Software Engineering for Business Information Systems (sebis)

Department of Informatics

Technische Universität München, Germany

wwwmatthes.in.tum.de

Deriving and Modelling Compliance

Requirements from Legal Audits Bernhard Waltl, 18. November 2014

Agenda

1. Introduction and Motivation

2. Research Questions

3. Risk Assessment Areas of IT Architectures in Legal Audits

4. Modeling of Compliance Requirements

ArchiMate

Implicit vs. Explicit Modeling

5. Example: User Authorization ArchiMate Model

6. Conclusion

© sebis141118 Waltl Bernhard - Deriving and Modelling Compliance Requirements from Legal Audits 2

Regulation

Basel II: a legal regulation in the financial sector

• Obligatory guidelines for supervision and controlling of banks

„The supervisory review process of the framework is intended […] to encourage

banks to develop and use better risk management techniques in monitoring and

managing their risks.” [1, §720]

Basel II as a driver for national legal regulations

• The Banking Act (KWG)

• Minimum Requirements for Risk Management (MaRisk)

• Journals of BaFin

• Federal Financial Supervisory Authority

© sebis141118 Waltl Bernhard - Deriving and Modelling Compliance Requirements from Legal Audits 3

Legal Obligations arising from the Banking Act

Banking Act

“A proper business organization encompasses, in particular, appropriate and

effective risk management, which includes the definition of an adequate

contingency plan, especially for IT systems.” [2, §25a.1]

Principle of double proportionality

“The risk management structure shall depend on the type, scope, complexity and

risk content of the business operations performed.” [2, §25a.1]

Banking Act (Auditing)

“An institution […], shall, upon request, provide information about all business

activities and submit documentation to BaFin, […].

BaFin may perform inspections at the institutions and superordinated enterprises,

with or without a special reason.” [2, §44.1]

© sebis 4141118 Waltl Bernhard - Deriving and Modelling Compliance Requirements from Legal Audits

Risk Management in IT systems

Risk management in IT systems

• “appropriate” and “effective”

• Assessment (auditing) as the supervisory measure (BaFin)

• Requirements depend on business operations

• Type

• Scope

• Complexity

• Content:

• Staff

• Technical-organization equipment

• Emergency plans

© sebis 5141118 Waltl Bernhard - Deriving and Modelling Compliance Requirements from Legal Audits

http://w

ww

.welt.d

e/p

rint/

welt_kom

pakt/

print_

wir

tscha

ft/a

rtic

le130

6540

96

/Ruege

n-v

on

-der-

Fin

an

zaufs

icht.

htm

l, l

ast

access

14.1

1.2

014

• Software Engineers (SE) and Enterprise Architects (EA) like to have

• clear,

• well formulated,

• concrete,

• unambiguous, and

• deterministic requirements

• Dealing with indeterminate (vague) legal terms does not belong to their core

competence, which is

• Software Engineering: Design and development of software applications

• Managing Enterprise Architecture: Plan, design, development, control, and

transform of an enterprise architecture

© sebis141122 Waltl Bernhard - Deriving and Modelling Compliance Requirements from Legal Audits 6

Current State in Computer Science

Attention

© sebis7141122 Waltl Bernhard - Deriving and Modelling Compliance Requirements from Legal Audits

http://w

ww

.welt.d

e/p

rint/

welt_kom

pakt/

print_

wir

tscha

ft/a

rtic

le130

6540

96

/Ruege

n-v

on

-der-

Fin

an

zaufs

icht.

htm

l, l

ast

access

14.1

1.2

014

Research Questions

I. How can requirements be derived from legal audits, respectively regulations?

II. What are risk assessment areas of IT Architectures in legal audits?

III. What requirements can be derived and how can they be represented?

IV. Can modeling support the audit process and how can normative models look

like?

© sebis 8141118 Waltl Bernhard - Deriving and Modelling Compliance Requirements from Legal Audits

Idea

• Extracting requirements arising from laws, comments, and journals

• Analyzing the assessment (auditing) of IT systems and architectures

• Associating legal requirements with concrete IT objects

• Creation of a common language by harmonizing terms from the legal domain with the

terms from the IT domain

• Support the audit process (auditor and auditee) by providing normative

models representing the „should-be“ state

• „blueprints“

• Supporting the implementation (creation and changes) of compliant processes in

the financial sector

© sebis 9141118 Waltl Bernhard - Deriving and Modelling Compliance Requirements from Legal Audits

Identification of IT requirements arising from law

© sebis 10

• Identification is challenging

• Legal texts lack concreteness and interpretation is not uncontroversial

• Principle of double proportionality

• Analytical: Objective artifacts (e.g. legal texts, comments, reports etc. )

• Empirical: Subjective experiences (e.g. interviews, examination questions etc.)

Enhancement of existing EA models with legal requirements

141118 Waltl Bernhard - Deriving and Modeling Compliance Requirements from Legal Audits

EA [models] (including legal

requirements)

empirical

EA and IT architects, software engineers, legal experts, …

Artifacts (e.g., reports, official recommendations,…)

Experiences (e.g., examination questions, method,…)

Laws, reports,

literature, …analytical

IT audit

IT-, business-, legal experts,

….

Core examination areas

• BaFin states out seven significant examination areas [8]:

I. IT strategy

II. IT risk management

III. IT revision

IV. IT outsourcing

V. Emergency management

VI. Application development

VII. User authorization

• Analysis of laws and texts lead to legal obligations

• Implicit: EA objects (processes, functions etc.) as described in the normative source

• Explicit: concrete requirement as „requirement“, „principle“ and „goal“ element

© sebis 11141118 Waltl Bernhard - Deriving and Modelling Compliance Requirements from Legal Audits

Modeling IT architecture and legal requirements

ArchiMate 2.1 [7]

• Open and independent modeling languages for enterprise architectures

• Business objects (process, role, service etc.)

