SoDA : a model for the administration of separation of duty requirements in workflow systems
- Authors: Perelson, Stephen
- Date: 2001
- Subjects: Electronic data processing departments -- Security measures , Computers -- Access control
- Language: English
- Type: Thesis , Masters , MTech (Information Technology)
- Identifier: vital:10796 , http://hdl.handle.net/10948/68 , Electronic data processing departments -- Security measures , Computers -- Access control
- Description: The increasing reliance on information technology to support business processes has emphasised the need for information security mechanisms. This, however, has resulted in an ever-increasing workload in terms of security administration. Security administration encompasses the activity of ensuring the correct enforcement of access control within an organisation. Access rights and their allocation are dictated by the security policies within an organisation. As such, security administration can be seen as a policybased approach. Policy-based approaches promise to lighten the workload of security administrators. Separation of duties is one of the principles cited as a criterion when setting up these policy-based mechanisms. Different types of separation of duty policies exist. They can be categorised into policies that can be enforced at administration time, viz. static separation of duty requirements and policies that can be enforced only at execution time, viz. dynamic separation of duty requirements. This dissertation deals with the specification of both static separation of duty requirements and dynamic separation of duty requirements in role-based workflow environments. It proposes a model for the specification of separation of duty requirements, the expressions of which are based on set theory. The model focuses, furthermore, on the enforcement of static separation of duty. The enforcement of static separation of duty requirements is modelled in terms of invariant conditions. The invariant conditions specify restrictions upon the elements allowed in the sets representing access control requirements. The sets are themselves expressed as database tables within a relational database management system. Algorithms that stipulate how to verify the additions or deletions of elements within these sets can then be performed within the database management system. A prototype was developed in order to demonstrate the concepts of this model. This prototype helps demonstrate how the proposed model could function and flaunts its effectiveness.
- Full Text:
- Date Issued: 2001
- Authors: Perelson, Stephen
- Date: 2001
- Subjects: Electronic data processing departments -- Security measures , Computers -- Access control
- Language: English
- Type: Thesis , Masters , MTech (Information Technology)
- Identifier: vital:10796 , http://hdl.handle.net/10948/68 , Electronic data processing departments -- Security measures , Computers -- Access control
- Description: The increasing reliance on information technology to support business processes has emphasised the need for information security mechanisms. This, however, has resulted in an ever-increasing workload in terms of security administration. Security administration encompasses the activity of ensuring the correct enforcement of access control within an organisation. Access rights and their allocation are dictated by the security policies within an organisation. As such, security administration can be seen as a policybased approach. Policy-based approaches promise to lighten the workload of security administrators. Separation of duties is one of the principles cited as a criterion when setting up these policy-based mechanisms. Different types of separation of duty policies exist. They can be categorised into policies that can be enforced at administration time, viz. static separation of duty requirements and policies that can be enforced only at execution time, viz. dynamic separation of duty requirements. This dissertation deals with the specification of both static separation of duty requirements and dynamic separation of duty requirements in role-based workflow environments. It proposes a model for the specification of separation of duty requirements, the expressions of which are based on set theory. The model focuses, furthermore, on the enforcement of static separation of duty. The enforcement of static separation of duty requirements is modelled in terms of invariant conditions. The invariant conditions specify restrictions upon the elements allowed in the sets representing access control requirements. The sets are themselves expressed as database tables within a relational database management system. Algorithms that stipulate how to verify the additions or deletions of elements within these sets can then be performed within the database management system. A prototype was developed in order to demonstrate the concepts of this model. This prototype helps demonstrate how the proposed model could function and flaunts its effectiveness.
