Compliance Requirements for Business-process driven SOAs


Compliance Requirements for Business-process driven SOAs
Mike P. Papazoglou
Tilburg Research Institute on Services Science, Tilburg University, The Netherlands
email: mikep@uvt.nl
http://infolab.uvt.nl/people/mikep

OUTLINE
- OVERVIEW – SERVICES & COMPLIANCE
- COMPLIANCE FRAMEWORKS
- COMPLIANCE & BPM-DRIVEN SOAs
- RESEARCH TOPICS
Michael P. Papazoglou © “WCC” Milano Sept. 7, 2008

WHAT IS COMPLIANCE?
Compliance is any explicitly stated rule or regulation that prescribes any aspect of an internal or cross-organizational business process. Different types of compliance include:
- Policies internal to an organization (business rules)
  - Functional or non-functional, e.g., QoS or security policies
  - Mutually acceptable agreements, e.g., SLAs that drive a business transaction
- Policies external to an organization
  - Public policy (e.g., privacy/data protection, consumer protection, ...)
  - Laws & regulations (universally applicable)
  - Sectorial regulations, e.g., transportation & delivery

SOA & COMPLIANCE
- IT managers & internal auditors need to work together to examine SOA compliance & security vulnerabilities, and to explore cost-effective approaches to risk mitigation before implementing an SOA.
- Internal controls must be enforced by SOAs; e.g., internal controls that segregate duties by assigning user roles to individuals may not work well within the SOA.
- SOAs need to be designed with compliance requirements in mind.

CURRENT SITUATION WITH COMPLIANCE
Current compliance solutions to rules and regulations are ad hoc and typically hand-crafted for particular compliance problems. They are:
- hard to maintain
- hard to evolve (multiple systems with ill-defined dependencies)
- hard to reuse (custom-made, narrow solutions)
- hard to understand (they address several requirements in a tangled manner)
- hard to formally verify

REGULATORY COMPLIANCE
Compliance regulations, such as HIPAA, Basel II, Sarbanes-Oxley (SOX) and others, require all organizations to review their business processes and ensure that they meet the compliance standards set forth in the legislation. This can include data acquisition and archival, document management, data security, financial accounting practices, shareholder reporting functions, and knowing when unusual activities occur.

INTERNAL CONTROL: DEFINITION
- Internal control is the cornerstone of auditing: it assures business process compliance, delivering guarantees regarding virtually all accounting aspects of services, including risk management, financial checks & governance processes.
- It is the most important & fundamental concept for an internal auditor.
- It is designed to provide reasonable assurance regarding the achievement of objectives in:
  - Financial reporting reliability
  - Operating efficiency and effectiveness
  - Compliance with applicable laws and standards

INTERNAL CONTROL: EXAMPLE (SOX)
Implementing a compliance regulation act, e.g., SOX section 404, which mandates that well-defined & documented processes & controls be in place for all aspects of company operations that affect financial information & reports, requires:
- controlling and auditing who accesses financial information,
- controlling and auditing what financial information is accessed, and
- ensuring financial information is not compromised during transmission.
A strategy for automating the integration of diverse business processes & their accompanying internal control systems throughout the enterprise is therefore needed.
SOX Financial Reporting puts into place requirements and penalties to ensure that companies' financial statements accurately represent their business position.

CONTROL ACTIVITIES
- The policies and procedures that ensure that management directives are carried out. Control activities occur throughout the organization, at all levels and in all functions.
- They ensure that the necessary actions are taken to address risks during the achievement of company objectives.
- They include a range of diverse activities such as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.
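One way three of the control activities just listed (authorizations, approvals and segregation of duties) can be enforced over a BPM/SOA engine's process event log, given as an added Python example that is not part of the original talk. The event fields, the activity names, the roles, the rule tables and the sample log are all assumptions constructed for the example; a real engine would supply its own log format and the rules would come from the process model and the control documentation.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    """One step of a process instance as recorded by the BPM engine (field names are assumptions)."""
    timestamp: int   # ordering key; a real log would carry a datetime
    instance: str    # process instance id, e.g. an invoice number
    activity: str    # activity name from the process model
    user: str        # the person (or service identity) that performed the step
    role: str        # the role the user acted under


@dataclass(frozen=True)
class Violation:
    instance: str
    rule: str
    detail: str


# Control rules expressed as data, so they can be maintained and reused across processes
# (all three rule tables below are constructed for this example).
# Authorization: which roles may perform an activity.
AUTHORIZED_ROLES: Dict[str, Set[str]] = {
    "approve_invoice": {"manager"},
    "execute_payment": {"treasurer"},
}
# Approval: an activity that must have been preceded, in the same instance, by another one.
REQUIRED_PREDECESSOR: Dict[str, str] = {"execute_payment": "approve_invoice"}
# Segregation of duties: activity pairs that must not be performed by the same user in one instance.
SOD_PAIRS: List[Tuple[str, str]] = [("approve_invoice", "execute_payment")]


def check_compliance(events: List[Event]) -> List[Violation]:
    """Evaluate the three control rules over an event log and return every violation found."""
    violations: List[Violation] = []
    by_instance: Dict[str, List[Event]] = defaultdict(list)
    # Pass 1: per-event authorization check, in time order so later checks see events chronologically.
    for e in sorted(events, key=lambda ev: ev.timestamp):
        by_instance[e.instance].append(e)
        allowed = AUTHORIZED_ROLES.get(e.activity)
        if allowed is not None and e.role not in allowed:
            violations.append(Violation(
                e.instance, "unauthorized_role",
                f"{e.user} performed {e.activity} as {e.role}; allowed roles: {sorted(allowed)}"))
    # Pass 2: per-instance approval ordering and segregation of duties.
    for instance, evs in by_instance.items():
        performers: Dict[str, Set[str]] = defaultdict(set)
        seen: List[str] = []
        for e in evs:
            required = REQUIRED_PREDECESSOR.get(e.activity)
            if required is not None and required not in seen:
                violations.append(Violation(
                    instance, "missing_approval", f"{e.activity} by {e.user} without prior {required}"))
            seen.append(e.activity)
            performers[e.activity].add(e.user)
        for first, second in SOD_PAIRS:
            for user in sorted(performers[first] & performers[second]):
                violations.append(Violation(
                    instance, "segregation_of_duties", f"{user} performed both {first} and {second}"))
    return violations


def compliant_instances(events: List[Event]) -> Set[str]:
    """Instances with no violation at all (the 'clean' figure a compliance dashboard would show)."""
    flagged = {v.instance for v in check_compliance(events)}
    return {e.instance for e in events} - flagged


# Constructed sample log: four invoice-payment instances, one compliant and three with a control failure.
SAMPLE_LOG: List[Event] = [
    Event(1, "INV-1001", "approve_invoice", "alice", "manager"),
    Event(2, "INV-1001", "execute_payment", "bob", "treasurer"),
    Event(3, "INV-1002", "approve_invoice", "carol", "manager"),
    Event(4, "INV-1002", "execute_payment", "carol", "treasurer"),  # same person approves and pays
    Event(5, "INV-1003", "execute_payment", "dave", "treasurer"),   # paid without any approval step
    Event(6, "INV-1004", "approve_invoice", "erin", "manager"),
    Event(7, "INV-1004", "execute_payment", "frank", "clerk"),      # role not authorized to pay
]

if __name__ == "__main__":
    for v in check_compliance(SAMPLE_LOG):
        print(f"{v.instance}: {v.rule}: {v.detail}")
    print("compliant:", sorted(compliant_instances(SAMPLE_LOG)))
```

The rules are kept as plain data rather than hand-coded branches because that is exactly what the "hard to maintain, hard to evolve, hard to reuse" complaint earlier in the talk is about: a new control becomes a new table entry, and the same checker can be run continuously against the engine's repository rather than once a year against a sample.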


COMPLIANCE METHODOLOGIES
There are good methodologies & guidelines that already exist to help audit processes:
- COSO framework for establishing internal controls over financial reporting.
- COBIT (Control Objectives for Information and Related Technology) provides security & control practices & a reference framework for management, users, and IS audit, control & security practitioners.
- Maturity Models determine the current status of the organization’s processes and how they should evolve. They provide both the goals to strive for and the means of measuring attainment of those goals.

THE COSO FRAMEWORK
COSO is a standard ICT framework providing guidance on organizational governance, business ethics, internal control, enterprise risk management, fraud, & financial reporting. It is the leading framework for applying SOX.
The five COSO components:
- Control Environment
  - Sets the tone of the organization, influencing the control consciousness of its people
  - Factors include integrity, ethical values, competence, authority, responsibility, organization structure, HR policies and the IT control environment
  - Foundation for all other components of control
- Risk Assessment
  - The identification and analysis of relevant risks to achieving the entity’s objectives; forms the basis for determining control activities
- Control Activities
  - Policies/procedures that ensure management directives are carried out
  - Range of activities including approvals, authorizations, verifications, reconciliations, performance reviews, asset security and segregation of duties
- Information & Communication
  - Pertinent information identified, captured and communicated in a timely manner
  - Access to internally and externally generated information
  - Flow of information that allows for successful control actions, from instructions on responsibilities to summary of findings for management action
- Monitoring
  - Assessment of a control system’s performance over time
  - Combination of ongoing and separate evaluation
  - Management and supervisory activities
  - Internal audit activities
COSO is a standard produced by the Committee of Sponsoring Organizations of the Treadway Commission. It has been promoted by the Sarbanes-Oxley oversight committee as the preferred ICT control framework. Concretely, the framework defines internal control as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives. To this end it identifies control environment, risk assessment, control activities, information and communication, and monitoring as key components. Control activities are of relevance here as they constitute the policies and procedures that help ensure that all necessary actions are taken to address risks. Although COSO does not define how to model such activities, it does identify several of them, including authorizations, data verifications, reviews of operating performance, security of assets and segregation of duties.


LOOKING AT MATURITY MODELS
Lean Six Sigma for services is a business process improvement methodology that improves process quality & consistency and enables the reduction of the cost of complexity. DMAIC is its process improvement approach:
1. DEFINE (identify core processes & sub-processes)
2. MEASURE (determine KPIs for processes)
3. ANALYZE (find KPI process gaps)
4. IMPROVE (improve processes)
5. CONTROL (integrate activities)
Diagram labels (change-management stages shown alongside the DMAIC steps): Create Possibility for Change; Engage & Enable the entire Organization; Create ROI; Sustain the Change; Make it Stick (Implement & Sustain Process Transformation).


COMPLIANCE & BPM-DRIVEN SOAS
Diagram labels (BPM lifecycle): Business Use Cases (business-domain overview, business process interaction patterns, requirements); Process Modeling, Simulation and Documentation (Process Analyst); Process Model; Process Development and Systems Integration (Business Analysts); BPM-middleware; Process and Monitoring Repository; Process Workspace (Process Participants); interactive, real-time dashboards and proactive alerts & monitoring screen (Business Management); Process Management & Business Activity Monitoring; Historical & Trend Analysis Tools; Enterprise Information Systems (CRM, SCM, ERP).
As with every IT project, the Systems Analysts interview the Business Owners to understand the use cases, requirements, etc. A business process model is used to gain understanding and agreement not just between the Business Owners and Systems Analysts, but even between individuals in the Business Owners group (we would all be surprised how often there is real disagreement about how our processes actually work). That process model (along with the documentation you embed directly within it) becomes the contract between the Business and IT.
Once the Systems Analysts complete the model and future Test Cases, they share the model with the Development Team, who will complete the detailed work of connecting the model to the systems and human interfaces required to complete the Process Application. As the diagram indicates, this is very often an iterative process that serves to further solidify that contract between the Business and IT. Once the Developers are finished, the completed Process Application is deployed in the BPM system for execution.
The BPM system manages the interaction of humans and systems in the process and stores every event in its state repository. Since this repository contains process AND business data, it provides management interfaces and dashboards to the Business Owners. These are real-time displays showing status at any level of the process. For example, one executive may be viewing a Balanced Scorecard while a business operations expert may have a dashboard depicting adherence to Service Level Agreements. This data provides the final link in the lifecycle chain that allows the business to further refine and improve the process. As you can see, this is an iterative lifecycle that fosters and enables Continuous Process Improvement.


SOME INTERESTING RESEARCH TOPICS
- Continuous Auditing
- Business-process driven SOAs
- Dealing with the Effects of Business Process Changes
- High-level Languages for expressing Compliance-based Requests
- Compliance-aware service composition and reuse patterns
- Compliance-aware behaviour specification and checking (reliability & fault tolerance)
- Compliance-aware service monitoring