SoD: Collaborative Research: Transparency and Legal Compliance in Software Systems

SoD：协作研究：软件系统的透明度和法律合规性

• 批准号: 0725152
• 负责人: Eugene Spafford
• 金额: $ 22.96万
• 依托单位: Purdue University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2007
• 资助国家: 美国
• 起止时间: 2007-08-01 至 2011-07-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0725152&HistoricalAwards=false
• 关键词: SoD; Collaborative; Research; Transparency; Legal

This project, involving collaboration between North Carolina State University and Purdue University, addresses the design of Healthcare information systems. Such systems are becoming ubiquitous and thus increasingly subject to attack, misuse and abuse. Specifications and designs of these systems often neglect security and privacy concerns. Moreover, regulations such as HIPAA (Health Insurance Portability and Accountability Act) as well as security and privacy policies are difficult for users to understand and complex for software engineers to use as guides when designing and implementing systems. This project defines mechanisms that are needed to help analysts disambiguate regulations so that they may be clearly specified as software requirements. In addition, regulations are increasingly requiring organizations to comply with the law and account for their actions. Individuals responsible for ensuring compliance and accountability currently lack sufficient guidance and support to manage their legal obligations within relevant information systems. Software controls are needed to provide assurances that business processes adhere to specific requirements, especially those derived from government regulations. To address these challenges, the proposed work takes a holistic view of the design of transparent and legally compliant software systems. Key research questions that are addressed include: -How should system requirements be specified so they may be realized in design and implementation to ensure legal and regulatory compliance? -Given that software designs need to satisfy multiple stakeholders (organizations, law/policy makers, government agencies, public citizens, etc.) having contradictory, inconsistent and difficult to understand objectives, how can the design process of these systems be improved to lead to convergence and satisfaction of these requirements in a transparent and auditable fashion? This project articulates a requirements management framework that enables executives, business managers, software developers and auditors to distribute legal obligations across business units and/or personnel with different roles and technical capabilities. This framework improves accountability by integrating traceability throughout the policy and requirements lifecycle. The broader impacts of this project are expected to be far reaching as law and regulations govern the collection, use, transfer and removal of information from software systems in many spheres of society.

该项目涉及北卡罗来纳州立大学和普渡大学之间的合作，介绍了医疗保健信息系统的设计。这样的系统变得无处不在，因此越来越受到攻击，滥用和滥用。这些系统的规格和设计通常会忽略安全性和隐私问题。此外，诸如HIPAA（健康保险可移植性和问责制）以及安全性和隐私政策等法规很难理解和复杂，让软件工程师在设计和实施系统时可以用作指南。该项目定义了所需的机制，这些机制可以帮助分析师消除歧义法规，以便可以清楚地将其指定为软件要求。此外，法规越来越多地要求组织遵守法律并说明其行为。负责确保合规性和问责制的个人缺乏足够的指导和支持，无法在相关信息系统中管理其法律义务。需要软件控件来提供保证业务流程符合特定要求，尤其是从政府法规中得出的要求。为了应对这些挑战，拟议的工作对透明且合法合法的软件系统的设计有了整体的看法。解决的关键研究问题包括： - 应如何指定系统要求，以便在设计和实施中实现它们以确保法律和法规合规性？ - 赋予软件设计需要满足多个利益相关者（组织，法律/政策制定者，政府机构，公民等），具有矛盾，不一致且难以理解目标，如何改善这些系统的设计过程以在透明和审计的方式中导致这些需求和满足这些需求？该项目阐明了一个要求管理框架，该框架使高管，业务经理，软件开发人员和审计师能够跨业务部门和/或具有不同角色和技术能力的人员分配法律义务。该框架通过在整个政策和需求生命周期中整合可追溯性来提高问责制。随着法律和法规控制着社会许多领域的软件系统的收集，使用，转移和删除信息，预计该项目的更广泛影响将是遥不可及的。