Formalizing and appling compliance patterns for business process compliance

Today’s enterprises demand a high degree of compliance of business processes to meet diverse regulations and legislations. Several industrial studies have shown that compliance management is a daunting task, and organizations are still struggling and spending billions of dollars annually to ensure and prove their compliance. In this paper, we introduce a comprehensive compliance management framework with a main focus on design-time compliance management as a first step towards a preventive lifetime compliance support. The framework enables the automation of compliance-related activities that are amenable to automation, and therefore can significantly reduce the expenditures spent on compliance. It can help experts to carry out their work more efficiently, cut the time spent on tedious manual activities, and reduce potential human errors. An evident candidate compliance activity for automation is the compliance checking, which can be achieved by utilizing formal reasoning and verification techniques. However, formal languages are well known of their complexity as only versed users in mathematical theories and formal logics are able to use and understand them. However, this is generally not the case with business and compliance practitioners. Therefore, in the heart of the compliance management framework, we introduce the Compliance Request Language (CRL), which is formally grounded on temporal logic and enables the abstract pattern-based specification of compliance requirements. CRL constitutes a series of compliance patterns that spans three structural facets of business processes; control flow, employed resources and temporal perspectives. Furthermore, CRL supports the specification of compensations and non-monotonic requirements, which permit the relaxation of some compliance requirements to handle exceptional situations. An integrated tool suite has been developed as an instantiation artefact, and the validation of the approach is undertaken in several directions, which includes internal validity, controlled experiments, and functional testing.     

A framework for visually monitoring business process compliance

Any enterprise must ensure that its business processes comply with imposed compliance rules. The latter stem, for example, from corporate guidelines, legal regulations, and best practices. In general, a compliance rule may constrain multiple perspectives of a business process, including behavior (i.e. control flow), data, time, resources, and interactions with business partners. As a particular challenge, compliance cannot be completely ensured at design time, but needs to be continuously monitored during process enactment as well, i.e., it has to be dynamically checked whether compliance rules are satisfied or temporarily/permanently violated. This paper presents a comprehensive framework for visually monitoring business process compliance. As opposed to existing approaches, the framework supports the visual monitoring of all relevant process perspectives based on the extended Compliance Rule Graph (eCRG) language. Furthermore, it not only allows for the detection of violations, but additionally highlights their causes. Finally, the framework assists users in both monitoring business process compliance and ensuring the compliant continuation of running business processes. Overall, the framework provides a fundamental contribution towards the real-time monitoring of compliance in process-driven enterprises.     

An OWL-based semantic business process monitoring framework

Process monitoring phase is one of the service-oriented business process (SOBP) lifecycle phases. Traditional process monitoring approaches have been only achieved at the syntactic level of the process monitoring contexts, which causes the communication problems such as ambiguous understandings and divergent interpretations. To solve the problems, the process monitoring should be achieved at the semantic level as well as at the syntax level of the process monitoring context. In order to support semantic monitoring operations, an ontology-based monitoring framework for the SOBP execution is suggested in this paper. The suggested framework combines a BPEL4WS process model with the semantic monitoring context which is expressed with OWL.     

Decision-enabled dynamic process management for networked enterprises

Enterprises in today’s networked economy face numerous information management challenges, both from a process management perspective as well as a decision support perspective. While there have been significant relevant advances in the areas of business process management as well as decision sciences, several open research issues exist. In this paper, we highlight the following key challenges. First, current process modeling and management techniques lack in providing a seamless integration of decision models and tools in existing business processes, which is critical to achieve organizational objectives. Second, given the dynamic nature of business processes in networked enterprises, process management approaches that enable organizations to react to business process changes in an agile manner are required. Third, current state-of-the-art decision model management techniques are not particularly amenable to distributed settings in networked enterprises, which limits the sharing and reuse of models in different contexts, including their utility within managing business processes. In this paper, we present a framework for decision-enabled dynamic process management that addresses these challenges. The framework builds on computational formalisms, including the structured modeling paradigm for representing decision models, and hierarchical task networks from the artificial intelligence (AI) planning area for process modeling. Within the framework, interleaved process planning (modeling), execution and monitoring for dynamic process management throughout the process lifecycle is proposed. A service-oriented architecture combined with advances from the semantic Web field for model management support within business processes is proposed.     

