10 research outputs found

    A Visual Language for Modeling Multiple Perspectives of Business Process Compliance Rules (Extended Abstract)

    A fundamental challenge for enterprises is to ensure compliance of their business processes with imposed compliance rules stemming from various sources, e.g., corporate guidelines, best practices, standards, and laws. In general, a compliance rule may refer to multiple process perspectives including control flow, time, data, resources, and interactions with business partners. On one hand, compliance rules should be comprehensible for domain experts who must define, verify and apply them. On the other, these rules should have a precise semantics to avoid ambiguities and enable their automated processing. Providing a visual language is advantageous in this context as it allows hiding formal details and offering an intuitive way of modeling the compliance rules. However, existing visual languages for compliance rule modeling have focused on the control flow perspective so far, but lack proper support for the other process perspectives. To remedy this drawback, we introduce the extended Compliance Rule Graph language, which enables the visual modeling of compliance rules with the support of multiple perspectives. Overall, this language will foster the modeling and verification of compliance rules in practice

    Context-Aware Querying and Injection of Process Fragments in Process-Aware Information Systems

    Cyber-physical systems (CPS) are often customized to meet customer needs and, hence, exhibit a large number of hard-/software configuration variants. Consequently, the processes deployed on a CPS need to be configured to the respective CPS variant. This includes both configuration at design time (i.e., before deploying the implemented processes on the CPS) and runtime configuration taking the current context of the CPS into account. Such runtime process configuration is by far not trivial, e.g., alternative process fragments may have to be selected at certain points during process execution of which one fragment is then dynamically applied to the process at hand. Contemporary approaches focus on the design time configuration of processes, while neglecting runtime configuration to cope with process variability. In this paper, a generic approach enabling context-aware process configuration at runtime is presented. With the Process Query Language process fragments can be flexibly selected from a process repository, and then be dynamically injected into running process instances depending on the respective contextual situations. The latter can be automatically derived from context factors, e.g., sensor data or configuration parameters of the given CPS. Altogether, the presented approach allows for a flexible configuration and late composition of process instances at runtime, as required in many application domains and scenarios

    Project Report: eCRG Evaluation

    This report presents the results of the project "eCRG Evaluation". The project comprises the design and execution of a study that evaluates the comprehensibility of the eCRG language. To this end, the precise research questions of the study were first defined, and a questionnaire-based experiment was selected as the most suitable evaluation method. The corresponding experiment and the associated questionnaires were designed and prepared. Finally, the experiment was conducted and its results were recorded for analysis. The report is structured as follows: Chapter 1 presents the goal of the project and of the study. Possible research questions and hypotheses are presented in Chapter 2. Chapter 3 then describes the planning and execution of the evaluation. Chapter 4 contains an analysis of the study, and Chapter 5 concludes the report with a summary and an outlook on future work.

    Multi-criteria decision analysis for non-conformance diagnosis: A priority-based strategy combining data and business rules

    Business process analytics and verification have become a major challenge for companies, especially when process data is stored across different systems. It is important to ensure Business Process Compliance in both data-flow perspectives and business rules that govern the organisation. In the verification of data-flow accuracy, the conformance of data to business rules is a key element, since it is essential to fulfil policies and statements that govern corporate behaviour. The inclusion of business rules in an existing and already deployed process, which therefore already counts on stored data, requires the checking of business rules against data to guarantee compliance. If an inconsistency is detected, then the source of the problem should be determined by discerning whether it is due to an erroneous rule or to erroneous data. To automate this, a diagnosis methodology following the incorporation of business rules is proposed, which simultaneously combines business rules and data produced during the execution of the company processes. Due to the high number of possible explanations of faults (data and/or business rules), the likelihood of faults has been included to propose an ordered list. In order to reduce these possibilities, we rely on the ranking calculated by means of an AHP (Analytic Hierarchy Process) and incorporate the experience described by users and/or experts. The methodology proposed is based on the Constraint Programming paradigm, which is evaluated using a real example. Ministerio de Ciencia y Tecnología RTI2018–094283-B-C3

    Data science to promote corporate governance of information technology

    ABSTRACT: Data Science theory and practice can be operationalized in different ways, but Data Mining is one of the techniques most used by institutions today because it allows them to discover and generate knowledge about the databases they have. Moreover, this data mining approach, integrated with expert knowledge, can promote machine learning, which in this work helps IT Governance to improve Accountability. For this purpose, a database was set up with almost six hundred companies with a consolidated maturity evaluation of four dozen technological processes, for a didactic analysis of the use of this technique and its approximation to the management context.

