CISMET: A Semantic Ontology Framework for Regulatory-Requirements-Compliant Information Systems Development and Its Application in the GDPR Case

M. Mahmudul Hasan, George Kousiouris, Dimosthenis Anagnostopoulos, Teta Stamati, Peri Loucopoulos, Mara Nikolaidou
Copyright: © 2021 | Pages: 24
DOI: 10.4018/IJSWIS.2021010101

Abstract

Compliance with regulatory requirements is a critical concern in information system development projects. Managing this aspect is increasingly challenging, while failures impose costly consequences on organizations worldwide. However, how a piece of legislation may or may not affect information system development projects is often not easily identifiable, owing to a lack of clear understanding and guidelines. This paper presents the Compliant Information System Development (CISMET) ontology, which exploits concepts from 21 existing ontologies (covering regulatory compliance and information system development). The key findings are the six parent classes of the CISMET ontology, which describe the system development goals, services, process, activities, artifacts, and resources. In addition, 26 subclasses and 21 class properties describe the various concepts and their relationships in regulatory-compliant information system development. The General Data Protection Regulation (GDPR) of the European Union has been instantiated in the proposed framework to show how regulatory requirements compliance concepts are mapped to system development projects. Thus, the stakeholders involved (information system researchers and system developers) may identify the dependencies and actions needed in relation to the various rules of the regulation, and their link to the system elements, through a relevant software application. The latter lets users submit queries to the backend ontology through a specialized front-end application that aids in formulating and submitting these queries.
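As an added illustration (not the paper's own ontology or query application), the following Python sketch models the six CISMET parent classes in a tiny in-memory triple store and answers the kind of query the abstract describes: which system elements a given GDPR rule touches, grouped by parent class. All subclass, individual and property names, and the GDPR rule identifier, are constructed placeholders for this example.

```python
from collections import defaultdict

# The six parent classes named in the abstract.
PARENTS = {"Goal", "Service", "Process", "Activity", "Artifact", "Resource"}

# Constructed triples (subject, predicate, object); the subclass, individual
# and property names are assumptions made for this example, not CISMET's.
TRIPLES = [
    ("ConsentRecord", "subClassOf", "Artifact"),
    ("DataErasureActivity", "subClassOf", "Activity"),
    ("PersonalDataStore", "subClassOf", "Resource"),
    ("consentDB", "type", "ConsentRecord"),
    ("eraseUserData", "type", "DataErasureActivity"),
    ("userProfileStore", "type", "PersonalDataStore"),
    ("GDPR_RULE_PLACEHOLDER", "type", "RegulatoryRule"),
    ("GDPR_RULE_PLACEHOLDER", "constrains", "eraseUserData"),
    ("eraseUserData", "usesResource", "userProfileStore"),
    ("eraseUserData", "producesArtifact", "consentDB"),
]

# Predicates that express a dependency between a rule and system elements.
DEP_PREDICATES = ("constrains", "usesResource", "producesArtifact")

def index(triples):
    """Index triples as subject -> predicate -> set of objects."""
    idx = defaultdict(lambda: defaultdict(set))
    for s, p, o in triples:
        idx[s][p].add(o)
    return idx

def parent_class(idx, cls):
    """Walk subClassOf until one of the six parent classes is reached."""
    seen = set()
    while cls not in PARENTS and cls not in seen:
        seen.add(cls)
        supers = idx[cls]["subClassOf"]
        if not supers:
            return None          # class is not under any CISMET parent
        cls = next(iter(supers))
    return cls if cls in PARENTS else None

def elements_affected_by(triples, rule):
    """Transitively follow dependency edges from a rule; group hits by parent."""
    idx, result = index(triples), defaultdict(set)
    stack, visited = [rule], set()
    while stack:
        node = stack.pop()
        if node in visited:
            continue
        visited.add(node)
        for pred in DEP_PREDICATES:
            for target in idx[node][pred]:
                for cls in idx[target]["type"]:
                    parent = parent_class(idx, cls)
                    if parent:
                        result[parent].add(target)
                stack.append(target)
    return {k: sorted(v) for k, v in result.items()}
```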

Introduction

With the unprecedented opportunities of information technology, the modern world has shifted from the industrial age to the information age. This transformation is visible in the field of electronic service development, such as e-commerce, e-governance and e-learning, which have become part of our daily lives (Almarabeh & AbuAli, 2010). Information system development projects often face uncertainties and problems in grey regulatory areas, or are constrained by existing regulations when adopting new technologies and solutions for new service development. Moreover, organizations now face difficulties in complying with a rapidly growing number of increasingly complex new regulations and standards. This has a significant impact on how organizations develop an information system and adapt its operations in compliance with regulatory requirements (Yoon, 2018).

Regulatory requirements compliance essentially means ensuring that system development and its operations follow prescribed guidelines and/or an agreed set of rules. The introduction of regulations such as the General Data Protection Regulation (GDPR), the Sarbanes-Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA) has made regulatory requirement compliance a pivotal point of information system research and development, since non-compliance with the requirements of these regulations can have dire consequences (Abdullah et al., 2010). Regulatory requirement compliance has become a critical concern for public and private organizations, since failing to comply with the regulations is no longer an option (OECD, 2020). Organizations are increasingly concerned with the high investment in compliance management that followed some of the largest disasters in the corporate use of information technology, such as the Cambridge Analytica case of 2018 (UK), WorldCom, Tricare, ChoicePoint (USA), HIH (Australia) and Société Générale (France) (The Guardian, 2018; Braganza & Franken, 2007; Bace et al., 2006). Furthermore, the current globalized ecosystem, through the use of distributed computing resources such as cloud solutions (Khan et al., 2019) or the cross-border offering of information system services, amplifies and complicates the question of which rules apply, in which cases, and for which roles and subjects.

Several studies in the literature discuss regulatory compliance. Soliman et al. (2020) discuss a semantics-based framework for systematically classifying regulatory information for automated rule checking. Xu & Cai (2019) present a semantic frame-based method for extracting regulatory information, based on lexical and domain semantics, using natural language processing and machine learning techniques. Zhang & El-Gohary (2016) also present a rule-based natural language processing approach that automatically processes regulation documents for pattern matching in information extraction. However, the literature reports that a semi-automated process often performs better, since most regulations depend on the subjective nature of their context. Muthuri et al. (2017) present a legal interpretation model for interpreting legal provisions when determining business process compliance. DeVos et al. (2019) present an Open Digital Rights Language (ODRL) profile that captures the semantics of policies for business process compliance checking. Hale & Gamble (2019) present a stepwise process based on a semantic hierarchy for extracting security provisions from security control standards when preparing service agreements for organizations. The limitations of the existing work reviewed above can be summarized as follows:

  • The methods and techniques proposed in the existing literature focus only on extracting regulatory rules from the various regulations. There is a research gap in describing how a piece of legislation may or may not affect information system development projects, which is often not easily identifiable because of a lack of clear understanding of regulatory requirements compliance and the domain gap between legal sciences and IT (Soliman et al., 2020; Hale & Gamble, 2019).

  • Organizations struggle to find suitable guidelines and frameworks for understanding compliance management in information system development that would assist them in the compliance management activities of their projects (Mustapha et al., 2020; Zarrabi & Tawil, 2019).
