Presentation is loading. Please wait.

Presentation is loading. Please wait.

Continuous Compliance Assurance for Trusted Information Sharing: A Research Framework Bonnie W. Morris College of Business & Economics

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Continuous Compliance Assurance for Trusted Information Sharing: A Research Framework Bonnie W. Morris College of Business & Economics"— Presentation transcript:

1 Continuous Compliance Assurance for Trusted Information Sharing: A Research Framework Bonnie W. Morris College of Business & Economics Bonnie.Morris@mail.wvu.edu Cynthia Tanner & George Trapp Lane Department of Computer Science and Electrical Engineering College of Engineering and Mineral Resources West Virginia University Geoffrey Shaw Senior VP, Risk Assessment and Policy Compliance VIACK Corporation

2 Trusted Information Sharing There are many situations where it is mutually beneficial for two or more organizations to share information to improve operational efficiency and to reduce risk There are many situations where it is mutually beneficial for two or more organizations to share information to improve operational efficiency and to reduce risk Business—e.g. Supply Chain Business—e.g. Supply Chain Law Enforcement Law Enforcement Security and intelligence analysis (“connect the dots”) Security and intelligence analysis (“connect the dots”)

3 Impediments to Sharing Concerns about: Opportunistic behavior by sharing partners Opportunistic behavior by sharing partners Antitrust issues Antitrust issues Privacy policy violations Privacy policy violations Inadequate security over shared data Inadequate security over shared data

4 Provider 1 Provider 2 Provider 3 User1 User2 User3 - Datasets are sent to information sharing partners -Risk of misuse is the sum of the risk at each remote site. Sharing without a Trusted Enclave –

5 The Real Problem Information Asymmetry Information Asymmetry Inability to verify compliance with information sharing terms and conditions Inability to verify compliance with information sharing terms and conditions Too many ways for data to leak out or be misused Too many ways for data to leak out or be misused Stolen laptops, hackers Stolen laptops, hackers Poor access controls Poor access controls USB drives, printers, email USB drives, printers, email Fused with other data and disconnected from info about source and use restrictions Fused with other data and disconnected from info about source and use restrictions

6 Trusted Enclave Shared data are stored within the enclave. Shared data are stored within the enclave. Data fusion and analysis applications run within the trusted enclave. Data fusion and analysis applications run within the trusted enclave. Access to data by applications or users is mediated by automated sharing policy enforcement and is logged into immutable audit logs. Access to data by applications or users is mediated by automated sharing policy enforcement and is logged into immutable audit logs. The results of fusion and analysis applications sent to users are also mediated by sharing policy enforcement and logged in immutable audit logs. The results of fusion and analysis applications sent to users are also mediated by sharing policy enforcement and logged in immutable audit logs. Data access by individuals and applications may be continuously verified for compliance with the information sharing rules through assurance provider access to the audit logs. Data access by individuals and applications may be continuously verified for compliance with the information sharing rules through assurance provider access to the audit logs. Users cannot view the entire dataset Users cannot view the entire dataset

7 User1 User2 Audit Testing Audit log Policies Data Fusion/ analysis Trusted Enclave User3...... Provider 1 Provider 2 Provider 3.

8 Information Sharing Need to define conditions for sharing Need to define conditions for sharing More than just access controls More than just access controls It is an economic exchange--Data providers GIVE data and expect to GET something of equal value. It is an economic exchange--Data providers GIVE data and expect to GET something of equal value. Suggests the need to provide assurance about data quality as well as access control aspects of information sharing policies Suggests the need to provide assurance about data quality as well as access control aspects of information sharing policies

9 Data Quality Metrics What are the relevant data quality criteria? What are the relevant data quality criteria? What are the relevant data quality metrics? What are the relevant data quality metrics? How can measures of data quality criteria be combined for concepts such as “best available data” and “minimally acceptable level” of quality? How can measures of data quality criteria be combined for concepts such as “best available data” and “minimally acceptable level” of quality? How can we measure data fusion gain? How can we measure data fusion gain? What are the dimensions of data provenance that are needed to measure quality? What are the dimensions of data provenance that are needed to measure quality? Can data quality requirements be specified indirectly (i.e., inferred from the data fusion application or from information about the other data available)? Can data quality requirements be specified indirectly (i.e., inferred from the data fusion application or from information about the other data available)?

10 Information Sharing Policy Representation How should we represent information sharing policies? How should we represent information sharing policies? Can we develop an information sharing ontology? Can we develop an information sharing ontology? How should data quality requirements be incorporated into the sharing policies? How should data quality requirements be incorporated into the sharing policies? Can we identify a semantic model of sharing types, participants, purposes, conditions, using Can we identify a semantic model of sharing types, participants, purposes, conditions, using methods of meta data extraction, methods of meta data extraction, ontology merging and related semantic integration concepts ontology merging and related semantic integration concepts automatic classification of data automatic classification of data How do we specify conflict remediation strategies How do we specify conflict remediation strategies Can we identify prototypical sharing rules and create a repository to reduce the policy negotiation burden. Can we identify prototypical sharing rules and create a repository to reduce the policy negotiation burden.

