Back to top

Deriving and Modelling Compliance Requirements from Legal Audits

Last modified by Florian Matthes Apr 2, 2015


The overall demand for a stable and reliable financial system prompted the legislators to react by passing regulations preventing further crises. A central part of those regulations is the handling of operational risks in the economy. Financial institutions have to provide more comprehensive capabilities to handle those risks. In order to decrease the vulnerability to risks and since information technology (IT) has become central within the nancial system, the induced laws imply consequences to IT systems. Adequate risk management is necessary to meet the legal obligations.
Although IT governance and compliance are common parts within IT management, the derivation of concrete measures for existing systems is not trivial. We propose a method to derive concrete legal obligations, classifi ed in requirements, goals and principles. Furthermore we show how existing enterprise models can be enhanced with those demands using the modeling language ArchiMate. We have created several normative models for di erent areas in IT and discuss one of them, namely "User Authorization Management".

Files and Subpages

Name Type Size Last Modification Last Editor
EICAR2014.pdf 1,13 MB 06.11.2014 Versions