
    Formal certification and compliance for run-time service environments

    With the increased awareness of security and safety of services in on-demand distributed service provisioning (such as the recent adoption of Cloud infrastructures), certification and compliance checking of services is becoming a key element for service engineering. Existing certification techniques tend to support mainly design-time checking of service properties and tend not to support run-time monitoring and progressive certification in the service execution environment. In this paper we discuss an approach which provides both design-time and run-time behavioural compliance checking for a services architecture, by enabling a progressive event-driven model-checking technique. Providing an integrated approach to certification and compliance is a challenge; however, using analysis and monitoring techniques, we present such an approach for on-going compliance checking.

    Cyber Babel: Finding the Lingua Franca in Cybersecurity Regulation

    Cybersecurity regulations have proliferated over the past few years as the significance of the threat has drawn more attention. With breaches making headlines, the public and their representatives are imposing requirements on those that hold sensitive data with renewed vigor. As high-value targets that hold large amounts of sensitive data, financial institutions are among the most heavily regulated. Regulations are necessary. However, regulations also come with costs that impact both large and small companies, their customers, and local, national, and international economies. As the regulations have proliferated, so have those costs. The regulations will inevitably and justifiably diverge where different governments view the needs of their citizens differently. However, that should not prevent regulators from recognizing areas of agreement. This Note examines the regulatory regimes governing the data and cybersecurity practices of financial institutions implemented by the Securities and Exchange Commission, the New York Department of Financial Services, and the General Data Protection Regulation of the European Union to identify areas where requirements overlap, with the goal of suggesting implementations that promote consistency, clarity, and cost reduction.

    Automated Measurement of Adherence to Traumatic Brain Injury (TBI) Guidelines using Neurological ICU Data

    Using a combination of physiological and treatment information from neurological ICU data-sets, adherence to traumatic brain injury (TBI) guidelines on hypotension, intracranial pressure (ICP) and cerebral perfusion pressure (CPP) is calculated automatically. The ICU output is evaluated to capture pressure events and actions taken by clinical staff for patient management, which are then re-expressed as simplified process models. The official TBI guidelines from the Brain Trauma Foundation (BTF) are similarly evaluated, so the two structures can be compared and a quantifiable distance between the two calculated (the measure of adherence). The methods used include: the compilation of physiological and treatment information into event logs and subsequently process models; the expression of the BTF guidelines in process models within the real-time context of the ICU; and a calculation of distance between the two processes using two algorithms (“Direct” and “Weighted”) building on work conducted in the business process domain. Results are presented across two categories, each with clinical utility (minute-by-minute and single patient stays), using a real ICU data-set. Results of two sample patients using the weighted algorithm show a non-adherence level of 6.25% for 42 mins and 56.25% for 708 mins, and non-adherence of 18.75% for 17 minutes and 56.25% for 483 minutes. Expressed as two combinatorial metrics (duration/non-adherence (A) and duration * non-adherence (B)), which together indicate the clinical importance of the non-adherence, one has a mean of A=4.63 and B=10014.16 and the other a mean of A=0.43 and B=500.0.

    AI management: an exploratory survey of the influence of GDPR and FAT principles

    As organisations increasingly adopt AI technologies, a number of ethical issues arise. Much research focuses on algorithmic bias, but there are other important concerns arising from the new uses of data and the introduction of technologies which may impact individuals. This paper examines the interplay between AI, Data Protection and FAT (Fairness, Accountability and Transparency) principles. We review the potential impact of the GDPR and consider the importance of the management of AI adoption. A survey of data protection experts is presented, the initial analysis of which provides some early insights into the praxis of AI in operational contexts. The findings indicate that organisations are not fully compliant with the GDPR, and that there is limited understanding of the relevance of FAT principles as AI is introduced. Those organisations which demonstrate greater GDPR compliance are likely to take a more cautious, risk-based approach to the introduction of AI.

    Distributed aspect-oriented service composition for business compliance governance with public service processes

    Service-Oriented Architecture (SOA) offers a technical foundation for Enterprise Application Integration and business collaboration through service-based business components. With increasing process outsourcing and cloud computing, enterprises need process-level integration and collaboration (process-oriented) to quickly launch new business processes for new customers and products. However, business processes that cross organisations’ compliance regulation boundaries are still unaddressed. We introduce a distributed aspect-oriented service composition approach, which enables multiple process clients to hot-plug their business compliance models (business rules, fault handling policy, and execution monitor) into BPEL business processes.