ExPDT: Ein Policy-basierter Ansatz zur Automatisierung von Compliance

ExPDT: A Policy-based Approach for Automating Compliance

  • WI – Focus Article
  • Published in: WIRTSCHAFTSINFORMATIK

Summary (translated from the German abstract)

Companies face growing requirements arising from new laws, regulatory provisions, standards, governance and also contracts. By using information technology, validating adherence to such rules (compliance) can be automated and achieved more efficiently. Current approaches are essentially based on access control and on documenting the actual use of data and the execution of processes. While this allows individual compliance requirements to be addressed, an efficient use of IT requires a general approach. For this purpose, a framework for automating compliance is presented. "Policies", as known from IT security, are identified as the key to automating compliance, since they provide a bridge between non-technical compliance requirements and their implementation in IT systems. The policy language ExPDT is presented, and it is shown to what extent it can be used for automated adherence to compliance requirements without jeopardizing the situation-specific adaptivity that business processes require.

Abstract

Remaining in compliance with growing requirements from new laws, regulations, standards, or contracts demands increasing IT support beyond simple reporting tools or archiving solutions. However, efficient IT support for compliance management requires a more general approach. In this contribution, a framework for automating compliance is introduced. Policies are seen as the key to aligning non-technical compliance requirements with a technical IT system. The policy language ExPDT is presented and evaluated with regard to maintaining the flexibility of business processes and validating compliance.



Corresponding authors

Correspondence to Stefan Sackmann or Martin Kähmer.

Additional information

Submitted 2007-12-01; accepted after two revisions on 2008-06-27 by the editors of the special focus.


Cite this article

Sackmann, S., Kähmer, M. ExPDT: Ein Policy-basierter Ansatz zur Automatisierung von Compliance. Wirtsch. Inform. 50, 366–374 (2008). https://doi.org/10.1007/s11576-008-0078-1
