towards a framework for achieving effective segregation of duties u of waterloo symposium 2007...
DESCRIPTION
Target Audience Who is the target audience for this manuscript and the application that is described with in it? External Auditors? Internal Auditors? Evaluators of Sarbanes-Oxley?TRANSCRIPT
Towards a Framework for Achieving Effective Segregation of Duties
U of Waterloo Symposium – 2007
Discussant: Ram Sriram
Motivation for this study
• Proposes a role-based separation of duties framework for improving security over information processing. • The framework is proposed within an accounting/transaction
cycle approach.• Expectation: The model can be used automate the resolution
of segregation of duties and conflicting access and other privileges.• Claim: It is a unified model of separation of duties.
Target Audience
Who is the target audience for this manuscript and the application that is described with in it?
• External Auditors?• Internal Auditors?• Evaluators of Sarbanes-Oxley?
Is the contribution new?
I am skeptical Both the concepts of separation of duties and
implementation within business cycles are not new.
How is this model different or how is it an improvement over well-recognized Clark-Wilson, Biba Integrity or other Access Matrix models.
Questions
Does not Clark-Wilson, Biba and others consider separation of duties in an automated context?
Why or in what sense, business cycles appropriate in automated and database environments?
Does it not conflict with one time data entry principles?
Other Questions
Is not business cycles and authorization, record-keeping and custody more appropriate to manual systems?
Are we going back in time to silo approaches?
How do computer-assisted controls play in this business cycles?
Don’t they mitigate the problems of conflicting duties?
Suggestions for Improvement
Agree: users have wrong rights assignments and also redundant and parallel access rights.
Tell the readers, how a business cycle based model will outcome this problem (in the context of an automated environment)?
Tell us how this model will be an improvement over access control matrices with read, write, execute privileges incorporated in them?
Methodology
This is a theoretical paper The tables on business cycles and
separation of duties – how are they different and contribute compared to what is already available in accounting information system textbooks?
All the best