Continuous Compliance Assurance for Trusted Information Sharing: A Research Framework Bonnie W. Morris College of Business & Economics
Continuous Compliance Assurance for Trusted Information Sharing: A Research Framework

Bonnie W. Morris, College of Business & Economics
Cynthia Tanner & George Trapp, Lane Department of Computer Science and Electrical Engineering, College of Engineering and Mineral Resources
West Virginia University
Geoffrey Shaw, Senior VP, Risk Assessment and Policy Compliance, VIACK Corporation

Trusted Information Sharing
- There are many situations where it is mutually beneficial for two or more organizations to share information to improve operational efficiency and to reduce risk:
  - Business, e.g. supply chain
  - Law enforcement
  - Security and intelligence analysis (“connect the dots”)

Impediments to Sharing
Concerns about:
- Opportunistic behavior by sharing partners
- Antitrust issues
- Privacy policy violations
- Inadequate security over shared data

Sharing without a Trusted Enclave
[Diagram: Provider 1, Provider 2 and Provider 3 send datasets directly to User1, User2 and User3.]
- Datasets are sent to information sharing partners
- Risk of misuse is the sum of the risk at each remote site

The Real Problem
- Information asymmetry
- Inability to verify compliance with information sharing terms and conditions
- Too many ways for data to leak out or be misused:
  - Stolen laptops, hackers
  - Poor access controls
  - USB drives, printers, ...
  - Fused with other data and disconnected from info about source and use restrictions

Trusted Enclave
- Shared data are stored within the enclave.
- Data fusion and analysis applications run within the trusted enclave.
- Access to data by applications or users is mediated by automated sharing policy enforcement and is logged into immutable audit logs.
- The results of fusion and analysis applications sent to users are also mediated by sharing policy enforcement and logged in immutable audit logs.
- Data access by individuals and applications may be continuously verified for compliance with the information sharing rules through assurance provider access to the audit logs.
- Users cannot view the entire dataset.

[Diagram: the Trusted Enclave, showing Provider 1, Provider 2 and Provider 3 on the input side; Policies, Data Fusion/analysis and the Audit log inside the enclave; User1 and User2 on the output side; and Audit Testing run against the Audit log.]
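The Trusted Enclave slide names three mechanisms: automated policy enforcement in front of every data access, an immutable audit log of each decision, and an assurance provider who continuously tests that log against the agreed sharing rules. The following toy model is an added illustration, not code from the presentation or from VIACK; the providers, users, datasets and policies in it are constructed, and the hash-chained log stands in for whatever immutability mechanism a real enclave would use.

```python
"""Toy Trusted Enclave: policy-mediated access, hash-chained audit log, and
the compliance test an assurance provider runs over that log.
Added illustration; all providers, users, datasets and rules are constructed."""
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class SharingRule:
    """Terms one provider agreed for one dataset (constructed schema)."""
    dataset: str
    allowed_users: frozenset
    allowed_purposes: frozenset
    max_rows: int  # a user never receives the entire dataset


# Constructed sharing policies negotiated between providers and users
POLICIES = {
    "provider1/incidents": SharingRule("provider1/incidents", frozenset({"user1", "user2"}),
                                       frozenset({"fraud-analysis"}), max_rows=100),
    "provider2/shipments": SharingRule("provider2/shipments", frozenset({"user2"}),
                                       frozenset({"supply-chain"}), max_rows=50),
}


def _digest(entry: dict) -> str:
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only log; each entry carries its predecessor's hash, so editing or
    deleting an entry breaks the chain for everything written after it."""

    def __init__(self):
        self.entries = []

    def append(self, event: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = dict(event, seq=len(self.entries), prev=prev)
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or entry["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def decide(policies: dict, user: str, dataset: str, purpose: str, rows: int) -> tuple:
    """Pure policy decision, used by the enclave and re-run by the auditor."""
    rule = policies.get(dataset)
    if rule is None:
        return "deny", "no-policy"
    if user not in rule.allowed_users:
        return "deny", "user-not-authorized"
    if purpose not in rule.allowed_purposes:
        return "deny", "purpose-not-authorized"
    if rows > rule.max_rows:
        return "deny", "row-limit"
    return "allow", "ok"


class Enclave:
    """Policy enforcement point: no request reaches data without being logged."""

    def __init__(self, policies: dict, log: AuditLog):
        self.policies, self.log = policies, log

    def request(self, user: str, dataset: str, purpose: str, rows: int) -> bool:
        decision, reason = decide(self.policies, user, dataset, purpose, rows)
        self.log.append({"user": user, "dataset": dataset, "purpose": purpose,
                         "rows": rows, "decision": decision, "reason": reason})
        return decision == "allow"


def audit(log: AuditLog, policies: dict) -> list:
    """Assurance provider's continuous test: verify log integrity, then re-derive
    every logged decision from the agreed policies and report any disagreement."""
    findings = []
    if not log.verify_chain():
        findings.append("audit log chain broken")
    for e in log.entries:
        expected, _ = decide(policies, e["user"], e["dataset"], e["purpose"], e["rows"])
        if e["decision"] != expected:
            findings.append(f"seq {e['seq']}: logged {e['decision']}, policy requires {expected}")
    return findings


def demo() -> tuple:
    log, enclave = AuditLog(), None
    enclave = Enclave(POLICIES, log)
    results = [
        enclave.request("user1", "provider1/incidents", "fraud-analysis", 20),  # allow
        enclave.request("user3", "provider1/incidents", "fraud-analysis", 20),  # deny: user
        enclave.request("user2", "provider2/shipments", "marketing", 10),       # deny: purpose
        enclave.request("user2", "provider2/shipments", "supply-chain", 500),   # deny: rows
    ]
    clean = audit(log, POLICIES)  # enclave and policy agree: no findings
    # Simulated after-the-fact edit of entry 1 into an allow, with its own hash
    # recomputed; entry 2 still names the old hash as prev, so the chain breaks.
    log.entries[1]["decision"] = "allow"
    log.entries[1]["hash"] = _digest({k: v for k, v in log.entries[1].items() if k != "hash"})
    return results, clean, audit(log, POLICIES)
```

Two design points carry over to a real enclave. The decision function is shared by the enforcement point and the auditor so that the auditor can recompute every decision rather than trust the enclave's own verdicts, which is what makes the assurance independent. And a hash chain only detects edits to entries that have a successor; the assurance provider must therefore also receive the current head hash (or a live feed of entries) so that the newest entry cannot be quietly rewritten before the next one is appended.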

Information Sharing
- Need to define conditions for sharing
- More than just access controls
- It is an economic exchange: data providers GIVE data and expect to GET something of equal value.
- Suggests the need to provide assurance about data quality as well as access control aspects of information sharing policies

Data Quality Metrics
- What are the relevant data quality criteria?
- What are the relevant data quality metrics?
- How can measures of data quality criteria be combined for concepts such as “best available data” and “minimally acceptable level” of quality?
- How can we measure data fusion gain?
- What are the dimensions of data provenance that are needed to measure quality?
- Can data quality requirements be specified indirectly (i.e., inferred from the data fusion application or from information about the other data available)?

Information Sharing Policy Representation
- How should we represent information sharing policies?
- Can we develop an information sharing ontology?
- How should data quality requirements be incorporated into the sharing policies?
- Can we identify a semantic model of sharing types, participants, purposes and conditions, using
  - methods of metadata extraction,
  - ontology merging and related semantic integration concepts,
  - automatic classification of data?
- How do we specify conflict remediation strategies?
- Can we identify prototypical sharing rules and create a repository to reduce the policy negotiation burden?

Continuous Compliance Assurance
- Will independent Continuous Compliance Assurance increase trust among potential information sharing partners and the public?
- If so, who will they trust to provide the assurance? In the private sector, CPAs have several advantages:
  - A reputation for providing assurance on financial statements and other matters
  - Professional Standards for providing assurance services, including Trust Services
  - Knowledge of privacy principles, as demonstrated by the promulgation of Generally Accepted Privacy Principles
  - Potentially deep pockets (important, as these assurance services are a means of sharing risk)
- Who will government and law enforcement trust to provide assurances? Will the CPAs’ advantages hold for the public sector? What alternatives are there?

Continuous Compliance Assurance
- What type of assurance report should the assurance provider issue?
- Who should pay for the assurance service?
- What needs to be logged for testing by the auditors?
- What type of audit testing functionality is needed to ensure compliance?
- For assurances related to data quality metrics, how do we define “significant departure”?
- Is the level of assurance just another policy that should be specified by the data provider and data user?
- Do we need new standards for auditor-to-auditor communications?
- What legal representations are required? How often will they be refreshed?

Conclusion
Trusted information sharing is an excellent application for Continuous Compliance Assurance. The purpose of this paper is to identify some of the research opportunities in this area.

Questions?