SoD: Collaborative Research: Transparency and Legal Compliance in Software Systems

SoD：协作研究：软件系统的透明度和法律合规性

• 批准号: 0725152
• 负责人: Eugene Spafford
• 金额: $ 22.96万
• 依托单位: Purdue University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2007
• 资助国家: 美国
• 起止时间: 2007-08-01 至 2011-07-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0725152&HistoricalAwards=false
• 关键词: SoD; Collaborative; Research; Transparency; Legal

This project, involving collaboration between North Carolina State University and Purdue University, addresses the design of Healthcare information systems. Such systems are becoming ubiquitous and thus increasingly subject to attack, misuse and abuse. Specifications and designs of these systems often neglect security and privacy concerns. Moreover, regulations such as HIPAA (Health Insurance Portability and Accountability Act) as well as security and privacy policies are difficult for users to understand and complex for software engineers to use as guides when designing and implementing systems. This project defines mechanisms that are needed to help analysts disambiguate regulations so that they may be clearly specified as software requirements. In addition, regulations are increasingly requiring organizations to comply with the law and account for their actions. Individuals responsible for ensuring compliance and accountability currently lack sufficient guidance and support to manage their legal obligations within relevant information systems. Software controls are needed to provide assurances that business processes adhere to specific requirements, especially those derived from government regulations. To address these challenges, the proposed work takes a holistic view of the design of transparent and legally compliant software systems. Key research questions that are addressed include: -How should system requirements be specified so they may be realized in design and implementation to ensure legal and regulatory compliance? -Given that software designs need to satisfy multiple stakeholders (organizations, law/policy makers, government agencies, public citizens, etc.) having contradictory, inconsistent and difficult to understand objectives, how can the design process of these systems be improved to lead to convergence and satisfaction of these requirements in a transparent and auditable fashion? This project articulates a requirements management framework that enables executives, business managers, software developers and auditors to distribute legal obligations across business units and/or personnel with different roles and technical capabilities. This framework improves accountability by integrating traceability throughout the policy and requirements lifecycle. The broader impacts of this project are expected to be far reaching as law and regulations govern the collection, use, transfer and removal of information from software systems in many spheres of society.

该项目涉及北卡罗来纳州立大学和普渡大学之间的合作，致力于医疗保健信息系统的设计。此类系统变得无处不在，因此越来越容易受到攻击、误用和滥用。这些系统的规格和设计常常忽视安全和隐私问题。此外，HIPAA（健康保险流通与责任法案）等法规以及安全和隐私政策对于用户来说很难理解，并且对于软件工程师在设计和实现系统时用作指南来说也很复杂。该项目定义了帮助分析师消除法规歧义所需的机制，以便将它们明确指定为软件需求。此外，法规越来越要求组织遵守法律并对其行为负责。负责确保合规和问责的个人目前缺乏足够的指导和支持来管理相关信息系统内的法律义务。需要软件控制来保证业务流程遵守特定要求，尤其是来自政府法规的要求。为了应对这些挑战，拟议的工作对透明且合法的软件系统的设计进行了全面的审视。解决的关键研究问题包括： - 应如何指定系统要求，以便在设计和实施中实现这些要求，以确保法律和法规的合规性？ - 鉴于软件设计需要满足多个利益相关者（组织、法律/政策制定者、政府机构、公众公民等）的需求，这些利益相关者的目标相互矛盾、不一致且难以理解，如何改进这些系统的设计过程，以透明和可审计的方式实现这些要求的融合和满足？该项目阐明了一个需求管理框架，使管理人员、业务经理、软件开发人员和审计员能够在具有不同角色和技术能力的业务部门和/或人员之间分配法律义务。该框架通过在整个策略和需求生命周期中集成可追溯性来提高问责制。由于法律和法规管辖社会许多领域的软件系统中的信息收集、使用、传输和删除，因此该项目预计将产生深远的影响。