Compliance Requirements for Business-process driven SOAs Mike P. Papazoglou Tilburg Research Institute on Services Science Tilburg University, The Netherlands.

1 Compliance Requirements for Business-process driven SOAs Mike P. Papazoglou Tilburg Research Institute on Services Science Tilburg University, The Netherlands

2 OUTLINE
- OVERVIEW – SERVICES & COMPLIANCE
- COMPLIANCE FRAMEWORKS
- COMPLIANCE & BPM-DRIVEN SOAs
- RESEARCH TOPICS
Michael P. Papazoglou © "WCC" Milano, Sept. 7, 2008

3 WHAT IS COMPLIANCE?
Compliance is any explicitly stated rule or regulation that prescribes any aspect of an internal or cross-organizational business process. Different types of compliance include:
- Policies internal to an organization (business rules)
   Functional or non-functional, e.g., QoS and security policies.
- Mutually acceptable agreements, e.g., SLAs that drive a business transaction.
- Policies external to an organization
   Public policy (e.g., privacy/data protection, consumer protection, ...)
   Laws & regulations (universally applicable)
   Sectorial regulations, e.g., transportation & delivery.

4 SOA & COMPLIANCE
- IT managers & internal auditors need to work together to examine SOA compliance & security vulnerabilities and to explore cost-effective approaches to risk mitigation before implementing an SOA.
- Internal controls must be enforced by SOAs,
   e.g., internal controls that segregate duties by assigning user roles to individuals may not work well within the SOA.
- SOAs need to be designed with compliance requirements in mind.

5 CURRENT SITUATION WITH COMPLIANCE
Current compliance solutions to rules and regulations are ad hoc and typically hand-crafted for particular compliance problems. They are:
- hard to maintain
- hard to evolve
- spread over multiple systems with ill-defined dependencies
- hard to reuse (custom-made, narrow solutions)
- hard to understand (they address several requirements in a tangled manner)
- hard to formally verify

6 REGULATORY COMPLIANCE
Compliance regulations, such as HIPAA, Basel II, Sarbanes-Oxley (SOX) and others, require all organizations to review their business processes and ensure that they meet the compliance standards set forth in the legislation. This can include:
- data acquisition and archival,
- document management,
- data security,
- financial accounting practices,
- shareholder reporting functions, &
- knowing when unusual activities occur.

7 INTERNAL CONTROL: DEFINITION
- Internal control is the cornerstone of auditing: it assures business process compliance, delivering guarantees regarding virtually all accounting aspects of services, including risk management, financial checks & governance processes.
   It is the most important & fundamental concept for an Internal Auditor.
- It is designed to provide reasonable assurance regarding the achievement of objectives in:
   Financial reporting reliability
   Operating efficiency and effectiveness
   Compliance with applicable laws and standards

8 INTERNAL CONTROL: EXAMPLE (SOX)
SOX Financial Reporting puts into place requirements and penalties to ensure that companies' financial statements accurately represent their business position.
Implementing a compliance regulation act, e.g., SOX Section 404, which mandates that well-defined & documented processes & controls be in place for all aspects of company operations that affect financial information & reports, requires:
1. controlling and auditing who accesses financial information,
2. controlling and auditing what financial information is accessed, and
3. ensuring financial information is not compromised during transmission.
A strategy for automating the integration of diverse business processes & their accompanying internal control systems throughout the enterprise is therefore needed.

9 CONTROL ACTIVITIES
- The policies and procedures that ensure that management directives are carried out. Control activities occur throughout the organization, at all levels and in all functions.
- They ensure that the necessary actions are taken to address risks during the achievement of company objectives.
- They include a range of diverse activities such as:
   approvals,
   authorizations,
   verifications,
   reconciliations,
   reviews of operating performance,
   security of assets, and
   segregation of duties.

10 OUTLINE (OVERVIEW – SERVICES & COMPLIANCE | COMPLIANCE FRAMEWORKS | COMPLIANCE & BPM-DRIVEN SOAs | RESEARCH TOPICS)

11 COMPLIANCE METHODOLOGIES
There are good methodologies & guidelines that already exist to help audit processes:
- COSO framework for establishing internal controls over financial reporting.
- COBIT (Control Objectives for Information and Related Technology) provides security & control practices & a reference framework for management, users, IS audit, control & security practitioners.
- Maturity Models determine the current status of the organization's processes and how they should evolve. They provide both the goals to strive for and the means of measuring attainment of those goals.

12 THE COSO FRAMEWORK
COSO is a standard ICT framework providing guidance on organizational governance, business ethics, internal control, enterprise risk management, fraud, & financial reporting. It is the leading framework for applying SOX.
Control Environment
   Sets the tone of the organization, influencing the control consciousness of its people
   Factors include integrity, ethical values, competence, authority, responsibility, organization structure, HR policies and IT control environment
   Foundation for all other components of control
Risk Assessment
   Risk assessment is the identification and analysis of relevant risks to achieving the entity's objectives – forming the basis for determining control activities
Control Activities
   Policies/procedures that ensure management directives are carried out
   Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties
Information & Communication
   Pertinent information identified, captured and communicated in a timely manner
   Access to internally and externally generated information
   Flow of information that allows for successful control actions, from instructions on responsibilities to summary of findings for management action
Monitoring
   Assessment of a control system's performance over time
   Combination of ongoing and separate evaluation
   Management and supervisory activities
   Internal audit activities

13 OUTLINE (OVERVIEW – SERVICES & COMPLIANCE | COMPLIANCE FRAMEWORKS | COMPLIANCE & BPM-DRIVEN SOAs | RESEARCH TOPICS)

14 LOOKING AT MATURITY MODELS
Lean Six Sigma for services is a business process improvement methodology that improves process (DMAIC) quality & consistency & enables the reduction of the cost of complexity:
1. DEFINE (identify core processes & sub-processes)
2. MEASURE (determine KPIs for processes)
3. ANALYZE (find KPI process gaps)
4. IMPROVE (improve processes)
5. CONTROL (integrate activities)
(Diagram labels: Create Possibility for Change; Engage & Enable the entire Organization; Implement & Sustain Process Transformation; Create ROI; Sustain the Change; Make it Stick.)

15 OUTLINE (OVERVIEW – SERVICES & COMPLIANCE | COMPLIANCE FRAMEWORKS | COMPLIANCE & BPM-DRIVEN SOAs | RESEARCH TOPICS)

16 COMPLIANCE & BPM-DRIVEN SOAs
(Architecture diagram. Labels: Business Management – Process Modeling, Simulation and Documentation; Process Management & Business Activity Monitoring; Historical & Trend Analysis Tools. Process Workspace – Process Participants; Business Analysts; Process Analyst. Artifacts – Business Use Cases; Business-domain overview; Business process interaction patterns; Requirements; Process Model; interactive, real-time dashboards; proactive alerts & monitoring screen. Infrastructure – Process Development and Systems Integration; Process and Monitoring Repository; BPM middleware; Enterprise Information Systems: CRM, SCM, ERP.)

17 OUTLINE (OVERVIEW – SERVICES & COMPLIANCE | COMPLIANCE FRAMEWORKS | COMPLIANCE & BPM-DRIVEN SOAs | RESEARCH TOPICS)

18 SOME INTERESTING RESEARCH TOPICS
- Continuous Auditing of Business-process driven SOAs
- Dealing with the Effects of Business Process Changes
- High-level Languages for expressing Compliance-based Requests
- Compliance-aware service composition and reuse patterns
- Compliance-aware behaviour specification and checking (reliability & fault tolerance)
- Compliance-aware service monitoring
