Top

WIRTSCHAFTSINFORMATIK

Published in:

01-10-2008 | WI – Schwerpunktaufsatz

ExPDT: A Policy-based Approach for Automating Compliance

Authors: Dr. Stefan Sackmann, Dipl.-Inf. Martin Kähmer

Published in: WIRTSCHAFTSINFORMATIK | Issue 5/2008

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Remaining in compliance with growing requirements from new laws, regulations, standards, or contracts demands increasing IT support beyond simple reporting tools or archiving solutions. However, an efficient IT support of compliance management requires a more general approach. In this contribution, a framework for automating compliance is introduced. Policies are seen as the key to aligning non-technical compliance requirements to a technical IT system. The policy language ExPDT is presented and evaluated with regard to maintaining flexibility of business processes and validating compliance.

previous article Governance im IT-Portfoliomanagement – Ein Ansatz zur Berücksichtigung von Strategic Alignment bei der Bewertung von IT

next article Compliance Monitor for Early Warning Risk Determination

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

WIRTSCHAFTSINFORMATIK

WI – WIRTSCHAFTSINFORMATIK – ist das Kommunikations-, Präsentations- und Diskussionsforum für alle Wirtschaftsinformatiker im deutschsprachigen Raum. Über 30 Herausgeber garantieren das hohe redaktionelle Niveau und den praktischen Nutzen für den Leser.

inform now

Business & Information Systems Engineering

BISE (Business & Information Systems Engineering) is an international scholarly and double-blind peer-reviewed journal that publishes scientific research on the effective and efficient design and utilization of information systems by individuals, groups, enterprises, and society for the improvement of social welfare.

inform now

Wirtschaftsinformatik & Management

Texte auf dem Stand der wissenschaftlichen Forschung, für Praktiker verständlich aufbereitet. Diese Idee ist die Basis von „Wirtschaftsinformatik & Management“ kurz WuM. So soll der Wissenstransfer von Universität zu Unternehmen gefördert werden.

inform now

Accorsi, R. (2008): Automated Privacy Audits to Complement the Notion of Control for Identity Management. In: Proceedings of the IFIP Conference on Policies and Research in Identity Management, Springer, Berlin, pp. 39–48.

Agrawal, R.; Johnson, C.; Kiernan, J.; Leymann, F. (2006): Taming Compliance with Sarbanes-Oxley Internal Controls Using Database Technology. In: Proceedings of the 22nd International Confeence on Data Engineering (ICDE’06). IEEE Computer Society, Washington, DC.

Ashley, P.; Hada, S.; Karjoth, G.; Powers, C.; et al. (2003): Enterprise Privacy Authorization Language (EPAL 1.2). Submission to W3C.

Bace, J.; Rozwell, C. (2006): Understanding the Components of Compliance. Gartner, Report G00137902.

Backes, M.; Karjoth, G.; Bagga, W.; Schunter, M. (2004): Efficient comparison of enterprise privacy policies. In: Proceedings of ACM Symposium on Applied Computing (SAC’04), Nicosia, pp. 375–382.

Bajaj, S; Box, D; et al. (2006): Web Services Policy 1.2 – Framework (WS-Policy). http://www.w3.org/Submission/WS-Policy/, last access 2008-06-27.

Botan, I; Kossmann, D.; et al. (2007): Extending XQuery with Window Functions. In: Proceedings of the 33rd International Conference on Very Large Data Bases, VLDB Endowment, Vienna, pp. 75–86.

Breaux, T. D.; Anton, A. I.; Karat, C.-M.; Karat, J. (2005): Enforceability vs. Accountability in Electronic Policies. Report TR-2005–47, North Carolina State University Computer Science.

Cannon, J. C.; Byers, M. (2006): Compliance deconstructed. In: CACM Queue 4 (7), pp. 30–37.

Cranor, L. F.; Dobbs, B; et al. (2006): The Platform for Privacy Preferences 1.1 (P3P1.1). W3C specification. http://www.w3.org/TR/P3P11/, last access 2008-06-27.

Cranor, L. F.; Langheinrich, M.; Marchiori, M. (2005): A P3P Preference Exchange Language 1.0 (APPEL). W3C Working Draft.

Delbaere, M.; Ferreira, R. (2007): Addressing the data aspects of compliance with industry models. In: IBM Systems Journal 46 (2), pp. 319–334.

Gallier, J. H. (1988): Logic for Computer Science. John Wiley and Sons, New York.

Giblin, C.; Muller, S.; Pfitzmann, B. (2006): From regulatory policies to event monitoring rules: Towards model driven compliance automation. IBM Research Zurich, Report RZ 3662.

Goedertier, S.; Vanthienen, J. (2006): Designing Compliant Business Processes with Obligations and Permissions. In: Proceedings of International Conference on Business Process Management (BPM06) Workshops. LNCS 4103, Springer, Berlin, pp. 5–14.

Hilty, M.; Basin, D.; Pretschner A. (2005): On Obligations. In: Proceedings of 10th European Symposium on Research in Computer Security (ESORICS 2005). LNCS 3679, Springer, Berlin, pp. 98–117.

Iliev, A.; Smith, S. (2005): Protecting Client Privacy with Trusted Computing at the Server. Proceedings of IEEE Security & Privacy 3 (2), pp. 20–28.

ITGI (2007): COBIT 4.1, Framework, Control Objectives, Management Guidelines, Maturity Models. http://www.isaca.org/AMTemplate.cfm?Section=Downloads&Template=/MembersOnly.cfm&ContentFileID=14002, last access 2007-12-01 (free registration required).

