Doctoral research project number: 3022

Description

Submission date: 1 January 1900
Title: Process and rules integration: towards semi-unattended compliance management
Thesis supervisor: Engin KIRDA (PC_Curie)
Scientific field: Information and communication sciences and technologies
CNRS theme: Not defined

Abstract:

1 Problem description

The need to model the organizational or business setting in which information systems are intended to operate is nowadays well recognized. The design of business processes requires several different experts and stakeholders to be involved, as business processes cover different aspects of an enterprise [14, 29]. Business managers, technical and business experts, legal experts and the operators who handle day-to-day operations are typically involved in the design and analysis phase of the Business Process Management (BPM) life cycle. The different people involved in the design process think about and describe the same process in completely different ways. This requires different views/perspectives on the system, while at the same time the stakeholders need to communicate with each other using one common language [30]. Designing a business process that satisfies the requirements of all the different people involved is not a trivial task [31]. The results of the design process are models that support different perspectives [32], for example the functional, behavioral, organizational and informational perspectives [10, 7].

Designing and implementing a business process that is compliant with regulations and legislation such as Basel II, COBIT, COSO, ISO and Sarbanes-Oxley is especially difficult. These regulations and legislation are often imposed by external entities such as the government. Implementing them is difficult because they are expressed at a high level of abstraction that is organization-centric, business-centric, information-centric, legal-aspect-centric and human-centric [15]. This means that the abstract, high-level requirements need to be translated into business rules and compliance and security policies that can be enforced by the underlying infrastructure. This mapping is always done manually, as there are no tools available to automate it.

For these reasons, designing a business process that satisfies laws, rules and legislation and implementing it on top of an IT infrastructure is a time-consuming, costly and error-prone process. In order to survive in today's business world, which is characterized by fast-paced market development, the sudden emergence of disruptive technologies, increased time-to-market pressure and shortened product life cycles, enterprises need to be agile with respect to business processes, partners and relations. Thus, business processes are continuously adapted as business objectives and the environment continuously evolve. In many cases, regulations, legislation and business objectives change independently. Business processes that are compliant with rules and regulations are designed and managed through separate activities and by several different experts who have different domain knowledge [13]. Furthermore, the mapping of abstract, high-level compliance requirements to implementable rules and policies is a manual process. Therefore, managing compliance in an "agile" company is not only time-consuming, costly and error-prone but also maintenance-intensive [15]. A scalable, robust and powerful solution is desired to solve the above issues.

2 Approach

Several approaches exist for achieving and maintaining compliance. Broadly speaking, we can distinguish two main approaches to compliance management. The first is a reactive solution. In this approach, traditional audits are carried out, resulting in audit reports. Non-compliant behavior is detected after it has happened; detection takes place "after the fact". This reporting approach can be done manually, which requires many audit checks that have to be performed by expensive consultants. In recent years, software solutions have come onto the market that provide some automation of this process (e.g. SAP Governance Risk and Compliance). These software solutions hook into existing ERP systems, and hard-coded checks are performed against those systems [28]. Business activity monitoring and data mining are technologies used in this approach.

The second main approach has a preventive focus: the intention is to avoid non-compliant behavior by collecting compliance requirements using a generic requirements engineering framework and propagating these requirements into the business processes and the underlying IT landscape; the approach thus focuses on achieving compliance by design [17]. Formal methods, tools and languages are used in this approach to check whether the business process model satisfies the compliance rules.

We believe that the two approaches are complementary. A reactive solution can detect non-compliant behavior at runtime, while a preventive solution is not able to do that; due to the inherent possibility of human or system error, compliance must also be monitored and enforced at run-time. In this thesis, we will focus on preventive solution(s) as we believe that a compan

Doctoral student: Scholte Theodoor