• Application objects (interface, component, data object etc.)

• Technology objects (artifact, system software, device etc.)

• Provides a motivation extension

• Requirements, principles and goals representing the intentions of the model

• Can be used for modeling risks and counter-measures [5]

• Tool-support: Archi –The Free ArchiMate Modelling Tool, Version: 2.7.1

• Negative aspects

• Not that easy to understand (variety of different elements, colors and arrows)

• Not very common in the IT of financial industry

• Not used by auditors

© sebis 12141118 Waltl Bernhard - Deriving and Modelling Compliance Requirements from Legal Audits

ISSRM

• ISSRM: Information System Security Risk Management (Nicolas Mayer, 2009)

• Risk treatment related concepts (Green)

• Risk related concepts (Orange)

• Asset related concepts (Yellow)

© sebis 13141118 Waltl Bernhard - Deriving and Modelling Compliance Requirements from Legal Audits

ArchiMate Motivation Concept

ISSRM Compliance Element

Control ↔ Goal

Security requirement ↔ IT principle

Risk treatment ↔ IT requirement

© sebis 14141118 Waltl Bernhard - Deriving and Modelling Compliance Requirements from Legal Audits

• Goal

The general idea of requirements is that they - if fulfilled - lead to “better”

systems and the materialization of improvements can be specified in goals.

• Principles

… are generalizations of requirements. Based on those principles it is possible

to derive relationships between requirements.

• Requirements

… can be assigned to objects and elements. Those represent the original idea

of software requirements.

Implicit Modelling

Analysis of laws and texts lead to legal obligations

• Implicit

EA objects (processes, functions etc.) as model elements

© sebis 15141118 Waltl Bernhard - Deriving and Modelling Compliance Requirements from Legal Audits

Right Identification

Process

Right Assignment

Process

Assignment

Tracking

Explicit Modelling

Analysis of laws and texts lead to legal obligations

• Explicit

EA objects (processes, functions etc.)

as model elements

© sebis 16141118 Waltl Bernhard - Deriving and Modelling Compliance Requirements from Legal Audits

Provide Temporal

Resolution of User Rights Requirement

Temporal

Historization

!Principle

Increased

Transparency in IT Goal

Right Assignment

Process

Assignment

Tracking

Right Identification

Process

Separate Identification

and Assignment of

Rights

User Authorization Management

© sebis 17141118 Waltl Bernhard - Deriving and Modelling Compliance Requirements from Legal Audits

Critical remarks

1. Provision of normative models for IT assessments may be irritating

• No blueprint of the „correct“ solution

• Acceptance and usability of models

2. Modeling with respect to the level of granularity

• At which stage should the modelling end?

• E.g. User Authorization

• No operational user should have root rights!

• How could this be prevented?

3. A more structured way to extract requirements needs to be developed

• Considering the empirical and the analytical approach

© sebis 18141118 Waltl Bernhard - Deriving and Modelling Compliance Requirements from Legal Audits

Conclusion

• Drawbacks

• the level of granularity provided by normative models

• the blueprint character of the models

• the compliance as process not as static state

• Interpreting legal texts and associating obligations with real-world objects

is a relevant problem (not only for the financial sector!)

• Modelling languages with proper elements can help

• Legal audits can serve as an information source for concretization of

requirements based on legal texts

• Requirements can either be analytically or empirically derived

• Existing EA models can be enhanced with proper elements and objects

© sebis 19141118 Waltl Bernhard - Deriving and Modelling Compliance Requirements from Legal Audits

Technische Universität München

Department of Informatics

Chair of Software Engineering for

Business Information Systems

Boltzmannstraße 3

85748 Garching bei München

Tel +49.89.289.

Fax +49.89.289.17136

wwwmatthes.in.tum.de

Bernhard Waltl

M.A, M.Sc.

17124

b.waltl@tum.de

Thank you for your attention!

References

[1] Basel Committee on Banking Supervision. International Convergence of Capital Measurement and Capital Standards: A Revised Framework Comprehensive Version, June 2006.

[2] Deutsche Bundesbank. Banking Act, 2009.

[3] Federal Financial Supervisory Institution. Minimum requirements for risk management (MaRisk). 2012.

[4] Klaus Schmidt and Dirk Brand. IT-Revision in der Praxis: Nach den Grundsätzen einer ordnungsgemäßen IT. Carl-Hanser Verlag, Munich, 2011.

[5] Gerben Wierda. Mastering ArchiMate: A serious introduction to the ArchiMate Enterprise Architecture Modeling Language. R&A, Heerlen, 2012

[7] The Open Group. ArchiMate 2.1 Specification. 2013.

[8] Jörg Bretz. Prüfung IT im Fokus von MaRisk und Bundesbank: Verstärkter IT-Fokus in Sonderprüfungen. Finanz Colloquium Heidelberg, 2012.

[9] Marc Lankhorst. Enterprise Architecture at Work: Modelling, Communication, and Analysis, Berlin, Springer 2005.

[10] Eric Yu, Markus Strohmaier, and Xiaoxue Deng. Exploring Intentional Modeling and Analysis for Enterprise Architecture. 10th IEEE International Enterprise Distributed ObjectComputing Conference Workshops, 2006.

© sebis 21141118 Waltl Bernhard - Deriving and Modelling Compliance Requirements from Legal Audits