ExPDT: A policy-based approach for automating compliance;ExPDT: Ein Policy-basierter Ansatz zur Automatisierung von Compliance

Wirtschaftsinformatik

Volumn 50, Issue 5, 2008, Pages 366-374

  Sackmann, Stefan ^a   Kähmer, Martin ^a  

^a UNIVERSITY OF FREIBURG   (Germany)

Author keywords

Automating compliance; Flexible business process management; Policy language; Risk management

Indexed keywords

EID: 57849129576     PISSN: 09376429     EISSN: None     Source Type: Journal    
DOI: 10.1007/s11576-008-0078-1     Document Type: Article

References (39)

1. Accorsi, R. (2008): Automated Privacy Audits to Complement the Notion of Control for Identity Management. In: Proceedings of the IFIP Conference on Policies and Research in Identity Management, Springer, Berlin, pp. 39-48.
2. Agrawal, R.; Johnson, C.; Kiernan, J.; Leymann, F. (2006): Taming Compliance with Sarbanes-Oxley Internal Controls Using Database Technology. In: Proceedings of the 22nd International Confeence on Data Engineering (ICDE'06). IEEE Computer Society, Washington, DC.
3. Ashley, P.; Hada, S.; Karjoth, G.; Powers, C. et al. (2003): Enterprise Privacy Authorization Language (EPAL 1.2). Submission to W3C.
4. Bace, J.; Rozwell, C. (2006): Understanding the Components of Compliance. Gartner, Report G00137902.
5. Backes, M.; Karjoth, G.; Bagga, W.; Schunter, M. (2004); Efficient comparison of enterprise privacy policies. In: Proceedings of ACM Symposium on Applied Computing (SAC'04), Nicosia, pp. 375-382.
6. Bajaj, S.; Box, D. et al. (2006): Web Services Policy 1.2 - Framework (WS-Policy). http://www.w3. org/Submission/WS-Policy/, last access 2008-06-27.
7. Botan, I.; Kossmann, D. et al. (2007): Extending XQuery with Window Functions. In: Proceedings of the 33rd International Conference on Very Large Data Bases, VLDB Endowment, Vienna, pp. 75-86.
8. Breaux, T. D.; Anton, A. I.; Karat, C.-M.; Karat, J. (2005): Enforceability vs. Accountability In Electronic Policies. Report TR-2005-47, North Carolina State University Computer Science.
9. Cannon, J. C.; Byers, M. (2006): Compliance deconstructed, In: CACM Queue 4 (7), pp. 30-37.
10. Cranor, L. F.; Dobbs, B. et al. (2006): The Platform for Privacy Preferences 1.1 (P3P1.1). W3C specification. http://www.w3.org/TR/P3P11/, last access 2008-06-27.
11. Cranor, L. F.; Langheinrich, /V).; Marchiori, M. (2005): A P3P Preference Exchange Language 1.0 (APPEL). W3C Working Draft.
12. Delbaere, M.; Ferreira, R. (2007): Addressing the data aspects of compliance with industry models. In: IBM Systems Journal 46 (2), pp. 319-334.
13. Gallier, J. H. (1988); Logic for Computer Science. John Wiley and Sons, New York.
14. Giblin, C.; Muller, S.; Pfitzmann, B. (2006): From regulatory policies to event monitoring rules: Towards model driven compliance automation. IBM Research Zurich, Report RZ 3662.
15. Goedertier, S.; Vanthienen, J. (2006): Designing Compliant Business Processes with Obligations and Permissions. In: Proceedings of International Conference on Business Process Management (BPM06) Workshops. LNCS 4103, Springer, Berlin, pp. 5-14.
16. Hilty, M.; Basin, D.; PretschnerA. (2005); On Obligations. In: Proceedings of 10th European Symposium on Research in Computer Security (ESORICS 2005). LNCS 3679, Springer, Berlin, pp. 98-117.
17. Iliev, A.; Smith, S. (2005): Protecting Client Privacy with Trusted Computing at the Server. Proceedings of IEEE Security & Privacy 3 (2), pp. 20-28.
18. ITGI (2007): COBIT 4.1, Framework, Control Objectives, Management Guidelines, Maturity Mo dels. http://www.lsaca.org/AMTemplate.cfm?S ection=Downloads&Template=/MembersOnly.cfm&ContentFileID=14002, last access 2007-12-01 (free registration required).
