Towards a Framework for Achieving Effective Segregation of Duties U of Waterloo Symposium – 2007 Discussant: Ram Sriram


Page 1

Towards a Framework for Achieving Effective Segregation of Duties

U of Waterloo Symposium – 2007

Discussant: Ram Sriram

Page 2

Motivation for this study

• Proposes a role-based separation of duties framework for improving security over information processing.
• The framework is proposed within an accounting/transaction cycle approach.
• Expectation: the model can be used to automate the resolution of segregation of duties and conflicting access and other privileges.
• Claim: it is a unified model of separation of duties.

Page 3

Target Audience

Who is the target audience for this manuscript and the application that is described within it?

• External Auditors?
• Internal Auditors?
• Evaluators of Sarbanes-Oxley?

Page 4

Is the contribution new?

I am skeptical. Both the concepts of separation of duties and implementation within business cycles are not new.

How is this model different from, or how is it an improvement over, the well-recognized Clark-Wilson, Biba Integrity or other Access Matrix models?

Page 5

Questions

Do not Clark-Wilson, Biba and others consider separation of duties in an automated context?

Why, or in what sense, are business cycles appropriate in automated and database environments?

Does it not conflict with one time data entry principles?

Page 6

Other Questions

Are not business cycles, and the split between authorization, record-keeping and custody, more appropriate to manual systems?

Are we going back in time to silo approaches?

How do computer-assisted controls play into these business cycles?

Don’t they mitigate the problems of conflicting duties?

Page 7

Suggestions for Improvement

Agree: users have wrong rights assignments, and also redundant and parallel access rights.

Tell the readers how a business-cycle-based model will overcome this problem (in the context of an automated environment).

Tell us how this model will be an improvement over access control matrices with read, write and execute privileges incorporated in them.
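To make concrete what "automating the resolution of conflicting privileges" within a transaction cycle has to do, here is an added example; it is not the paper's model nor the discussant's code. It encodes the authorization / record-keeping / custody split for a constructed purchasing and revenue role table (an assumption) and checks constructed user-role assignments for both the conflicting and the redundant, parallel rights mentioned above.

```python
from itertools import combinations

# The classic per-cycle split the discussant refers to: authorization,
# record-keeping and custody must not sit with the same person.
AUTHORIZE, RECORD, CUSTODY = "authorize", "record", "custody"

# Constructed role table (an assumption for this example, not the paper's):
# role -> (transaction cycle, duty class).
ROLE_DUTIES = {
    "po_approver":          ("purchasing", AUTHORIZE),
    "ap_clerk":             ("purchasing", RECORD),
    "vendor_master_admin":  ("purchasing", RECORD),
    "payment_release":      ("purchasing", CUSTODY),
    "sales_order_approver": ("revenue", AUTHORIZE),
    "cash_receipts":        ("revenue", CUSTODY),
}

def conflicting_pairs(roles):
    """Pairs of roles in the same cycle but different duty classes:
    one person could both authorize and record (or hold custody)."""
    return [(a, b) for a, b in combinations(sorted(roles), 2)
            if ROLE_DUTIES[a][0] == ROLE_DUTIES[b][0]
            and ROLE_DUTIES[a][1] != ROLE_DUTIES[b][1]]

def redundant_pairs(roles):
    """Pairs of roles granting the same (cycle, duty): the parallel and
    redundant rights the discussant agrees are common in practice."""
    return [(a, b) for a, b in combinations(sorted(roles), 2)
            if ROLE_DUTIES[a] == ROLE_DUTIES[b]]

def review(user_roles):
    """Return {user: {"conflicts": [...], "redundant": [...]}} for users
    with findings only; a clean assignment yields an empty dict."""
    findings = {}
    for user, roles in user_roles.items():
        c, r = conflicting_pairs(roles), redundant_pairs(roles)
        if c or r:
            findings[user] = {"conflicts": c, "redundant": r}
    return findings

# Constructed sample assignments.
USER_ROLES = {
    "alice": {"po_approver", "ap_clerk"},          # authorize + record in one cycle
    "bob":   {"ap_clerk", "vendor_master_admin"},  # two record-keeping roles
    "carol": {"po_approver", "cash_receipts"},     # different cycles: not flagged
    "dave":  {"payment_release"},
}

if __name__ == "__main__":
    for user, finding in review(USER_ROLES).items():
        print(user, finding)
```

Because the rule is applied per cycle, carol's cross-cycle combination passes unflagged, which is exactly the silo concern raised in the questions above.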

Page 8

Methodology

This is a theoretical paper. The tables on business cycles and separation of duties: how are they different from, and what do they contribute beyond, what is already available in accounting information system textbooks?

Page 9

All the best