3,032 research outputs found

    A Design of MAC Model Based on the Separation of Duties and Data Coloring: DSDC-MAC

    Among the access control methods for database security is the Mandatory Access Control (MAC) model, in which a security level is assigned to both the subject and the object to enhance security control. Legacy MAC models have focused on only one thing, either confidentiality or integrity. Thus, supporting confidentiality and integrity simultaneously can cause collisions between security policies. In addition, they do not provide a granular security class policy for subjects and objects in terms of subjects' roles or tasks. In this paper, we present the security policies of the Bell-LaPadula (BLP) model and the Biba model as one complemented policy. In addition, the Duties Separation and Data Coloring (DSDC)-MAC model, which applies a new data coloring security method, is proposed to enable granular access control from the viewpoint of Segregation of Duty (SoD). The case study demonstrated that the proposed modeling work maintains its practicality through the design of a Human Resources Management System. The model proposed in this study is suitable for organizations such as military forces or intelligence agencies, where confidential information should be carefully handled. Furthermore, this model is expected to protect systems against malicious insiders and improve the confidentiality and integrity of data.

    Intercom 1996 February 19

    Sam Donaldson Featured in Lecture Series, In The Spotlight, Faculty Participate in Panel Discussion, Granville Earns Lifetime Award, Rick Assessment: Separation of Duties, Faculty to Present Research Feb. 29

    Separable and anonymous identity-based key issuing

    In identity-based (ID-based) cryptosystems, a local registration authority (LRA) is responsible for authenticating users, while the key generation center (KGC) is responsible for computing the private keys and sending them to users; therefore, a secure channel is required. For privacy-oriented applications, it is important to keep secret whether the private key corresponding to a certain identity has been requested. None of the existing ID-based key issuing schemes has addressed this anonymity issue. Moreover, the separation of duties between the LRA and the KGC has not been discussed. We propose a novel separable and anonymous ID-based key issuing scheme without a secure channel. Our protocol supports the separation of duties between the LRA and the KGC. The private key computed by the KGC can be sent to the user in encrypted form such that only the legitimate key requester authenticated by the LRA can decrypt it, and no eavesdropper can learn the identity corresponding to the secret key. © 2005 IEEE.

    Information Security Policy in an Automated System

    An information security policy addresses many issues such as the following: disclosure, integrity, and availability concerns; who may access what information in what manner; the basis on which the access decision is made; maximized sharing versus least privilege; separation of duties; who controls and who owns the information; and authority issues.

    Security-sensitive tackling of obstructed workflow executions

    Imposing access control onto workflows considerably reduces the set of users authorized to execute the workflow tasks. Further constraints (e.g. Separation of Duties) as well as unexpected unavailability of users may finally obstruct the successful workflow execution. To still complete the execution of an obstructed workflow, we envisage a hybrid approach. If a log is provided, we partition its traces into “successful” and “obstructed” ones by analysing the given workflow and its authorizations. An obstruction should then be solved by finding its nearest match from the list of successful traces. If no log is provided, we flatten the workflow and its authorizations into a Petri net and encode the obstruction with a corresponding “obstruction marking”. The structural theory of Petri nets shall then be tweaked to provide a minimized Parikh vector that may violate given firing rules but nevertheless reaches a complete marking and thereby completes the workflow.

    Lessons from Health Care Fraud Cases: Implications for Management of Health Care Entities

    Fraud has been a major issue throughout the health care industry. There have been many cases around the world relating to health care fraud. There are now several laws that try to reduce the amount of health care fraud, but more changes could and should be made to reduce it even more. Four different cases that have occurred within the health care industry have been analyzed in this project. It looks at the positives and negatives of each company’s internal control structure and provides suggestions for how to improve these internal controls to prevent fraud from reoccurring in the health care industry. It also gives examples of other requirements that can be put in place in order to reduce the amount of fraud that occurs. Fraud is very common within the health care industry due to weaknesses within the companies’ internal control systems, and many improvements should be made in order to prevent fraud from continuing to occur in the future.

    ANALYSIS OF THE ACCOUNTING INFORMATION SYSTEM FOR THE PAYROLL CYCLE AT PT “X” IN SURABAYA

    This research describes the implementation of the payroll system at PT X. The purpose of this research is to understand the procedures of the payroll system and to compare them with the theory of accounting information systems for payroll. This research uses a qualitative method with a descriptive qualitative research approach. The results indicate that the payroll system has been well implemented, as shown by the separation of duties, the authorization of transactions, and the responsibilities of each department. However, an additional general ledger department is needed, because it can help the company record the payroll transaction process. Keywords: Accounting Information Systems, Payroll System

    Auditor configural information processing in control risk appraisal / 1585

    Includes bibliographical references (p. 30-33)