Compliance Measurement Framework (CMF)

IT service delivery processes need to adhere to several regulations such as security, confidentiality and data integrity. These regulations are typically defined as policies, each of which contains a list of clauses. These are usually verified by periodic audits, which are usually ad-hoc, time-consuming and difficulty verify objectively. In this paper, we present a formal framework - compliance measurement framework (CMF) - by which compliance of the instances of a process model to a policy can be formally modeled and objectively measured. The primary element of CMF is process policy compliance index (PPCI). It is the compliance score of a set of execution traces of a process model against the set of clauses of a single policy. This can be further extended to multi-PPCI - for multiple policies - and organizational compliance index (OCI) - for an aggregate score across the entire organization. This paper focus on dynamic compliance checks where the above indices are computed over several instances of process execution. By using enough instances of execution, the resulting index reflects the real state of non-compliance while also increasing the probability of all relevant paths within the process model being followed. In this paper, we focus on PPCI determination, leaving M-PPCI and OCI for future work.