Satisfaction of Control Objectives by Control Processes

  • Daniela Marino
  • Fabio Massacci
  • Andrea Micheletti
  • Nataliya Rassadko
  • Stephan Neuhaus
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5900)


Showing that business processes comply with regulatory requirements is not easy. We investigate this compliance problem in the case that the requirements are expressed as a directed, acyclic graph, with high-level requirements (called control objectives) at the top and with low-level requirements (called control activities) at the bottom. These control activities are then implemented by control processes. We introduce two algorithms: the first identifies whether a given set of control activities is sufficient to satisfy the top-level control objectives; the second identifies those steps of control processes that contribute to the satisfaction of top-level control objectives. We illustrate these concepts and the algorithms by examples taken from a large healthcare provider.


Control Activity Business Process Objective Model Control Objective Business Process Model 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Bresciani, P., Giorgini, P., Giunchiglia, F., Mylopoulos, J., Perini, A.: TROPOS: An agent-oriented software development methodology. Autonomous Agents and Multi-Agent Systems 8(3), 203–236 (2004)CrossRefGoogle Scholar
  2. 2.
    Curbera, F., Doganata, Y., Martens, A., Mukhi, N.K., Slominski, A.: Business provenance — a technology to increase traceability of end-to-end operations. In: Meersman, R., Tari, Z. (eds.) OTM 2008, Part II. LNCS, vol. 5332, pp. 100–119. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  3. 3.
    DSRL. File f circular no. 5/san 30_1_2004 (2009),
  4. 4.
    DSRL. File f note 27.3.2008 h1.2008.0012810 (2009),
  5. 5.
    DSRL. File f note 30.11.2007 h1.2007.0050480 (2009),
  6. 6.
    Il Dirigente del Sanita Regione Lombardia. File f circular no. 45/san 23_12_2004 (2009),
  7. 7.
    Il Dirigente del Sanita Regione Lombardia (DSRL). File f note 04.12.2008 h1.2008.0044229 (2009),
  8. 8.
    Ghose, A., Koliadis, G.: Auditing business process compliance. In: Krämer, B.J., Lin, K.-J., Narasimhan, P. (eds.) ICSOC 2007. LNCS, vol. 4749, pp. 169–180. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  9. 9.
    Giblin, C., Liu, A.Y., Müller, S., Pfitzmann, B., Zhou, X.: Regulations expressed as logical models (realm). In: JURIX 2005, pp. 37–48. IOS Press, Amsterdam (2005)Google Scholar
  10. 10.
    Giblin, C., Müller, S., Pfitzmann, B.: From regulatory policies to event monitoring rules: Towards model-driven compliance automation. Technical Report RZ 3662, IBM Research (2006)Google Scholar
  11. 11.
    Goedertier, S., Vanthienen, J.: Designing compliant business processes with obligations and permissions. In: Eder, J., Dustdar, S. (eds.) BPM Workshops 2006. LNCS, vol. 4103, pp. 5–14. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  12. 12.
    Governatori, G., Hoffmann, J., Sadiq, S., Weber, I.: Detecting regulatory compliance for business process models through semantic annotations. In: 4th International Workshop on Business Process Design (2008)Google Scholar
  13. 13.
    Governatori, G., Milosevic, Z.: A formal analysis of a business contract language. International Journal of Cooperative Information Systems 15(4), 659–685 (2006)CrossRefGoogle Scholar
  14. 14.
    Governatori, G., Rotolo, A.: An algorithm for business process compliance. In: Francesconi, E., Sartor, G., Tiscornia, D. (eds.) JURIX. Frontiers in Artificial Intelligence and Applications, vol. 189, pp. 186–191. IOS Press, Amsterdam (2008)Google Scholar
  15. 15.
    ISACA. Cobit (2008),
  16. 16.
    ISO/IEC. ISO/IEC 27001:2005: Information security management systems (2005)Google Scholar
  17. 17.
    ISO/IEC. ISO/IEC 15408: Common criteria for information technology security evaluation (2009),
  18. 18.
    Kazhamiakin, R., Pistore, M., Roveri, M.: A framework for integrating business processes and business requirements. In: EDOC 2004, pp. 9–20. IEEE, Los Alamitos (2004)Google Scholar
  19. 19.
    Kharbili, M.E., de Medeiros, A.K.A., Stein, S., van der Aalst, W.M.P.: Business process compliance checking: Current state and future challenges. In: MobIS 2008. LNI, vol. 141, pp. 107–113 (2008)Google Scholar
  20. 20.
    Kharbili, M.E., Stein, S.: Policy-based semantic compliance checking for business process management. In: Loos, P., Nuttgens, M., Turowski, K., Werth, D. (eds.) MobIS Workshops. CEUR Workshop Proceedings, vol. 420, pp. 178–192. (2008)Google Scholar
  21. 21.
    Liu, Y., Müller, S., Xu, K.: A static compliance-checking framework for business process models. IBM Syst. J. 46(2), 335–361 (2007)CrossRefGoogle Scholar
  22. 22.
    Namiri, K., Stojanovic, N.: A model-driven approach for internal controls compliance in business processes. In: Hepp, M., Hinkelmann, K., Karagiannis, D., Klein, R., Stojanovic, N. (eds.) SBPM. CEUR Workshop Proceedings, vol. 251 (2007)Google Scholar
  23. 23.
    Namiri, K., Stojanovic, N.: Towards a formal framework for business process compliance. In: Proceedings of Multikonferenz Wirtschaftsinformatik (MKWI 2008). GITO-Verlag, Berlin (2008)Google Scholar
  24. 24.
    Office of Governance Commerce. IT infrastructure library (2009),
  25. 25.
    The President of the Italian Republic. Personal data protection code: Italian legislative decree no. 196 dated 30 june 2003 (2009),
  26. 26.
    Sadiq, S.W., Governatori, G., Namiri, K.: Modeling control objectives for business process compliance. In: Alonso, G., Dadam, P., Rosemann, M. (eds.) BPM 2007. LNCS, vol. 4714, pp. 149–164. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  27. 27.
    Schmidt, R., Bartsch, C., Oberhauser, R.: Ontology-based representation of compliance requirements for service processes. In: ESWC 2007. CEUR Workshop Proceedings, vol. 251 (2007)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Daniela Marino
    • 1
  • Fabio Massacci
    • 2
  • Andrea Micheletti
    • 1
  • Nataliya Rassadko
    • 2
  • Stephan Neuhaus
    • 2
  1. 1.Fondazione Centro San Raffaele del Monte Tabore-Services for Life & Health UnitMilanoItaly
  2. 2.Dipartimento di Ingegneria e Scienze dell’InformazioneUniversità degli Studi di TrentoTrentoItaly

Personalised recommendations