IBM Research

SPARCLE Policy Management Workbench


About this project  



The SPARCLE policy workbench will simplify how people manage organizational policies across the enterprise, improve the quality of policy rules, and enable those rules to be implemented through technology to ensure consistency, reliability, and compliance. This capability will reduce risk for organizations and internal and external users who interact with them. SPARCLE was originally created to help organizations manage the privacy of the personal information (PI) they store in their systems. Now, much broader applicability of the technology to other types of policies including security, systems management, autonomic computing, and compliance auditing is envisioned.


The SPARCLE Core Team - John Karat, Clare-Marie Karat and Carolyn Brodie


Currently, privacy policy management in organizations is largely carried out through non-technology processes (documentation and training for people who handle information), with some use of inflexible applications which embed privacy policy. SPARCLE builds on the last four years of research which identified customer requirements for privacy policy management within organizations.

Research in 2003 identified customer requirements in the area of privacy policy authoring, implementation, and compliance auditing. In 2004 our team developed a roadmap for privacy management and carried out research for a user-validated design of a privacy policy workbench. Research in 2005 developed a functional SPARCLE policy workbench for natural language policy authoring including transforming natural language rules to machine readable policies in standard form. Research is continuing, with work in 2006 and 2007 adding policy analysis functionality and grammar development tools to extend SPARCLE capabilities to new policy domains. The expanded SPARCLE team includes IBM Research collaborators in Systems, Unstructured Information Management, and Programming Models and Tools, as well as development partners in the IBM Systems and Technology Group and the Security and Privacy Practice consultants within IBM Global Business Services. These collaborators have provided significant contributions to the technologies used in SPARCLE. We have also started working with researchers outside IBM on two projects - the Open Collaborative Research Project on Policy Management for Security and Privacy (OCR) and the International Technical Alliance in Network and Information Sciences (ITA).

SPARCLE screen capture showing the natural language with a rule guide method for authoring policy rules


SPARCLE is a research prototype of a policy management workbench. SPARCLE allows the policy expert to write or import privacy policy rules in natural language. The tool automatically parses the text to extract the elements of the rules, and enables the expert to review and modify the rules. Then the tool transforms the rules into XML machine-readable code. The XML code output by the privacy workbench can be used by any enforcement engine that can handle the standardized XML format. The 2005 functional prototype is a significant subset of the proposed system we have designed with customer input during the last three years. In addition, SPARCLE provides internal auditing capabilities to allow the organization to ensure that the policies are correctly enforced and to highlight possible violations. In our research, we have taken an initial focus on privacy policies. Work is now underway to extend the workbench into security and other policy areas.
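The authoring flow described above (parse a natural-language rule into its elements, hold incomplete rules for expert review, emit XML for the rest), sketched as an added example that is not SPARCLE's code. The element names, the guided sentence grammar and the XML layout are assumptions made for illustration, since the page does not specify them.

```python
import re
import xml.etree.ElementTree as ET
# Assumed element set; the page does not enumerate SPARCLE's rule elements.
REQUIRED = ("user_category", "action", "data_category", "purpose")
# Assumed guided sentence shape (hypothetical grammar for this sketch):
#   <who> can <action> <data> for the purpose of <purpose> [if <condition>].
RULE_RE = re.compile(
    r"^(?P<user_category>.+?)\s+can\s+(?P<action>\w+)\s+(?P<data_category>.+?)"
    r"(?:\s+for the purpose of\s+(?P<purpose>.+?))?"
    r"(?:\s+(?:only if|if)\s+(?P<condition>.+?))?\.?$",
    re.IGNORECASE)

def parse_rule(text):
    """Extract rule elements from one sentence; unmatched elements are None."""
    m = RULE_RE.match(text.strip())
    found = m.groupdict() if m else {}
    return {name: found.get(name) for name in REQUIRED + ("condition",)}

def missing_elements(rule):
    """Required elements the author still has to supply during review."""
    return [name for name in REQUIRED if not rule[name]]

def to_xml(sentences):
    """Return (xml_text, review_queue); only complete rules are emitted."""
    root, review = ET.Element("policy"), []
    for text in sentences:
        rule = parse_rule(text)
        gaps = missing_elements(rule)
        if gaps:
            review.append((text, gaps))
            continue
        node = ET.SubElement(root, "rule")
        ET.SubElement(node, "source").text = text  # keep the sentence with its rule
        for name, value in rule.items():
            if value:
                # ElementTree escapes &, <, > so rule text cannot inject markup.
                ET.SubElement(node, name).text = value
    return ET.tostring(root, encoding="unicode"), review

# Constructed sample rules, not taken from SPARCLE.
SAMPLE = [
    "Customer service reps can read customer name & mailing address "
    "for the purpose of confirming identity if the customer has opted in.",
    "Nurses can view patient records.",
    "We value your privacy.",
]
if __name__ == "__main__":
    xml_text, review = to_xml(SAMPLE)
    print(xml_text, *review, sep="\n")
```

Only the first sample rule reaches the XML output; the other two land in the review queue with the elements they lack.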


SPARCLE screen capture showing the structured list method of authoring policy rules

The goal of the proposed system is to enable a logical and verifiable flow from natural language rules written by policy experts within an organization, through the implementation of the rules in the organization’s configuration, to the compliance audits of the enforcement decision logs. The policy creation portion of SPARCLE provides multiple methods of policy creation using either natural language processing or a template format and then provides visualizations to help the creator ensure that the policy is what he intended. A mapping from the policy to the elements in the organization's configuration can be accomplished by members of the IT department. The logical flow continues through to the audit logs of the decisions made by an enforcement engine (there are many possible enforcement engines that might be employed). Compliance officers can use the tool to query the logs and complete general and data subject specific internal compliance audits of the real-time execution of the policy specification of access to personal information.

The tool will be beneficial for an organization as it keeps the natural language version of a policy and the implementation of the policy in synch. The system is intended to work across a heterogeneous configuration covering all data and reduce the organization's risk of data being misused. SPARCLE will increase productivity and reduce costs by providing a usable, effective, and efficient means of policy management for organizations.

The data from participants in our research illustrates the user requirements in the privacy policy domain and perspectives on the value of the SPARCLE capability. In our initial phase of research, we completed surveys and in-depth interviews with participants from industry and government organizations in North America, Europe, and Asia Pacific (Brodie, Karat, Karat, and Feng, 2005; Karat, Brodie, and Karat, 2005; Karat, Karat, Brodie, and Feng, 2005).

The participants reported that protecting their customers', patients', constituents', and employees' PI requires a multifaceted approach. The organization must develop an implementable privacy policy, educate employees and the people they serve on that policy and the importance of privacy in general, identify where PI is stored and used within their business processes, and then develop both manual procedures and technological solutions to enforce the policy they have created. One of the main goals of this research was to help organizations in their efforts by identifying how technology could be used to assist them in protecting the PI they collect and use. Using the survey and interview data that we collected, we developed a set of five key privacy concepts that are important to meeting the needs of organizational users of privacy protecting technologies. They include:

- It is important to provide users with one integrated solution for an organization’s heterogeneous configuration even if it consists of a set of utilities that provide users with a similar set of functionality and interaction methods for systems that are implemented differently on different technologies.
- The privacy functionality must be separated from the application code for cost, consistency, and flexibility reasons – users do not want to have to modify all of their applications individually to ensure that PI is protected.
- There needs to be the ability to support an appropriate level of granularity for applying the privacy policy. For example, the ability to control access at the field level in a database.
- There must be the ability to work with both structured and unstructured information. This includes protecting field level data and handling PI within documents in appropriate ways.
- There must be simple and flexible privacy functionality that is designed to meet the needs of the user community that owns each subtask in the privacy process. For example, CPOs and/or business process owners often write the privacy policies. They must be able to author policies that will end up in machine readable form without having IT skills.

During the survey and interview research, many of the participants indicated that privacy policies in their organizations were created by committees made up of business process specialists, lawyers and security specialists as well as information technologists. Based on the range of skills generally possessed by people with these varied roles, we hypothesized that different methods of defining privacy policies would be necessary. The figure below shows the abstract architecture we created based on the user requirements. We identified three areas where highly usable privacy utilities were needed. The first is a utility to assist users in creating and understanding privacy policies. The second is a utility to assist users in implementing the privacy policy. The design of this utility is partially dependent on the choice of enforcement engines used. Finally the third utility enables organizations to conduct internal audits of their privacy policies.

The privacy policy creation utility is divided into three parts. There is a privacy policy authoring utility that uses and stores natural language policies, a transformation utility for translating the policy into machine readable policies, and a visualization utility for helping users understand the implications of new and existing policies. The architectural view of this utility was used to guide the design of a prototype privacy management tool.
Looking at the architectural diagram, one can also see the potential for generalizing the approach to other policy areas.


Abstract View of SPARCLE policy architecture


We completed evaluation sessions with participants in organizations in banking/finance, health care and government in North America in 2004. We created an initial version of the SPARCLE prototype for privacy policy authoring (including two methods – natural language with a rule guide and structured entry from lists), implementing the policies in the organization’s configuration, and compliance auditing of decision logs. This prototype was a Wizard-of-Oz prototype, meaning that the use of the prototype looked and felt real; however, the prototype was not functional. After reviewing the prototype with a number of target users, we took their feedback and iterated on the design and evaluated a second iteration of the prototype with another sample of target users. Participant data on the top rated features of SPARCLE are illustrated below. The value rating scale ranges from a low of 1 for “No Value” to 7 for “Highest Value”.

Between iterations 1 and 2 of the prototype we added the template feature, which enables users to import policy files from other sources and to modify those files. This enables localization of larger corporate policies or laws. This was seen as a highly valuable feature in itself, and we also believe that it led to a more positive evaluation of the natural language entry in the second iteration of SPARCLE. While structured rule entry seemed to be preferred in the first iteration, Natural Language and Structured List had equal ratings in the second iteration (these features were not altered substantially between iterations). It was also important to hear from the target users that they felt there was considerable value in the fairly simple policy table that we included in the prototype. We had viewed this two-dimensional representation as an initial design which we might need to change substantially, but found that users actually found it to be very clear and a powerful tool for understanding policy coverage. Additionally, target users responded very positively to the incremental authoring process which allowed high level specification in natural language followed by detail specification (possibly by a different person at a different time). Finally, the participants reported that the compliance checking capabilities we included in the prototype are likely to meet many of their needs regarding monitoring the use of PI within their organizations.


Quantitative Results for Top Five Rated SPARCLE Features

An empirical laboratory study was run to compare the two privacy policy authoring methods illustrated in the prototype (Karat, Karat, Brodie, and Feng, 2005). In order to provide a baseline comparison for the two methods (Natural Language with a Guide, and Structured Entry from Element Lists), we added a control condition that allowed users to enter privacy policies in text in any format that they were satisfied with (Unguided NL). Participants read scenarios and then created the privacy rules necessary for the situation. All participants completed all three conditions. No training was provided. The results were scored based on the pre-determined solutions and the percentage of elements correctly identified in rules for the scenario was computed. The figure below illustrates the results. The results are quite promising and show that users were able to write rules where they correctly identified about 80% of the necessary elements using either of the two methods provided by SPARCLE compared to correctly identifying about 40% of the elements using the baseline condition.


Average scores of the quality of the rules according to the quality evaluation metric in three conditions


In 2005, we created a fully functional version of the SPARCLE policy authoring capabilities tested in 2004. Our team is analyzing the participant data from the evaluation of this prototype now and making plans for future research to complete the policy workbench. This future research includes the design and development of the other utilities necessary for an end-to-end solution and the generalization of the SPARCLE approach into other policy areas.

The research and results to date on this innovative line of research are very exciting in terms of the potential for providing individuals and organizations the ability to write high quality policy rules that can be implemented with technology and verified for compliance with regulations and legislation. With increasing knowledge of the technical capabilities possible, elected officials and regulators may be able to write better legislation and regulations in the future.



Last updated 19 Oct 2007

 
Researchers  

Carolyn Brodie; Clare-Marie Karat; John Karat

  Research labs involved

Watson Research Center (Hawthorne)


  Additional information

Open Collaborative Research: Security & Privacy

OCR Researchers Clare-Marie and John Karat: What users need from policy systems

OCR Researcher Elisa Bertino: How we protect privacy and ensure security

OCR Researcher Lorrie Cranor: Collaboration helps enterprises manage privacy and security policies

IBM Secure Perspective (SPARCLE-based product)

International Technical Alliance in Network and Information Sciences


