Interdisciplinary Research Group in Socio-technical Cybersecurity
A Framework to Reason about the Legal Compliance of Security Standards
Achieving compliance with legal regulations is no easy task. Laws normally state general requirements but do not provide clear parameters for determining when those requirements are met. On a different level, industrial standards and best practices define specific objectives that can be certified through auditing procedures carried out by qualified bodies. Implementing a standard does not per se guarantee legal compliance, except in the rare case where the standard is itself endorsed by the law. But standards and laws in the same domain may overlap and correlate, so adopting the former may provide an argument that adequate measures were taken to achieve legal compliance. In this paper, we introduce a framework that uses state-of-the-art Natural Language Semantics techniques to process legal documents and standards and to build a knowledge base storing their logical representations and the correlations between them. The knowledge base helps legal experts assess which requirements of the law are met by the standard and, consequently, which requirements still need to be implemented to fill the remaining gaps. An application of the framework is exemplified by comparing a provision of the European General Data Protection Regulation against the ISO/IEC 27001:2013 standard.
Cesare Bartolini, Andra Giurgiu, Gabriele Lenzini, Livio Robaldo
Proceedings of the Tenth International Workshop on Juris-informatics
Bartolini, C., Giurgiu, A., Lenzini, G., & Robaldo, L. (2016). A framework to reason about the legal compliance of security standards. In Proceedings of the Tenth International Workshop on Juris-informatics (JURISIN).
SnT – Interdisciplinary Centre for Security, Reliability and Trust