On compliance checking for clausal constraints in annotated process models

Compliance management is important in several industry sectors where there is a high incidence of regulatory control. It must be ensured that business practices, as reflected in business processes, comply with the rules. Such compliance checks are challenging due to (1) the different life cycles of rules and processes, and (2) their disparate representations. (1) requires retrospective checking of process models. To address (2), we herein devise a framework where processes are annotated to capture the semantics of task execution, and compliance is checked against a set of constraints posing restrictions on the desirable process states. Each constraint is a clause, i.e., a disjunction of literals. If a process can reach a state that falsifies all literals of one of the constraints, then that constraint is violated in that state, and indicates non-compliance. Naively, such compliance can be checked by enumerating all reachable states. Since long waiting times are undesirable, it is important to develop efficient (low-order polynomial time) algorithms that (a) perform exact compliance checking for restricted cases, or (b) perform approximate compliance checking for more general cases. Herein, we observe that methods of both kinds can be defined as a natural extension of our earlier work on semantic business process validation. We devise one method of type (a), and we devise two methods of type (b); both are based on similar restrictions to the processes, where the restrictions made by methods (b) are a subset of those made by method (a). The approximate methods each guarantee either of soundness (finding only non-compliances) or completeness (finding all non-compliances). We describe how one can trace the state evolution back to the process activities which caused the (potential) non-compliance, and hence provide the user with an error diagnosis.     

Semantic information assurance for secure distributed knowledge management: a business process perspective

Secure knowledge management for eBusiness processes that span multiple organizations requires intraorganizational and interorganizational perspectives on security and access control issues. There is paucity in research on information assurance of distributed interorganizational eBusiness processes from a business process perspective. This paper presents a framework for secure semantic eBusiness processes integrating three streams of research, namely: 1) eBusiness processes; 2) information assurance; and 3) semantic technology. This paper presents the conceptualization and analysis of a secure semantic eBusiness process framework and architecture, and provides a holistic view of a secure interorganizational semantic eBusiness process. This paper fills a gap in the existing literature by extending role-based access control models for eBusiness processes that are done by using ontological analysis and semantic Web technologies to develop a framework for computationally feasible secure eBusiness process knowledge representations. An integrated secure eBusiness process approach is needed to provide a unifying conceptual framework to understand the issues surrounding access control over distributed information and knowledge resources.     

An iterative approach to synthesize business process templates from compliance rules

Companies have to adhere to compliance requirements. The compliance analysis of business operations is typically a joint effort of business experts and compliance experts. Those experts need to create a common understanding of business processes to effectively conduct compliance management. In this paper, we present a technique that aims at supporting this process. We argue that process templates generated out of compliance requirements provide a basis for negotiation among business and compliance experts. We introduce a semi-automated and iterative approach to the synthesis of such process templates from compliance requirements expressed in Linear Temporal Logic (LTL). We show how generic constraints related to business process execution are incorporated and present criteria that point at underspecification. Further, we outline how such underspecification may be resolved to iteratively build up a complete specification. For the synthesis, we leverage existing work on process mining and process restructuring. However, our approach is not limited to the control-flow perspective, but also considers direct and indirect data-flow dependencies. Finally, we elaborate on the application of the derived process templates and present an implementation of our approach.     

