an approach to correctness of security and operational business policies october 5, 2013 discussant...
TRANSCRIPT
![Page 1: An Approach to Correctness of Security and Operational Business Policies October 5, 2013 Discussant Graham Gal](https://reader035.vdocuments.us/reader035/viewer/2022062718/56649e6a5503460f94b6790d/html5/thumbnails/1.jpg)
An Approach to Correctness of Security and Operational Business
Policies
October 5, 2013
DiscussantGraham Gal
![Page 2: An Approach to Correctness of Security and Operational Business Policies October 5, 2013 Discussant Graham Gal](https://reader035.vdocuments.us/reader035/viewer/2022062718/56649e6a5503460f94b6790d/html5/thumbnails/2.jpg)
University of Waterloo Symposium on Information Integrity and Information Systems Assurance
Outline
• Policies and Permissions • Constraints• Representation of Policies• Evaluation of Policies
![Page 3: An Approach to Correctness of Security and Operational Business Policies October 5, 2013 Discussant Graham Gal](https://reader035.vdocuments.us/reader035/viewer/2022062718/56649e6a5503460f94b6790d/html5/thumbnails/3.jpg)
University of Waterloo Symposium on Information Integrity and Information Systems Assurance
Policies and Permissions
• Policy is a management statement on acceptable states– Can be based on intensions or extensions
• Permissions are related to an action • Implies permissible states• And how to get there (transitions)• Not just permit and deny
![Page 4: An Approach to Correctness of Security and Operational Business Policies October 5, 2013 Discussant Graham Gal](https://reader035.vdocuments.us/reader035/viewer/2022062718/56649e6a5503460f94b6790d/html5/thumbnails/4.jpg)
University of Waterloo Symposium on Information Integrity and Information Systems Assurance
Types of Policy statements
• Intensions– On multiplicities
• Employees must be assigned to a single department• Each department must have a single manager
– Based on Type Specifications• Internal Auditors must have these qualifications
– Permissions as Policies• REA patterned Sale
– Salespeople (Internal Agent Type) can– Sell (Event Type) – Inventory (Resource Type) to– Customers (External Agent Type)
• Delegate and Perform Permissions
![Page 5: An Approach to Correctness of Security and Operational Business Policies October 5, 2013 Discussant Graham Gal](https://reader035.vdocuments.us/reader035/viewer/2022062718/56649e6a5503460f94b6790d/html5/thumbnails/5.jpg)
University of Waterloo Symposium on Information Integrity and Information Systems Assurance
Constraints
• Restricted States (Preventive Controls)– Unassigned employees– No paychecks to non-employees– No labs to dead patients
• Possibly violated states– Temporal Separation of events
• Sale cannot cause customer’s balance to exceed credit limit
– Database transactions versus Business transactions• Person must be assigned to one and only one department
– Accumulation of Evidence• Orders over $1000 must be approved by Department Manager
![Page 6: An Approach to Correctness of Security and Operational Business Policies October 5, 2013 Discussant Graham Gal](https://reader035.vdocuments.us/reader035/viewer/2022062718/56649e6a5503460f94b6790d/html5/thumbnails/6.jpg)
University of Waterloo Symposium on Information Integrity and Information Systems Assurance
DepartmentsEmployees*
1
1
1
![Page 7: An Approach to Correctness of Security and Operational Business Policies October 5, 2013 Discussant Graham Gal](https://reader035.vdocuments.us/reader035/viewer/2022062718/56649e6a5503460f94b6790d/html5/thumbnails/7.jpg)
University of Waterloo Symposium on Information Integrity and Information Systems Assurance
Cash Receipts
Sales
1 1
1 1
![Page 8: An Approach to Correctness of Security and Operational Business Policies October 5, 2013 Discussant Graham Gal](https://reader035.vdocuments.us/reader035/viewer/2022062718/56649e6a5503460f94b6790d/html5/thumbnails/8.jpg)
University of Waterloo Symposium on Information Integrity and Information Systems Assurance
Order # Date Buyer Approved by
$ Amount
1233S 9/30/13 3433 $9951245A 9/30/13 3421 $98716789C 10/1/13 3421 $5671569V 10/1/13 3433 $99834335Z 10/2/13 3456 $9895644N 10/1/13 3456 $9948977G 10/2/13 3422 $989
Order over $1000 Must Have Approval