Towards Adaptive Compliance

Mission-critical software is often required to comply with multiple regulations, standards or policies. Recent paradigms, such as cloud computing, also require software to operate in heterogeneous, highly distributed, and changing environments. In these environments, compliance requirements can vary at runtime, and traditional compliance management techniques, which are normally applied at design time, may no longer be sufficient. In this paper, we motivate the need for adaptive compliance by illustrating possible compliance concerns determined by runtime variability. We further motivate our work by means of a cloud computing scenario, and present two main contributions. First, we propose and justify a process to support adaptive compliance that extends the traditional compliance management lifecycle with the activities of the Monitor-Analyse-Plan-Execute (MAPE) loop, and enacts adaptation through re-configuration. Second, we explore the literature on software compliance and classify existing work in terms of the activities and concerns of adaptive compliance. In this way, we determine how the literature can support our proposal and which open research challenges need to be addressed in order to fully support adaptive compliance.
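The following is an added illustration of the process the abstract describes, not code from the paper or its authors: a minimal MAPE loop in which the set of compliance requirements in force depends on runtime context (the user's region and the classification of the data being handled, as in a multi-tenant cloud service), and adaptation is enacted by re-configuring the service rather than by redesigning it. The three rules, the context values and the configuration keys are constructed for the example and stand in for real regulatory obligations.

```python
"""Toy MAPE loop for adaptive compliance (added illustration, not the paper's tool).

Monitor  - observe the runtime context the service is operating in.
Analyse  - decide which requirements apply to that context and which are violated.
Plan     - derive a re-configuration that satisfies every violated requirement.
Execute  - apply it, then re-check so that a half-effective plan is never enacted.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Context = Dict[str, str]
Config = Dict[str, object]


@dataclass(frozen=True)
class Requirement:
    """A compliance requirement whose applicability is decided at runtime."""
    rid: str
    applies: Callable[[Context], bool]   # is the rule in force for this context?
    check: Callable[[Config], bool]      # does the configuration satisfy it?
    repair: Callable[[Config], Config]   # re-configuration that satisfies it


# Constructed rule set (hypothetical obligations, not real regulatory text).
REQUIREMENTS: List[Requirement] = [
    Requirement(
        rid="encrypt-at-rest",
        applies=lambda ctx: ctx["data_class"] in {"personal", "health"},
        check=lambda cfg: cfg["storage_encryption"] == "aes-256",
        repair=lambda cfg: {**cfg, "storage_encryption": "aes-256"},
    ),
    Requirement(
        rid="eu-data-residency",
        applies=lambda ctx: ctx["user_region"] == "EU",
        check=lambda cfg: str(cfg["storage_region"]).startswith("eu-"),
        repair=lambda cfg: {**cfg, "storage_region": "eu-west-1"},
    ),
    Requirement(
        rid="audit-log-retention-6y",
        applies=lambda ctx: ctx["data_class"] == "health",
        check=lambda cfg: int(cfg["audit_retention_days"]) >= 6 * 365,
        repair=lambda cfg: {**cfg, "audit_retention_days": 6 * 365},
    ),
]


def analyse(ctx: Context, cfg: Config, reqs: List[Requirement]) -> List[Requirement]:
    """Return the requirements that are in force for ctx and violated by cfg."""
    return [r for r in reqs if r.applies(ctx) and not r.check(cfg)]


def plan(cfg: Config, violations: List[Requirement]) -> Config:
    """Compose the repairs of all violated requirements into one new configuration."""
    new_cfg = dict(cfg)
    for r in violations:
        new_cfg = r.repair(new_cfg)
    return new_cfg


def mape_step(ctx: Context, cfg: Config, reqs: List[Requirement] = REQUIREMENTS
              ) -> Tuple[Config, List[str]]:
    """One MAPE iteration: returns the (possibly unchanged) config and the ids repaired."""
    violations = analyse(ctx, cfg, reqs)           # Analyse (ctx is the Monitor output)
    if not violations:
        return cfg, []
    planned = plan(cfg, violations)                # Plan
    # Guard: repairs of different rules could conflict; never execute a plan
    # that still leaves an in-force requirement violated.
    remaining = analyse(ctx, planned, reqs)
    if remaining:
        raise RuntimeError("plan does not resolve: " + ", ".join(r.rid for r in remaining))
    return planned, [r.rid for r in violations]    # Execute (caller applies `planned`)


def run_scenario() -> List[Tuple[Config, List[str]]]:
    """Constructed trace: the same service sees three successive runtime contexts."""
    cfg: Config = {"storage_encryption": "none",
                   "storage_region": "us-east-1",
                   "audit_retention_days": 90}
    contexts: List[Context] = [
        {"user_region": "US", "data_class": "personal"},
        {"user_region": "EU", "data_class": "health"},
        {"user_region": "EU", "data_class": "health"},
    ]
    trace = []
    for ctx in contexts:
        cfg, repaired = mape_step(ctx, cfg)
        trace.append((cfg, repaired))
    return trace


if __name__ == "__main__":
    for cfg, repaired in run_scenario():
        print(repaired or "compliant", cfg)
```

The point of the trace is that the second context brings two requirements into force that did not apply a moment earlier, and the loop resolves them by re-configuration alone; the re-check before execution is the place where conflicting obligations would surface as a planning failure rather than as a silently non-compliant deployment.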
