Presentation is loading. Please wait.

Presentation is loading. Please wait.

An Approach to Correctness of Security and Operational Business Policies October 5, 2013 Discussant Graham Gal.

Published bySophie Day Modified over 9 years ago

Similar presentations

Presentation on theme: "An Approach to Correctness of Security and Operational Business Policies October 5, 2013 Discussant Graham Gal."— Presentation transcript:

1 An Approach to Correctness of Security and Operational Business Policies October 5, 2013 Discussant Graham Gal

2 University of Waterloo Symposium on Information Integrity and Information Systems Assurance Outline Policies and Permissions Constraints Representation of Policies Evaluation of Policies

3 University of Waterloo Symposium on Information Integrity and Information Systems Assurance Policies and Permissions Policy is a management statement on acceptable states – Can be based on intensions or extensions Permissions are related to an action Implies permissible states And how to get there (transitions) Not just permit and deny

4 University of Waterloo Symposium on Information Integrity and Information Systems Assurance Types of Policy statements Intensions – On multiplicities Employees must be assigned to a single department Each department must have a single manager – Based on Type Specifications Internal Auditors must have these qualifications – Permissions as Policies REA patterned Sale – Salespeople (Internal Agent Type) can – Sell (Event Type) – Inventory (Resource Type) to – Customers (External Agent Type) Delegate and Perform Permissions

5 University of Waterloo Symposium on Information Integrity and Information Systems Assurance Constraints Restricted States (Preventive Controls) – Unassigned employees – No paychecks to non-employees – No labs to dead patients Possibly violated states – Temporal Separation of events Sale cannot cause customer’s balance to exceed credit limit – Database transactions versus Business transactions Person must be assigned to one and only one department – Accumulation of Evidence Orders over $1000 must be approved by Department Manager

6 University of Waterloo Symposium on Information Integrity and Information Systems Assurance

7

8 Order #DateBuyer Approved by $ Amount 1233S9/30/133433 $995 1245A9/30/133421 $987 16789C10/1/133421 $567 1569V10/1/133433 $998 34335Z10/2/133456 $989 5644N10/1/133456 $994 8977G10/2/133422 $989 Order over $1000 Must Have Approval

Download ppt "An Approach to Correctness of Security and Operational Business Policies October 5, 2013 Discussant Graham Gal."

Similar presentations

The correct order of accounting steps is I.set policies, record, post, adjust II.record, adjust, post, set policies III.record, post, set policies, adjust.

The correct order of accounting steps is I.set policies, record, post, adjust II.record, adjust, post, set policies III.record, post, set policies, adjust.
Chapter 13 Overall Audit Plan and Audit Program

Chapter 13 Overall Audit Plan and Audit Program
Business Processes, Data Modeling and Information Systems

Business Processes, Data Modeling and Information Systems
Understanding Audit Reports

Understanding Audit Reports
The Influence of Internal Audit on Information Security Effectiveness October 5, 2013 Perceptions of Internal Auditors Graham Gal With Paul Steinbart,

The Influence of Internal Audit on Information Security Effectiveness October 5, 2013 Perceptions of Internal Auditors Graham Gal With Paul Steinbart,
Receivables Setting credit policies Accounting for bad debt Computing interest.

Receivables Setting credit policies Accounting for bad debt Computing interest.
©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 1 - 1 The Demand for Audit and Other Assurance Services Chapter 1.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder The Demand for Audit and Other Assurance Services Chapter 1.
1 Cash Handling – It’s my job Whether you take in lots of money or … you collect “pennies”

1 Cash Handling – It’s my job Whether you take in lots of money or … you collect “pennies”
Semantic Specification and Automated Enforcement of Internal Controls within Accounting Systems Dr. Graham Gal University of Massachusetts at Amherst Dr.

Semantic Specification and Automated Enforcement of Internal Controls within Accounting Systems Dr. Graham Gal University of Massachusetts at Amherst Dr.
1 Pertemuan 18 Audit Performance Matakuliah:A0274/Pengelolaan Fungsi Audit Sistem Informasi Tahun: 2005 Versi: 1/1.

1 Pertemuan 18 Audit Performance Matakuliah:A0274/Pengelolaan Fungsi Audit Sistem Informasi Tahun: 2005 Versi: 1/1.
Information Fusion in Continuous Assurance Discussed by Dr. Graham Gal University of Massachusetts at Amherst University of Waterloo Conference on Information.

Information Fusion in Continuous Assurance Discussed by Dr. Graham Gal University of Massachusetts at Amherst University of Waterloo Conference on Information.
Chapter 12 Auditing the Human Resource Management Process McGraw-Hill/Irwin ©2008 The McGraw-Hill Companies, All Rights Reserved.

Chapter 12 Auditing the Human Resource Management Process McGraw-Hill/Irwin ©2008 The McGraw-Hill Companies, All Rights Reserved.
Accounting Information Systems: A Business Process Approach Chapter One: Introduction to Accounting Information Systems.

Accounting Information Systems: A Business Process Approach Chapter One: Introduction to Accounting Information Systems.
Analysis into Design. Specifying Business Rules Identifying necessary constraints in an organisation’s operations Can apply to structured or semi-structured.

Analysis into Design. Specifying Business Rules Identifying necessary constraints in an organisation’s operations Can apply to structured or semi-structured.
Copyright © 2007 Prentice-Hall. All rights reserved 1 Internal Control & Cash Chapter 8.

Copyright © 2007 Prentice-Hall. All rights reserved 1 Internal Control & Cash Chapter 8.
Reporting and Analyzing Cash and Internal Controls

Reporting and Analyzing Cash and Internal Controls
Auditing & Assurance Services, 6e

Auditing & Assurance Services, 6e
---Confidential 1 Order Management Training. ---Confidential 2 Introduction Three cycles in Oracle Applications Plan to make. Order to cash Procure to.

---Confidential 1 Order Management Training. ---Confidential 2 Introduction Three cycles in Oracle Applications Plan to make. Order to cash Procure to.
Introduction to SAP R/3.

Introduction to SAP R/3.
Implementing an REA Model in a Relational Database

Implementing an REA Model in a Relational Database

Similar presentations

Ads by Google