From Regulatory Policies to Event Monitoring Rules: Towards Model-Driven Compliance Automation

The complexity and costs of conforming to regulatory objectives in large enterprises has drastically heightened the need for consistent and automated approaches to managing compliance. To uniformly describe and manage compliance policies in distributed and heterogeneous IT environments, we have proposed a compliance metamodel for formally capturing regulatory requirements and managing them in a systematic lifecycle. A key aspect in automating compliance involves the monitoring of application events to determine whether business processes and applications operate within the parameters set forth in formal compliance policies. We show how subsets of the regulations, industry guidances or best practices that are expressed in terms of the metamodel can be (semi-)automatically transformed into event monitoring rules with the help of temporal rule patterns. Using examples of regulatory requirements, we demonstrate their formalization in compliance policies and their automated transformation into event correlation rules.

[1]  Xin Zhou,et al.  Regulations Expressed As Logical Models (REALM) , 2005, JURIX.

[2]  Thomas A. Henzinger,et al.  A really temporal logic , 1994, JACM.

[3]  Roy T. Fielding,et al.  Uniform Resource Identifiers (URI): Generic Syntax , 1998, RFC.

[4]  Thomas A. Henzinger,et al.  Real-time logics: complexity and expressiveness , 1990, [1990] Proceedings. Fifth Annual IEEE Symposium on Logic in Computer Science.

[5]  Thomas A. Henzinger,et al.  Real-Time Logics: Complexity and Expressiveness , 1993, Inf. Comput..

[6]  Frank Budinsky,et al.  Eclipse Modeling Framework , 2003 .

[7]  Alexander Pretschner,et al.  Distributed usage control , 2006, CACM.

[8]  Frank Leymann,et al.  Taming Compliance with Sarbanes-Oxley Internal Controls Using Database Technology , 2006, 22nd International Conference on Data Engineering (ICDE'06).