The University of Southampton
University of Southampton Institutional Repository

Regulatory compliance modelling using risk management techniques

Regulatory compliance modelling using risk management techniques
Regulatory compliance modelling using risk management techniques
We describe a novel approach to regulatory compliance decision support that leverages an asset-based cyber security risk management approach following ISO 27005, and illustrate this with an example based on the General Data Protection Regulation (GDPR). Previous work in regulatory compliance modelling and decision support utilises semantic vocabularies and reasoning techniques, and our approach has the primary benefit that regulatory compliance is integrated with other domains of risk management, so that insight from domains such as cyber security combined with regulatory compliance for privacy can be gained based on a single model of the user’s socio-technical infrastructure. The main contributions of this paper are: to show how regulatory requirements may be modelled as “compliance threats” in an asset-based risk management framework; to illustrate mapping from the GDPR’s legal text to domain assets, processes and relationships, compliance threats and control strategies to mitigate the threats; to show how the threats are trigged via recognition patterns based on asset configurations; to illustrate how the different types of regulatory requirement, e.g. obligations, prohibitions and derogating conditions, are represented in such a scheme; and finally to describe how to model causal dependencies between choices made to address a compliance threat and downstream additional compliance requirements.
Regulatory Compliance, Cyber Security, Decision support, Risk management, GDPR, Modelling, Compliance Threat
Taylor, Steve
9ee68548-2096-4d91-a122-bbde65f91efb
Surridge, Michael
3bd360fa-1962-4992-bb16-12fc4dd7d9a9
Pickering, Brian
225088d0-729e-4f17-afe2-1ad1193ccae6
Taylor, Steve
9ee68548-2096-4d91-a122-bbde65f91efb
Surridge, Michael
3bd360fa-1962-4992-bb16-12fc4dd7d9a9
Pickering, Brian
225088d0-729e-4f17-afe2-1ad1193ccae6

[Unknown type: UNSPECIFIED]

Record type: UNSPECIFIED

Abstract

We describe a novel approach to regulatory compliance decision support that leverages an asset-based cyber security risk management approach following ISO 27005, and illustrate this with an example based on the General Data Protection Regulation (GDPR). Previous work in regulatory compliance modelling and decision support utilises semantic vocabularies and reasoning techniques, and our approach has the primary benefit that regulatory compliance is integrated with other domains of risk management, so that insight from domains such as cyber security combined with regulatory compliance for privacy can be gained based on a single model of the user’s socio-technical infrastructure. The main contributions of this paper are: to show how regulatory requirements may be modelled as “compliance threats” in an asset-based risk management framework; to illustrate mapping from the GDPR’s legal text to domain assets, processes and relationships, compliance threats and control strategies to mitigate the threats; to show how the threats are trigged via recognition patterns based on asset configurations; to illustrate how the different types of regulatory requirement, e.g. obligations, prohibitions and derogating conditions, are represented in such a scheme; and finally to describe how to model causal dependencies between choices made to address a compliance threat and downstream additional compliance requirements.

This record has no associated files available for download.

More information

Submitted date: 21 October 2020
Accepted/In Press date: 22 October 2020
Keywords: Regulatory Compliance, Cyber Security, Decision support, Risk management, GDPR, Modelling, Compliance Threat

Identifiers

Local EPrints ID: 444532
URI: http://eprints.soton.ac.uk/id/eprint/444532
PURE UUID: d5c4f6f6-c704-4dbf-b000-226afb62bb72
ORCID for Steve Taylor: ORCID iD orcid.org/0000-0002-9937-1762
ORCID for Michael Surridge: ORCID iD orcid.org/0000-0003-1485-7024
ORCID for Brian Pickering: ORCID iD orcid.org/0000-0002-6815-2938

Catalogue record

Date deposited: 23 Oct 2020 16:30
Last modified: 26 Aug 2024 01:32

Export record

Contributors

Author: Steve Taylor ORCID iD
Author: Michael Surridge ORCID iD
Author: Brian Pickering ORCID iD

Download statistics

Downloads from ePrints over the past year. Other digital versions may also be available to download e.g. from the publisher's website.

View more statistics

Atom RSS 1.0 RSS 2.0

Contact ePrints Soton: eprints@soton.ac.uk

ePrints Soton supports OAI 2.0 with a base URL of http://eprints.soton.ac.uk/cgi/oai2

This repository has been built using EPrints software, developed at the University of Southampton, but available to everyone to use.

We use cookies to ensure that we give you the best experience on our website. If you continue without changing your settings, we will assume that you are happy to receive cookies on the University of Southampton website.

×