（2008）On the Risk Management and Auditing of SOA Based Business Processes.pdfVIP

On the Risk Management and Auditing of SOA Based Business Processes Bart Orriens, Willem-Jan v/d Heuvel, and Mike Papazoglou Dept. of Information Management, Tilburg University PO Box 90153, 5000 LE Tilburg, The Netherlands {b.orriens,wjheuvel,mikep}@uvt.nl Abstract. SOA-enabled business processes stretch across many cooperating and coordinated systems, possibly crossing organizational boundaries, and technolo- gies like XML and Web services are used for making system-to-system interac- tions commonplace. Business processes form the foundation for all organizations, and as such, are impacted by industry regulations. This requires organizations to review their business processes and ensure that they meet the compliance stan- dards set forth in legislation. In this paper we sketch a SOA-based service risk management and auditing methodology including a compliance enforcement and verification system that assures verifiable business process compliance. This is done on the basis of a knowledge-based system that allows integration of internal control systems into business processes conform pre-defined compliance rules, monitor both the normal process behavior and those of the control systems dur- ing process execution, and log these behaviors to facilitate retrospective auditing. 1 Introduction SOA is an integration framework for connecting loosely coupled software modules into on-demand business processes. Business processes form the foundation for all organi- zations, and as such, are impacted by industry regulations. Without explicit business process definitions, flexible rule frameworks, and audit trails that provide for non- repudiation, organizations face litigation risks and even criminal penalties. Co