nach oben

Software and Systems Modeling

Erschienen in:

08.02.2014 | Regular Paper

Formalizing and appling compliance patterns for business process compliance

verfasst von: Amal Elgammal, Oktay Turetken, Willem-Jan van den Heuvel, Mike Papazoglou

Erschienen in: Software and Systems Modeling | Ausgabe 1/2016

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Today’s enterprises demand a high degree of compliance of business processes to meet diverse regulations and legislations. Several industrial studies have shown that compliance management is a daunting task, and organizations are still struggling and spending billions of dollars annually to ensure and prove their compliance. In this paper, we introduce a comprehensive compliance management framework with a main focus on design-time compliance management as a first step towards a preventive lifetime compliance support. The framework enables the automation of compliance-related activities that are amenable to automation, and therefore can significantly reduce the expenditures spent on compliance. It can help experts to carry out their work more efficiently, cut the time spent on tedious manual activities, and reduce potential human errors. An evident candidate compliance activity for automation is the compliance checking, which can be achieved by utilizing formal reasoning and verification techniques. However, formal languages are well known of their complexity as only versed users in mathematical theories and formal logics are able to use and understand them. However, this is generally not the case with business and compliance practitioners. Therefore, in the heart of the compliance management framework, we introduce the Compliance Request Language (CRL), which is formally grounded on temporal logic and enables the abstract pattern-based specification of compliance requirements. CRL constitutes a series of compliance patterns that spans three structural facets of business processes; control flow, employed resources and temporal perspectives. Furthermore, CRL supports the specification of compensations and non-monotonic requirements, which permit the relaxation of some compliance requirements to handle exceptional situations. An integrated tool suite has been developed as an instantiation artefact, and the validation of the approach is undertaken in several directions, which includes internal validity, controlled experiments, and functional testing.

Vorheriger Artikel SAMM: an architecture modeling methodology for ship command and control systems

Nächster Artikel A profile and tool for modelling safety information with design information in SysML

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

BPCM Business Process Compliance Management Tool Suite: http://eriss.uvt.nl/compas/.

Ongoing work in Governance, Risk and Compliance Technology Centre (GRCTC), Ireland, http://www.grctc.com/, the first author is affiliated to.

BPCM—Business Process Compliance Management Tool Suite: http://eriss.uvt.nl/compas/.

SOX: Sarbanes-Oxley Act of 2002. In: Congress, U.S. (ed.), (2002)

Bank for International Settlements: Basel III: International framework for liquidity risk measurement, standards and monitoring (2010)

Accutiy. Visualising trends in anti-money laundering compliance. http://www.accuity.com/industry-updates/free-resources/trends-in-aml-compliance-infographic/. Accessed 28 Nov 2013

Ernst & Young: The Top 10 Risks For Business. The Ernst & Young Business Risk Report (2010)

Hartman, T.: The Cost of Being Public in the ERA of Sarbanes-Oxley. Foley & Lardner LLP (2006)

Goedertier, S., Vanthienen, J.: Designing compliant business processes with obligations and permissions. In: International Business Process Management Workshops (BPM), Austria, pp. 5–14 (2006)

Sadiq, S., Governatori, G., Naimiri, K.: Modeling control objectives for business process compliance. In: Business Process Management-BPM’09 Proceedings, pp. 149–164 (2007)

Holzmann, G.: The model checker SPIN. IEEE Trans. Softw. Eng. 23, 279–295 (1997)CrossRef

Ly, L.T., Rinderle-Ma, S., Göser, K., Dadam, P.: On enabling integrated process compliance with semantic constraints in process management systems. Inf. Syst. Front. 14(2), 195–219 (2012)

10.

Halle, S., Villemaire, R., Cherkaoui, O.: Specifying and validating data-aware temporal web service properties. IEEE Trans. Softw. Eng. 35, 669–683 (2009)CrossRef

11.

Giblin, C., Liu, A., Muller, S., Pfitzmann, B., Zhou, X.: Regulations expressed as logical models. In: 18th International Annual Conference of Legal Knowledge and Information Systems, Belgium, pp. 37–48 (2005)

12.

