Information technology (IT) service delivery processes must adhere to a number of regulations, for example those governing security, confidentiality and data integrity. Such regulations are typically expressed as policies, each containing a list of clauses. Adherence to these clauses is usually verified by periodic audits, which tend to be ad hoc, time-consuming and difficult to assess objectively.
Organizations are increasingly required to arrange their enterprise processes so as to comply with a growing list of regulations, for example security guidelines and data integrity and confidentiality norms. Enterprise processes and the regulations that apply to them are typically complex in nature, and there is no formal approach for verifying compliance. Audits are largely subjective, and compliance is assessed qualitatively rather than measured.
Existing approaches do not develop enterprise process metrics from a compliance perspective. Current enterprise process metrics are instead adapted from software engineering design metrics. Existing approaches may include, for example, a design-time measure defined for a given process and a given set of policies. Such approaches, however, are directed at comparing alternative process models at design time; they offer no means of measuring the compliance of existing enterprise processes at run time.
It is therefore desirable to have a systematic approach for quantitatively determining the compliance posture of an organization. Such an approach would enable one to quantify the impact of improvements, guide investment decisions, support comparative analysis, and differentiate the organization from its competitors.