Description
Deposit date: 1 January 1900
Title: Process and rules integration: towards semi-unattended compliance management
Thesis supervisor:
Engin KIRDA (PC_Curie)
Scientific field: Information and communication sciences and technologies
CNRS theme: Not defined
Abstract:
1 Problem description
The need to model the organizational or business setting in which information
systems are intended to operate is nowadays well recognized. The design of
business processes requires several different experts and stakeholders to be
involved, as business processes cover different aspects of an enterprise [14, 29].
Business managers, technical and business experts, legal experts and the operators
who handle day-to-day operations are typically involved in the design and analysis
phase of the Business Process Management (BPM) life cycle. The different people
involved in the design process think about and describe the same process in
completely different ways. This requires different views/perspectives on the
system, while at the same time the stakeholders need to communicate with each
other using one common language [30]. Designing a business process that satisfies
the requirements of all the different persons involved is not a trivial task [31].
The results of the design process are models that support different perspectives
[32]; for example the functional, behavioral, organizational and informational
perspectives [10, 7].
Designing and implementing a business process that is compliant with regulations
and legislation such as Basel II, COBIT, COSO, ISO and Sarbanes-Oxley is especially
difficult. These regulations and laws are often imposed by external entities such
as the government. Implementing them is difficult because they are expressed at a
high level of abstraction that is organization-centric, business-centric,
information-centric, legal-aspect-centric and human-centric [15]. This means that
the abstract, high-level requirements need to be translated into business rules,
compliance policies and security policies that can be enforced by the underlying
infrastructure. This mapping is always done manually, as there are no tools
available to automate the process. For these reasons, designing a business process
that satisfies laws, rules and regulations and implementing it on top of an
IT infrastructure is a time-consuming, costly and error-prone process.
In order to survive in today's business world, which is characterized by
fast-paced market development, the sudden emergence of disruptive technologies,
increased time-to-market pressure and shortened product life cycles, enterprises
need to be agile with respect to business processes, partners and relations. Thus,
business processes are continuously adapted as business objectives and the
environment continuously evolve. In many cases, regulations, legislation and
business objectives change independently of one another. Business processes that
are compliant with rules and regulations are designed and managed through separate
activities and by several different experts who have different domain knowledge
[13]. Furthermore, the mapping of abstract, high-level compliance requirements to
implementable rules and policies is a manual process. Therefore, managing
compliance in an 'agile' company is not only time-consuming, costly and error-prone
but also maintenance-intensive [15]. A scalable, robust and powerful solution is
desired to solve the above issues.
2 Approach
Several approaches exist for achieving and maintaining compliance. Broadly
speaking, we can distinguish two main approaches to compliance management. The
first approach is a reactive solution. In this approach, traditional audits are
carried out, resulting in audit reports. Non-compliant behavior is detected after
it has happened; detection takes place "after the fact". This reporting approach
can be done manually, but this requires many audit checks that have to be performed
by expensive consultants. In recent years, software solutions have come onto the
market that provide some automation of this process (e.g. SAP Governance, Risk and
Compliance). These software solutions hook into existing ERP systems, and
hard-coded checks are performed against those systems [28]. Business activity
monitoring and data mining are the technologies used in this approach. The second
main approach has a preventive focus, meaning that the intention is to avoid
non-compliant behavior by collecting compliance requirements using a generic
requirements engineering framework and propagating these requirements into the
business processes and the underlying IT landscape; the approach thus focuses on
achieving compliance by design [17]. Formal methods, tools and languages are used
in this approach to check whether the business process model satisfies the
compliance rules. We believe that the two approaches are complementary. A reactive
solution can detect non-compliant behavior at runtime, which a preventive solution
is not able to do; because of the inherent possibility of human or system error,
compliance must also be monitored and enforced at run-time. In this thesis, we will
focus on preventive solution(s) as we believe that a compan
Doctoral student: Scholte Theodoor