Compliance Analysis Based on a Goal-oriented Requirement Language Evaluation Methodology

Sepideh Ghanavati, Daniel Amyot, Liam Peyton
University of Ottawa
{sghanava, damyot, lpeyton}@site.uottawa.ca

Abstract

In recent years, many governmental regulations have been introduced to protect the privacy of personal information. As a result, organizations must take a systematic approach to ensure that their business processes comply with these regulations. In the past, we introduced a requirements framework that mapped regulation documents and goals to goal and scenario models of organizational processes. The intent was to help organizations document and manage the compliance of their processes in the face of evolutionary changes. In this paper, we extend our framework by incorporating regulation scenario models and by adding the notion of contribution link level to the compliance link types. These extensions result in a framework that is more aligned to the needs of an organization when it must evaluate and ensure the legal compliance of its organizational processes.

1. Introduction

Governments have introduced many new regulations in order to protect the privacy of personal information. As a result, organizations have to update their policies and business processes in order to align them with these regulations. The new regulations are complex, and unfortunately are still fairly volatile in terms of amendments and updates. In order to manage the complexity and continuous evolution of both regulations and organizational business processes, a systematic methodology with tool support would be beneficial in order to ensure compliance on an ongoing basis. Furthermore, organizations would like to be able to track overall compliance of the organization with regulations as well as line-item-by-line-item compliance for individual business processes. Being able to measure the degree of compliance, quantitatively or qualitatively, would also be useful in order to measure progress towards complete compliance and to evaluate risk.

Approaches based on requirements engineering methodologies have been used to model law and document compliance [1][2][3][4]. Such work has concentrated on complete compliance, in which the links document a compliance relationship. None of these approaches has provided support for a quantitative or qualitative analysis of the degree of compliance to the law. We introduced a compliance framework in which both the organization and the relevant laws are modeled and compliance links are drawn to show the relationship between the law and the organization.

In this paper, we extend our previous compliance framework [3][4] to show how such support can be added to the framework based on the User Requirements Notation (URN) standard [5]. We do this by extending the link type between two models in our framework to support either a quantitative measure of the "degree of impact" or a qualitative measure of this degree of impact (i.e., make, help, some positive, none, some negative, hurt and break). The concept of degree of impact is identical to that supported for the contribution link type used in the Goal-oriented Requirements Language notation (GRL), a sub-language of URN [5]. The use of these types of links makes it possible to find out to what degree the organization satisfies the law, that is, to differentiate between satisfied and partially satisfied goals or requirements in the law. With this new addition, it becomes possible to customize a model of the law that applies to an organization by specifying a set of rules to which a company must comply. Our framework therefore supports three different types of goal model analysis, namely quantitative, qualitative and hybrid.

In addition to partial compliance, we also extend our framework to support Use Case Maps (UCM), another sub-language of URN, for the modeling of legislation. This enables the modeling of an explicit sequence of activities in the cases where the legislation specifies procedural constraints. URN is one of the few languages for requirements modeling which