SoD: Collaborative Research: Transparency and Legal Compliance in Software Systems

SoD：协作研究：软件系统的透明度和法律合规性

• 批准号: 0725144
• 负责人: Ana Anton
• 金额: $ 27.04万
• 依托单位: North Carolina State University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2007
• 资助国家: 美国
• 起止时间: 2007-08-01 至 2011-07-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0725144&HistoricalAwards=false
• 关键词: SoD; Collaborative; Research; Transparency; Legal

This project, involving collaboration between North Carolina State University and Purdue University, addresses the design of Healthcare information systems. Such systems are becoming ubiquitous and thus increasingly subject to attack, misuse and abuse. Specifications and designs of these systems often neglect security and privacy concerns. Moreover, regulations such as HIPAA (Health Insurance Portability and Accountability Act) as well as security and privacy policies are difficult for users to understand and complex for software engineers to use as guides when designing and implementing systems. This project defines mechanisms that are needed to help analysts disambiguate regulations so that they may be clearly specified as software requirements. In addition, regulations are increasingly requiring organizations to comply with the law and account for their actions. Individuals responsible for ensuring compliance and accountability currently lack sufficient guidance and support to manage their legal obligations within relevant information systems. Software controls are needed to provide assurances that business processes adhere to specific requirements, especially those derived from government regulations.To address these challenges, the proposed work takes a holistic view of the design of transparent and legally compliant software systems. Key research questions that are addressed include: -How should system requirements be specified so they may be realized in design and implementation to ensure legal and regulatory compliance? -Given that software designs need to satisfy multiple stakeholders (organizations, law/policy makers, government agencies, public citizens, etc.) having contradictory, inconsistent and difficult to understand objectives, how can the design process of these systems be improved to lead to convergence and satisfaction of these requirements in a transparent and auditable fashion? This project articulates a requirements management framework that enables executives, business managers, software developers and auditors to distribute legal obligations across business units and/or personnel with different roles and technical capabilities. This framework improves accountability by integrating traceability throughout the policy and requirements lifecycle. The broader impacts of this project are expected to be far reaching as law and regulations govern the collection, use, transfer and removal of information from software systems in many spheres of society.

该项目涉及北卡罗来纳州州立大学和普渡大学之间的合作，涉及医疗保健信息系统的设计。这种系统正变得无处不在，因此越来越容易受到攻击、误用和滥用。这些系统的规格和设计往往忽视安全和隐私问题。此外，诸如HIPAA（健康保险可携性和责任法案）以及安全和隐私政策等法规对于用户来说难以理解，并且对于软件工程师来说在设计和实现系统时用作指南是复杂的。该项目定义了帮助分析师消除法规歧义所需的机制，以便将法规明确指定为软件需求。此外，法规越来越多地要求各组织遵守法律并对其行为负责。负责确保合规和问责的个人目前缺乏足够的指导和支持，无法在相关信息系统内管理其法律的义务。需要软件控制来保证业务流程符合特定要求，特别是来自政府法规的要求。为了应对这些挑战，拟议的工作从整体上考虑了透明和合法的软件系统的设计。解决的关键研究问题包括：-应如何指定系统的要求，使他们可以实现在设计和实施，以确保法律的和法规的遵守？- 鉴于软件设计需要满足多个利益相关者（组织、法律/政策制定者、政府机构、公众公民等）由于这些系统的目标相互矛盾、不一致和难以理解，如何改进这些系统的设计过程，以透明和可审计的方式使这些要求趋于一致并得到满足？该项目阐明了一个需求管理框架，使执行人员、业务经理、软件开发人员和审计人员能够在具有不同角色和技术能力的业务单位和/或人员之间分配法律的义务。该框架通过在整个策略和需求生命周期中集成可追溯性来提高可问责性。由于社会许多领域的软件系统中信息的收集、使用、转移和删除受到法律和条例的制约，预计该项目的广泛影响将是深远的。