Accounting Information System, Critical Review of Karim’s 2014 Approach

This paper provides a critical review of V.R. Karimi, D.D. Cowan, and P.S.C. Alencar, 2014, ‘An approach to correctness of security and operational business policies,' International Journal of Accounting Information Systems, ACCINF-00330, No of Pages 12. In this journal article, Karimi, Cowan, and Alencar suggested a new approach that can be used in operational and security policies in the business. The approach provided here can also be used to verify the correctness of operational and security policies with respect to a given set of properties. They propose a method that constructs definition of business operational and security rules based on REA business modeling language. This method is designed to use state machines to combine policy sets and policies automatically once the rules have been created. I find this new method to be very essential because it provides disciplined and systematic approaches that can be used in developing real world software systems for accounting purposes. In addition, this method has a higher potential of benefiting modern organizations in several ways.

Verification of temporal-epistemic properties of access control systems

Verification of access control systems against vulnerabilities has always been a challenging problem in the world of computer security. The complication of security policies in large- scale multi-agent systems increases the possible existence of vulnerabilities as a result of mistakes in policy definition. This thesis explores automated methods in order to verify temporal and epistemic properties of access control systems. While temporal property verification can reveal a considerable number of security holes, verification of epistemic properties in multi-agent systems enable us to infer about agents' knowledge in the system and hence, to detect unauthorized information flow. This thesis first presents a framework for knowledge-based verification of dynamic access control policies. This framework models a coalition-based system, which evaluates if a property or a goal can be achieved by a coalition of agents restricted by a set of permissions defined in the policy. Knowledge is restricted to the information that agents can acquire by reading system information in order to increase time and memory efficiency. The framework has its own model-checking method and is implemented in Java and released as an open source tool named \char{cmmi10}{0x50}\char{cmmi10}{0x6f}\char{cmmi10}{0x6c}\char{cmmi10}{0x69}\char{cmmi10}{0x56}\char{cmmi10}{0x65}\char{cmmi10}{0x72}. In order to detect information leakage as a result of reasoning, the second part of this thesis presents a complimentary technique that evaluates access control policies over temporal-epistemic properties where the knowledge is gained by reasoning. We will demonstrate several case studies for a subset of properties that deal with reasoning about knowledge. To increase the efficiency, we develop an automated abstraction refinement technique for evaluating temporal-epistemic properties. For the last part of the thesis, we develop a sound and complete algorithm in order to identify information leakage in Datalog-based trust management systems

A System For Visual Role-Based Policy Modelling

The definition of security policies in information systems and programming applications is often accomplished through traditional low level languages that are difficult to use. This is a remarkable drawback if we consider that security policies are often specified and maintained by top level enterprise managers who would probably prefer to use simplified, metaphor oriented policy management tools. To support all the different kinds of users we propose a suite of visual languages to specify access and security policies according to the role based access control (RBAC) model. Moreover, a system implementing the proposed visual languages is proposed. The system provides a set of tools to enable a user to visually edit security policies and to successively translate them into (eXtensible Access Control Markup Language) code, which can be managed by a Policy Based Management System supporting such policy language. The system and the visual approach have been assessed by means of usability studies and of several case studies. The one presented in this paper regards the configuration of access policies for a multimedia content management platform providing video streaming services also accessible through mobile devices

Geospatial Informational Security Risks and Concerns of the U.S. Air Force GeoBase Program

Technological advancements such as Geospatial Information Systems (GIS) and the Internet have made it easier and affordable to share information, which enables complex and time sensitive decisions to be made with higher confidence. Further, advancements in information technology have dramatically increased the ability to store, manage, integrate, and correlate larger amounts of data to improve operational efficiency. However, the same technologies that enable increased productivity also provide increased capabilities to those wishing to do harm. Today’s military leaders are faced with the challenge of deciding how to make geospatial information collected on military installations and organizations available to authorized communities of interest while simultaneously restricting access to protect operational security. Often, these decisions are made without understanding how the sharing of certain combinations of data may pose a significant risk to protecting critical information, infrastructure or resources. Information security has been an area of growing concern in the GeoBase community since, by definition, it is required to strike a balance between competing interests, each supported by federal policy: (1) the availability of data paid for by tax dollars and (2) the protection of data as required to mitigate risks. In this research we will explore the security implications of the US Air Force GeoBase (the US Air Force’s applied Geospatial Information System) program. We examine the rapid expansion of the use of GeoBase to communities outside of the civil engineering field; examine the intrinsic and extrinsic security risks of the unconstrained sharing of geospatial information; explore difficulties encountered when attempting to rate the sensitivity of information, discuss new policies and procedures that have been implemented undertaken to protect the information, and propose technical and managerial control measures to facilitate sharing geospatial information sharing while minimizing the associated operational risks

SWYSWYK: A Privacy-by-Design Paradigm for Personal Information Management Systems

Pushed by recent legislation and smart disclosure initiatives, Personal Information Management Systems (PIMS) emerge and hold the promise of giving the control back to the individual on her data. However, this shift leaves the privacy and security issues in user\u27s hands, a role that few people can properly endorse. Indeed, existing sharing models are difficult to administrate and securing their implementation in user\u27s computing environment is an unresolved challenge. This paper advocates the definition of a Privacy-by-Design sharing paradigm, called SWYSWYK (Share What You See with Who You Know), dedicated to the PIMS context. This paradigm allows each user to physically visualize the net effects of sharing rules on her PIMS and automatically provides tangible guarantees about the enforcement of the defined sharing policies. Finally, we demonstrate the practicality of the approach through a performance evaluation conducted on a real PIMS platform

Complexity and Unwinding for Intransitive Noninterference

The paper considers several definitions of information flow security for intransitive policies from the point of view of the complexity of verifying whether a finite-state system is secure. The results are as follows. Checking (i) P-security (Goguen and Meseguer), (ii) IP-security (Haigh and Young), and (iii) TA-security (van der Meyden) are all in PTIME, while checking TO-security (van der Meyden) is undecidable, as is checking ITO-security (van der Meyden). The most important ingredients in the proofs of the PTIME upper bounds are new characterizations of the respective security notions, which also lead to new unwinding proof techniques that are shown to be sound and complete for these notions of security, and enable the algorithms to return simple counter-examples demonstrating insecurity. Our results for IP-security improve a previous doubly exponential bound of Hadj-Alouane et al