Tough Problems Solved

Following a recent wave of identity theft, spamware and online fraud, consumers are demanding that businesses safeguard their personal information from exploitation by cybercriminals and government officials have responded with stringent legislation mandating effective privacy policies. But while consumers expect the companies they do business to protect their data with the same zeal that they do their own assets, the reality is that many organizations store personal identifiable information (PII) in heterogeneous server system environments, making data privacy management difficult.

To help businesses manage and enforce their privacy policies, IBM Research has developed the SPARCLE (Server Privacy Architecture and Capability Enablement) policy management workbench. The goal is to help privacy professionals in any industry create policies in natural language, translate those policies into system readable commands, implement them with an enforcement engine and run reports to audit the effectiveness of the of the policy implementation. These capabilities will not only help protect the personal information of customers, but also will help reduce risk for organizations.

Currently, most privacy policy management is carried out through non-technical processes such as documentation and training for people who handle personal information. Because the people responsible for implementing privacy policies can vary widely in their technical skill levels, SPARCLE is designed to allow them to define policies using natural language. The tool then automatically parses the text to extract the elements of the rules and allows the user to review and modify those rules. SPARCLE then transforms the rules into XML machine-readable code.

To assist with monitoring activities after the privacy policy is in place, SPARCLE provides internal auditing capabilities to help managers ascertain whether the policies are correctly enforced and spot possible violations. SPARCLE assists policy authors in creating and modifying policies by identifying missing rule elements. SPARCLE helps organizations improve and streamline their policies through a policy critic analysis capability that identifies conflicts and redundancies between rules within and across policies and provides the methods to resolve them. SPARCLE also includes a visualization utility for helping users understand the implications of new and existing policies, allowing them to test out "what if" scenarios ahead of time. A template feature enables users to import policy files from other sources and to modify those files, creating a central repository for larger corporate policies or laws.

In coordination with IBM Research, IBM Global Business Services (GBS) has used the SPARCLE policy management workbench to help clients with a variety of policy-related issues, ranging from policy definition to policy templates for mandated compliance requirements such as HIPAA and SOX. In addition, GBS clients have used SPARCLE to assist in policy gap analysis, policy conflict resolution and streamlining, and verification of policy consistency. Future plans call for expanding the SPARCLE approach into other policy areas including a wide range of security policies, networking, systems management and business operations, helping individuals and organizations write high quality policy rules that can be implemented with technology and verified for compliance with regulations and legislation.

IBM Research and IBM Global Business Services work with clients and industry experts to deliver this and other groundbreaking approaches and technologies. To find out more about the research and explore innovative ways to add the SPARCLE policy management workbench to your IT portfolio, contact IBM Research Services today.