Eshuis, R.: Symbolic model checking of UML activity diagrams. ACM Trans. Softw. Eng. Methodol. 15, 1–38 (2006)CrossRef

13.

Wang, H.J., Leon Zhao, J.: Constraint-centric workflow change analytics. Decis. Support Syst. 51, 562–575 (2011)CrossRef

14.

Abouzaid, F., Mullins, J.: A calculus for generation, verification, and refinement of BPEL specifications. Electron. Notes Theor. Comput. Sci. (ENTCS) 200, 43–65 (2008)CrossRef

15.

Awad, A., Gore, R., Thomson, J., Weidlich, M.: An iterative approach for business process template synthesis from compliance rules. In: 23rd International Conference on Advanced Information Systems, Engineering, pp. 406–421 (2011)

16.

Yu, J., Han, Y., Han, J., Jin, Y., Falcarin, P., Morisio, M.: Synthesizing service composition models on the basis of temporal business rules. J. Comput. Sci. Technol. 23, 885–894 (2008)CrossRef

17.

Liu, Y., Muller, S., Xu, K.: A static compliance-checking framework for business process models. IBM Syst. J. 46, 335–361 (2007)

18.

Awad, A., Weidlich, M., Weske, M.: Specification, verification and explanation of violation for data aware compliance rules. In: 7th International Conference on Service Oriented Computing (ICSOC- Service Wave’09), vol. 5900, pp. 500–515. Springer, Berlin (2009)

19.

Geist, D.: The PSL/sugar specification language: a language for all seasons. In: The Correct Hardware Design and Verification Methods Conference, pp. 21–24 (2003)

20.

Khaluf, L., Gerth, C., Engels, G.: Pattern-based modeling and formalizing of business process quality constraints. In: CAiSE’11, pp. 521–535 (2011)

21.

Yu, J., Manh, T., Han, J., Jin, Y.: Pattern based property specification and verification for service composition. In: K.A. et al. (eds) WISE 2006, LNCS-4255, pp. 156–168. Springer, Berlin (2006)

22.

Dwyer, M., Avrunin, G., Corbett, J.: Property specification patterns for finite-state verification. In: 2nd International Workshop on Formal Methods on Software, Practice, pp. 7–15 (1998)

23.

Pelliccione, P., Inverardi, P., Muccini, H.: CHARMY: a framework for designing and verifying architectural specifications. IEEE Trans. Softw. Eng. 35, 325–346 (2009)CrossRef

24.

Ramezani, E., Fahland, D., van der Aalst, W.: Where did i misbehave? Diagnostic information in compliance checking. In: 10th International Conference on Business Process Management (BPM), pp. 262–278. Springer, Berlin (2012)

25.

Accorsi, R., Sato, Y.: Automated certification for compliant cloud-based business processes. Bus. Inf. Syst. Eng. (BISE) 3, 145–154 (2011)CrossRef

26.

Accorsi, R., Lehmann, A.: Automatic information flow analysis of business process models. In: 10th International Conference on Business Process Management (BPM), pp. 172–187. Springer, Berlin (2012)

27.

Pesic, M., Schonenberg, H., van der Aalst, W.M.P.: DECLARE: full support for loosely-structured processes. In: EDOC’07, pp. 287–300 (2007)

28.

Pesic, M., van der Aalst, W.: A declarative approach for flexible business processes management. In: BPM’06 Workshops (2006)

29.

Konrad, S., Cheng, B.: Real-time specification patterns. In: International Conference on Software Engineering (ICSE’05), USA, pp. 15–21 (2005)

30.

Giblin, C., Muller, S., Pfitzmann, B.: From Regulatory Policies to Event Monitoring Rules. Zurich Research Laboratory, Zurich (2006)

31.

Gruhn, V., Laue, R.: Specification patterns for time-related properties. In: 12th Int’l Symposium on Temporal Representation and Reasoning, pp. 198–191 (2005)

32.

Wolter, C., Schaad, A.: Modeling of task-based authorization constraints in BPMN. In: Business Process Management (BPM 2007), pp. 64–79. Springer, Berlin (2007)

33.

