Ontology-based Analysis of Compliance and Regulatory Requirements of Business Processes

Thorsten Humberg, Christian Wessel, Daniel Poggenpohl, Sven Wenzel, Thomas Ruhroth, Jan Jürjens

Abstract

Despite its significant potential benefits, the concept of Cloud Computing is still regarded with skepticism in most companies. One of the main obstacles is posed by concerns about the systems' security and compliance issues. Examining system and process models for compliance manually is time-consuming and error-prone, in particular due to the sheer extent of potentially relevant sources of security and compliance concerns that have to be considered. This paper proposes techniques to ease these problems by providing support in identifying relevant aspects, as well as by suggesting possible methods (from an existing pool of such methods) to actually check a given model. We developed a two-step approach: First, we build an ontology to formalize rules from relevant standards, augmented with additional semantic information. This ontology is then utilized in the analysis of an actual model of a system or a business process in order to detect possible compliance obligations.
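The two-step approach sketched in the abstract (formalize rules from standards in an ontology, then match a process model against it) can be illustrated with a deliberately small example. The following Python block is an added illustration written for this page; it is not the paper's tool and does not use the paper's ontology. All concept names, the three rules with their clause identifiers (DP-1 to DP-3) and the sample process are hypothetical placeholders. Subsumption over the concept hierarchy is what an OWL reasoner would provide in a real implementation; here it is a transitive closure over a hand-written subclass map.

```python
"""Toy ontology-driven compliance check.

Added illustration for this page, not the paper's implementation.
Concepts, rules and the sample process are hypothetical.
"""
from dataclasses import dataclass

# Concept hierarchy: child concept -> set of direct superclasses (hypothetical).
SUBCLASS_OF = {
    "CustomerRecord": {"PersonalData"},
    "HealthRecord": {"SensitivePersonalData"},
    "SensitivePersonalData": {"PersonalData"},
    "PersonalData": {"Data"},
    "LogData": {"Data"},
    "CloudStorage": {"ExternalStorage"},
    "ExternalStorage": {"Storage"},
    "OnPremiseStorage": {"Storage"},
    "Storage": {"Activity"},
    "Transfer": {"Activity"},
    "CrossBorderTransfer": {"Transfer"},
}


def ancestors(concept):
    """Return the concept itself plus all transitive superclasses."""
    seen = set()
    stack = [concept]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(SUBCLASS_OF.get(current, ()))
    return seen


def is_a(concept, super_concept):
    """Subsumption check: does `concept` fall under `super_concept`?"""
    return super_concept in ancestors(concept)


@dataclass(frozen=True)
class Rule:
    """A formalized requirement: if an activity of kind `activity` handles
    data of kind `data`, the `obligation` applies. `source` names the
    (hypothetical) standard clause the rule was taken from."""
    source: str
    activity: str
    data: str
    obligation: str


@dataclass(frozen=True)
class Activity:
    """One step of a business-process model, annotated with ontology concepts."""
    name: str
    kind: str
    data: str


# Rule base built from the ontology; the clause identifiers are placeholders.
RULES = [
    Rule("hypothetical clause DP-1", "ExternalStorage", "PersonalData",
         "Conclude a data-processing agreement with the storage provider"),
    Rule("hypothetical clause DP-2", "Storage", "SensitivePersonalData",
         "Encrypt records at rest and restrict access to named roles"),
    Rule("hypothetical clause DP-3", "CrossBorderTransfer", "PersonalData",
         "Document the legal basis for the transfer"),
]


def analyse(process, rules=RULES):
    """Match every activity against every rule via subsumption and return
    (activity name, rule source, obligation) triples for each hit."""
    findings = []
    for act in process:
        for rule in rules:
            if is_a(act.kind, rule.activity) and is_a(act.data, rule.data):
                findings.append((act.name, rule.source, rule.obligation))
    return findings


# Constructed sample process model (hypothetical).
PROCESS = [
    Activity("Store patient file", "CloudStorage", "HealthRecord"),
    Activity("Archive web server logs", "CloudStorage", "LogData"),
    Activity("Sync CRM to partner", "CrossBorderTransfer", "CustomerRecord"),
]

if __name__ == "__main__":
    for name, source, obligation in analyse(PROCESS):
        print(f"{name}: {obligation} ({source})")
```

Running the block reports two obligations for the patient-file step (it is both external storage of personal data and storage of sensitive data), none for the log archive (LogData is not personal data), and one for the cross-border CRM sync. The point a practitioner should take from it is that the rules are written against abstract concepts, so adding a new storage technology or data category to the hierarchy is enough for existing rules to cover it without rewriting them.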

Paper Citation


in Harvard Style

Humberg T., Wessel C., Poggenpohl D., Wenzel S., Ruhroth T. and Jürjens J. (2013). Ontology-based Analysis of Compliance and Regulatory Requirements of Business Processes. In Proceedings of the 3rd International Conference on Cloud Computing and Services Science - Volume 1: CloudSecGov, (CLOSER 2013) ISBN 978-989-8565-52-5, pages 553-561. DOI: 10.5220/0004505405530561


in Bibtex Style

@conference{cloudsecgov13,
author={Thorsten Humberg and Christian Wessel and Daniel Poggenpohl and Sven Wenzel and Thomas Ruhroth and Jan Jürjens},
title={Ontology-based Analysis of Compliance and Regulatory Requirements of Business Processes},
booktitle={Proceedings of the 3rd International Conference on Cloud Computing and Services Science - Volume 1: CloudSecGov, (CLOSER 2013)},
year={2013},
pages={553-561},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0004505405530561},
isbn={978-989-8565-52-5},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Conference on Cloud Computing and Services Science - Volume 1: CloudSecGov, (CLOSER 2013)
TI - Ontology-based Analysis of Compliance and Regulatory Requirements of Business Processes
SN - 978-989-8565-52-5
AU - Humberg T.
AU - Wessel C.
AU - Poggenpohl D.
AU - Wenzel S.
AU - Ruhroth T.
AU - Jürjens J.
PY - 2013
SP - 553
EP - 561
DO - 10.5220/0004505405530561