Powered by
Conference Publishing Consulting

2013 6th International Workshop on Requirements Engineering and Law (RELAW), July 16, 2013, Rio de Janeiro, Brasil

RELAW 2013 – Proceedings

Contents - Abstracts - Authors

2013 6th International Workshop on Requirements Engineering and Law (RELAW)

Preface

Title Page

Foreword
Software professionals build complex software systems in an increasingly regulated environment. Recent compliance challenges include balancing privacy and security, protecting patient medical records, complying with corporate governance policies, and managing uncertainty from evolving regulations, technologies, and societies. These requirements engineering challenges must be addressed to the satisfaction of regulators, lawyers, and engineers. The sixth Requirements Engineering and Law (RELAW) workshop was a multi-disciplinary, one-day workshop that brought together practitioners and researchers from two domains: Requirements Engineering and Law. Participants investigated and discussed how requirements engineers and legal professionals can build systems that meet the needs of the modern regulatory environment for software systems. This report summarizes the workshop structure, research presentations, and panel discussions that took place in our ongoing effort to understand the historical and social impact of existing laws and regulations on emerging technology.

Research Papers

Regulation-Based Dimensional Modeling for Regulatory Intelligence
Omar Badreddin, Gunter Mussbacher, Daniel Amyot, Saeed Ahmadi Behnam, Rouzbahan Rashidi-Tabrizi, Edna Braun, Mohammad Alhaj, and Gregory Richards
(University of Ottawa, Canada; Carleton University, Canada)
Regulations are a source of evolving requirements for products and organizations. As regulatory institutions shift towards outcome-based regulations, they increasingly adopt legislation performance modeling, at the basis of regulatory intelligence. In this context, performance modeling refers to the measuring of important business aspects in a coordinated manner and the use of these measurements for improved decision making. Considering that in many cases regulatory texts already exist, it is necessary to build a performance model based on existing regulations that may be still prescriptive rather than outcome-based. The process of turning the underlying textual legislation into a formal performance model that can be assessed by Business Intelligence (BI) tools is complicated due to organizational, cultural, and technological reasons. In this paper, we present a methodology from a technical perspective that enables regulatory institutions to reason about regulations and compliance with regulations as new dimensions. We demonstrate the methodology using traffic law as an example regulation, jUCMNav for performance modeling, and IBM Cognos for BI reporting.
Article Search
Mapping Legal Requirements to IT Controls
Travis D. Breaux, David G. Gordon, Nick Papanikolaou, and Siani Pearson
(Carnegie Mellon University, USA; HP Labs, UK)
Information technology (IT) controls are reusable system requirements that IT managers, administrators and developers use to demonstrate compliance with international standards, such as ISO 27000 standard. As controls are reusable, they tend to cover best practice independently from what specific government laws may require. However, because considerable effort has already been invested by IT companies in linking controls to their existing systems, aligning controls with regulations can yield important savings by avoiding non-compliance or unnecessary redesign. We report the results of a case study to align legal requirements from the U.S. and India that govern healthcare systems with three popular control catalogues: the NIST 800-53, ISO/IEC 27002:2009 and the Cloud Security Alliance CCM v1.3. The contributions include a repeatable protocol for mapping controls, heuristics to explain the types of mappings that may arise, and guidance for addressing incomplete mappings.
Article Search
Eros: An Approach for Ensuring Regulatory Compliance of Process Outcomes
Quanjun Yin, Nazim H. Madhavji, and Mahesh Pattani
(University of Western Ontario, Canada; BestCare, UK)
In the service industry, such as healthcare, catering, tourism, and others, there exist regulations that require organisations to provide service outcomes that comply with the regulations. More and more regulations in the service sector are, or are aimed to be, outcome-focused regulations. An outcome prescribed in the regulation is what users should experience or achieve when the regulated business processes are compliant. Service providers need to proactively ensure that the outcomes specified in the regulations have been achieved prior to conducting the relevant part of the business or prior to inspectors discovering noncompliance. Published approaches check requirements or business processes, not outcomes, against regulations and thus this still leaves uncertain as to whether what the users actually experience is what is prescribed in the regulations. In this research preview paper, we propose a method for assessing the compliance of process outcomes. Actual outcomes from business processes are checked against prescribed outcomes from the regulations. The method is illustrated by an example from the U.K.’s CQC regulations in the care-home environment. The key contribution of this paper is a preliminary approach for proactively checking the compliance of process outcomes.
Article Search
Toward Benchmarks to Assess Advancement in Legal Requirements Modeling
Ivan Jureta, Travis D. Breaux, Alberto Siena, and David G. Gordon
(University of Namur, Belgium; Carnegie Mellon University, USA; University of Trento, Italy)
As software engineers create and evolve information systems to support business practices, these engineers need to address constraints imposed by laws, regulations and policies that govern those business practices. Requirements modeling can be used to extract important legal constraints from laws, and decide how, and evaluate if an information system design complies to applicable laws. To advance research on evaluating requirements modeling formalisms for the representation of legal information, we propose several benchmarks that we believe represent important challenges in modeling laws and requirements governing information systems, and evaluating the compliance of these requirements with laws. While incomplete, the proposed set of benchmarks covers a range of challenges in modeling laws and requirements that we observed in privacy and security law: from the possibility to trace model fragments to law fragments, to the ability to distinguish modalities in law, and to model relations between requirements and law fragments, needed when evaluating compliance. Benchmarks can be used as a checklist when designing and discussing requirements formalisms that support legal requirements modeling. Each benchmark is motivated by related work, a brief legal excerpt, and our experience in modeling regulations.
Article Search
Transforming Regulations into Performance Models in the Context of Reasoning for Outcome-Based Compliance
Rouzbahan Rashidi-Tabrizi, Gunter Mussbacher, and Daniel Amyot
(University of Ottawa, Canada)
Recently, interest in performance modeling of outcome-based regulations has grown in the regulatory community. In this context, performance modeling refers to the measuring of important business aspects in a coordinated manner and the use of these measurements for improved decision making. Goal modeling techniques have shown to be beneficial when expressing and analyzing performance models. Since most regulations are still written in natural language, support for the transformation of regulatory text into performance models is needed. This allows regulators and regulated parties to keep working with familiar natural language regulations and to use goal models indirectly while avoiding a potentially significant learning curve for goal-modeling techniques. In this paper, we present such a tool-supported transformation to goal models expressed with the User Requirements Notation that enables reasoning about outcome-based regulations via widely available evaluation mechanism for goal models. The transformation is implemented in the jUCMNav goal modeling tool and illustrated with an example from the banking domain.
Article Search
Towards a Process for Legally Compliant Software
Waël Hassan and Luigi Logrippo
(Privacy in Design, Canada; University of Quebec at Outaouais, Canada; University of Ottawa, Canada)
We propose a method and a process for legal software requirements extraction and compliance checking. We describe a requirements extraction model, a set of rules for specifying the format of the extracted information, a set of UML-based principles for translating the extracted information into a language based on predicate logic, and finally, a tool that analyzes the resulting logic model and displays the results of the analysis. The translation principles are based on a Governance Analysis Model (GAM) which is described in UML; the language is our Governance Analysis Language (GAL) and the tool is our Governance Analysis Tool (GAT). MIT’s logic analyzer Alloy is the engine on which GAT runs. GAL is translated into assertions in Alloy’s language and the Alloy tool can find counterexamples indicating situations of non-compliance. Index Terms— Software requirements, formal method, legal compliance, logic analysis, software design process, privacy law
Article Search