Ahn, G., Sandhu, R., Kang, M., Park., J.: Injecting RBAC to secure a web-based workflow system. In: RBAC ’00, pp. 1–10 (2000)

34.

Governatori, G., Milosevic, Z., Sadiq, S.: Compliance checking between business processes and business contracts. In: 10th International Enterprise Distributed Object Computing Conference (EDOC 2006), pp. 221–232 (2006)

35.

Governatori, G., Rotolo, A.: Justice delayed is justice denied: logics for a temporal account of reparations and legal compliance. In: Computational Logic in Multi-Agent Systems, vol. 6814, pp. 364–382 (2011)

36.

Thomas, F.: Constructing legal arguments with rules in the legal knowledge interchange format (LKIF). In: Computable Models of the Law, Languages, Dialogues, Games, Ontologies, vol. 4884, pp. 162–184 (2008)

37.

Palmirani, M., Governatori, G., Contissa, G.: Modelling temporal legal rules. In: International Conference on Artificial Intelligence and Law, pp. 131–135 (2011)

38.

Governatori, G., Olivieri, F., Scannapieco, S., Cristani, M.: Designing for compliance: norms and goals. In: 5th International Conference on Rule-Based Modeling and Computing on the Semantic Web, pp. 282–297 (2011)

39.

Governatori, G., Rotolo, A.: Bio logical agents: norms, beliefs, intentions in defeasible logic. J. Auton. Agents Multi Agent Syst. 17, 36–69 (2008)CrossRef

40.

Markovic, I., Pereira, A.C., Stojanovic, N.: A framework for querying in business process modelling. International Multikonferenz Wirtschaftsinformatik, Germany, pp. 1703–1714 (2008)

41.

Beeri, C., Eyal, A., Kamenkovich., S.: Querying business processes. In: 32nd International VLDB Conference, Korea, pp. 343–354 (2006)

42.

Kühne, S., Kern, H., Gruhn, V., Laue, R.: Business process modeling with continuous validation. J. Softw. Evol. Process 22, 547–566 (2010)CrossRef

43.

Delfmann, P., Herwig, S., Lis, L., Stein, A., Tent, K., Becker, J.: Pattern specification and matching in conceptual models: a generic approach based on set operations. Enterp. Modell. Inf. Syst. Arch. 5, 24–43 (2010)

44.

Awad, A.: BPMN-Q: A language to query business processes. In: 2nd International Workshop on Enterprise Modelling and Information Systems Architectures: Concepts and Applications (EMISA), Germany, pp. 115–128 (2007)

45.

Elgammal, A., Turetken, O., van den Heuvel, W., Papazoglou, M.: Towards a comprehensive design-time compliance management: a roadmap. In: 15 International Business Information Management Conference (15th IBIMA), Egypt, pp. 1480–1484 (2010)

46.

Fu, X., Bultan, T., Su, J.: Analysis of Interacting BPEL Web Services. World Wide Web (WWW), pp. 621–630. ACM Press, USA (2004)

47.

Fu, X., Bultan, T., Su, J.: WSAT: a tool for formal analysis of web services. In: 16th International Conference on Computer Aided Verification, USA, pp. 510–514 (2004)

48.

Turetken, O., Elgammal, A., van den Heuvel, W.J., Papazoglou, M.: Enforcing compliance on business processes through the use of patterns. In: 19th European Conference on Information Systems (ECIS 2011), Finland (2011)

49.

Turetken, O., Elgammal, A., van den Heuvel, W., Papazoglou, M.: Capturing compliance requirements: a pattern-based approach. IEEE Softw. 29, 28–36 (2012)CrossRef

50.

COSO: Internal Control: Integrated Framework. The Committee of Sponsoring Organizations of the Treadway Commission (1994)

51.

Elgammal, A., Turetken, O., van den Heuvel, W., Papazoglou, M.: Root-cause analysis of design-time compliance violations on the basis of property patterns. In: 8th International Conference on Service-Oriented Computing (ICSOC’10), USA, pp. 17–31 (2010)

52.

