Legal Compliance Support with an Ontology-based Information System

Albert Meroño-Peñuela, Núria Casellas, Sergi Torralba, Pompeu Casanovas
Institute of Law & Technology, U. Autònoma de Barcelona, Faculty of Law, Campus UAB, Bellaterra (08193), Spain
albert.merono@uab.cat, nuria.casellas@uab.cat, sergi.torralba@uab.cat, pompeu.casanovas@uab.cat

Mario Reyes
S21sec, C/ Alcalde Barnils, 64-6, Bg. Testa, D, 1st floor, Sant Cugat Vallès (08174), Spain
mreyes@s21sec.com

ABSTRACT

The evolution of the Internet and of Information Systems has dramatically increased the amount of information held by governments and companies. This information can be very sensitive, especially where personal data is concerned, so governments and industries promote acts and guidelines in order to ensure privacy and data security. Companies therefore have to consider both legal and Information Technology (IT) compliance. Nevertheless, compliance assessment is still a manual task performed by experts, although steps towards automated compliance assessment, both in IT and in law, are in progress. In this paper we introduce the Neurona framework, a software application based on legal and security ontologies that aims at providing organizations with legal compliance support.

1. INTRODUCTION

Internet Information Systems have grown in complexity and performance, featuring real-time transactions, high-bandwidth data flows and large databases. Furthermore, remote connections and distributed processes increase the risk of network attacks and accidental data losses. In this scenario, compromising information security may have critical consequences for customers and companies (in 2009, the Spanish Data Protection Agency, Agencia Española de Protección de Datos, AEPD, imposed penalties totalling 24.8 M€ [1]).

Governments and industries follow instruments from regulatory bodies and standardization institutions to ensure information security. Thus, companies face compliance from two perspectives: on the one hand, IT compliance with industry best practices and guidelines and, on the other hand, compliance with legal regulations. Currently, IT and legal compliance are verified mostly by experts, usually auditors or consultants, and it is still a manual task. This compliance assessment process can be extraordinarily expensive.

In the Information Era, one can think of an automated process that could perform some compliance assessment steps automatically, reducing the associated costs. In [7] a logical formalism that specifies privacy policies is presented; these policies can be verified in a federated digital identity scenario. Security companies such as RSA (SIEM Automatic Compliance Reports, http://www.rsa.com/node.aspx?id=3182) and Cornerstone OnDemand (Enterprise Compliance Reporting, http://www.cornerstoneondemand.com/compliance-reporting-tools) also offer tools that address the IT compliance problem, with emphasis on policies and guidelines that usually emerge from industry best practices. Proposals for the legal compliance perspective are scarce, or focused on access to data [3].

The aim of this work is to describe the Neurona framework (the Neurona project is funded by the Spanish Ministry of Industry, Tourism and Commerce and is developed by the Institute of Law and Technology (IDT-UAB) and S21sec), a software application that uses OWL ontologies modelling legal knowledge to generate legal compliance reports on a company's state regarding privacy regulations, specifically the Spanish Personal Data Protection Act (Ley Orgánica 15/99 de 13 de Diciembre de Protección de Datos de Carácter Personal, LOPD).

The paper is organized as follows. In section 2, we briefly introduce the legal knowledge methodologies applied, and some non-functional requirements found. In section 3, the system behaviour and its main use cases are described. Finally, in section 4, we give a set of conclusions.

2. LEGAL KNOWLEDGE

There are deep semantic differences between legal regulations and guidelines or best practices. There are existing or in-progress solutions for the IT compliance problem, such as UCF (Unified Compliance Framework, http://www.unifiedcompliance.com) or SCAP (the Security Content Automation Protocol, http://scap.nist.gov). IT regulations specify very deterministic concepts such as controls or safeguards, often in a logical formalism that can be checked against a real scenario with an algorithm. In legal regulations like the LOPD, on the other hand, more uncertain and open-textured concepts are found. These are much more difficult to implement in a way that can be checked by a validation algorithm. Ontologies were found suitable for this legal compliance scenario because the concepts described in them can be defined in an expressive and more relaxed way that avoids subjective interpretations of legal regulations. Basics of ontology construction [5], legal requirements for compliance [6] and legal knowledge representation [2, 4] were applied.

In order to keep the knowledge reusable and changeable, the domain representation was split into two ontologies. The first one, DPCO (Data Protection Conceptual Ontology), defines the legal concepts contained in the LOPD and the relationships between them. Changes in this ontology should occur rarely, and its contents may be used on their own as an organizational taxonomy. The second one, DPRO (Data Protection Reasoning Ontology), specifies a classification of possible desired or undesired situations regarding the application of the legal regulation, together with their rules and constraints. DPRO imports DPCO for entity relationship discovery, but user instances and reasoning processes live entirely in DPRO.

3. KNOWLEDGE MANAGEMENT SYSTEM

With the data structure described in section 2, we developed an OWL API-based tool that performs the three basic use cases required for an automated ontology-based legal compliance assessment: operative, knowledge management and intelligence. The operative use cases gather information from the company's assets and use it to generate ontology instances, which represent the company's current state regarding its assets and the dependency relationships between them. The knowledge management use cases require a maintainer role to load different versions of DPCO and DPRO in OWL format when necessary (e.g. after a change in the Act). The intelligence use cases generate a legal compliance report, after accessing the OWL ontologies transparently and running the Pellet reasoner, which classifies individuals into the situations modelled in DPRO.

The starting scenario is a company that holds some files containing personal data of employees or customers (such as name, ID, address, salary, account number and purchase history), and wants to know its compliance state regarding those files and the LOPD.

First, a system administrator runs a knowledge management use case, in which a pair of OWL ontologies are loaded into the system and become the active legal knowledge base. Second, an operative-level user (e.g. a security controller) runs an operative use case, in which instances of some company assets (e.g. files or employees) and their state are created transparently in the active ontologies. This can be performed manually or automatically, by filling in forms or by executing net bots for data discovery, respectively. Finally, a strategic-level user (e.g. a Chief Compliance Officer) runs an intelligence use case, and the reasoner's classification results are shown in a report (e.g. whether the security measures applied to the files are appropriate with respect to the LOPD).

4. CONCLUSIONS

We have presented a summary of the Neurona project, focusing on legal compliance assessment of the LOPD, which applies to most companies in Spain. We briefly discussed the differences between existing IT compliance implementations, based on control tables and policy specifications, and the suitability of ontologies for legal compliance.

Despite the limits on accuracy that the system inherits from the open-textured concepts of legal texts, ontologies allow us to extract the basic concepts contained in those texts without committing to interpretations and judicial decisions. Moreover, the use of ontologies has provided desirable software quality features: reusability (concept ontologies such as DPCO can be used in a number of contexts outside the original application), changeability (changes in the domain only imply changes in the ontologies, not in the program source code) and ease of use (almost any critical stakeholder can perform updates to the data model). With the use of ontologies, this tool could provide organizations with up-to-date monitoring of data protection compliance. The work to evolve this system into a continuous reporting system for the company's legal compliance situation is still in progress.
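The classification step of section 3 (DPRO situations defined over DPCO concepts, asset individuals created by the operative use case, a report produced by the intelligence use case), as an added example that is not Neurona's code. It is a closed-world stand-in for what an OWL reasoner such as Pellet does, and every concept, situation, measure and asset in it is hypothetical: none of them are the real contents of DPCO or DPRO, nor the LOPD's actual requirements. The one point it deliberately exercises is the open-world caveat a practitioner needs here: a DL reasoner never infers that a file lacks a security measure just because no such assertion was loaded, so an "undesired situation" like a missing measure can only be concluded once the operative user has explicitly declared the asset's measure inventory complete (modelled by `measures_complete`); until then the verdict is undetermined rather than a violation.

```python
# Added example, not code from the Neurona project.  A closed-world stand-in
# for the DPCO/DPRO split and the reasoner classification step of section 3.
# All concepts, situations, assets and measures are hypothetical: they are
# neither the real DPCO/DPRO contents nor the LOPD's actual requirements.
from dataclasses import dataclass

# Concept layer (stands in for DPCO): child -> parent, like OWL subclass
# axioms.  Roots ("PersonalData", "SecurityMeasure") have no entry.
CONCEPT_PARENTS = {
    "Name": "IdentificationData", "IdNumber": "IdentificationData",
    "Address": "IdentificationData", "IdentificationData": "PersonalData",
    "Salary": "FinancialData", "AccountNumber": "FinancialData",
    "FinancialData": "PersonalData", "PurchaseHistory": "PersonalData",
    "Encryption": "SecurityMeasure", "AccessControl": "SecurityMeasure",
    "Backup": "SecurityMeasure",
}


def is_a(concept, ancestor):
    """Subsumption check: concept is ancestor or a descendant of it."""
    while concept is not None:
        if concept == ancestor:
            return True
        concept = CONCEPT_PARENTS.get(concept)
    return False


@dataclass(frozen=True)
class Situation:
    """Stands in for a DPRO defined class, roughly
    Situation = File and (containsData some trigger)
                     and (hasMeasure some r) for every r in required."""
    name: str
    trigger: str
    required: frozenset


@dataclass
class Asset:
    """A File individual created by an operative use case."""
    name: str
    contains: set
    measures: set
    # True once the operative user asserts the measure inventory is complete;
    # without it a missing measure is unknown, not absent (open world).
    measures_complete: bool = False


def classify(asset, situation):
    """Return 'not applicable', 'satisfied', 'violated' or 'undetermined'."""
    if not any(is_a(d, situation.trigger) for d in asset.contains):
        return "not applicable"
    missing = [r for r in situation.required
               if not any(is_a(m, r) for m in asset.measures)]
    if not missing:
        return "satisfied"
    # A violation needs closure of hasMeasure; otherwise it is only unknown.
    return "violated" if asset.measures_complete else "undetermined"


def compliance_report(assets, situations):
    """Intelligence use case: every asset classified against every situation."""
    return {a.name: {s.name: classify(a, s) for s in situations} for a in assets}


# Hypothetical DPRO situations (not the LOPD's real rules).
SITUATIONS = [
    Situation("PersonalDataFileProtected", "PersonalData",
              frozenset({"AccessControl", "Backup"})),
    Situation("FinancialDataFileProtected", "FinancialData",
              frozenset({"Encryption"})),
]

# Constructed asset inventory, as the operative use case would produce it.
ASSETS = [
    Asset("payroll", {"Name", "Salary", "AccountNumber"},
          {"AccessControl", "Backup", "Encryption"}, measures_complete=True),
    Asset("customers", {"Name", "Address", "PurchaseHistory"},
          {"AccessControl"}),                      # inventory not yet closed
    Asset("hr_contracts", {"Name", "Salary"},
          {"AccessControl"}, measures_complete=True),
]

if __name__ == "__main__":
    for asset_name, results in compliance_report(ASSETS, SITUATIONS).items():
        print(asset_name)
        for situation_name, verdict in results.items():
            print(f"  {situation_name}: {verdict}")
```

Run as a script it prints the report: `payroll` satisfies both situations, `hr_contracts` violates both (its inventory is closed and it lacks Backup and Encryption), and `customers` comes out undetermined for the personal-data situation because nobody has asserted that its inventory is complete. In a real OWL deployment the same closure is expressed with an explicit axiom on the individual (for example an exact cardinality or a nominal-enumerated range for the measure property) rather than a boolean flag, but the consequence for the report is the same: without it, the reasoner cannot place an asset in an undesired situation.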
5. REFERENCES

[1] Memoria 2009. Agencia Española de Protección de Datos.
[2] N. Casellas. Modelling Legal Knowledge through Ontologies. OPJK: the Ontology of Professional Judicial Knowledge. PhD thesis, Universitat Autònoma de Barcelona, 2008.
[3] D. el Diehn I. Abou-Tair, S. Berlik, and U. Kelter. Enforcing privacy by means of an ontology driven XACML framework. Proceedings, 3rd International Symposium on Information Assurance and Security, 2007.
[4] A. Gangemi, A. Prisco, M.-T. Sagri, G. Steve, and D. Tiscornia. Some ontological tools to support legal regulatory compliance, with a case study. OTM Workshops, LNCS 2889:607–620, 2003.
[5] A. Gómez-Pérez, M. Fernández-López, and O. Corcho. Ontological Engineering. Springer Verlag, 2003.
[6] A. K. Massey, P. N. Otto, L. J. Hayward, and A. I. Anton. Evaluating existing security and privacy requirements for legal compliance. Requirements Engineering, 2010.
[7] A. Squicciarini, M. C. Mont, A. Bhargav-Spantzel, and E. Bertino. Automatic compliance of privacy policies in federated digital identity management. IEEE Workshop on Policies for Distributed Systems and Networks, 2008.