On Properties of Policy-Based Specifications

The advent of large-scale, complex computing systems has dramatically increased the difficulties of securing accesses to systems' resources. To ensure confidentiality and integrity, the exploitation of access control mechanisms has thus become a crucial issue in the design of modern computing systems. Among the different access control approaches proposed in the last decades, the policy-based one permits to capture, by resorting to the concept of attribute, all systems' security-relevant information and to be, at the same time, sufficiently flexible and expressive to represent the other approaches. In this paper, we move a step further to understand the effectiveness of policy-based specifications by studying how they permit to enforce traditional security properties. To support system designers in developing and maintaining policy-based specifications, we formalise also some relevant properties regarding the structure of policies. By means of a case study from the banking domain, we present real instances of such properties and outline an approach towards their automatised verification.Comment: In Proceedings WWV 2015, arXiv:1508.0338

Are Existing Security Models Suitable for Teleworking?

The availability of high performance broadband services from the home will allow a growing number of organisations to offer teleworking as an employee work practice. Teleworking delivers cost savings, improved productivity and provides a recruitment policy to attract and retain personnel. Information security is one of the management considerations necessary before an effective organisational teleworking policy can be implemented. The teleworking computing environment presents a different set of security threats to those present in an office environment. Teleworking requires a security model to provide security policy enforcement to counter the set of security threats present in the teleworking computing environment. This paper considers four existing security models and assesses each model’s suitability to define security policy enforcement for telework. The approach taken is to identify the information security threats that exist in a teleworking environment and to categorise the threats based upon their impact upon confidentiality of data, system and data integrity, and availability of service in the teleworking environment. It is found that risks exist to the confidentiality, integrity and availability of information in a teleworking environment and therefore a security model is required that provides appropriate policy enforcement. A set of security policy enforcement mechanisms to counter the identified information security threats is proposed. Using an abstraction of the identified threats and the security policy enforcement mechanisms, a set of attributes for a security model for teleworking is proposed. Each of the four existing security models is assessed against this set of attributes to determine its suitability to specify policy enforcement for telework. Although the four existing models were selected based upon their perceived suitability it is found that none provide the required policy enforcement for telework

Ethics in Alternative Dispute Resolution: New Issues, No Answers from the Adversary Conception of Lawyers’ Responsibilities

The romantic days of ADR appear to be over. To the extent that proponents of ADR, like myself, were attracted to it because of its promise of flexibility, adaptability, and creativity, we now see the need for ethics, standards of practice and rules as potentially limiting and containing the promise of alternatives to rigid adversarial modes of dispute resolution. It is almost as if we thought that anyone who would engage in ADR must of necessity be a moral, good, creative, and, of course, ethical person. That we are here today is deeply ironic and yet, also necessary, as appropriate dispute resolution struggles to define itself and insure its legitimacy against a variety of theoretical and practical challenges

Auditor Independence-Its Importance to the External Auditor's Role in Banking Regulation and Supervision

The role of the external auditor in the supervisory process requires standards such as independence,objectivity and integrity to be achieved. Even though the regulator and external auditor perform similar functions, namely the verification of financial statements, they serve particular interests. The regulator works towards safeguarding financial stability and investor interests. On the other hand, the external auditor serves the private interests of the shareholders of a company. The financial audit remains an important aspect of corporate governance that makes management accountable to shareholders for its stewardship of a company2. The external auditor may however, have a commercial interest too. The debate surrounding the role of external auditors focusses in particular on auditor independence. A survey by the magazine “Financial Director” shows that the fees derived from audit clients in terms of non-audit services are significant in comparison with fees generated through auditing.3 Accounting firms sometimes engage in a practice called “low balling” whereby they set audit fees at less than the market rate and make up for the deficit by providing non audit services. As a result, some audit firms have commercial interests to protect too. There is concern that the auditor's interests to protect shareholders of a company and his commercial interests do not conflict with each other. Sufficient measures need to be in place to ensure that the external auditor's independence is not affected. Brussels proposed a new directive for auditors to try to prevent further scandals such as those of Enron and Parmalat.4 The new directive states that all firms listed on the stock market must have independent audit committees which will recommend an auditor for shareholder approval.5 It also states that auditors or audit partners must be rotated but does not mention the separation of auditors from consultancy work despite protests that there is a link to compromising the independence of auditors.6 However this may be because Brussels also shares the view that there is no evidence confirming correlation between levels of non-audit fees and audit failures and that as a result, sufficient safeguards are in place.7 This paper aims to consider the importance of auditor independence in the external auditor's role in banking regulation and supervision. In doing so, it also considers factors which may threaten independence and efforts which have been introduced to act as safeguards to the auditor's independence. It will also support the claim that auditor independence is indeed central to the auditor's role in banking regulation and supervision