An Approach to Correctness of Security and Operational Business Policies
October 5, 2013
Discussant: Graham Gal
University of Waterloo Symposium on Information Integrity and Information Systems Assurance
Outline
• Policies and Permissions
• Constraints
• Representation of Policies
• Evaluation of Policies
Policies and Permissions
• Policy is a management statement on acceptable states
  – Can be based on intensions or extensions
• Permissions are related to an action
• Implies permissible states
• And how to get there (transitions)
• Not just permit and deny
Types of Policy statements
• Intensions
  – On multiplicities
    • Employees must be assigned to a single department
    • Each department must have a single manager
  – Based on Type Specifications
    • Internal Auditors must have these qualifications
  – Permissions as Policies
    • REA patterned Sale
      – Salespeople (Internal Agent Type) can
      – Sell (Event Type)
      – Inventory (Resource Type) to
      – Customers (External Agent Type)
    • Delegate and Perform Permissions
Constraints
• Restricted States (Preventive Controls)
  – Unassigned employees
  – No paychecks to non-employees
  – No labs to dead patients
• Possibly violated states
  – Temporal Separation of events
    • Sale cannot cause customer's balance to exceed credit limit
  – Database transactions versus Business transactions
    • Person must be assigned to one and only one department
  – Accumulation of Evidence
    • Orders over $1000 must be approved by Department Manager
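The two kinds of constraint listed above, as an added example that is not from the original slides: a restricted state is refused by the database itself, while a possibly violated state is allowed to exist and is found by a query until the approval evidence arrives. The SQLite schema, table and column names, the function names and the sample rows are assumptions made for illustration.

```python
import sqlite3

SCHEMA = """
PRAGMA foreign_keys = ON;
CREATE TABLE department (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
-- Restricted state: one NOT NULL foreign key means exactly one department.
CREATE TABLE employee (
    id INTEGER PRIMARY KEY,
    name TEXT NOT NULL,
    dept_id INTEGER NOT NULL REFERENCES department(id));
-- Possibly violated state: approval evidence may arrive after the order.
CREATE TABLE purchase_order (
    order_no TEXT PRIMARY KEY,
    buyer INTEGER NOT NULL REFERENCES employee(id),
    amount INTEGER NOT NULL,
    approved_by INTEGER REFERENCES employee(id));
"""

def build():
    """In-memory database with constructed sample rows (not the slide's data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO department VALUES (1, 'Purchasing')")
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?)",
                     [(10, "manager", 1), (11, "buyer", 1)])
    conn.executemany("INSERT INTO purchase_order VALUES (?, ?, ?, ?)",
                     [("T-1", 11, 995, None),    # under the limit
                      ("T-2", 11, 1500, None),   # over the limit, approval pending
                      ("T-3", 11, 2000, 10)])    # over the limit, approved
    conn.commit()
    return conn

def insert_is_rejected(conn, sql, params):
    """True if the database refuses to enter the state (preventive control)."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute(sql, params)
        return False
    except sqlite3.IntegrityError:
        return True

def pending_approvals(conn, limit=1000):
    """Orders over the limit that currently lack approval evidence."""
    rows = conn.execute(
        "SELECT order_no FROM purchase_order "
        "WHERE amount > ? AND approved_by IS NULL ORDER BY order_no", (limit,))
    return [r[0] for r in rows]
```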
[Diagram: Departments and Employees, with multiplicities * and 1]
[Diagram: Cash Receipts and Sales, with multiplicities 1 and 1]
Order # | Date    | Buyer | Approved by | $ Amount
1233S   | 9/30/13 | 3433  |             | $995
1245A   | 9/30/13 | 3421  |             | $987
16789C  | 10/1/13 | 3421  |             | $567
1569V   | 10/1/13 | 3433  |             | $998
34335Z  | 10/2/13 | 3456  |             | $989
5644N   | 10/1/13 | 3456  |             | $994
8977G   | 10/2/13 | 3422  |             | $989
Order over $1000 Must Have Approval