Computing conspiracies [data integrity]

3 Author(s)

The concept of 'segregation of duties' is well-known in both organisational and security contexts. For example, the Clark-Wilson model stresses the importance of such a policy appropriate for regulating the involvement of subjects in acting upon business information and business values. However, it gives no guidelines on how to distinguish a proper policy from an improper one. Furthermore, the discipline of auditing has developed numerous schemes for segregation of duties. In this paper we use a model that allows quantification of, and reasoning about, audit-technical segregation of duties. Our approach is based on normative ('Soll') and actual ('Ist') specifications of a company's circular flow of business values in terms of enriched Petri nets. In this type of Petri net the markers represent money, goods, debts and registrations of these business values, the places represent their buffer locations and the transitions represent transformation procedures. Associated to these Petri net elements are agents and their authorisations and abilities. Undetectable use of company assets can now be modelled in the 'Ist' net by the general Petri net notion of 'T-invariant'. The design of a proper scheme for segregation of duties then reduces to maximisation of the number of agents that need to be minimally involved in order to establish a firing of such a T-invariant.
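The following sketch is an added illustration of the T-invariant idea in the abstract, not code from the paper. The four-transition cash net, the agent names and their abilities are constructed, and reading "agents minimally involved" as the smallest group of agents whose abilities cover every transition of the invariant is an assumption.

```python
from itertools import combinations, product

# Constructed toy 'Ist' net: rows are places, columns are transitions.
PLACES = ["cash_in_vault", "cash_outside", "ledger_balance"]
TRANSITIONS = ["take_out", "put_back", "book_out", "book_in"]
C = [
    [-1, +1,  0,  0],   # cash_in_vault
    [+1, -1,  0,  0],   # cash_outside
    [ 0,  0, -1, +1],   # ledger_balance
]

def is_t_invariant(x):
    """x is a T-invariant iff it is non-zero, non-negative and C.x = 0,
    i.e. firing it reproduces the marking and leaves no trace in any place."""
    return any(x) and all(v >= 0 for v in x) and all(
        sum(c * v for c, v in zip(row, x)) == 0 for row in C)

def minimal_t_invariants(max_count=1):
    """Brute-force small firing-count vectors; keep those of minimal support."""
    found = [x for x in product(range(max_count + 1), repeat=len(TRANSITIONS))
             if is_t_invariant(x)]
    support = lambda x: {i for i, v in enumerate(x) if v}
    return [x for x in found
            if not any(support(y) < support(x) for y in found)]

def min_agents(x, abilities):
    """Fewest agents whose combined abilities cover every transition in x."""
    needed = {TRANSITIONS[i] for i, v in enumerate(x) if v}
    for k in range(1, len(abilities) + 1):
        for group in combinations(abilities, k):
            if needed <= set().union(*(abilities[a] for a in group)):
                return k
    return None  # nobody is able to fire this invariant at all

def weakest_point(abilities):
    """Score of a scheme: the smallest group able to fire any T-invariant.
    A better segregation of duties makes this number larger."""
    sizes = [min_agents(x, abilities) for x in minimal_t_invariants()]
    return min((s for s in sizes if s is not None), default=None)

# Two constructed duty assignments over the same net.
WEAK = {"cashier": {"take_out", "put_back"},
        "bookkeeper": {"book_out", "book_in"}}
SEGREGATED = {"cashier": {"take_out", "book_in"},
              "controller": {"put_back", "book_out"}}

if __name__ == "__main__":
    print(minimal_t_invariants())
    print(weakest_point(WEAK), weakest_point(SEGREGATED))
```

Under the weak assignment a single agent can fire a complete invariant alone; under the segregated one every invariant needs two agents to cooperate.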

Published in:

Database and Expert Systems Applications, 1998. Proceedings. Ninth International Workshop on

Date of Conference: