Using Patterns for the Analysis and Resolution of Compliance Violations

Today's enterprises demand a high degree of compliance of business processes with laws and regulations such as Sarbanes-Oxley and Basel II. Compliance should be enforced during all phases of the business process lifecycle, from analysis and design through deployment, monitoring and evaluation. In this paper, a taxonomy of compliance constraints for business processes is introduced, based on the notion of compliance patterns. Patterns facilitate the formal specification of compliance constraints, which in turn enables their verification and analysis against business process models. This taxonomy serves as the backbone of a root-cause analysis that reasons about design-time compliance violations and eventually resolves them by providing appropriate guidelines as remedies for the detected deviations. We have developed and integrated a set of tools to observe and evaluate the applicability of our approach, and have experimented with it in case studies.
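As an added illustration (not code from the paper or its tool set), the following Python checks three assumed pattern-style compliance constraints (Precedence, Response, Absence) against every execution path of a constructed order-to-invoice process model and reports each design-time violation together with a remedy guideline. The process model, the pattern definitions and the remedy texts are assumptions made for this example, not the paper's taxonomy.

```python
# Constructed process model (activity -> successors); one branch skips credit_check, another never invoices.
PROCESS = {
    "start": ["receive_order"],
    "receive_order": ["credit_check", "ship_goods"],
    "credit_check": ["ship_goods"],
    "ship_goods": ["invoice", "end"],
    "invoice": ["end"],
    "end": [],
}

def enumerate_paths(model, node="start", path=None):
    """All start-to-end execution paths of the model; a loop is walked once."""
    path = (path or []) + [node]
    if not model[node]:
        return [path]
    return [p for nxt in model[node] if nxt not in path
            for p in enumerate_paths(model, nxt, path)]

# Each assumed pattern yields (name, constraint text, trace predicate, remedy guideline).
def precedence(a, b):
    """b may occur only after some earlier a."""
    check = lambda t: all(a in t[:i] for i, x in enumerate(t) if x == b)
    return ("Precedence", f"{a} before {b}", check, f"insert '{a}' before '{b}'")

def response(a, b):
    """Every a is eventually followed by b."""
    check = lambda t: all(b in t[i + 1:] for i, x in enumerate(t) if x == a)
    return ("Response", f"{a} -> {b}", check, f"insert '{b}' after '{a}'")

def absence(a):
    """a never occurs on any path."""
    return ("Absence", a, lambda t: a not in t, f"remove '{a}'")

def check_compliance(model, constraints):
    """One violation record per (constraint, path) pair that fails its pattern check."""
    violations = []
    for name, expr, check, remedy in constraints:
        for path in enumerate_paths(model):
            if not check(path):
                violations.append({"pattern": name, "constraint": expr,
                                   "path": " > ".join(path), "remedy": remedy})
    return violations

# Constructed compliance constraints for the example, not the paper's taxonomy.
CONSTRAINTS = [
    precedence("credit_check", "ship_goods"),  # control: credit check before shipping
    response("ship_goods", "invoice"),         # every shipment must be invoiced
    absence("manual_override"),                # forbidden activity
]
```

Calling check_compliance(PROCESS, CONSTRAINTS) lists the violating paths of the constructed model with their remedy hints; tightening the model so that credit_check and invoice are mandatory makes the list empty.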