Compliance monitoring in business processes: Functionalities,application, and tool-support

In recent years, monitoring the compliance of business processes with relevant regulations, constraints, and rules during runtime has evolved as major concern in literature and practice. Monitoring not only refers to continuously observing possible compliance violations, but also includes the ability to provide fine-grained feedback and to predict possible compliance violations in the future. The body of literature on business process compliance is large and approaches specifically addressing process monitoring are hard to identify. Moreover, proper means for the systematic comparison of these approaches are missing. Hence, it is unclear which approaches are suitable for particular scenarios. The goal of this paper is to define a framework for Compliance Monitoring Functionalities (CMF) that enables the systematic comparison of existing and new approaches for monitoring compliance rules over business processes during runtime. To define the scope of the framework, at first, related areas are identified and discussed. The CMFs are harvested based on a systematic literature review and five selected case studies. The appropriateness of the selection of CMFs is demonstrated in two ways: (a) a systematic comparison with pattern-based compliance approaches and (b) a classification of existing compliance monitoring approaches using the CMFs. Moreover, the application of the CMFs is showcased using three existing tools that are applied to two realistic data sets. Overall, the CMF framework provides powerful means to position existing and future compliance monitoring approaches.     

A business repository enrichment process: A case study for manufacturing execution systems

A key characteristic of the software applications supporting manufacturing business processes is their heterogeneity. This is due not only to differences in their development and deployment, but also to the variety of processes and actors in complex organizations. Heterogeneity at the semantic level is one of the major problems in any process of interoperability and/or integration. There is therefore a need for developing new approaches and methods to ensure interoperability between different software solutions. In the context of a case study with a consortium of MES (Manufacturing Execution Systems) publishers, we propose a semantic alignment process of repositories used in the construction of a MES solution called “MES On Demand”, using multiple applications and driven by business processes. Through the study of semantic heterogeneities, we use an enrichment-based alignment for business repositories applied to ISO/IEC 62264. Finally, we evaluate the contribution of this approach to enterprise maturity in the application of standards and reference models, using Nascio’s Enterprise Architecture Maturity Model. This proposal, which is useful for practitioners and experts, is a contribution to academic study on semantic alignment for master interoperability.     

An analysis of web services support for dynamic business process outsourcing

Outsourcing of business processes is crucial for organizations to be effective, efficient and flexible. In fast changing markets, dynamic outsourcing is required, in which business relationships are established and enacted on-the-fly in an adaptive, fine-grained way. This requires automated means for the establishment of outsourcing relationships and for the enactment of services performed in these relationships. Due to wide industry support and their model of loose coupling, Web Services have become the mechanism of choice to interconnect organizations. This paper analyzes Web Services support for the dynamic process outsourcing paradigm. We discuss contract-based outsourcing to define requirements, introduce the Web Services framework and investigate the match between the two. We observe that the framework requires further support for cross-organizational business processes and mechanisms for contracting, QoS management and transaction management. We suggest an approach to fill these gaps based on a business process support application layer implemented on Web Service technology.     

A conceptual framework for understanding business processes and business process modelling

It is increasingly common to describe organizations as sets of business processes that can be analysed and improved by approaches such as business process modelling. Successful business process modelling relies on an adequate view of the nature of business processes, but there is a surprising divergence of opinion about the nature of these processes. This paper proposes a conceptual framework to organize different views of business processes under four headings. It also aims at providing an integrated discussion of the different streams of thought, their strengths and limitations, within business process modelling. It argues that the multifaceted nature of business processes calls for pluralistic and multidisciplinary modelling approaches.     

Self-adaptive middleware: Supporting business process priorities and service level agreements

This paper deals with quality of service, defined at the application level, with respect to business constraints expressed in terms of business processes. We present a set of adaptive methods and rules for routing messages in an integration infrastructure which yields a form of autonomic behavior, namely the ability to dynamically optimize the flow of messages in order to comply with SLAs according to business priorities. EAI (Enterprise Application Integration) infrastructures may be seen as component systems that exchange asynchronous messages over an application bus, under the supervision of a processflow engine that orchestrates the messages. The QoS (Quality of Service) of the global IT system is defined and monitored with SLAs (Service Level Agreements) that apply to each business process. The goal of this paper is to propose routing strategies for message handling that maximize the ability of the EAI system to meet these requirements in a self-adaptive and self-healing manner, i.e., its ability to cope with sudden variations of the event flow or temporary failures of a component system. These results are a first contribution towards deployment of autonomic computing concepts into BPM (Business Process Management) architectures. This approach marks a departure from previous approaches in which QoS constraints are pushed to the lower level (e.g., the network). Although the techniques, such as adaptive queuing, are similar, managing QoS at the business process level yields more flexibility and robustness.     

