business domain. This paper focuses on the upstream or Computation-Independent Model (CIM) phase of MDA. Our contention is that, whilst there are many models and notations available within the CIM phase, those that are currently popular and supported by the Object Management Group (OMG) may not be the most useful notations for business analysts nor sufficient to fully support software requirements and specification. Therefore, with specific emphasis on the value of the Business Process Modelling Notation (BPMN) for business analysts, this paper provides an example of a typical CIM approach before describing an approach that incorporates specific requirements techniques. A framework extension to MDA is then introduced, which embeds requirements and specification within the CIM, thus further enhancing the utility of MDA by providing a more complete method for business analysis.

20.
Today's business enterprises must deal with global competition, reduce the cost of doing business, and rapidly develop new services and products. To address these requirements enterprises must constantly reconsider and optimize the way they do business and change their information systems and applications to support evolving business processes. Workflow technology facilitates these by providing methodologies and software to support (i) business process modeling to capture business processes as workflow specifications, (ii) business process reengineering to optimize specified processes, and (iii) workflow automation to generate workflow implementations from workflow specifications. This paper provides a high-level overview of the current workflow management methodologies and software products. In addition, we discuss the infrastructure technologies that can address the limitations of current commercial workflow technology and extend the scope and mission of workflow management systems to support increased workflow automation in complex real-world environments involving heterogeneous, autonomous, and distributed information systems. In particular, we discuss how distributed object management and customized transaction management can support further advances in the commercial state of the art in this area. Recommended by: Omran Bukhres and e. Kühn