- Full Text:
- Date Issued: 2001
The development of a technique to establish the security requirements of an organization
- Authors: Gerber, Mariana
- Date: 2001
- Subjects: Computer security -- Management , Electronic data processing departments -- Security measures , Businesses -- Data processing -- Security measures , Computers -- Access control
- Language: English
- Type: Thesis , Masters , MTech (Information Technology)
- Identifier: vital:10789 , http://hdl.handle.net/10948/89 , Computer security -- Management , Electronic data processing departments -- Security measures , Businesses -- Data processing -- Security measures , Computers -- Access control
- Description: To perform their business activities effectively, organizations rely heavily on the use of information (ISO/IEC TR 13335-2, 1996, p 1). Owens (1998) reiterates this by claiming that all organizations depend on information for their everyday operation and without it business will fail to operate (Owens, 1998, p 1-2). For an organization it means that if the right information is not available at the right time, it can make the difference between profit and loss or success and failure (Royds, 2000, p 2). Information is an asset and just like other important business assets within the organization, it has extreme value to an organization (BS 7799-1, 1999, p 1; Humphreys, Moses & Plate, 1998, p 8). For this reason it has become very important that business information is sufficiently protected. There are many different ways in which information can exist. Information can be printed or written on paper, stored electronically, transmitted electronically or by post, even spoken in conversation or any other way in which knowledge and ideas can be conveyed (URN 99/703, 1999, p. 2; Humphreys, Moses & Plate, 1998, p 8; URN 96/702, 1996, p 3).It is, therefore, critical to protect information, and to ensure that the security of IT (Information Technology) systems within organizations is properly managed. This requirement to protect information is even more important today, since many organizations are internally and externally connected by networks of IT systems (ISO/IEC TR 13335-2, 1996, p 1). Information security is therefore required to assist in the process of controlling and securing of information from accidental or malicious changes, deletions or unauthorized disclosure (Royds, 2000, p 2; URN 96/702, 1996, p 3). By preventing and minimizing the impact of security incidents, information security can ensure business continuity and reduce business damage (Owens, 1998, p 7). Information security in an organization can be regarded as a management opportunity and should become an integral part of the whole management activity of the organization. Obtaining commitment from management is therefore extremely important for effective information security. One way in which management can show their commitment to ensuring information security, is to adopt and enforce a security policy. A security policy ensures that people understand exactly what important role they play in securing information assets.
- Full Text:
- Date Issued: 2001
- Authors: Gerber, Mariana
- Date: 2001
- Subjects: Computer security -- Management , Electronic data processing departments -- Security measures , Businesses -- Data processing -- Security measures , Computers -- Access control
- Language: English
- Type: Thesis , Masters , MTech (Information Technology)
- Identifier: vital:10789 , http://hdl.handle.net/10948/89 , Computer security -- Management , Electronic data processing departments -- Security measures , Businesses -- Data processing -- Security measures , Computers -- Access control
- Description: To perform their business activities effectively, organizations rely heavily on the use of information (ISO/IEC TR 13335-2, 1996, p 1). Owens (1998) reiterates this by claiming that all organizations depend on information for their everyday operation and without it business will fail to operate (Owens, 1998, p 1-2). For an organization it means that if the right information is not available at the right time, it can make the difference between profit and loss or success and failure (Royds, 2000, p 2). Information is an asset and just like other important business assets within the organization, it has extreme value to an organization (BS 7799-1, 1999, p 1; Humphreys, Moses & Plate, 1998, p 8). For this reason it has become very important that business information is sufficiently protected. There are many different ways in which information can exist. Information can be printed or written on paper, stored electronically, transmitted electronically or by post, even spoken in conversation or any other way in which knowledge and ideas can be conveyed (URN 99/703, 1999, p. 2; Humphreys, Moses & Plate, 1998, p 8; URN 96/702, 1996, p 3).It is, therefore, critical to protect information, and to ensure that the security of IT (Information Technology) systems within organizations is properly managed. This requirement to protect information is even more important today, since many organizations are internally and externally connected by networks of IT systems (ISO/IEC TR 13335-2, 1996, p 1). Information security is therefore required to assist in the process of controlling and securing of information from accidental or malicious changes, deletions or unauthorized disclosure (Royds, 2000, p 2; URN 96/702, 1996, p 3). By preventing and minimizing the impact of security incidents, information security can ensure business continuity and reduce business damage (Owens, 1998, p 7). Information security in an organization can be regarded as a management opportunity and should become an integral part of the whole management activity of the organization. Obtaining commitment from management is therefore extremely important for effective information security. One way in which management can show their commitment to ensuring information security, is to adopt and enforce a security policy. A security policy ensures that people understand exactly what important role they play in securing information assets.
- Full Text:
- Date Issued: 2001
- «
- ‹
- 1
- ›
- »