Abstract
In recent years, a number of laws and regulations (such as the Basel II accord or SOX) have required organizations to record certain activities or decisions in order to fulfill legally enforced reporting duties. Most of these regulations have a direct impact on the information systems that support an organization's business processes. Therefore, defining audit requirements at the modeling level is an important prerequisite for the thorough implementation and enforcement of the corresponding policies in a software system. In this paper, we present a UML extension for the specification of audit properties. The extension is generic and can be applied to a wide variety of UML elements. In a model-driven development (MDD) approach, our extension can be used to generate corresponding audit rules via model transformations.
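The following Python sketch is an added illustration of the model-driven idea the abstract describes; it is not code from the paper, whose UML profile and transformation rules are not reproduced on this page. Model elements carry an audit annotation (which lifecycle events to record, which attributes each record must carry, how long to retain it), a transformation emits one audit rule per annotated element and event, and the generated rules are then checked against recorded events so that a missing attribute or a never-recorded event shows up as a finding. The annotation fields, the element and event names, and the sample model and records are all assumptions constructed for the example.

```python
"""Illustrative model-to-audit-rule transformation.

Added example, not the profile or transformations from the paper. The
annotation fields, element names and audit records are all constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AuditAnnotation:
    """Audit properties attached to a model element (hypothetical stereotype)."""
    events: Tuple[str, ...]       # lifecycle events that must be recorded
    attributes: Tuple[str, ...]   # attributes every record must carry
    retention_days: int           # minimum retention of the records


@dataclass(frozen=True)
class ModelElement:
    kind: str                     # UML metaclass, e.g. "Operation" or "Action"
    qualified_name: str
    audit: Optional[AuditAnnotation] = None


def validate_model(model: List[ModelElement]) -> List[str]:
    """Well-formedness checks one would otherwise express as OCL constraints."""
    errors = []
    for element in model:
        if element.audit is None:
            continue
        if not element.audit.events:
            errors.append(f"{element.qualified_name}: no events to audit")
        if element.audit.retention_days <= 0:
            errors.append(f"{element.qualified_name}: retention must be positive")
        if "timestamp" not in element.audit.attributes:
            errors.append(f"{element.qualified_name}: records need a timestamp")
    return errors


def generate_audit_rules(model: List[ModelElement]) -> List[Dict]:
    """Model transformation: one platform-independent rule per (element, event)."""
    rules = []
    for element in model:
        if element.audit is None:
            continue
        for event in element.audit.events:
            rules.append({
                "target": element.qualified_name,
                "event": event,
                "required_attributes": list(element.audit.attributes),
                "retention_days": element.audit.retention_days,
            })
    return rules


def check_record(rules: List[Dict], record: Dict) -> List[str]:
    """Enforcement side: report required attributes missing from one audit record."""
    violations = []
    for rule in rules:
        if (rule["target"], rule["event"]) != (record["target"], record["event"]):
            continue
        missing = [a for a in rule["required_attributes"] if a not in record]
        if missing:
            violations.append(f"{record['target']}:{record['event']} missing {missing}")
    return violations


def find_unrecorded(rules: List[Dict], records: List[Dict]) -> List[Tuple[str, str]]:
    """Which (target, event) pairs the rules demand but the records never show."""
    seen = {(r["target"], r["event"]) for r in records}
    return [(r["target"], r["event"]) for r in rules
            if (r["target"], r["event"]) not in seen]


# Constructed sample model: two audited elements, one unaudited operation.
MODEL = [
    ModelElement("Operation", "Account::transfer",
                 AuditAnnotation(("call", "fault"), ("actor", "timestamp", "arguments"), 2555)),
    ModelElement("Action", "ApproveLoan",
                 AuditAnnotation(("completion",), ("actor", "timestamp"), 3650)),
    ModelElement("Operation", "Account::balance"),
]
RULES = generate_audit_rules(MODEL)

# Constructed audit records, as an enforcement layer might emit them.
RECORDS = [
    {"target": "Account::transfer", "event": "call", "actor": "alice",
     "timestamp": "2012-06-25T10:00:00Z", "arguments": {"to": "4711", "amount": 250}},
    {"target": "Account::transfer", "event": "call", "actor": "bob",
     "timestamp": "2012-06-25T10:05:00Z"},                 # arguments not recorded
    {"target": "Account::balance", "event": "call", "actor": "carol",
     "timestamp": "2012-06-25T10:06:00Z"},                 # no rule applies
]

if __name__ == "__main__":
    print("model errors:", validate_model(MODEL))
    for record in RECORDS:
        print(record["target"], record["event"], check_record(RULES, record))
    print("never recorded:", find_unrecorded(RULES, RECORDS))
```

The two checks at the end are the practical payoff of generating rules from the model rather than writing them by hand: the same rule set drives both the completeness check on individual records (bob's transfer lacks its arguments) and the coverage check across the stream (no fault on transfer and no loan approval was ever recorded), so a gap between what the model demands and what the system actually logs becomes visible instead of being discovered during an audit.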
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
Hoisl, B., Strembeck, M. (2012). A UML Extension for the Model-Driven Specification of Audit Rules. In: Bajec, M., Eder, J. (eds) Advanced Information Systems Engineering Workshops. CAiSE 2012. Lecture Notes in Business Information Processing, vol 112. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-31069-0_2
DOI: https://doi.org/10.1007/978-3-642-31069-0_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-31068-3
Online ISBN: 978-3-642-31069-0