P. 6
Towards Compliance Management Automation thru Ontology mapping of Requirements to Activities and Controls
Danny C. Cheng, Jod B. Villamarin, Gregory Cu & Nathalie Rose Lim-Cheng
Abstract
In recent years, the complexity and scale of compliance requirements have grown
significantly, driven by globalization as well as the maturing of different fields and regulations.
However, a gap remains between compliance management tools and security
management tools: the latter cannot be directly linked to the former because their focus
and terminology differ greatly. The task of mapping security
implementations to compliance requirements, which would allow compliance monitoring and
management, is therefore performed manually and repeatedly across multiple
standards, regulations, and organizations. This process is highly inefficient and costly, and it
does not allow management to determine compliance levels and gaps in a
continuous and automated manner. In this paper, we present an approach that
combines ontology mapping, natural language processing, the secure systems
development lifecycle, and heuristics to map security controls and
activities to compliance documents such as standards and regulations. The goal is to
support continuous compliance management and monitoring and to
reduce the effort of complying with multiple standards by allowing
reuse through conceptual mapping of multiple standards and requirements. Practices
such as unit testing and continuous integration from the secure systems development life
cycle are also incorporated to keep the automation process flexible while at the
same time using it to support the mapping between compliance requirements.
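The abstract describes mapping requirements and controls onto shared ontology concepts so that one control can be reused across several standards and coverage can be rechecked automatically. The following added example (not code from the paper or its authors) sketches that idea in Python: two constructed placeholder standards ("STD-A", "STD-B"), their requirement ids, the concept names and the controls are all assumptions made for illustration. Requirements and controls are linked only through concepts; from that link the code derives per-standard coverage status, the controls reused across standards, and a list of gaps that a continuous-integration job could assert on.

```python
"""Toy conceptual mapping of compliance requirements to security controls.

Added example, not from the paper. Standard names, requirement ids,
concept names, control names and evidence values are constructed
placeholders, chosen only to show how a shared concept layer lets one
control serve requirements from several standards and how coverage and
gaps can be recomputed automatically.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    standard: str          # placeholder standard name, e.g. "STD-A"
    ref: str               # placeholder clause id within that standard
    concepts: frozenset    # ontology concepts the clause is about


@dataclass(frozen=True)
class Control:
    name: str
    concepts: frozenset    # ontology concepts this control addresses
    evidence: dict         # activity name -> True if its latest run passed


# Constructed sample ontology: concepts are the shared vocabulary between
# compliance wording ("access shall be reviewed periodically") and security
# wording ("quarterly IAM recertification job").
REQUIREMENTS = [
    Requirement("STD-A", "A-1", frozenset({"access_review"})),
    Requirement("STD-A", "A-2", frozenset({"encryption_at_rest"})),
    Requirement("STD-B", "B-7", frozenset({"access_review", "logging"})),
    Requirement("STD-B", "B-9", frozenset({"logging"})),
]

CONTROLS = [
    Control("iam-recertification", frozenset({"access_review"}),
            {"quarterly_review_ran": True}),
    Control("disk-encryption", frozenset({"encryption_at_rest"}),
            {"volumes_encrypted": True, "keys_rotated": False}),
]


def map_requirements_to_controls(requirements, controls):
    """Return {(standard, ref): [control names]} linked via shared concepts."""
    return {
        (req.standard, req.ref): [c.name for c in controls if c.concepts & req.concepts]
        for req in requirements
    }


def coverage_report(requirements, controls):
    """Per-standard status of each requirement.

    'compliant': every concept has a control and all its activities passed
    'gap':       no concept of the requirement is addressed by any control
    'partial':   anything in between (unmapped concept or failed activity)
    """
    by_concept = {}
    for c in controls:
        for concept in c.concepts:
            by_concept.setdefault(concept, []).append(c)

    report = {}
    for req in requirements:
        statuses = []
        for concept in req.concepts:
            ctrls = by_concept.get(concept, [])
            if not ctrls:
                statuses.append("gap")
            elif all(all(c.evidence.values()) for c in ctrls):
                statuses.append("compliant")
            else:
                statuses.append("partial")
        if all(s == "compliant" for s in statuses):
            status = "compliant"
        elif all(s == "gap" for s in statuses):
            status = "gap"
        else:
            status = "partial"
        report.setdefault(req.standard, {})[req.ref] = status
    return report


def reuse_across_standards(requirements, controls):
    """Controls whose concept mapping serves more than one standard."""
    reuse = {}
    for c in controls:
        stds = {r.standard for r in requirements if r.concepts & c.concepts}
        if len(stds) > 1:
            reuse[c.name] = sorted(stds)
    return reuse


def gaps(report):
    """Sorted (standard, ref) pairs that are not fully compliant; a CI job
    can fail the build when this list is non-empty."""
    return sorted((std, ref) for std, refs in report.items()
                  for ref, status in refs.items() if status != "compliant")


if __name__ == "__main__":
    rep = coverage_report(REQUIREMENTS, CONTROLS)
    print(rep)
    print("reused:", reuse_across_standards(REQUIREMENTS, CONTROLS))
    print("gaps:", gaps(rep))
```

With the constructed data, the access-review control is reused by both placeholder standards, the encryption requirement is only partially met because one activity failed, and the logging concept has no control at all, so both logging clauses surface as gaps without anyone re-reading the standards.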