14,057 research outputs found

    Value-driven Security Agreements in Extended Enterprises

    Today organizations are highly interconnected in business networks called extended enterprises. This is mostly facilitated by outsourcing and by new economic models based on pay-as-you-go billing; all supported by IT-as-a-service. Although outsourcing has been around for some time, what is now new is the fact that organizations are increasingly outsourcing critical business processes, engaging in complex service bundles, and moving infrastructure and their management to the custody of third parties. Although this gives competitive advantage by reducing cost and increasing flexibility, it increases security risks by eroding security perimeters that used to separate insiders with security privileges from outsiders without security privileges. The classical security distinction between insiders and outsiders is supplemented with a third category of threat agents, namely external insiders, who are not subject to the internal control of an organization but yet have some access privileges to its resources that normal outsiders do not have. Protection against external insiders requires security agreements between organizations in an extended enterprise. Currently, there is no practical method that allows security officers to specify such requirements. In this paper we provide a method for modeling an extended enterprise architecture, identifying external insider roles, and for specifying security requirements that mitigate security threats posed by these roles. We illustrate our method with a realistic example.

    EDI control : management and audit issues


    Heartland Payment Systems: lessons learned from a data breach

    On August 13, 2009, the Payment Cards Center hosted a workshop examining the changing nature of data security in consumer electronic payments. The center invited the chairman and CEO of Heartland Payment Systems (HPS or Heartland), Robert (Bob) Carr, to lead this discussion and to share his experiences stemming from the data breach at his company in late 2008 and, as important, to discuss lessons learned as a result of this event. The former director of the Payment Cards Center, Peter Burns, who is acting as a senior payments advisor to HPS, also joined the discussion to outline Heartland's post-breach efforts aimed at improving information sharing and data security within the consumer payments industry. In conclusion, Carr introduced several technology solutions that are under discussion in payment security circles as ways to better secure payment card data as they move among the different parties in the card payment systems: end-to-end encryption, tokenization, and chip technology. While HPS has been very supportive of end-to-end encryption, each of these alternatives offers its own set of advantages and disadvantages.
    Keywords: Payment systems; Data protection; Electronic commerce

    Audit implications of EDI; Auditing procedure study;


    Electronic Medical Records: Great Idea Or Great Threat To Privacy?

    The practice of storing health care records in electronic format, rather than the traditional paper, is becoming increasingly popular, especially since the advent of legislation that provided a framework for transmission of these data and encouragement to convert. However, this process is not without challenges and there are significant concerns over how to maintain the security of these data. On one hand, EMRs are expected to increase efficiency and provide cost savings. On the other hand, they increase the risk to privacy. This paper discusses both the risks and benefits of EMRs in the current legal framework in order for us to gain a better understanding of these systems. Awareness of the risks will help in building more secure EMRs which may be mandated in most countries.

    E-Commerce Audit Judgment Expertise: Does Expertise in System Change Management and Information Technology Auditing Mediate E-Commerce Audit Judgment Expertise?

    A global survey of 203 E-commerce auditors was conducted to investigate the perceptions about the potential determinants of expertise in E-commerce audits. We hypothesize and find evidence indicating that information technology and communication expertise are positively related to expertise in E-commerce audit judgment. We also find that system change management expertise and information technology audit expertise mediate this relationship.
    Keywords: E-commerce Audit Judgment, IT Audit, Structural Equations Modeling

    Information security


    Accounting for collaborative supply chain relationships : issues and strategies

    The purpose of this discussion paper is to explore the contemporary business model that has arisen with the advent of B2B e-commerce systems in order to better understand the improvements needed in the financial reporting model. The contemporary business model has relegated the enterprise-centric view of corporate competition and the current financial reporting model to insignificance in many instances. Rather, today’s business environment is one dominated by competition between supply chains with an organization’s success ultimately hinging on the viability and success of its supply chain partners as much as, or more than, enterprise-centric policies and decisions. As a result, these highly integrative systems connect supply chain partners in a manner that is more tightly coupled than most consolidated entities. Still, the current financial reporting model fails to even minimally capture the complexity of this new reality. This discussion paper provides the foundation for elaborating on a detailed discussion of how this business model could be more accurately captured through an enhanced business reporting model.