Norms modeling constructs of business process compliance management frameworks: a conceptual evaluation

The effectiveness of a compliance management framework (CMF) can be guaranteed only if the framework is based on sound conceptual and formal foundations. In particular, the formal language used in the CMF is able to expressively represent the specifications of normative requirements (hereafter, norms) that impose constraints on various activities of a business process. However, if the language used lacks expressiveness and the modelling constructs proposed in the CMF are not able to properly represent different types of norms, it can significantly impede the reliability of the compliance results produced by the CMF. This paper investigates whether existing CMFs are able to provide reasoning and modeling support for various types of normative requirements by evaluating the conceptual foundations of the modeling constructs that existing CMFs use to represent a specific type of norm. The evaluation results portray somewhat a bleak picture of the state-of-the-affairs when it comes to represent norms as none of the existing CMFs is able to provide a comprehensive reasoning and modeling support. Also, it points to the shortcomings of the CMFs and emphasises exigent need of new modeling languages with sound theoretical and formal foundations for representing legal norms.     

A distributed architecture for reconfigurable control of continuous process operations

This paper considers a new distributed approach to reconfigurable control of continuous process operations such as in chemical plants. The research is set on a premise that emerging business pressures of product customization and industrial globalization will lead to increased need for reconfigurability in process plants. The ability of processes to support dynamic and smooth reorganization of process schemes in tandem with the changing requirements of supply chains will become important in future. Conventional control approaches based on hierarchical architectures are limited in dealing with such emerging requirements due to their inflexible structures and operating rules. Instead, more distributed approaches are required which can support increased level of reconfigurability in control systems, especially at the lower levels in hierarchy where the visibility to disturbances remains high. In this paper, one such distributed approach is considered based on the concepts of holonic manufacturing and supply chain management. The proposed approach distributes the functionality of process control into several reconfigurable process elements. These elements, while having a stand-alone capability for making their own control decisions, are also able to reconfigure themselves into alternative process schemes which evolve with the changing requirements of production. An analogy between process plants and so-called dynamic supply networks or virtual enterprises is used in this paper to define the composition of reconfigurable process elements and their operations. The proposed approach is shown to offer improved process control system reconfigurability and a control architecture which is compatible with the supply chain management needs at the next higher level. The purpose of this paper is qualitative and motivational. It is aimed to propose a new research direction in the field of reconfigurable process control.     

Semantic business process integration based on ontology alignment

Innovation and agility should be provided to businesses by efficient collaboration (i.e., communication and sharing) between them. However, semantic heterogeneity between business processes is a serious problem for automatically supporting cooperation processes (e.g., knowledge sharing and querying-based interactions) between businesses. In order to overcome this problem, we propose a novel framework based on aligning business ontologies for integrating heterogeneous business processes. We can consider two types of alignment processes; (i) manual alignment for building a whole business process ontology in a business process management (BPM) system and (ii) automated alignment between business processes of different BPM systems. Thereby, the optimal integration between two business processes has to be discovered to maximize the summation of a set of partial similarities between semantic components consisting of the business processes. In particular, the semantic component are extracted from semantic annotations of business processes. For evaluating the proposed system, we have conducted experimentations by using 22 business process management systems, which are organized as six business alliances. We have assumed that business processes in a same BPM system should be built with a common ontologies. The proposed alignment method has shown about 71.3% of precision (65.4% of recall). In addition, we found out that alignment results are dependent on some characteristics of ontologies (e.g., depth and number of classes).     

