Continuous Compliance Assurance for Trusted Information Sharing: A Research Framework - PowerPoint PPT Presentation

About This Presentation
Title:

Continuous Compliance Assurance for Trusted Information Sharing: A Research Framework

Description:

Can data quality requirements be specified indirectly (i.e., inferred from the data fusion application or from information about the other data available)?

Number of Views:105
Avg rating:3.0/5.0
Slides: 14
Provided by: Bonnie136
Learn more at: https://raw.rutgers.edu

Transcript and Presenter's Notes

1
Continuous Compliance Assurance for Trusted
Information Sharing: A Research Framework
  • Bonnie W. Morris, College of Business and
    Economics, Bonnie.Morris_at_mail.wvu.edu
  • Cynthia Tanner, George Trapp, Lane Department
    of Computer Science and Electrical
    Engineering, College of Engineering and Mineral
    Resources, West Virginia University
  • Geoffrey Shaw, Senior VP, Risk Assessment and
    Policy Compliance, VIACK Corporation

2
Trusted Information Sharing
  • There are many situations where it is mutually
    beneficial for two or more organizations to share
    information to improve operational efficiency and
    to reduce risk
    • Business, e.g. supply chain
    • Law enforcement
    • Security and intelligence analysis (connect the
      dots)

3
Impediments to Sharing
  • Concerns about
    • Opportunistic behavior by sharing partners
    • Antitrust issues
    • Privacy policy violations
    • Inadequate security over shared data

4
Sharing without a Trusted Enclave
(Diagram: Provider 1, Provider 2, Provider 3; User1, User2, User3)
  • Datasets are sent to information sharing
    partners
  • Risk of misuse is the sum of the risk at each
    remote site.

5
The Real Problem
  • Information asymmetry
  • Inability to verify compliance with information
    sharing terms and conditions
  • Too many ways for data to leak out or be misused
    • Stolen laptops, hackers
    • Poor access controls
    • USB drives, printers, email
    • Fused with other data and disconnected from info
      about source and use restrictions

6
Trusted Enclave
  • Shared data are stored within the enclave.
  • Data fusion and analysis applications run within
    the trusted enclave.
  • Access to data by applications or users is
    mediated by automated sharing policy enforcement
    and is logged into immutable audit logs.
  • The results of fusion and analysis applications
    sent to users are also mediated by sharing policy
    enforcement and logged in immutable audit logs.
  • Data access by individuals and applications may
    be continuously verified for compliance with the
    information sharing rules through assurance
    provider access to the audit logs.
  • Users cannot view the entire dataset
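
The enclave model above has three moving parts that can be shown in code: a policy-mediated gate in front of the shared data, an append-only audit log that records every decision, and an assurance provider that reads the log independently of the enclave. The block below is an added illustration and is not code from the presentation or its authors; the dataset, the policy format (allowed regions per user plus a cap on the fraction of rows a user may receive over time, which implements "users cannot view the entire dataset"), and the user names are constructed for the example. The log's immutability is approximated with a hash chain, so editing an existing entry is detectable; a production system would also anchor the chain outside the enclave.

```python
"""Trusted-enclave sketch (added example): policy gate, hash-chained audit log,
and an independent compliance replay by the assurance provider."""
import hashlib
import json

# Constructed sample dataset held inside the enclave (not from the presentation).
DATASET = [
    {"id": i, "region": "north" if i % 2 == 0 else "south", "value": i * 10}
    for i in range(10)
]

# Constructed sharing policy (assumed format): allowed regions per user and the
# maximum fraction of the dataset a user may receive in total.
POLICY = {
    "alice": {"regions": {"north"}, "max_fraction": 0.5},
    "bob": {"regions": {"north", "south"}, "max_fraction": 0.3},
}

GENESIS = "0" * 64


def _entry_hash(prev, record):
    body = json.dumps(record, sort_keys=True)
    return hashlib.sha256((prev + body).encode()).hexdigest()


class AuditLog:
    """Append-only log; each entry commits to the hash of its predecessor,
    so silently editing or dropping an entry breaks the chain."""

    def __init__(self):
        self.entries = []

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"prev": prev, "record": record,
                             "hash": _entry_hash(prev, record)})

    def verify_chain(self):
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or _entry_hash(prev, e["record"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class Enclave:
    """Policy-mediated access gate; every decision, allow or deny, is logged."""

    def __init__(self, dataset, policy, log):
        self.dataset, self.policy, self.log = dataset, policy, log
        self.released = {u: set() for u in policy}  # row ids already handed out

    def query(self, user, region):
        rule = self.policy.get(user)
        if rule is None or region not in rule["regions"]:
            self.log.append({"user": user, "region": region, "decision": "deny",
                             "reason": "region", "rows": []})
            return None
        rows = [r for r in self.dataset if r["region"] == region]
        cumulative = self.released[user] | {r["id"] for r in rows}
        # "Users cannot view the entire dataset": cap cumulative rows per user.
        if len(cumulative) > rule["max_fraction"] * len(self.dataset):
            self.log.append({"user": user, "region": region, "decision": "deny",
                             "reason": "quota", "rows": []})
            return None
        self.released[user] = cumulative
        self.log.append({"user": user, "region": region, "decision": "allow",
                         "reason": "", "rows": sorted(r["id"] for r in rows)})
        return rows


def audit(log, policy, dataset_size):
    """Assurance provider's check: verify the chain, then replay every 'allow'
    decision against the policy without trusting the enclave's own logic."""
    if not log.verify_chain():
        return {"chain_ok": False, "violations": ["audit log chain broken"]}
    released, violations = {}, []
    for i, e in enumerate(log.entries):
        rec = e["record"]
        if rec["decision"] != "allow":
            continue
        rule = policy.get(rec["user"])
        if rule is None or rec["region"] not in rule["regions"]:
            violations.append(f"entry {i}: {rec['user']} received region {rec['region']}")
            continue
        seen = released.setdefault(rec["user"], set())
        seen.update(rec["rows"])
        if len(seen) > rule["max_fraction"] * dataset_size:
            violations.append(f"entry {i}: {rec['user']} exceeded row quota")
    return {"chain_ok": True, "violations": violations}


def run_demo():
    log = AuditLog()
    enclave = Enclave(DATASET, POLICY, log)
    alice_rows = enclave.query("alice", "north")  # allowed: 5 rows, exactly 50%
    enclave.query("alice", "south")               # denied: region not shared
    enclave.query("bob", "north")                 # denied: 5 rows exceed 30% of 10
    clean = audit(log, POLICY, len(DATASET))
    # Simulate an enforcement defect: a record the gate should never have
    # produced. The replay flags it even though the chain itself is intact.
    log.append({"user": "alice", "region": "south", "decision": "allow",
                "reason": "", "rows": [1, 3]})
    defect = audit(log, POLICY, len(DATASET))
    # Editing an already-written entry breaks the hash chain.
    log.entries[1]["record"]["decision"] = "allow"
    tampered = audit(log, POLICY, len(DATASET))
    return {"alice_rows": len(alice_rows), "clean": clean,
            "defect": defect, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point of the split between `Enclave.query` and `audit` is the one the slide makes: the assurance provider does not rely on the enclave having enforced the policy correctly, it re-derives compliance from the log. The two failure modes shown are the ones an auditor needs to distinguish: a policy violation with an intact log (an enforcement defect) versus a log that has itself been altered.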

7
(Diagram: User1, User2)

8
Information Sharing
  • Need to define conditions for sharing
  • More than just access controls
  • It is an economic exchange--Data providers GIVE
    data and expect to GET something of equal value.
  • Suggests the need to provide assurance about data
    quality as well as access control aspects of
    information sharing policies

9
Data Quality Metrics
  • What are the relevant data quality criteria?
  • What are the relevant data quality metrics?
  • How can measures of data quality criteria be
    combined for concepts such as best available
    data and minimally acceptable level of
    quality?
  • How can we measure data fusion gain?
  • What are the dimensions of data provenance that
    are needed to measure quality?
  • Can data quality requirements be specified
    indirectly (i.e., inferred from the data fusion
    application or from information about the other
    data available)?

10
Information Sharing Policy Representation
  • How should we represent information sharing
    policies?
  • Can we develop an information sharing ontology?
  • How should data quality requirements be
    incorporated into the sharing policies?
  • Can we identify a semantic model of sharing
    types, participants, purposes and conditions, using
    • methods of metadata extraction,
    • ontology merging and related semantic integration
      concepts,
    • automatic classification of data?
  • How do we specify conflict remediation strategies?
  • Can we identify prototypical sharing rules and
    create a repository to reduce the policy
    negotiation burden?

11
Continuous Compliance Assurance
  • Will independent Continuous Compliance Assurance
    increase trust among potential information
    sharing partners and the public?
  • If so, who will they trust to provide the
    assurance? In the private sector, CPAs have
    several advantages:
    • A reputation for providing assurance on financial
      statements and other matters
    • Professional standards for providing assurance
      services, including Trust Services
    • Knowledge of privacy principles, as demonstrated
      by the promulgation of Generally Accepted Privacy
      Principles
    • Potentially deep pockets (important, as these
      assurance services are a means of sharing risk)
  • Who will government and law enforcement trust to
    provide assurances? Will the CPAs' advantages
    hold for the public sector? What alternatives
    are there?

12
Continuous Compliance Assurance
  • What type of assurance report should the
    assurance provider issue?
  • Who should pay for the assurance service?
  • What needs to be logged for testing by the
    auditors?
  • What type of audit testing functionality is
    needed to ensure compliance?
  • For assurances related to data quality metrics,
    how do we define a significant departure?
  • Is the level of assurance just another policy
    that should be specified by the data provider and
    data user?
  • Do we need new standards for auditor-to-auditor
    communications?
  • What legal representations are required? How
    often will they be refreshed?

13
Conclusion
  • Trusted information sharing is an excellent
    application for Continuous Compliance Assurance.
  • The purpose of this paper is to identify some of
    the research opportunities in this area.
  • Questions?