Elgammal, A., Turetken, O., van den Heuvel, W.: Using patterns for the analysis and resolution of compliance violations. Int. J. Coop. Inf. Syst. 21, 31–54 (2012)CrossRef

53.

COMPAS Project, Deliverable 2.1: State-of-the-Art in the Field of Compliance Languages (2008)

54.

IFRS: International Financial Reporting Standards. International Accounting Standards Board (2001)

55.

FINRA: The Financial Industry Regulatory Authority, “FINRA Manual” (2008)

56.

COBIT: Control Objectives for Information and related Technology: COBIT, 4.1. IT Governance Institute (2007)

57.

OCEG: GRC Capability Model, Ver 2.0. Open Compliance and Ethics Group (2009)

58.

Elgammal, A., Turetken, O., van den Heuvel, W., Papazoglou, M.: On the formal specification of regulatory compliance: a comparative analysis. In: International Performance Assessment and Auditing in Service Computing Workshop, ICSOC’10 workshops, USA (2010)

59.

Elgammal, A., Turetken, O., van den Heuvel, W., Papazoglou, M.: On the formal specification of business contracts and regulatory compliance. In: 4th Workshop on Formal Languages and Analysis of Contract-Oriented Software, EPTCS, Pisa, Italy. pp. 33–36 (2010)

60.

Elgammal, A.: Towards a comprehensive framework for business process compliance. Ph.D. Dissertation. Information Management Department, Tilburg University, Tilburg University Press, pp. 284 (April 2012)

61.

Pnueli, A.: The temporal logic of programs. In: 18th IEEE Symposium on Foundations of Computer, Science, pp. 46–57 (1977)

62.

Armoni, R., Fix, L., Flaisher, A., Gerth, R., Ginsburg, B., Kanza, T., Landver, A., Mador-Haim, S., Singerman, E., Tiemeyer, A., Vardi, M., Zbar, Y.: The ForSpec temporal logic: a new temporal property-specification language. Lecture Notes In Computer Science, vol. 2280 (2002)

63.

Alur, R., Henzinger, T.: Real-time logics: complexity and expressiveness. Inf. Comput. 104, 35–77 (1993)CrossRefMathSciNetMATH

64.

Baral, C., Zhoa, J.: Non-monotonic temporal logics for goal specifications. In: 20th International Intelligence Conference on Artificial Intelligence (IJCAI-07), India, pp. 236–242 (2007)

65.

Hevner, A., March, S., Park, J., Ram, S.: Design science in information systems research. MIS Q. 28, 75–105 (2004)

66.

Sebahi, S.: Business process compliance monitoring: a view based approach. Laboratoire d’InfoRmatique en Image et Systèmes d’information (LIRIS), Ph.D. University Lyon 1, Lyon (2012)

67.

OMG: Semantics Of Business Vocabulary And Business Rules (SBVR), Version 1.0. (2008)

68.

Abi-Lahoud, E., Butler, T., Chapin, D., Hall, J.: Interpreting regulations in SBVR. In: RuleML (2013)

Titel: Formalizing and appling compliance patterns for business process compliance
verfasst von: Amal Elgammal
Oktay Turetken
Willem-Jan van den Heuvel
Mike Papazoglou
Publikationsdatum: 08.02.2014
Verlag: Springer Berlin Heidelberg
Erschienen in: Software and Systems Modeling / Ausgabe 1/2016
Print ISSN: 1619-1366
Elektronische ISSN: 1619-1374
DOI: https://doi.org/10.1007/s10270-014-0395-3

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Springer Professional "Technik"

Weitere Artikel der Ausgabe 1/2016

Goal-oriented modeling and verification of feature-oriented product lines

Industry 4.0 as a Cyber-Physical System study

Evaluating the appropriateness of the BPMN 2.0 standard for modeling service choreographies: using an extended quality framework

Cyber-physical systems challenges: a needs analysis for collaborating embedded software systems

Synthesizing object life cycles from business process models

Systematic literature review of the objectives, techniques, kinds, and architectures of models at runtime