André Rifaut
Philips
Publication
Featured research published by André Rifaut.
requirements engineering | 2008
André Rifaut; Eric Dubois
Within the context of business processes design and deployment we introduce and illustrate the use of goal models for capturing compliance requirements applicable over business processes configurations. More specifically we explain how a goal-oriented approach can be used together with the ISO/IEC 15504 standard in order to provide a formal framework according to which the compliance of business processes against regulations and their associated requirements can be assessed and measured. The overall approach is discussed and illustrated through the handling of a real business case related to the Basel II Accords on operational risk management in the financial sector.
Proceedings of the 6th International Workshop on Modeling in Software Engineering | 2014
Sepideh Ghanavati; Daniel Amyot; André Rifaut
Every year, governments introduce new or revised regulations that are imposing new types of requirements on software development. Analyzing and modeling these legal requirements is time consuming, challenging and cumbersome for software and requirements engineers. Having regulation models can help understand regulations and converge toward better compliance levels for software and systems. This paper introduces a systematic method to extract legal requirements from regulations by mapping the latter to the Legal Profile for Goal-oriented Requirements Language (GRL) (Legal GRL). This profile provides a conceptual meta-model for the anatomy of regulations and maps its elements to standard GRL with specialized annotations and links, with analysis techniques that exploit this additional information. The paper also illustrates examples of Legal GRL models for The Privacy and Electronic Communications Regulations. Existing tool support (jUCMNav) is also extended to support Legal GRL modeling.
ieee international conference on requirements engineering | 2014
Sepideh Ghanavati; André Rifaut; Eric Dubois; Daniel Amyot
Most systems and business processes in organizations need to comply with more than one law or regulation. Different regulations can partially overlap (e.g., one can be more detailed than the other) or even conflict with each other. In addition, one regulation can permit an action whereas the same action in another regulation might be mandatory or forbidden. In each of these cases, an organization needs to take different strategies. This paper presents an approach to handle different situations when comparing and attempting to comply with multiple regulations as part of a goal-oriented modeling framework named LEGAL-URN. This framework helps organizations find suitable trade-offs and priorities when complying with multiple regulations while at the same time trying to meet their own business objectives. The approach is illustrated with a case study involving a Canadian health care organization that must comply with four laws related to privacy, quality of care, freedom of information, and care consent.
IESA | 2007
Nicolas Mayer; Eric Dubois; André Rifaut
Information systems (IS) security within organizations is more and more focused around risk management approaches. Central to these approaches is the need for a better understanding of the required alignment between the business view of the organization and the architecture of its underlying IS. Through the use of requirements engineering techniques, the paper suggests how this business/IT interoperability issue is tackled together with the clarification of the underlying security risk management ontology.
conference on advanced information systems engineering | 1992
Eric Dubois; Philippe Du Bois; André Rifaut
In this paper, we propose a formal specification language supporting activities performed during the initial requirements engineering phase of the software lifecycle. During this phase, those activities include (i) the elicitation and the capture of the initial description of a given problem, (ii) the expression of requirements associated with a ‘composite system’ (i.e. a system including manual procedures, hardware devices and software components interacting together) providing a solution to the original problem and (iii) the organization of the requirements document in order to enhance its readability and to promote its maintenance and reusability.
international workshop on requirements engineering and law | 2012
André Rifaut; Sepideh Ghanavati
In recent years, intentional models have been adapted to capture and analyze compliance needs and requirements. Furthermore, intentional models have been used to identify the impact of regulations on organizational goals by helping to elicit different alternatives about the business operations supported by compliant business processes and services. In other works, intentional models based on measurement-frameworks have provided well-structured models of regulations and compliance alternatives. This paper integrates Goal-Oriented Requirements Language (GRL)-based methodologies with measurement-based methodologies to improve support for comparing regulations sharing the same concerns via the (measurement) objectivity.
Revised Selected Papers of the AICOL 2013 International Workshops on AI Approaches to the Complexity of Legal Systems - Volume 8929 | 2013
Guido Boella; Silvano Colombo Tosatto; Sepideh Ghanavati; Joris Hulstijn; Llio Humphreys; Robert Muthuri; André Rifaut; Leendert W. N. van der Torre
Business process compliance with regulations has been a topic of many research areas in Computer Science such as Requirements Engineering (RE), Artificial Intelligence (AI), Logic and Natural Language Processing (NLP). This work aims to provide a systematic way of establishing and managing compliance to assist decision-making and reporting. Despite many notable advances, few systems deal adequately with legal interpretation and modeling norms in an expressive way that is well-integrated with business modeling practices. In this paper, we bring together two leading systems, Legal-URN and Eunomos, for a comprehensive compliance management solution.
international workshop on requirements engineering and law | 2011
André Rifaut
New regulatory regimes advocate the use of “goal-oriented” regulations that are more flexible during regulatory conversations occurring between the regulators and the regulatees when new regulations are introduced. In that context, long-term “compliance agreements” between regulators and regulatees are needed. Using recent developments of the Measurement Theory, this paper shows that the concept of Measurement Framework (MF) for soft-systems is of particular importance for providing those compliance agreements. We show that with two kinds of goals and softgoals based on MF, one can improve (a) the elicitation of compliance requirements, (b) the structure of the compliance arguments for compliant requirements, and (c) the consistency between actual compliance at run-time and the intentional compliance at early stages of Requirements Engineering.
ServiceWave '08 Proceedings of the 1st European Conference on Towards a Service-Based Internet | 2008
Eric Grandry; Eric Dubois; Michel Picard; André Rifaut
In this paper we introduce a framework for capturing and managing the requirements associated with the non-functional part of the services like service management, security management, assurance, for which norms, recommendations and good practices exist. The proposed framework considers these service requirements both from a business and a software perspective. The elicitation, the capture and the traceability issues related to these requirements are solved with goal-oriented requirements engineering techniques, while the structuring and the assessment of the requirements is based on the ISO/IEC-15504 standard. The overall framework is illustrated with a business case run by our research centre in a public/private partnership. It is associated with the design of project management services delivered through a portal and is focusing on the services management requirements in relation with the IT service management ISO/IEC 20000 norm.
BSME | 2012
Eric Dubois; Sylvain Kubicki; Sophie Ramel; André Rifaut
In this chapter we introduce and illustrate a systematic and rigorous approach for the elicitation and the modelling of assurance requirements inherent to business services offered by a service system. The approach is based on guidelines provided by the ISO 15504 norm, which is applicable for the assessment of any type of process in order to check its compliance against assurance requirements. We explain how 15504 can be applied in the context of business services with the support provided by goal-oriented requirements engineering techniques like i*. Its use is illustrated through the handling of an excerpt of a real case from the construction sector complemented with expertise developed in IT service level management. While this chapter is focusing on the capture of business requirements and their transformation into a business oriented solution, we also briefly explain how this business view is part of a more complete methodology also encompassing the service value and the service software views associated with a service system.