DOI: 10.1145/3078861.3078879
Short paper

Security Analysis and Legal Compliance Checking for the Design of Privacy-friendly Information Systems

Published: 07 June 2017

Abstract

Nowadays, most business practices involve processing the personal data of customers and employees. Such processing is strictly regulated by legislation that protects the rights of the data subject. Enforcing these regulations in an enterprise information system is a non-trivial task that requires an interdisciplinary approach. This paper presents a declarative framework for specifying information system designs, purpose-aware access control policies, and the legal requirements derived from the European Data Protection Directive. Compliance checking is then reduced to policy refinement, a problem for which automated tools are available. We briefly discuss the results of the compliance analysis with a prototype tool on a simple but realistic scenario: the processing of personal data to produce salary slips for the employees of an Italian organization.
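The reduction described in the abstract, as an added illustration that is not the paper's framework, tool or scenario model: a purpose-aware access control policy for the salary-slip scenario and a legal policy encoding a few Data Protection Directive requirements (purpose limitation, explicit consent for special categories of data, the data subject's right of access) are both written as Python permit predicates over a small finite domain, and compliance is checked as policy refinement: every request the system policy permits must also be permitted by the legal policy, and any request where that fails is a counterexample the designer can act on. The role, data and purpose names, the two policies and the exhaustive enumeration (standing in for the SMT-based tools the paper relies on) are all assumptions of this example.

```python
from dataclasses import dataclass
from itertools import product
from typing import Callable, Iterator, List

# Finite domains, constructed for this example; a real analysis would take
# them from the information system design under review.
ROLES = ("payroll_clerk", "hr_manager", "marketing_analyst", "employee")
ACTIONS = ("read", "write")
DATA = ("name", "salary", "bank_account", "union_membership")
PURPOSES = ("payroll", "hr_management", "analytics")

# Assumed special category of data: union dues are deducted from the salary,
# so trade-union membership shows up in payroll processing.
SENSITIVE = {"union_membership"}
# Purposes declared to the data subject at collection time (assumption).
DECLARED_PURPOSES = {"payroll", "hr_management"}


@dataclass(frozen=True)
class Request:
    role: str
    action: str
    data: str
    purpose: str
    consent: bool     # explicit consent of the data subject is on record
    is_subject: bool  # the requester is the data subject


Policy = Callable[[Request], bool]


def legal_policy(r: Request) -> bool:
    """Assumed encoding of three legal requirements as a permit predicate."""
    if r.is_subject and r.action == "read":
        return True                       # right of access by the data subject
    if r.purpose not in DECLARED_PURPOSES:
        return False                      # purpose limitation
    if r.data in SENSITIVE and not r.consent:
        return False                      # special categories need explicit consent
    return True


def system_policy(r: Request) -> bool:
    """Purpose-aware RBAC as a designer might first configure it (two defects)."""
    if r.role == "payroll_clerk" and r.purpose == "payroll":
        return True                       # defect 1: no consent check on sensitive data
    if (r.role == "hr_manager" and r.purpose == "hr_management"
            and r.action == "read" and r.data in {"name", "salary"}):
        return True
    if (r.role == "marketing_analyst" and r.purpose == "analytics"
            and r.action == "read" and r.data in {"name", "salary"}):
        return True                       # defect 2: a purpose never declared
    if r.role == "employee" and r.is_subject and r.action == "read":
        return True
    return False


def fixed_system_policy(r: Request) -> bool:
    """The same policy after removing both defects."""
    if r.role == "marketing_analyst":
        return False
    if r.role == "payroll_clerk" and r.purpose == "payroll":
        return r.consent or r.data not in SENSITIVE
    return system_policy(r)


def all_requests() -> Iterator[Request]:
    """Enumerate the finite request space; this stands in for the SMT query."""
    for role, action, data, purpose, consent, subj in product(
            ROLES, ACTIONS, DATA, PURPOSES, (False, True), (False, True)):
        yield Request(role, action, data, purpose, consent, subj)


def refinement_counterexamples(system: Policy, legal: Policy) -> List[Request]:
    """Requests the system permits but the law forbids; empty means system refines legal."""
    return [r for r in all_requests() if system(r) and not legal(r)]


def is_compliant(system: Policy, legal: Policy) -> bool:
    return not refinement_counterexamples(system, legal)


if __name__ == "__main__":
    for r in refinement_counterexamples(system_policy, legal_policy):
        print("VIOLATION:", r)
    print("fixed policy compliant:", is_compliant(fixed_system_policy, legal_policy))
```

Each counterexample is a concrete request (role, action, data, purpose, consent, subject) that tells the designer which rule to tighten, which is the practical value of the refinement formulation. Exhaustive enumeration is exponential in the number of attributes and only works because the domain here is tiny; the paper's point is that the same refinement question can be handed to an automated solver instead.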


Cited By

  • (2022) A Survey on Empirical Security Analysis of Access-control Systems: A Real-world Perspective. ACM Computing Surveys 55(6), 1-28. doi:10.1145/3533703
  • (2022) Compliance checking of software processes: A systematic literature review. Journal of Software: Evolution and Process 34(5). doi:10.1002/smr.2440
  • (2021) A Survey of Methodologies for Protecting Privacy of User Data Within Enterprise Information Infrastructure. Research Anthology on Privatizing and Securing Data, 546-568. doi:10.4018/978-1-7998-8954-0.ch025
  • (2021) Modeling data protection and privacy: application and experience with GDPR. Software and Systems Modeling. doi:10.1007/s10270-021-00935-5
  • (2021) Privacy as a Service (PraaS): A Conceptual Model of GDPR to Construct Privacy Services. Business Modeling and Software Design, 170-189. doi:10.1007/978-3-030-79976-2_10
  • (2021) A risk-based methodology for privacy requirements elicitation and control selection. Security and Privacy 5(1). doi:10.1002/spy2.188
  • (2020) A Survey of Methodologies for Protecting Privacy of User Data Within Enterprise Information Infrastructure. Handbook of Research on Cyber Crime and Information Privacy, 43-65. doi:10.4018/978-1-7998-5728-0.ch003
  • (2020) TR-Model. A Metadata Profile Application for Personal Data Transparency. IEEE Access 8, 75184-75209. doi:10.1109/ACCESS.2020.2988566
  • (2020) Tool-Assisted Risk Analysis for Data Protection Impact Assessment. Privacy and Identity Management. Data for Better Living: AI and Privacy, 308-324. doi:10.1007/978-3-030-42504-3_20
  • (2019) Using Models to Enable Compliance Checking Against the GDPR: An Experience Report. 2019 ACM/IEEE 22nd International Conference on Model Driven Engineering Languages and Systems (MODELS), 1-11. doi:10.1109/MODELS.2019.00-20


Published In

SACMAT '17 Abstracts: Proceedings of the 22nd ACM on Symposium on Access Control Models and Technologies
June 2017, 276 pages
ISBN: 9781450347020
DOI: 10.1145/3078861

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. access control policies
  2. EU DPD
  3. legal compliance


Conference

SACMAT '17

      Acceptance Rates

SACMAT '17 Abstracts paper acceptance rate: 14 of 50 submissions (28%)
Overall acceptance rate: 177 of 597 submissions (30%)
