Towards Policy-Powered Semantic Enterprise Compliance

Towards Policy-Powered Semantic Enterprise Compliance Management - Discussion Paper

Marwane El Kharbili (1), Sebastian Stein (1), Ivan Markovic (2), Elke Pulvermüller (3)

(1) IDS Scheer AG, ARIS Research, Altenkesseler Str. 17, 66115 Saarbrücken, Germany, {marwane.elkharbili, Sebastian.stein}@ids-scheer.com
(2) SAP Research Center CEC Karlsruhe, SAP AG, Vincenz-Prießnitz Str. 1, 76131 Karlsruhe, Germany, [email protected]
(3) Institute of Computer Science, University of Osnabrück, Albrechtstr. 28, 49076 Osnabrück, Germany, [email protected]

Abstract. An essential but difficult task to achieve in distributed enterprise systems is the management and enforcement of regulations and policies. We explore and discuss ideas for the implementation of enterprise-wide compliance management. We propose an approach that builds on policies to realize compliance checking on semantic descriptions of enterprise models. This paper is meant to initiate a discussion about the pros and cons of our approach.

Keywords: Ontologies, Enterprise Model, Business Processes, Compliance Management, Policies.

1 Introduction

In past years, there was an intensive public discussion about financial scandals happening at major companies and corporations (1). Compliance management is a broad term covering all activities and methods to ensure that a company follows all guidance and implements all measures required by an external or internal regulation. The process of ensuring regulatory compliance is highly manual and error-prone, because it relies on audits carried out by accredited auditing firms [2]. This process is also costly, incomplete, and leaves room for inaccuracy in compliance audits [2]. Ensuring a common understanding of regulations and being able to automate the enforcement of regulatory compliance are the challenges ahead of compliance management. Current industrial approaches to compliance management rely on identifying a set of measures for ensuring compliance, such as the widely known Segregation of Duty (SoD). These measures are then hard-coded into the systems on which the checks have to be run, which makes compliance measures harder to manage and maintain. This is why formal modeling of compliance measures constitutes a promising approach to compliance management. In this paper, we explain the idea of semantic policy-based enterprise compliance checking. We first motivate the need for compliance management at the level of enterprise models and show the use of semantics for this with respect to current research. We then use an example of an SoD policy to illustrate the use of policies for formal regulatory compliance management. Finally, we illustrate our ideas by proposing a policy-based compliance ontology framework.

(1) Such as Enron, WorldCom, Roche, Siemens, and Volkswagen.

2 Enterprise Regulatory Compliance & Policies

Regulations are usually described in a natural language document (as is the case for laws). These texts can hardly be understood by non-experts of the field covered by the regulation. In order to implement regulations, measures are defined, either in the form of policies or of controls. Moreover, regulations can be structured and documented in compliance frameworks. The COSO (2) (SOX [1] compliance) and COBIT (3) (IT governance) frameworks are examples of this. In academia, there have been efforts to come up with compliance support [3, 4, 5, 6], mainly considering only business processes as the scope of compliance management problems. However, compliance covers many aspects of a business and ranges from financial laws to quality standards [2]. In [3] a similar observation is made. In [4] and [6], the authors rely on the definition of controls for implementing compliance. This approach requires the predefinition of risks and fits risk management approaches better. A holistic framework for compliance management has to support a variety of compliance targets, which is why compliance management should be given the scope of the whole enterprise.

Enterprise models seek to model all elements of an organization. Companies create enterprise models to represent their structure and dynamics. Guidelines to structure such a model exist, like Zachman [7], TOGAF (4) or ARIS [8]. Business processes are one of many elements of an enterprise model, and a critical one, since they carry the value-adding activities and access all other elements of the enterprise model. Ontologies do not only bring the power of formal descriptions of models, they make automated inference on enterprise models possible. Their use allows "Achieving interoperability between multiple representations of reality [...] between such representations and reality" [9]. Besides, comprehensive models of the enterprise exist already, such as the results of the TOVE project [19]. However, such works do not rely on formal semantics, which would enable service agents (e.g. as part of a semantic web services framework) to infer on and intelligently interact with instances of enterprise models. The latter would be an accelerator for the automation of BPM [20]. There are various research efforts made to formalize the underlying meta-models of enterprise models using ontologies [11, 12]. Such frameworks provide a unified view on business entities and their relationships (e.g. organizational and resource ontologies) that can be queried and built upon for semantic modeling of enterprise compliance. Enterprise models contain for example business process models and internal enterprise policies. Because of the high relevance of business processes for companies, research on business process management (BPM) has been active in finding ways of enriching business processes semantically [13, 14]. A set of languages and frameworks have been designed for this purpose, mostly coming from the semantic web services community [10, 14].

Regulatory compliance restricts and guides the states of, and the interactions between, entities involved in business processes. Using rules for this purpose is a proven technique, for example in database research. In [21] the authors explain how to extend a compliance management framework with domain ontologies in OWL and model compliance using SWRL rules. However, this approach tackles compliance in the semantic web and focuses neither on enterprise models nor on distributed enforcement (necessary e.g. for open process choreographies). Modeling regulations by using policies provides a formal tool for the declarative implementation of compliance management. Hence, maintaining compliance becomes an easier task, since compliance measures are decoupled from the enterprise models and business processes they act on. While allowing consistent modeling, verification and enforcement of compliance measures, policy modeling allows for automated compliance management and auditing. It also makes it possible to split compliance management into policy management on the one hand and policy implementation and enforcement on the other. According to [16], semantic policies can reduce human error, simplify policy analysis, reduce policy conflicts, and facilitate interoperability.

In the next section we give an example motivating our approach using policies.

(2) See: Committee of Sponsoring Organizations of the Treadway Commission: www.coso.org.
(3) See: Control Objectives for Information and related Technology framework: www.isaca.org.
(4) See: The Open Group Architecture Framework (TOGAF), http://www.togaf.org/.

3 Business Scenario

[Fig. 1: UML-style diagram of the organizational policy example. Classes Employee, Role and OrganizationalEntity (Employee belongsTo OrganizationalEntity, Employee hasRole Role); a «Policy» "Separation of Duty" that appliesOn Role and of which the «Rule» SoD::Auditor/Accountant isPartOf; instances John : Employee, Accountant : Role and Auditor : Role, with hasRole links from John to both roles.]

Fig. 1. Organizational policy example: an employee entity cannot be both an accountant and an accounting auditor.

Our main concern is modeling regulatory policies. In order to explain our idea, we chose the example of Segregation of Duty (SoD, see Fig. 1). An SoD says that a certain individual (or Role) who is part of the organization cannot concurrently exercise a certain set of activities. Usually, each organization has its own SoD matrix. In the example, the regulation defines an SoD as a compliance measure. One of the rules implementing this particular SoD is shown next:

If: (OA.Role.equals("Auditor") && OA.Role.equals("Accountant"))
Then: Violation = True

In this example, the auditor has to examine who was assigned bookkeeping and financial audit in order to ensure that both roles are not shared by one person or organization. With a policy modeling framework at hand, the problem of conducting compliance checks on an enterprise model is reduced to the problem of modeling adequate policies implementing the desired regulation. Policy frameworks provide means of verifying the modeled compliance measures and allow reusing previously modeled compliance measures.

4 A Policy Framework for Compliance Management

Our approach is represented at a very high level in Fig. 2. A semantic policy is designed to allow the modeling of regulations (e.g. Basel II for the banking sector). Such policies are thus destined to be enforced on an enterprise ontology, which contains the resources, processes, and organizational entities upon which policies can be enacted. On this basis, we want to use the inference capabilities delivered by reasoners to run compliance checking. We can identify a number of requirements on a policy framework for this purpose. In addition to the functionality for modeling formal policies (i.e. a language and a modeling environment), policies must be checked for correctness (i.e. syntactical as well as functional tests must be available). The framework must also support policy enforcement and offer analysis functionalities. Since policies are destined to evolve with the business processes and enterprise models they have been modeled for, change management aspects have to be considered.

In Fig. 2 the structure of a policy framework for compliance management is sketched. The elements shown are needed both at design time (compliance modeling) and at run time (compliance checking and enforcement). In [2], an architecture is given in which the ontology of Fig. 2 is used to implement a compliance management framework. A top layer is used for the modeling of high-level policies and the management of the policies themselves. Such a layer allows expressing assertions on policy types, deontic statements, speech acts, meta-policies and management mechanisms such as delegation and domains of jurisdiction. Concrete implementations of policies (so-called production rules) can be generated from the upper layers and depend on the context of use. This is an advantage compared to the direct modeling of compliance measures as SWRL rules in [21].

Fig. 2. A policy framework for compliance management

Work on policies has delivered several policy frameworks that could serve our purposes, and we have retained the following three for evaluation: Ponder [18], KAoS [17] and Rei [16]. In [15], an extensive comparison of these frameworks is made. In our evaluation, the Rei framework presents many advantages, such as being defined semantically and providing a policy engine. We selected Rei for the Upper Level Policy Ontology (ULPO). Building upon the top layer, domain-specific ontologies are designed to allow modeling regulations belonging to one particular domain. Each domain has specific types of constraints and standards or regulations that cover this domain. For example, ISO 27001 describes a standard for information security management systems. Separating policies by domain is a necessary trade-off between complexity and scope of the policy. The ULPO provides means for integrating policies belonging to different domains. In the lowest part of Fig. 2, we have a layer for modeling rules. Rules are one intuitive way of implementing policies and contain the logic expressed by formal policies. Rules are also destined to be interpreted and executed by target systems. Providing the possibility to transform policies into rules expressed in target languages would add more flexibility and reach to our approach.
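The SoD rule of Section 3 and the policy/rule layering of Section 4, worked through as an added example; this is not code from the paper, nor from the Rei, KAoS or Ponder frameworks. The enterprise model is a constructed set of triples using the relations of Fig. 1 (hasRole, belongsTo); the subRoleOf role hierarchy, the SoDPolicy data class and the compile_policy step that turns a declarative policy into an executable rule are this example's own assumptions. It shows why the paper leans on reasoners: a rule that only looks at directly assigned roles reports John (the Fig. 1 case) but misses Mary, whose conflict exists only once the role hierarchy has been inferred.

```python
"""Added example: SoD compliance check over a triple-based enterprise model.

Not from the paper.  Assumptions: roles may form a subRoleOf hierarchy, and a
declarative SoDPolicy (domain layer) is compiled into a production rule
(rules layer) that is evaluated against the model.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Iterable

Triple = tuple[str, str, str]                 # (subject, predicate, object)
Violation = tuple[str, str, frozenset[str]]   # (policy, subject, conflicting roles held)

# Constructed enterprise model (Fig. 1 relations plus an assumed role hierarchy).
MODEL: frozenset[Triple] = frozenset({
    ("John", "belongsTo", "Finance"),
    ("John", "hasRole", "Accountant"),
    ("John", "hasRole", "Auditor"),            # direct conflict, as in Fig. 1
    ("Mary", "belongsTo", "Finance"),
    ("Mary", "hasRole", "SeniorAccountant"),
    ("Mary", "hasRole", "Auditor"),            # conflict only via the hierarchy
    ("SeniorAccountant", "subRoleOf", "Accountant"),
    ("Ann", "belongsTo", "Finance"),
    ("Ann", "hasRole", "Accountant"),
})


@dataclass(frozen=True)
class SoDPolicy:
    """Declarative SoD: no single subject may hold two or more of these roles."""
    name: str
    conflicting_roles: frozenset[str]


SOD_AUDIT = SoDPolicy("SoD::Auditor/Accountant", frozenset({"Auditor", "Accountant"}))


def objects_of(model: Iterable[Triple], subject: str, predicate: str) -> set[str]:
    """All o such that (subject, predicate, o) is in the model."""
    return {o for s, p, o in model if s == subject and p == predicate}


def effective_roles(model: Iterable[Triple], subject: str, infer: bool = True) -> set[str]:
    """Directly assigned roles; with infer=True also every role reachable via subRoleOf."""
    model = list(model)
    roles = objects_of(model, subject, "hasRole")
    if not infer:
        return roles
    frontier = list(roles)
    while frontier:                            # transitive closure of subRoleOf
        role = frontier.pop()
        for parent in objects_of(model, role, "subRoleOf") - roles:
            roles.add(parent)
            frontier.append(parent)
    return roles


def compile_policy(policy: SoDPolicy, infer: bool = True) -> Callable[[Iterable[Triple]], list[Violation]]:
    """Rules layer: turn the declarative policy into a rule model -> violations."""
    def rule(model: Iterable[Triple]) -> list[Violation]:
        model = list(model)
        subjects = {s for s, p, _ in model if p == "hasRole"}
        violations: list[Violation] = []
        for subject in sorted(subjects):
            held = effective_roles(model, subject, infer) & policy.conflicting_roles
            if len(held) >= 2:                 # Section 3's If/Then rule, for n roles
                violations.append((policy.name, subject, frozenset(held)))
        return violations
    return rule


def check_compliance(model: Iterable[Triple], policies: Iterable[SoDPolicy],
                     infer: bool = True) -> list[Violation]:
    """Run every compiled policy against the model and collect the violations."""
    model = list(model)
    found: list[Violation] = []
    for policy in policies:
        found.extend(compile_policy(policy, infer)(model))
    return found


if __name__ == "__main__":
    for name, subject, roles in check_compliance(MODEL, [SOD_AUDIT]):
        print(f"{name}: {subject} holds {sorted(roles)}")
    naive = check_compliance(MODEL, [SOD_AUDIT], infer=False)
    print("without inference:", [s for _, s, _ in naive])
```

The policy object carries no evaluation logic of its own; compile_policy is the only place that knows how to turn it into a check, which is the decoupling the paper argues for: the same SoDPolicy could be compiled into a SWRL rule or a SQL query for another target system without touching the policy or the enterprise model.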

5 Conclusions

In this work we have introduced the concept of policy-based compliance checking. Moving the complexity of regulations out of business processes and enterprise models into policies allows for flexibility, reduces the complexity of these models, and enables automation of the activities related to compliance management. We have proposed an approach and sketched a policy framework for it. It is our aim to achieve automation of the compliance auditing process. We are currently investigating automated generation of rules from policies, which allows productive enforcement of compliance policies on a variety of platforms. Finally, we will pursue the integration of these elements into an industrial BPM framework, and show their usage in concrete regulatory compliance use cases.

Acknowledgements. Our research on semantic compliance management and BPM is supported by the EU commission within the SUPER project: http://www.ip-super.org.

References

1. Congress of the United States (2002). Public Company Accounting Reform and Investor Protection Act (Sarbanes-Oxley Act). Pub. L. No. 107-204, 116 Stat. 745.

2. El Kharbili, M., Stein, S., Markovic, I., Pulvermüller, E.: Towards a Framework for Semantic Business Process Compliance Management. In: Proceedings of the Workshop on Governance, Risk, and Compliance on Information Systems (GRCIS), Montpellier, 2008.
3. Karagiannis, D.: A Business Process Based Modeling Extension for Regulatory Compliance. In: Multikonferenz Wirtschaftsinformatik 2008, Munich, 2008.
4. Namiri, K., Stojanovic, N.: A Formal Approach for Internal Controls Compliance in Business Processes. In: 8th Workshop on Business Process Modeling, Development, and Support (BPMDS07), Trondheim, Norway, 2007.
5. Schmidt, R., Bartsch, C., Oberhauser, R.: Ontology-based Representation of Compliance Requirements for Service Processes. In: Proceedings of the Workshop on Semantic Business Process and Product Lifecycle Management (SBPM 2007), 2007.
6. Sadiq, S., Governatori, G., Namiri, K.: Modeling Control Objectives for Business Process Compliance. In: Proceedings of the 5th International Conference on Business Process Management (BPM 2007), Brisbane, Springer, 2007, pp. 149-164.
7. Zachman, J.A.: A Framework for Information Systems Architecture. IBM Systems Journal, Vol. 26, No. 3, pp. 276-292, 1987.
8. Scheer, A.W.: ARIS - Business Process Frameworks. Third edition, Springer, Berlin, 1999.
9. Hepp, M.: Ontologies: State of the Art, Business Potential, and Grand Challenges. In: Ontology Management: Semantic Web, Semantic Web Services, and Business Applications, pp. 3-22, Springer, 2007.
10. SUPER project deliverable D1.1: http://www.ip-super.org/res/Deliverables/M12/D1.1.pdf.
11. Hepp, M. et al.: Semantic Business Process Management: A Vision Towards Using Semantic Web Services for Business Process Management. In: IEEE International Conference on e-Business Engineering (ICEBE 2005), pp. 535-540, Beijing, China, 2005.
12. Uschold, M., King, M., Moralee, S., Zorgios, Y.: The Enterprise Ontology. The Knowledge Engineering Review, Vol. 13, 1998.
13. Hepp, M., Roman, D.: An Ontology Framework for Semantic Business Process Management. In: 8th International Conference on Wirtschaftsinformatik 2007, pp. 423-440, Karlsruhe, 2007.
14. Markovic, I., Pereira, A.C., Stojanovic, N.: A Framework for Querying in Business Process Modelling. In: Multikonferenz Wirtschaftsinformatik 2008, Munich, 2008.
15. Tonti, G., Bradshaw, J.M., Jeffers, R., Montanari, R., Suri, N., Uszok, A.: Semantic Web Languages for Policy Representation and Reasoning: A Comparison of KAoS, Rei and Ponder. In: The Semantic Web - ISWC 2003, 2003.
16. Kagal, L.: A Policy-Based Approach to Governing Autonomous Behavior in Distributed Environments. PhD Thesis, Faculty of the Graduate School of the University of Maryland, 2004.
17. Bradshaw, J.M., Dutfield, S., Benoit, P., Woolley, J.D.: KAoS: Toward an Industrial-Strength Open Agent Architecture. In: Bradshaw, J.M. (ed.) Software Agents, AAAI Press/MIT Press, pp. 375-418, 1997.
18. Damianou, N., Dulay, N., Lupu, E., Sloman, M.: The Ponder Policy Specification Language. In: Sloman, M. (ed.) Proceedings of the Policy Workshop 2001, Bristol, UK, January 2001.
19. Fox, M.S.: The TOVE Project: A Common-sense Model of the Enterprise. In: Belli, F. et al. (eds.) Industrial and Engineering Applications of Artificial Intelligence and Expert Systems, Lecture Notes in Artificial Intelligence 604, Springer, pp. 25-34, 1992.
20. Hepp, M., Roman, D.: An Ontology Framework for Semantic Business Process Management. In: Proceedings of Wirtschaftsinformatik 2007, Karlsruhe, 2007.
21. Yip, F., Parameswaran, N., Ray, P.: Rules and Ontology in Compliance Management. In: Proceedings of the 11th IEEE International Enterprise Distributed Object Computing Conference (EDOC 2007), IEEE Computer Society, 2007.