19. Johnson, C. M.; Grandison, T.W.A. (2007): Compliance with data protection laws using Hippocratic Database active enforcement and auditing. IBM Systems Journal 46 (2), pp. 255-264.
20. Kähmer, M. (2007): ExPDT Ontologies and Examples. http://www.telematik.uni-freiburg.de/ mitarbeiter/kaehmer/expdt/, last access 2008-06-27.
21. Kähmer, M. (2008): Extended Privacy Definition Tool - A Formalism for Specification and Comparison of Privacy Policies. PhD Thesis, University of Freiburg, to appear.
22. Kähmer, M.; Gilliot, M. (2008): Extended Privacy Definition Tool. In: Proceedings of the Multikonferenz Wirtschaftsinformatik (MKWI 2008), LNI, Springer, Berlin.
23. Karagiannis, D. (2008): A Business Process-Based Modelling Extension for Regulatory Compliance. In: Proceedings of the Multikonferenz Wirtschaftsinformatik (MKWI 2008), LNI, Springer, Berlin.
24. Klempt, P.; Schmidpeter, H.; Sowa, S.; Tsinas, L. (2007): Business Oriented Information Security Management - A Layered Approach. In; Proceedings of the 2nd International Symposium on Information Security (IS'07), Vilamoura, pp. 1835-1852.
25. Liebenau, J.; Kärrberg, P. (2006): International Perspectives on Information Security Practices. London School of Economics and Political Science, McAfee.
26. McGuinness, D. L.; van Harmelen, F. (2004): OWL Web Ontology Language - Overview, W3C recommendation. http://www.w3.org/TR/2004/ REC-owl-features-20040210/, last access 2008.06.27.
27. Moses, T. (2005): eXtensible Access Control Markup Language (XACML), version 2.0, Oasis Standard. http://xml.coverpages.org/xacml.html, last access 2008-06-27.
28. Muehlen, M. zur; Rosemann, M. (2005): Integrating Risks in Business Process Models. In: Proceedings of the 16th Australasian Conference on Information Systems (ACIS 2005), Sydney.
29. Müller, G.; Sackmann, S.; Prokein, O. (2008): IT Security: New Requirements, Regulations and Approaches. In: Frank-Schlottmann, F. et al. (Eds.): Handbook on Information Technology in Finance, Springer, Berlin, pp. 711-730.
30. Namiri, D.; Stojanovic, N. (2008): Towards a Formal Framework for Business Process Compliance. In: Proceedings of the Multikonferenz Wirtschaftsinformatik (MKWI 2008), LNI, Springer, Berlin.
31. OCG (2007): ITIL V3 - Service Life Cycle, Office of Governance Commerce, http://www.itll.org/ en/itilv3-servicelifecycle/index.php, last access 2008-06-27,
32. Raghupathl, W. R. P. (2007): Corporate governance of IT: a framework for development. In: Communications of the ACM 50 (8), pp. 94-99.
33. Raub, D. (2004): Algebraische Spezifikation von Privacy Policies. Master's thesis, Uni. Karlsruhe (in German).
34. Raub, D.; Steinwandt, R. (2006): An Algebra for Enterprise Privacy Policies Closed Under Composition and Conjunction. In: Proceedings of International Conference on Emerging Trends in Information and Communication Security (ET-RICS), LNCS 3995, Springer, Berlin, pp. 130-144.
35. Sackmann, S.; Kähmer, M.; Gilliot, M.; Lowis, L. (2008): A Classification Model for Automating Compliance. In: Proceedings of the IEEE Conference on E-Commerce Technology (CEC08), to appear.
36. Sackmann, S.; Strücker, J.; Accorsi, R. (2006): Personalization in Privacy-Aware Highly Dynamic Systems. In: Communications of the ACM 49 (9), pp. 32-38.
37. Sadiq, S. W.; Governatori, G.; Namiri, K. (2007): Modeling Control Objectives for Business Process Compliance. In: Proceedings of the 5th International Conference Business Process Management (BPM 2007). LNCS 4714, Springer, Berlin, pp. 149-164.
38. Schneider, F. B.; Morrisett, G.; Harper, R. (2001); A Language-Based Approach to Security. In: Informatics: 10 Years Back, 10 Years Ahead. LNCS 2000, Springer, Berlin, pp. 86-101.
39. Schneider, F. B. (2006): Computability classes for enforcement mechanisms. In: ACM Transactions on Programming Languages and Systems 28(1), pp. 175-205.