Enterprises are rapidly extending their relatively stable and internally-oriented business processes and applications with loosely-coupled enterprise software services in order to support highly dynamic, cross-organizational business processes. These services are no longer solely based on internal enterprise systems, but often implemented, deployed and executed by diverse, external service providers. The ability to dynamically configure cross-organizational business processes with a mixture of internal and external services imposes new security requirements on existing security models. In this paper, we address the problem of defining and enforcing access control rules for securing service invocations in the context of a business process. For this purpose, we amortize existing role-based access control models that allow for dynamic delegation and retraction of authorizations. Authorizations are assigned on an event-driven basis, implementing a push-based interaction protocol between services. This novel security model is entitled the Event-driven Framework for Service Oriented Computing (EFSOC). In addition, this article presents an experimental prototype that is explored using a realistic case study.