Independent competence platform
for integrated security in Switzerland.

Information Security Management

For a long time, business processes in companies were used only to keep records of common business policies. For some years now, many software systems have used those documented processes directly to align the program's behaviour with them.

This link between software systems and business processes should ensure consistency between the organisational and the technical domain. Business process documentation has moved from graphs, via event-driven process chains, to Business Process Modelling Notation (BPMN), whose second version was published in early 2011. Although there are other ways of documenting those processes, especially for extraordinary purposes, these three are the most important ones. BPMN 1.0 has already been the de facto standard in industry, and it is becoming apparent that BPMN 2.0 will be its successor. After analysing modern business process description languages like BPMN 2.0, we found that it is possible to map information flows to processes in order to visualise the use and the transformation of information and the access employees have to it. All information then needs to be put into different groups, so that the information within a group causes equivalent information security risks. With this simple model, it became possible to analyse and improve the information security of business processes.

Business processes are becoming more and more complex, and they may also link different companies. We have therefore built a set of proofs of concept of our Information Process Flow Engine (IPFE). Each of these proofs of concept used a different set of technologies to achieve our goals. There is no clear winner of our test, but cutting-edge technology that is not yet business-proven brings interesting features, and many problems. So the best result would be a mixture of modern technology (like NoSQL databases) in conjunction with business-proven communication interfaces (like JEE Hornet). Because BPMN 2.0 coverage is lacking, it isn't possible to test the IPFE in the wild. We hope this will change in the future.

eSignal 2011 (PDF)
More about Prof. Dr. Stephanie Teufel

