Regulatory Compliance (Computer Science)

There has been an extensive amount of research conducted internationally over the last four decades in the area of automated and semi-automated regulatory compliance checking for the Architecture, Engineering, and Construction (AEC) industry. This paper summarises the earlier research initiatives, explores common themes and different approaches used, as well as comparing the strengths and limitations of a number of major code compliance checking tools. Some of these tools have been implemented commercially and others are beginning to be adopted or are in their final stages of development. The paper also examines how readily these tools can be applied in the context of a performance-based code as found in New Zealand. Due to a recent push for innovation and productivity improvement in the AEC industry, there is an increased uptake of building information modelling (BIM) and the Industry Foundation Classes (IFC) open standard data model for interoperability. The availability of high p...

The integration of governance, risk, and compliance (GRC) activities has gained importance over the last years. This paper presents an analysis of the GRC integration efforts in information technology departments of three large enterprises. Action design research is used to organize the research in order to assess IT GRC activities based on a model with five dimensions. By means of semi-structured interviews key findings concerning the status quo of the three IT GRC disciplines, their integration and their relation to GRC on the corporate level are identified and rated. Five key findings explain the main commonalities and differences observed.

There has been an extensive amount of research conducted internationally over the last four decades in the area of automated and semi-automated regulatory compliance checking for the Architecture, Engineering, and Construction (AEC) industry. This paper summarises the earlier research initiatives, explores common themes and different approaches used, as well as comparing the strengths and limitations of a number of major code compliance checking tools. Some of these tools have been implemented commercially and others are beginning to be adopted or are in their final stages of development. The paper also examines how readily these tools can be applied in the context of a performance-based code as found in New Zealand.

The security of monitoring systems is critical for maintaining an accurate view of the state of infrastructure systems such as enterprise networks and critical infrastructure systems. A malicious user that controls a monitoring system has the ability of delaying the detection of security attacks and sabotages, and can acquire information about the infrastructure that can enable additional attacks. In this paper we present a distributed architecture that increases the resilient of monitoring systems to attacks against their availability, integrity, and confidentiality. Our approach is based on distributing the knowledge of the state of the infrastructure to a large number of non-dedicated servers, so that the compromise of any limited number of hosts does not cause a compromise of the entire monitoring system. We present an algorithm able to integrate information across the distributed servers to evaluate complex security policies. We analyze the security properties of our approach, and we experimentally evaluate the performance and the resilience of our architecture. We show that, compared to current solutions, our solution increases the resilience of a monitoring system while reducing the load on each monitoring machine.

Security policy conformance is a crucial issue in large-scale critical cyber-infrastructure. The complexity of these systems, insider attacks, and the possible speed of an attack on a system necessitate an automated approach to assure a basic level of protection. This paper presents Odessa, a resilient system for monitoring and validating compliance of networked systems to complex policies. To manage the scale of infrastructure systems and to avoid single points of failure or attack, Odessa distributes policy validation across many network nodes. Partial delegation enables the validation of component policies and of liveness at the edge nodes of the network using redundancy to increase security. Redundant distributed servers aggregate data to validate more complex policies. Our practical implementation of Odessa resists Byzantine failure of monitoring using an architecture that significantly increases scalability and attack resistance.

There has been an extensive amount of research conducted internationally over the last four decades in the area of automated and semi-automated regulatory compliance checking for the Architecture, Engineering, and Construction (AEC) industry. This paper summarises the earlier research initiatives, explores common themes and different approaches used, as well as comparing the strengths and limitations of a number of major code compliance checking tools. Some of these tools have been implemented commercially and others are beginning to be adopted or are in their final stages of development. The paper also examines how readily these tools can be applied in the context of a performance-based code as found in New Zealand. Due to a recent push for innovation and productivity improvement in the AEC industry, there is an increased uptake of building information modelling (BIM) and the Industry Foundation Classes (IFC) open standard data model for interoperability. The availability of high p...