Johnson, C. M.; Grandison, T. W. A. (2007): Compliance with data protection laws using Hippocratic Database active enforcement and auditing. IBM Systems Journal 46 (2), pp. 255–264.

Kähmer, M. (2007): ExPDT Ontologies and Examples. http://www.telematik.uni-freiburg.de/mitarbeiter/kaehmer/expdt/, last access 2008-06-27.

Kähmer, M. (2008): Extended Privacy Definition Tool – A Formalism for Specification and Comparison of Privacy Policies. PhD Thesis, University of Freiburg, to appear.

Kähmer, M.; Gilliot, M. (2008): Extended Privacy Definition Tool. In: Proceedings of the Multikonferenz Wirtschaftsinformatik (MKWI 2008), LNI, Springer, Berlin.

Karagiannis, D. (2008): A Business Process-Based Modelling Extension for Regulatory Compliance. In: Proceedings of the Multikonferenz Wirtschaftsinformatik (MKWI 2008), LNI, Springer, Berlin.

Klempt, P.; Schmidpeter, H.; Sowa, S.; Tsinas, L. (2007): Business Oriented Information Security Management – A Layered Approach. In: Proceedings of the 2nd International Symposium on Information Security (IS’07), Vilamoura, pp. 1835–1852.

Liebenau, J.; Kärrberg, P. (2006): International Perspectives on Information Security Practices. London School of Economics and Political Science, McAfee.

McGuinness, D. L.; van Harmelen, F. (2004): OWL Web Ontology Language – Overview. W3C recommendation. http://www.w3.org/TR/2004/REC-owl-features-20040210/, last access 2008.06.27.

Moses, T. (2005): eXtensible Access Control Markup Language (XACML), version 2.0, Oasis Standard. http://xml.coverpages.org/xacml.html, last access 2008-06-27.

Muehlen, M. zur; Rosemann, M. (2005): Integrating Risks in Business Process Models. In: Proceedings of the 16th Australasian Conference on Information Systems (ACIS 2005), Sydney.

Müller, G.; Sackmann, S.; Prokein, O. (2008): IT Security: New Requirements, Regulations and Approaches. In: Frank-Schlottmann, F. et al. (Eds.): Handbook on Information Technology in Finance, Springer, Berlin, pp. 711–730.

Namiri, D.; Stojanovic, N. (2008): Towards a Formal Framework for Business Process Compliance. In: Proceedings of the Multikonferenz Wirtschaftsinformatik (MKWI 2008), LNI, Springer, Berlin.

OCG (2007): ITIL V3 – Service Life Cycle, Office of Governance Commerce, http://www.itil.org/en/itilv3-servicelifecycle/index.php, last access 2008-06-27.

Raghupathi, W. R. P. (2007): Corporate governance of IT: a framework for development. In: Communications of the ACM 50 (8), pp. 94–99.

Raub, D. (2004): Algebraische Spezifikation von Privacy Policies. Master’s thesis, Uni. Karlsruhe (in German).

Raub, D.; Steinwandt, R. (2006): An Algebra for Enterprise Privacy Policies Closed Under Composition and Conjunction. In: Proceedings of International Conference on Emerging Trends in Information and Communication Security (ETRICS), LNCS 3995, Springer, Berlin, pp. 130–144.

Sackmann, S.; Kähmer, M.; Gilliot, M.; Lowis, L. (2008): A Classification Model for Automating Compliance. In: Proceedings of the IEEE Conference on E-Commerce Technology (CEC08), to appear.

Sackmann, S.; Strücker, J.; Accorsi, R. (2006): Personalization in Privacy-Aware Highly Dynamic Systems. In: Communications of the ACM 49 (9), pp. 32–38.

Sadiq, S. W.; Governatori, G.; Namiri, K. (2007): Modeling Control Objectives for Business Process Compliance. In: Proceedings of the 5th International Conference Business Process Management (BPM 2007). LNCS 4714, Springer, Berlin, pp. 149–164.

Schneider, F. B.; Morrisett, G.; Harper, R. (2001): A Language-Based Approach to Security. In: Informatics: 10 Years Back, 10 Years Ahead. LNCS 2000, Springer, Berlin, pp. 86–101.

Schneider, F. B. (2006): Computability classes for enforcement mechanisms. In: ACM Transactions on Programming Languages and Systems 28 (1), pp. 175–205.

Title: ExPDT: A Policy-based Approach for Automating Compliance
Authors: Dr. Stefan Sackmann
Dipl.-Inf. Martin Kähmer
Publication date: 01-10-2008
Publisher: Vieweg Verlag
Published in: WIRTSCHAFTSINFORMATIK / Issue 5/2008
Print ISSN: 0937-6429
Electronic ISSN: 1861-8936
DOI: https://doi.org/10.1007/s11576-008-0078-1

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft"

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

WIRTSCHAFTSINFORMATIK

Business & Information Systems Engineering

Wirtschaftsinformatik & Management

Other articles of this Issue 5/2008

Towards Systematic Achievement of Compliance in Service-Oriented Architectures: The MASTER Approach

WI – Vergleichende Literaturstudie

WI – Call for Papers, Heft 5/2009, Internet der Dienste

Governance im IT-Portfoliomanagement – Ein Ansatz zur Berücksichtigung von Strategic Alignment bei der Bewertung von IT

IT-Compliance und IT-Governance

Compliance Monitor for Early Warning Risk Determination

Premium Partner