11 Continuous Compliance Assurance Will independent Continuous Compliance Assurance increase trust among potential information sharing partners and the public? Will independent Continuous Compliance Assurance increase trust among potential information sharing partners and the public? If so, who will they trust to provide the assurance? In the private sector, CPAs have several advantages If so, who will they trust to provide the assurance? In the private sector, CPAs have several advantages A reputation for providing assurance on financial statements and other matters A reputation for providing assurance on financial statements and other matters Professional Standards for providing assurance services including Trust Services Professional Standards for providing assurance services including Trust Services Knowledge of privacy principles as demonstrated by the promulgation of Generally Accepted Privacy Principles Knowledge of privacy principles as demonstrated by the promulgation of Generally Accepted Privacy Principles Potentially deep pockets (important as these assurance services are a means of sharing risk) Potentially deep pockets (important as these assurance services are a means of sharing risk) Who will government and law enforcement trust to provide assurances? Will the CPAs’ advantages hold for the public sector? What alternatives are there? Who will government and law enforcement trust to provide assurances? Will the CPAs’ advantages hold for the public sector? What alternatives are there?

12 Continuous Compliance Assurance What type of assurance report should the assurance provider issue? What type of assurance report should the assurance provider issue? Who should pay for the assurance service? Who should pay for the assurance service? What needs to be logged for testing by the auditors? What needs to be logged for testing by the auditors? What type of audit testing functionality is needed to ensure compliance? What type of audit testing functionality is needed to ensure compliance? For assurances related to data quality metrics, how do we to define “significant departure”? For assurances related to data quality metrics, how do we to define “significant departure”? Is the level of assurance just another policy that should be specified by the data provider and data user? Is the level of assurance just another policy that should be specified by the data provider and data user? Do we need new standards for auditor to auditor communications? Do we need new standards for auditor to auditor communications? What legal representations are required? How often will they be refreshed? What legal representations are required? How often will they be refreshed?

13 Conclusion Trusted information sharing is an excellent application for Continuous Compliance Assurance. The purpose of this paper is to identify some of the research opportunities in this area. Questions?

Download ppt "Continuous Compliance Assurance for Trusted Information Sharing: A Research Framework Bonnie W. Morris College of Business & Economics"

Similar presentations

Chapter 1 Business Driven Technology

Chapter 1 Business Driven Technology
Internal Control–Integrated Framework

Internal Control–Integrated Framework
STRATEGIC PLANNING FOR Post-Clearance Audit (PCA)

STRATEGIC PLANNING FOR Post-Clearance Audit (PCA)
Department of Environmental Quality Environmental Management System Overview.

Department of Environmental Quality Environmental Management System Overview.
Auditor General’s Office One key audit focus area – Compliance with Laws and Regulations.

Auditor General’s Office One key audit focus area – Compliance with Laws and Regulations.
©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 1 - 1 The Demand for Audit and Other Assurance Services Chapter 1.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder The Demand for Audit and Other Assurance Services Chapter 1.
1 ACC 3303: AUDITING 2 Assurance Services ?? Need for Assurance ? Illustration using an Audit Engagement as an example.

1 ACC 3303: AUDITING 2 Assurance Services ?? Need for Assurance ? Illustration using an Audit Engagement as an example.
GAO Standards Brian M. Leighton Virginia Department of Motor Vehicles.

GAO Standards Brian M. Leighton Virginia Department of Motor Vehicles.
Security Controls – What Works

Security Controls – What Works
The Demand for Audit and Other Assurance Services Chapter 1.

The Demand for Audit and Other Assurance Services Chapter 1.
Professional Ethics “Ethics are statements of moral principles and values that guide the action of auditors”. The independence, powers and responsibilities.

Professional Ethics “Ethics are statements of moral principles and values that guide the action of auditors”. The independence, powers and responsibilities.
Quality evaluation and improvement for Internal Audit

Quality evaluation and improvement for Internal Audit
Symantec Vision and Strategy for the Information-Centric Enterprise Muhamed Bavçiç Senior Technology Consultant SEE.

Symantec Vision and Strategy for the Information-Centric Enterprise Muhamed Bavçiç Senior Technology Consultant SEE.
Purpose of the Standards

Purpose of the Standards
Trinidad & Tobago Corporate Governance Code 2013

Trinidad & Tobago Corporate Governance Code 2013
The College of Information Sciences and Technology ist.psu.edu.

The College of Information Sciences and Technology ist.psu.edu.
Yusuf İ slam Ş EFLEK 11 TM/A 85.  An acceptable use policy is a set of rules applied by the owner/manager of a network, website or large computer system.

Yusuf İ slam Ş EFLEK 11 TM/A 85.  An acceptable use policy is a set of rules applied by the owner/manager of a network, website or large computer system.
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.

Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.
Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,

Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,
Chapter 7 Database Auditing Models

Chapter 7 Database Auditing Models

Similar presentations

Ads by Google