Business-process-management systems are increasingly used in service-oriented architectures (SOA), coordinating activities of loosely coupled information systems, of web services, and of human actors. This often requires exchanging and processing sensitive, personally-identifiable information, e.g., in e-employability and e-health applications. Supporting security in such a service-oriented environment is challenging. Existing approaches focus on security in service-oriented architectures but neglect business-process specific characteristics. Motivated by a real-world business process from the e-employability domain, in this paper we collect security requirements, exploiting the specific properties and semantics of business processes. We evaluate the requirements with respect to the state of the art of suitable security mechanisms and identify possible solutions as well as remaining gaps. We see this article as an important prerequisite for the design and implementation of advanced security mechanisms for business processes.