    Multicriteria analysis of the compliance for the improvement on information security

    ABSTRACT: Information security is a current issue of protection of information assets that considers significant variables of a strategic, organizational and IT governance nature, and that requires analyzing compliance with the international standards that regulate business actions. Accordingly, this work analyzes institutional compliance to improve information security by applying the Analytic Hierarchy Process methodology to the specific practices defined in ISO/IEC 27002:2013. Expert Choice was used as the Decision Support System, which generated as a result the ranking of priorities of the criteria and alternatives used in the decision process. It was later applied in a medium-sized Brazilian industrial company. The results identify that the main security practice is the one related to the independent critical analysis of information security.

    Enabling Multi-Perspective Business Process Compliance

    A particular challenge for any enterprise is to ensure that its business processes conform with compliance rules, i.e., semantic constraints on the multiple perspectives of the business processes. Compliance rules stem, for example, from legal regulations, corporate best practices, domain-specific guidelines, and industrial standards. In general, compliance rules are multi-perspective, i.e., they not only restrict the process behavior (i.e. control flow), but may refer to other process perspectives (e.g. time, data, and resources) and the interactions (i.e. message exchanges) of a business process with other processes as well. The aim of this thesis is to improve the specification and verification of multi-perspective process compliance based on three contributions: 1. The extended Compliance Rule Graph (eCRG) language, which enables the visual modeling of multi-perspective compliance rules. Besides control flow, the latter may refer to the time, data, resource, and interaction perspectives of a business process. 2. A framework for multi-perspective monitoring of the compliance of running processes with a given set of eCRG compliance rules. 3. Techniques for verifying business process compliance with respect to the interaction perspective. In particular, we consider compliance verification for cross-organizational business processes, for which solely incomplete process knowledge is available. All contributions were thoroughly evaluated through proof-of-concept prototypes, case studies, empirical studies, and systematic comparisons with related works

    Data mining to evaluate operational risk in technological processes

    ABSTRACT: An operational risk is a business risk, mainly in companies that operate in the financial sector. This type of risk can be dealt with using different regulatory frameworks: risk-specific ones, security ones, and technological process evaluation ones such as COBIT from the IT Governance Institute. Identifying and treating risk is not always easy, even with many studies. In this research, the Data Mining methodology is used with a Machine Learning technique based on decision trees to analyze the Risk Assessment and Management (PO9) process of the Planning and Organization domain of COBIT. The database is based on the maturity level reported by 548 companies in 34 different processes. The results found correspond to the hierarchy of relations represented in the decision tree and to the representation of other algorithms used in a previous transparency classifier of this same database.

    A Visual Language for Modeling Business Process Compliance Rules

    A fundamental challenge for enterprises is to ensure compliance of their business processes with imposed compliance rules stemming from various sources, e.g., corporate guidelines, best practices, standards, and laws. In general, a compliance rule may refer to multiple process perspectives including control flow, time, data, resources, and interactions with business partners. On one hand, compliance rules should be comprehensible for domain experts who must define, verify and apply them. On the other, these rules should have a precise semantics to avoid ambiguities and enable their automated processing. Providing a visual language is advantageous in this context as it allows hiding formal details and offering an intuitive way of modeling the compliance rules. However, existing visual languages for compliance rule modeling have focused on the control flow perspective so far, but lack proper support for the other process perspectives. To remedy this drawback, this paper introduces the extended Compliance Rule Graph language, which enables the visual modeling of compliance rules with the support of multiple perspectives. Overall, this language will foster the modeling and verification of compliance rules in practice