<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Legal Compliance Support with an Ontology-based Information System</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Albert Meroño-Peñuela</string-name>
          <email>albert.merono@uab.cat</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Núria Casellas</string-name>
          <email>nuria.casellas@uab.cat</email>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Sergi Torralba</string-name>
          <email>sergi.torralba@uab.cat</email>
          <xref ref-type="aff" rid="aff2">2</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Mario Reyes</string-name>
          <email>mreyes@s21sec.com</email>
          <xref ref-type="aff" rid="aff4">4</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Pompeu Casanovas</string-name>
          <email>pompeu.casanovas@uab.cat</email>
          <xref ref-type="aff" rid="aff3">3</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Institute of Law &amp; Technology, U. Autònoma de Barcelona, Faculty of Law</institution>
          ,
          <addr-line>Campus UAB, Bellaterra (08193)</addr-line>
          ,
          <country country="ES">Spain</country>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>Institute of Law &amp; Technology, U. Autònoma de Barcelona, Faculty of Law</institution>
          ,
          <addr-line>Campus UAB, Bellaterra (08193)</addr-line>
          ,
          <country country="ES">Spain</country>
        </aff>
        <aff id="aff2">
          <label>2</label>
          <institution>Institute of Law &amp; Technology, U. Autònoma de Barcelona, Faculty of Law</institution>
          ,
          <addr-line>Campus UAB, Bellaterra (08193)</addr-line>
          ,
          <country country="ES">Spain</country>
        </aff>
        <aff id="aff3">
          <label>3</label>
          <institution>Institute of Law &amp; Technology, U. Autònoma de Barcelona, Faculty of Law</institution>
          ,
          <addr-line>Campus UAB, Bellaterra (08193)</addr-line>
          ,
          <country country="ES">Spain</country>
        </aff>
        <aff id="aff4">
          <label>4</label>
          <institution>S21sec. C/ Alcalde Barnils</institution>
          ,
          <addr-line>64-6, Bg. Testa, D, 1st floor, Sant Cugat Vallès (08174)</addr-line>
          ,
          <country country="ES">Spain</country>
        </aff>
      </contrib-group>
      <abstract>
        <p>The evolution of the Internet and of information systems has dramatically increased the amount of information held by governments and companies. This information can be very sensitive, especially where personal data is concerned, so governments and industries promote acts and guidelines in order to ensure privacy and data security. Companies therefore have to consider both legal and Information Technology (IT) compliance. Nevertheless, compliance assessment is still a manual task performed by experts, although steps towards automated compliance assessment, both in IT and in law, are in progress. In this paper we introduce the Neurona framework, a software application based on legal and security ontologies that aims at providing organizations with legal compliance support.</p>
      </abstract>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. INTRODUCTION</title>
      <p>Internet information systems have grown in complexity and
performance, featuring real-time transactions, high-bandwidth
data flows and large databases. Furthermore, remote connections
and distributed processes increase the risk of network attacks
and accidental data losses. In this scenario, compromising
information security may have critical consequences for
customers and companies (in 2009, the Spanish Data Protection
Agency, Agencia Española de Protección de Datos, AEPD, imposed
penalties for a total of 24.8 M€ [<xref ref-type="bibr" rid="ref1">1</xref>]).</p>
      <p>Governments and industries follow instruments from regulatory
bodies and standardization institutions to ensure information
security. Thus, companies face compliance from two perspectives:
on the one hand, IT compliance with industry best practices and
guidelines and, on the other hand, compliance with legal
regulations. Currently, IT and legal compliance are verified
mostly by experts, usually auditors or consultants, and it is
still a manual task. This compliance assessment process can be
extraordinarily expensive. In the Information Era, one can think
of an automated process that could perform some compliance
assessment steps automatically, reducing the associated costs.
In [<xref ref-type="bibr" rid="ref7">7</xref>] a logical formalism
that specifies privacy policies is presented; these policies can
be verified in a federated digital identity scenario. Security
companies such as RSA (SIEM Automatic Compliance Reports,
http://www.rsa.com/node.aspx?id=3182) and Cornerstone OnDemand
(Enterprise Compliance Reporting,
http://www.cornerstoneondemand.com/compliance-reporting-tools)
also offer tools that address the IT compliance problem, with
emphasis on the policies and guidelines that usually emerge from
industry best practices. Proposals addressing the legal
compliance perspective are scarce or focused on access to data
[<xref ref-type="bibr" rid="ref3">3</xref>].</p>
      <p>The aim of this work is to describe the Neurona framework, a
software application that uses OWL ontologies modeling legal
knowledge to generate legal compliance reports on a company's
state regarding privacy regulations, specifically the Spanish
Personal Data Protection Act (LOPD, Ley Orgánica 15/1999, de 13
de diciembre, de Protección de Datos de Carácter Personal). The
Neurona project is funded by the Spanish Ministry of Industry,
Tourism and Commerce and is developed by the Institute of Law
and Technology (IDT-UAB) and S21sec. The paper is organized as
follows. In section 2, we briefly introduce the legal knowledge
methodologies applied and some non-functional requirements
found. In section 3, the system behaviour and its main use cases
are described. Finally, in section 4, we give a set of
conclusions.</p>
    </sec>
    <sec id="sec-2">
      <title>2. LEGAL KNOWLEDGE</title>
      <p>
        There are deep semantic differences between legal
regulations and guidelines or best practices. There are existing
or in-progress solutions for the IT compliance problem, such as
UCF (Unified Compliance Framework, http://www.unifiedcompliance.com)
or SCAP (the Security Content Automation Protocol,
http://scap.nist.gov). In IT regulations, very deterministic
concepts such as controls or safeguards are specified, often in
a logical formalism that can be checked in a real scenario with
an algorithm. In legal regulations such as LOPD, on the other
hand, more uncertain and open-textured concepts are found. These
are much more difficult to implement in a way that a validation
algorithm can check. Ontologies were found suitable for this
legal compliance scenario because the concepts described in them
can be defined in an expressive yet more relaxed way that avoids
subjective interpretations of legal regulations. Basics of
ontology construction [<xref ref-type="bibr" rid="ref5">5</xref>],
legal requirements for compliance [<xref ref-type="bibr" rid="ref6">6</xref>]
and legal knowledge representations
[<xref ref-type="bibr" rid="ref2 ref4">2, 4</xref>] were applied.
      </p>
      <p>In order to keep the knowledge reusable and changeable, the
domain representation was split into two ontologies. The first
one, DPCO (Data Protection Conceptual Ontology), defines the
legal concepts contained in LOPD and the relationships between
them. Changes in this ontology should occur rarely, and its
contents may be used on their own as an organizational taxonomy.
The second one, DPRO (Data Protection Reasoning Ontology),
specifies a classification of possible desired or undesired
situations regarding the application of the legal regulation,
together with their rules and constraints. DPRO imports DPCO for
entity relationship discovery, but user instances and reasoning
processes are entirely handled in DPRO.</p>
    </sec>
    <sec id="sec-3">
      <title>3. KNOWLEDGE MANAGEMENT SYSTEM</title>
      <p>With the data structure described in section 2, we developed
an OWL API-based tool that implements the three basic groups of
use cases required for automated ontology-based legal compliance
assessment: operative, knowledge management and intelligence.
The operative use cases gather information from the company's
assets and use it to generate ontology instances, which
represent the company's current state regarding its assets and
the dependency relationships between them. The knowledge
management use cases require a maintainer role to load different
versions of DPCO and DPRO in OWL format when necessary (e.g.
after a change in the Act). The intelligence use cases generate
a legal compliance report after accessing the OWL ontologies in
a transparent way and running the Pellet reasoner, which
classifies individuals into the situations modeled in DPRO. The
starting scenario consists of a company that holds some files
containing personal data of employees or customers (such as
name, ID, address, salary, account number and purchase history)
and wants to know its compliance state regarding those files and
the LOPD regulation.</p>
      <p>First, a system administrator runs a knowledge management
use case, in which a pair of OWL ontologies are loaded into the
system and become the active legal knowledge base. Second, an
operative-level user (e.g. a security controller) runs an
operative use case, in which instances of some company assets
(e.g. files or employees) and their state are created
transparently in the active ontologies. This can be performed
manually or automatically, by filling in forms or by executing
network bots for data discovery, respectively. Finally, a
strategic-level user (e.g. a Chief Compliance Officer) runs an
intelligence use case, and the reasoner's classification results
are shown in a report (e.g. whether or not the security measures
of the files are appropriate with regard to the LOPD).</p>
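      <p>As an added example (not code from the Neurona project or from this paper), the following Java program sketches the three use cases just described on OWL API 3.x with the Pellet reasoner: it builds a minimal DPCO, a DPRO that imports it and defines two situations as OWL classes, asserts constructed company assets into DPRO, and asks the reasoner which situation each asset falls into. The namespaces http://example.org/dpco# and http://example.org/dpro#, the class and property names, the sample assets, and the simplified rule "a file that contains personal data and has no security measure is an undesired situation" are assumptions made here for illustration; the paper does not publish the real DPCO and DPRO.</p>

```java
import org.semanticweb.owlapi.apibinding.OWLManager;
import org.semanticweb.owlapi.model.*;
import org.semanticweb.owlapi.reasoner.OWLReasoner;
import com.clarkparsia.pellet.owlapiv3.PelletReasonerFactory;

/*
 * Added illustration of a Neurona-style pipeline on OWL API 3.x with Pellet:
 * a conceptual ontology (DPCO), a reasoning ontology (DPRO) that imports it,
 * company-asset individuals asserted into DPRO, and the reasoner classifying
 * those individuals into situations. Namespaces, class names, sample assets
 * and the compliance rule are assumptions for this example, not the project's
 * real DPCO and DPRO.
 */
public class NeuronaDemo {
    static final String DPCO = "http://example.org/dpco#"; // assumed namespace
    static final String DPRO = "http://example.org/dpro#"; // assumed namespace

    static OWLClass cls(OWLDataFactory f, String iri) { return f.getOWLClass(IRI.create(iri)); }
    static OWLNamedIndividual ind(OWLDataFactory f, String iri) { return f.getOWLNamedIndividual(IRI.create(iri)); }

    public static void main(String[] args) throws OWLOntologyCreationException {
        OWLOntologyManager m = OWLManager.createOWLOntologyManager();
        OWLDataFactory f = m.getOWLDataFactory();

        // Knowledge management use case, part 1: DPCO holds only the stable
        // legal vocabulary (concepts and relations), never company data.
        OWLOntology dpco = m.createOntology(IRI.create(DPCO));
        OWLClass file = cls(f, DPCO + "File");
        OWLClass personalData = cls(f, DPCO + "PersonalData");
        OWLClass measure = cls(f, DPCO + "SecurityMeasure");
        OWLObjectProperty containsData = f.getOWLObjectProperty(IRI.create(DPCO + "containsData"));
        OWLObjectProperty hasMeasure = f.getOWLObjectProperty(IRI.create(DPCO + "hasSecurityMeasure"));
        m.addAxiom(dpco, f.getOWLDisjointClassesAxiom(file, personalData, measure));
        m.addAxiom(dpco, f.getOWLObjectPropertyDomainAxiom(containsData, file));
        m.addAxiom(dpco, f.getOWLObjectPropertyRangeAxiom(containsData, personalData));
        m.addAxiom(dpco, f.getOWLObjectPropertyDomainAxiom(hasMeasure, file));
        m.addAxiom(dpco, f.getOWLObjectPropertyRangeAxiom(hasMeasure, measure));

        // Knowledge management use case, part 2: DPRO imports DPCO and models
        // situations as defined (equivalent) classes, so the reasoner can place
        // individuals in them. The rule below is a simplified stand-in.
        OWLOntology dpro = m.createOntology(IRI.create(DPRO));
        m.applyChange(new AddImport(dpro, f.getOWLImportsDeclaration(IRI.create(DPCO))));
        OWLClass protectedFile = cls(f, DPRO + "FileWithSecurityMeasures");
        OWLClass exposedFile = cls(f, DPRO + "PersonalDataFileWithoutMeasures");
        m.addAxiom(dpro, f.getOWLEquivalentClassesAxiom(protectedFile,
            f.getOWLObjectIntersectionOf(file, f.getOWLObjectSomeValuesFrom(hasMeasure, measure))));
        m.addAxiom(dpro, f.getOWLEquivalentClassesAxiom(exposedFile,
            f.getOWLObjectIntersectionOf(file,
                f.getOWLObjectSomeValuesFrom(containsData, personalData),
                f.getOWLObjectMaxCardinality(0, hasMeasure))));

        // Operative use case: constructed company assets asserted into DPRO.
        OWLNamedIndividual payroll = ind(f, DPRO + "payroll_file");
        OWLNamedIndividual salary = ind(f, DPRO + "salary_data");
        OWLNamedIndividual acl = ind(f, DPRO + "access_control_list");
        m.addAxiom(dpro, f.getOWLClassAssertionAxiom(file, payroll));
        m.addAxiom(dpro, f.getOWLClassAssertionAxiom(personalData, salary));
        m.addAxiom(dpro, f.getOWLClassAssertionAxiom(measure, acl));
        m.addAxiom(dpro, f.getOWLObjectPropertyAssertionAxiom(containsData, payroll, salary));
        m.addAxiom(dpro, f.getOWLObjectPropertyAssertionAxiom(hasMeasure, payroll, acl));

        OWLNamedIndividual customers = ind(f, DPRO + "customer_file");
        OWLNamedIndividual purchases = ind(f, DPRO + "purchase_history");
        m.addAxiom(dpro, f.getOWLClassAssertionAxiom(file, customers));
        m.addAxiom(dpro, f.getOWLClassAssertionAxiom(personalData, purchases));
        m.addAxiom(dpro, f.getOWLObjectPropertyAssertionAxiom(containsData, customers, purchases));
        // Open-world caveat: merely asserting no measure lets the reasoner
        // conclude only that none is known. The discovery step must close the
        // property explicitly when its scan found no measure on the file.
        m.addAxiom(dpro, f.getOWLClassAssertionAxiom(f.getOWLObjectMaxCardinality(0, hasMeasure), customers));

        // Intelligence use case: classify the individuals and report.
        OWLReasoner reasoner = PelletReasonerFactory.getInstance().createReasoner(dpro);
        if (!reasoner.isConsistent()) {
            throw new IllegalStateException("asset instances contradict DPCO/DPRO; the report would be meaningless");
        }
        for (OWLNamedIndividual asset : new OWLNamedIndividual[] {payroll, customers}) {
            System.out.println(report(reasoner, asset));
        }
        reasoner.dispose();
    }

    // One report line per asset: the most specific situations inferred for it.
    static String report(OWLReasoner reasoner, OWLNamedIndividual asset) {
        StringBuilder line = new StringBuilder(asset.getIRI().getFragment()).append(":");
        for (OWLClass situation : reasoner.getTypes(asset, true).getFlattened()) {
            line.append(" ").append(situation.getIRI().getFragment());
        }
        return line.toString();
    }
}
```

      <p>Under the description logic semantics of these axioms, Pellet places payroll_file under FileWithSecurityMeasures and customer_file under PersonalDataFileWithoutMeasures. Two points matter for a compliance report built this way. OWL is open-world: unless the discovery step asserts that a file has no security measure (the max-0 cardinality assertion on customer_file above), the reasoner will not place the file in the undesired situation, so a silent gap in the asset scan reads as compliance. And because the situations are defined classes in DPRO, whoever can load a new DPRO version can change what the report calls compliant, so the maintainer role that loads ontologies deserves the same access control as the report itself.</p>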
    </sec>
    <sec id="sec-4">
      <title>4. CONCLUSIONS</title>
      <p>We have presented a summary of the Neurona project, focusing
on legal compliance assessment of the LOPD act, which applies to
most companies in Spain. We briefly discussed the differences
between existing IT compliance implementations based on control
tables and policy specifications, and the suitability of
ontologies for legal compliance.</p>
      <p>Despite the limits on system accuracy inherited from the
open-textured concepts of legal texts, ontologies allow us to
extract the basic concepts contained in legal texts without
committing to particular interpretations or judicial decisions.
Moreover, the use of ontologies has provided desirable software
quality features: reusability (concept ontologies, for instance
DPCO, can be used in a number of contexts outside the original
application), changeability (changes in the domain only imply
changes in the ontologies, not in the program source code) and
ease of use (almost any critical stakeholder can perform updates
to the data model). With the use of ontologies, this tool could
provide organizations with up-to-date monitoring of compliance
with data protection regulations. The work to evolve this system
into a continuous reporting system for the company's legal
compliance situation is still in progress.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1] Agencia Española de Protección de Datos.
          <source>Memoria 2009</source>
          ,
          <year>2009</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [2]
          <string-name>
            <given-names>N.</given-names>
            <surname>Casellas</surname>
          </string-name>
          .
          <article-title>Modelling Legal Knowledge through Ontologies. OPJK: the Ontology of Professional Judicial Knowledge</article-title>
          .
          <source>PhD thesis</source>
          , Universitat Autònoma de Barcelona,
          <year>2008</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          [3]
          <string-name>
            <given-names>D. el Diehn I.</given-names>
            <surname>Abou-Tair</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Berlik</surname>
          </string-name>
          , and
          <string-name>
            <given-names>U.</given-names>
            <surname>Kelter</surname>
          </string-name>
          .
          <article-title>Enforcing privacy by means of an ontology driven XACML framework</article-title>
          .
          <source>Proceedings, 3rd International Symposium on Information Assurance and Security</source>
          ,
          <year>2007</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          [4]
          <string-name>
            <given-names>A.</given-names>
            <surname>Gangemi</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Prisco</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.-T.</given-names>
            <surname>Sagri</surname>
          </string-name>
          ,
          <string-name>
            <given-names>G.</given-names>
            <surname>Steve</surname>
          </string-name>
          , and
          <string-name>
            <given-names>D.</given-names>
            <surname>Tiscornia</surname>
          </string-name>
          .
          <article-title>Some ontological tools to support legal regulatory compliance, with a case study</article-title>
          .
          <source>OTM Workshops, LNCS</source>
          <volume>2889</volume>
          :
          <fpage>607</fpage>
          –
          <lpage>620</lpage>
          ,
          <year>2003</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          [5]
          <string-name>
            <given-names>A.</given-names>
            <surname>Gómez-Pérez</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Fernández-López</surname>
          </string-name>
          , and
          <string-name>
            <given-names>O.</given-names>
            <surname>Corcho</surname>
          </string-name>
          .
          <source>Ontological Engineering</source>
          . Springer Verlag,
          <year>2003</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          [6]
          <string-name>
            <given-names>A. K.</given-names>
            <surname>Massey</surname>
          </string-name>
          ,
          <string-name>
            <given-names>P. N.</given-names>
            <surname>Otto</surname>
          </string-name>
          ,
          <string-name>
            <given-names>L. J.</given-names>
            <surname>Hayward</surname>
          </string-name>
          , and
          <string-name>
            <given-names>A. I.</given-names>
            <surname>Antón</surname>
          </string-name>
          .
          <article-title>Evaluating existing security and privacy requirements for legal compliance</article-title>
          .
          <source>Requirements Engineering</source>
          ,
          <year>2010</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          [7]
          <string-name>
            <given-names>A.</given-names>
            <surname>Squicciarini</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M. C.</given-names>
            <surname>Mont</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Bhargav-Spantzel</surname>
          </string-name>
          , and
          <string-name>
            <given-names>E.</given-names>
            <surname>Bertino</surname>
          </string-name>
          .
          <article-title>Automatic compliance of privacy policies in federated digital identity management</article-title>
          .
          <source>IEEE Workshop on Policies for Distributed Systems and Networks</source>
          ,
          <year>2008</year>
          .
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>