A UML Extension for the Model-Driven Specification of Audit Rules

In recent years, a number of laws and regulations (such as the Basel II accord or SOX) demand that organizations record certain activities or decisions to fulfill legally enforced reporting duties. Most of these regulations have a direct impact on the information systems that support an organization's business processes. Therefore, the definition of audit requirements at the modeling level is an important prerequisite for the thorough implementation and enforcement of corresponding policies in a software system. In this paper, we present a UML extension for the specification of audit properties. The extension is generic and can be applied to a wide variety of UML elements. In a model-driven development (MDD) approach, our extension can be used to generate corresponding audit rules via model transformations.