A distributed requirements management framework for legal compliance and accountability

Increasingly, new regulations are governing organizations and their information systems. Individuals responsible for ensuring legal compliance and accountability currently lack sufficient guidance and support to manage their legal obligations within relevant information systems. While software controls provide assurances that business processes adhere to specific requirements, such as those derived from government regulations, there is little support to manage these requirements and their relationships to various policies and regulations. We propose a requirements management framework that enables executives, business managers, software developers and auditors to distribute legal obligations across business units and/or personnel with different roles and technical capabilities. This framework improves accountability by integrating traceability throughout the policy and requirements lifecycle. We illustrate the framework within the context of a concrete healthcare scenario in which obligations incurred from the Health Insurance Portability and Accountability Act (HIPAA) are delegated and refined into software requirements. Additionally, we show how auditing mechanisms can be integrated into the framework and how auditors can certify that specific chains of delegation and refinement decisions comply with government regulations.     

Building an Application Security Program

As security professionals we have a good handle on securing our perimeters, yet security compromises continue to rise. Hackers have found a new attack vector and are successfully exploiting it. Application exploits are to blame for this rise in security compromises and security professionals need to identify and secure the application.

While risk cannot be completely eliminated, a strong Application Security Program can identify and mitigate these risks to a more manageable level. Organizational support, framework selection, and adherence to compliance and regulatory requirements are vital to the success of the program and the security of your applications. If you lack any of these elements the program will fail. There are many frameworks to choose from, so careful consideration must be taken to ensure the right framework is chosen for your organization.

A successful Application Security Program will be fully integrated within the SDLC. It will enable your organization to identify and remediate risks with applications. If implanted and executed effectively it will also meet the requirements for FISMA compliance.     

Data-driven and automated prediction of service level agreement violations in service compositions

Service Level Agreements (SLAs), i.e., contractually binding agreements between service providers and clients, are gaining momentum as the main discriminating factor between service implementations. For providers, SLA compliance is of utmost importance, as violations typically lead to penalty payments or reduced customer satisfaction. In this paper, we discuss approaches to predict violations a priori. This allows operators to take timely remedial actions, and prevent SLA violations before they have occurred. We discuss data-driven, statistical approaches for both, instance-level prediction (SLA compliance prediction for an ongoing business process instance) and forecasting (compliance prediction for future instances). We present an integrated framework, and numerically evaluate our approach based on a case study from the manufacturing domain.     

Requirements engineering for e-business advantage

As a means of contributing to the achievement of business advantage for companies engaging in e-business, we propose a requirements engineering framework that incorporates a business strategy dimension. We employ Jackson’s Problem Frames approach, goal modeling, and business process modeling (BPM) to achieve this. Jackson’s context diagrams, used to represent business model context, are integrated with goal models to describe the requirements of the business strategy. We leverage the paradigm of projection in both approaches as a means of simultaneously decomposing both the requirement and context parts, from an abstract business level to concrete system requirements. Our approach maintains traceability to high-level business objectives via contribution relationship links in the goal model. We integrate use of role activity diagrams to describe business processes in detail where needed. The feasibility of our approach is shown by a well-known case study taken from the literature.     

B-SCP: A requirements analysis framework for validating strategic alignment of organizational IT based on strategy,context, and process

Ensuring that organizational IT is in alignment with and provides support for an organization's business strategy is critical to business success. Despite this, business strategy and strategic alignment issues are all but ignored in the requirements engineering research literature. We present B-SCP, a requirements engineering framework for organizational IT that directly addresses an organization's business strategy and the alignment of IT requirements with that strategy. B-SCP integrates the three themes of strategy, context, and process using a requirements engineering notation for each theme. We demonstrate a means of cross-referencing and integrating the notations with each other, enabling explicit traceability between business processes and business strategy. In addition, we show a means of defining requirements problem scope as a Jackson problem diagram by applying a business modeling framework. Our approach is illustrated via application to an exemplar. The case example demonstrates the feasibility of B-SCP, and we present a comparison with other approaches.