Special Session on Convergent Challenges in Legal Requirements Analysis and Modeling

Legal Requirements Analysis and Modeling with the Measured Compliance Profile for the Goal-oriented Requirement Language
Rouzbahan Rashidi-Tabrizi, Gunter Mussbacher, and Daniel Amyot
(University of Ottawa, Canada)
As demonstrated by a benchmark HIPPA case study, the Measured Compliance Profile for the Goal-oriented Requirement Language (GRL) is used to formalize legal text with GRL in order to make it amenable to compliance analysis. This formalization is based on guidelines yielding a goal model that can be analyzed for compliance with the jUCMNav tool with the help of real-world measurements captured by indicators in the goal model. For usability reasons, the legal text may also be specified in a tabular representation and subsequently transformed into a goal model by jUCMNav.
Article Search
Preserving Traceability and Encoding Meaning in Legal Requirements Extraction
Travis D. Breaux and David G. Gordon
(Carnegie Mellon University, USA)
Information system developers must ensure that their systems comply with government laws and regulations. To demonstrate compliance, developers can trace from statements in law to their system specifications while preserving how they identify and interpret ambiguity. In this paper, we present an application of the legal requirements specification language (LRSL) as a means to encode laws into a machine-readable specification. The encoding reduces ambiguity by making relations between requirements statements explicit. These relations include refinement, pre- and post-conditions, and exceptions that shape the environment in which the developer’s system must operate and limiting the behavior of the system to a set of mandatory and discretionary actions. We illustrate the LRSL using a legal excerpt from Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, §164.512(f) governing disclosures of protected health information to law enforcement in the United States.
Article Search
Applying CoReL to an Excerpt of HIPAA: A Critical Discussion
Marwane El Kharbili
(University of Luxembourg, Luxembourg)
CoReL is a visual business policy modelling language which was proposed in recent research by the author. In this paper, we make an initial attempt at studying the modeling support that CoReL provides to real-world regulations, in particular, the HIPAA Act.
Article Search
Applying GaiusT for Extracting Requirements from Legal Documents
Nicola Zeni, Luisa Mich, John Mylopoulos, and James R. Cordy
(University of Trento, Italy; Queen's University, Canada)
In this paper we describe the architecture and application of GaiusT, a multi-phase framework for extracting requirements from legal documents. GaiusT aims to cover the extraction process from the very first steps, pre-processing the input texts and supporting structural and semantic annotation of legal documents. The annotated information is recorded in a database facilitating both retrieval and evaluation of the results. Existing linguistic tools and resources have been applied whenever possible. A post-analysis of the ongoing implementation of the modules in the GaiusT architecture is given as a preliminary understanding of how much existing tools can be adopted and how much they had to be adapted.
Article Search
Modeling Laws with Nomos 2
Silvia Ingolfo, Alberto Siena, Angelo Susi, Anna Perini, and John Mylopoulos
(University of Trento, Italy; Fondazione Bruno Kessler, Italy)
Nòmos is a framework for modelling law-compliant solutions in software system design. It provides a core set of concepts to enable exploring and selecting alternatives in a variability space defined by laws, a graphical notation to visualize models, and tool support for compliance analysis. This short paper illustrates the features above and sketches some of the research challenges ahead.
Article Search

proc time: 0.24