Anacleto Correia

Rui Shantilau, Antonio Goncalves, Anacleto Correia

In general, the perspective customer / supplier followed by organizations, regarding information security management, is based mainly on management controls based on standards such as ISO / IEC 27001: 2015, resulting in the production of especially technical analysis reports, rather than a socio-technical approach. This leads to the perception by the customer of the delivery of a product instead of a service.The product concerned is reduced to a set of prescriptions, sometimes unrelated, which materialize in a descriptive and static view of client security management. As a result, the client can hardly use the product continuously, following the dynamics of changes in their organization, therefore recognizing value in the provision made by the supplier. The use of the paradigm Service Dominant Logic (LDS), in the development of a range of security management information, helps to change the focus of tangible resources to the intangible assets. The aspects of tangibility, materialized in a document that describes the client's vulnerabilities and attack vectors are referred to a secondary level, given the importance of the intangible aspects, such as the interaction that is established between the customer specialists and supplier. In this article we propose to analyze in the perspective of a socio-technical theory, the Activity Theory, the service provided by an artifact called 27001 Manager, designed to assist the entire cycle of analysis, development and maintenance of an information security management system (ISMS). The analysis aims at observing the existing interaction between customer / supplier, considering that the service is inherently dynamic and inter-subjective, ie the result of a compromise between the customer and the supplier.

Anacleto Correia

Several BPMN graphical tools support, at least partly, the OMG's BPMN specification. The BPMN standard is an essential guide for tools' makers when implementing the rules regarding depiction of BPMN diagrammatic constructs. Process modelers should also know how to rigorously use BPMN constructs when depicting business processes either for business or IT purposes. Several already published OMG's standards include the formal specification of well-formedness rules concern-ing the metamodels they address. However, the BPMN standard does not. Instead, the rules regarding BPMN elements are only informally specified in natural language throughout the overall BPMN documentation. Without strict rules concerning the correct usage of BPMN elements, no wonder that plenty of available BPMN tools fail to enforce BPMN process models' correctness. To mitigate this problem, and therefore contribute for achieving BPMN models' correctness, we propose to supplement the BPMN metamodel with well-formedness rules expressed by OCL invariants. So, this document contributes to bring together a set of requirements that tools' makers must comply with, in order to claim a broader BPMN 2 compliance. For the regular process modeler, this report provides an extensive and pragmatic catalog of BPMN elements' usage, to be followed in order to attain correct BPMN process models.