An Integrated Solution for Runtime Compliance Governance in SOA

  • Aliaksandr Birukou
  • Vincenzo D’Andrea
  • Frank Leymann
  • Jacek Serafinski
  • Patricia Silveira
  • Steve Strauch
  • Marek Tluczek
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6470)


In response to recent financial scandals (e.g. those involving Enron, Fortis, Parmalat), new regulations for protecting the society from financial and operational risks of the companies have been introduced. Therefore, companies are required to assure compliance of their operations with those new regulations as well as those already in place. Regulations are only one example of compliance sources modern organizations deal with every day. Other sources of compliance include licenses of business partners and other contracts, internal policies, and international standards. The diversity of compliance sources introduces the problem of compliance governance in an organization. In this paper, we propose an integrated solution for runtime compliance governance in Service-Oriented Architectures (SOAs). We show how the proposed solution supports the whole cycle of compliance management: from modeling compliance requirements in domain-specific languages through monitoring them during process execution to displaying information about the current state of compliance in dashboards. We focus on the runtime part of the proposed solution and describe it in detail. We apply the developed framework in a real case study coming from EU FP7 project COMPAS, and this case study is used through the paper to illustrate our solution.


compliance governance business process monitoring SOA complex event processing 


  1. 1.
    COMPAS Deliv. D1.2: Core Meta-models, Templates, and Languages (2009)Google Scholar
  2. 2.
    COMPAS Deliv. D1.3: MDSD Software Framework for Business Compliance (2009)Google Scholar
  3. 3.
    COMPAS Deliverable D5.3: Final Goal-oriented Data Model (2009)Google Scholar
  4. 4.
    COMPAS Deliverable D5.4: Reasoning Mechanisms to Support the Identification and the Analysis of Problems Associated with User Requests (2009)Google Scholar
  5. 5.
    Awad, A., Weidlich, M., Weske, M.: Consistency checking of compliance rules. In: Business Information Systems. ch.10, vol. 47, Springer, Heidelberg (2010)CrossRefGoogle Scholar
  6. 6.
    Giblin, C., et al.: From regulatory policies to event monitoring rules: Towards model-driven compliance automation. Technical report, IBM Zurich (2006)Google Scholar
  7. 7.
    Rodríguez, C., et al.: Analyzing compliance of service-based business processes for root-cause analysis and prediction. In: Proceedings of ESW 2010, Springer, Heidelberg (2010)Google Scholar
  8. 8.
    Schumm, D., et al.: Integrating Compliance into Business Processes: Process Fragments as Reusable Compliance Controls. In: Proc. of the Multikonferenz Wirtschaftsinformatik (MKWI 2010), Universitätsverlag, Göttingen (2010)Google Scholar
  9. 9.
    Daniel, F., et al.: Business compliance governance in service-oriented architectures. In: Proceedings of the IEEE Twenty-Third International Conference on Advanced Information Networking and Applications (AINA 2009), Bradford, UK ( May 2009)Google Scholar
  10. 10.
    Governatori, G., et al.: Detecting regulatory compliance for business process models through semantic annotations. In: Ardagna, D., Mecella, M., Yang, J. (eds.) Business Process Management Workshops. ch. 2, vol. 17, Springer, Heidelberg (2009)CrossRefGoogle Scholar
  11. 11.
    Tran, H., et al.: Modeling Process-Driven SOAs - a View-Based Approach. In: Cardoso, J., van der Aalst, W. (eds.) Information Science Reference (2009)Google Scholar
  12. 12.
    Henry, T.: Product for managing governance, risk, and compliance: Market fluff or relevant stuff? Report of Burton Group (March 2008)Google Scholar
  13. 13.
    Kuester, J., Ryndina, K., Gall, H.: Generation of business process models for object life cycle compliance. In: Alonso, G., Dadam, P., Rosemann, M. (eds.) BPM 2007. LNCS, vol. 4714, pp. 165–181. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  14. 14.
    Ly, L.T., et al.: Integration and verification of semantic constraints in adaptive process management systems. Data Knowl. Eng. 64(1), 3–23 (2008)CrossRefGoogle Scholar
  15. 15.
    El Kharbili, M., et al.: Policy-based semantic compliance checking for business process management. In: Proceedings of the Workshops co-located with the MobIS2008 Conference, aarbrücken, Germany. CEUR Workshop Proceedings, vol. 420, pp. 178–192 (November 2008), CEUR-WS.orgGoogle Scholar
  16. 16.
    El Kharbili, M., et al.: Towards a framework for semantic business process compliance management (2008)Google Scholar
  17. 17.
    Michelson, B.M.: Event-driven architecture overview. Report of Patricia Seybold Group (2006)Google Scholar
  18. 18.
    Namiri, K., Stojanovic, N.: Pattern-based design and validation of business process compliance. In: Meersman, R., Tari, Z. (eds.) OTM 2007, Part I. LNCS, vol. 4803, pp. 59–76. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  19. 19.
    Object Management Group (OMG). Business Process Model And Notation (BPMN). Version 1.2, OMG Specification (January 2009)Google Scholar
  20. 20.
    Silveira, P., et al.: On the design of compliance governance dashboards for effective compliance and audit management. In: Proc. of the 3rd Workshop on Non-Functional Properties and SLA Management in SOC, NFPSLAM-SOC 2009 (2009)Google Scholar
  21. 21.
    Iannella, R.: Open Digital Rights Language (ODRL). Version 1.1, (Septmeber 2002)Google Scholar
  22. 22.
    Robinson, W.: A requirements monitoring framework for enterprise systems. Requirements Engineering 11(1), 17–41 (2006)CrossRefGoogle Scholar
  23. 23.
    Sadiq, S.W., Governatori, G., Namiri, K.: Modeling control objectives for business process compliance. In: Alonso, G., Dadam, P., Rosemann, M. (eds.) BPM 2007. LNCS, vol. 4714, pp. 149–164. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  24. 24.
    Sriraman, B., Radhakrishnan, R.: Event driven architecture augmenting service oriented architectures. Report of Unisys and Sun Microsystems (2005)Google Scholar
  25. 25.
    Holmes, T., et al.: Monitoring and analyzing service-based internet systems through a model-aware service environment. In: Pernici, B. (ed.) Advanced Information Systems Engineering. LNCS, vol. 6051, pp. 98–112. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  26. 26.
    Phan, T., et al.: A survey of policy-based management approaches for service oriented systems. In: Proceedings of the 19th Australian Conference on Software Engineering (ASWEC 2008), Washington, DC, USA, pp. 392–401 (2008)Google Scholar
  27. 27.
    Wolter, C., Schaad, A.: Modeling of task-based authorization constraints in BPMN. In: Alonso, G., Dadam, P., Rosemann, M. (eds.) BPM 2007. LNCS, vol. 4714, pp. 64–79. Springer, Heidelberg (2007)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Aliaksandr Birukou
    • 1
  • Vincenzo D’Andrea
    • 1
  • Frank Leymann
    • 3
  • Jacek Serafinski
    • 2
  • Patricia Silveira
    • 1
  • Steve Strauch
    • 3
  • Marek Tluczek
    • 2
  1. 1.DISIUniversity of TrentoItaly
  2. 2.Telcordia PolandPoznan
  3. 3.IAASUniversity of StuttgartGermany

Personalised recommendations