Privacy Policy Specification and Audit in a Fixed-Point Logic
نویسندگان
چکیده
Organizations such as hospitals and banks that collect and use personal information are required tocomply with privacy regulations like the Health Insurance Portability and Accountability Act (HIPAA)and the Gramm-Leach-Bliley Act (GLBA). With the goal of specification and enforcement of such prac-tical policies, we develop the logic PrivacyLFP, whose syntax is an extension of the fixed point logicLFP with operators of linear temporal logic. We model organizational processes by assigning role-basedresponsibilities to agents that are also expressed in the same logic. To aid in designing such processes,we develop a semantic locality criterion to characterize responsibilities that agents (or groups of agents)have a strategy to discharge, and easily checkable, sound syntactic characterizations of responsibilitiesthat meet this criterion. Policy enforcement is achieved through a combination of techniques: (a) adesign-time analysis of the organizational process to show that the privacy policy is respected if allagents act responsibly, using a sound proof system we develop for PrivacyLFP; and (b) a posthoc auditof logs of organizational activity that identifies agents who did not live up to their responsibilities, usinga model checking procedure we develop for PrivacyLFP. We illustrate these enforcement techniques usinga representative example of an organizational process.
منابع مشابه
Privacy Policy Specification and Audit in a Fixed-Point Logic - How to enforce HIPAA, GLBA and all that (CMU-CyLab-10-008)
Organizations such as hospitals and banks that collect and use personal information are required tocomply with privacy regulations like the Health Insurance Portability and Accountability Act (HIPAA)and the Gramm-Leach-Bliley Act (GLBA). With the goal of specification and enforcement of such prac-tical policies, we develop the logic PrivacyLFP, whose syntax is an extension of the fi...
متن کاملA Logical Method for Policy Enforcement over Evolving Audit Logs (CMU-CyLab-11-002)
We present an iterative algorithm for enforcing policies represented in a first-order logic,which can, in particular, express all transmission-related clauses in the HIPAA Privacy Rule.The logic has three features that raise challenges for enforcement — uninterpreted predicates(used to model subjective concepts in privacy policies), real-time temporal properties, and quan-tifica...
متن کاملA Logical Method for Policy Enforcement over Evolving Audit Logs
We present an iterative algorithm for enforcing policies represented in a first-order logic,which can, in particular, express all transmission-related clauses in the HIPAA Privacy Rule.The logic has three features that raise challenges for enforcement — uninterpreted predicates(used to model subjective concepts in privacy policies), real-time temporal properties, and quan-tifica...
متن کاملConformance Verification of Privacy Policies
Web applications are both the consumers and providers of information. To increase customer confidence, many websites choose to publish their privacy protection policies. However, policy conformance is often neglected. We propose a logic based framework for formally specifying and reasoning about the implementation of privacy protection by a web application. A first order extension of computatio...
متن کاملPrivacy through Accountability: A Computer Science Perspective
Privacy has become a significant concern in modern society as personal information about individuals is increasingly collected, used, and shared, often using digital technologies, by a wide range of organizations. To mitigate privacy concerns, organizations are required to respect privacy laws in regulated sectors (e.g., HIPAA in healthcare, GLBA in financial sector) and to adhere to self-decla...
متن کامل