


Award ID contains: 2348147


  1. Rapid expansion in the manufacture and use of Internet of Things (IoT) devices has introduced significant challenges in ensuring compliance with cybersecurity standards. To protect user data and privacy, all organizations providing IoT devices must adhere to complex guidelines such as the National Institute of Standards and Technology Interagency Report (NIST IR) 8259, which defines essential cybersecurity guidelines for IoT manufacturers. However, interpreting and applying the rules in these guidelines and in privacy policies remains a significant challenge for companies. This project therefore presents a novel approach to extracting knowledge from NIST IR 8259 and creating semantically rich ontology mappings from it. Our ontology captures key compliance rules, which are stored in a knowledge graph (KG) that allows organizations to cross-check and update privacy policy documents with ease. The KG also enables real-time querying using SPARQL and offers a transparent view of regulatory adherence for IoT manufacturers and users. By automating the verification of cybersecurity compliance, the framework keeps companies aligned with NIST standards, eliminating manual checks and reducing the risk of non-compliance. We also demonstrate that, compared to baseline Large Language Models (LLMs), our proposed framework achieves higher compliance accuracy and is more efficient and scalable.
  2. Regulatory documents are complex and lengthy, making full compliance a challenging task for businesses. Similarly, privacy policies provided by vendors frequently fall short of the necessary legal standards due to insufficient detail. To address these issues, we propose a solution that leverages a Large Language Model (LLM) in combination with Semantic Web technology. This approach aims to clarify regulatory requirements and ensure that organizations' privacy policies align with the relevant legal frameworks, ultimately simplifying the compliance process, reducing privacy risks, and improving efficiency. In this paper, we introduce a novel tool, the Privacy Policy Compliance Verification Knowledge Graph, referred to as PrivComp-KG. PrivComp-KG is designed to efficiently store and retrieve comprehensive information related to privacy policies, regulatory frameworks, and domain-specific legal knowledge. By utilizing an LLM together with Retrieval Augmented Generation (RAG), we can accurately identify relevant sections in privacy policies and map them to the corresponding regulatory rules. Our LLM-based retrieval system has demonstrated a high level of accuracy, achieving a correctness score of 0.9 and outperforming other models in privacy policy analysis. The information extracted from individual privacy policies is then integrated into the PrivComp-KG. By combining this data with contextual domain knowledge and regulatory rules, PrivComp-KG can be queried to assess each vendor's compliance with applicable regulations. We demonstrate the practical utility of PrivComp-KG by verifying the compliance of privacy policies across various organizations. This approach not only helps policy writers better understand legal requirements but also enables them to identify gaps in existing policies and update them in response to evolving regulations.