Audit-based compliance control

J.G. Cederquist, R.J. Corin, M.A.C. Dekker, S. Etalle, J.I. Hartog, den, G. Lenzini

    Research output: Contribution to journalArticleAcademicpeer-review

    48 Citations (Scopus)

    Abstract

    In this paper we introduce a new framework for controlling compliance to discretionary access control policies [Cederquist et al. in Proceedings of the International Workshop on Policies for Distributed Systems and Networks (POLICY), 2005; Corin et al. in Proceedings of the IFIP Workshop on Formal Aspects in Security and Trust (FAST), 2004]. The framework consists of a simple policy language, modeling ownership of data and administrative policies. Users can create documents, and authorize others to process the documents. To control compliance to the document policies, we define a formal audit procedure by which users may be audited and asked to justify that an action was in compliance with a policy. In this paper we focus on the implementation of our framework. We present a formal proof system, which was only informally described in earlier work. We derive an important tractability result (a cut-elimination theorem), and we use this result to implement a proof-finder, a key component in this framework. We argue that in a number of settings, such as collaborative work environments, where a small group of users create and manage document in a decentralized way, our framework is a more flexible approach for controlling the compliance to policies.
    LanguageEnglish
    Pages133-151
    JournalInternational Journal of Information Security
    Volume6
    Issue number2-3
    DOIs
    StatePublished - 2007

    Fingerprint

    Compliance control
    Access control
    Compliance

    Cite this

    Cederquist, J. G., Corin, R. J., Dekker, M. A. C., Etalle, S., Hartog, den, J. I., & Lenzini, G. (2007). Audit-based compliance control. International Journal of Information Security, 6(2-3), 133-151. DOI: 10.1007/s10207-007-0017-y
    Cederquist, J.G. ; Corin, R.J. ; Dekker, M.A.C. ; Etalle, S. ; Hartog, den, J.I. ; Lenzini, G./ Audit-based compliance control. In: International Journal of Information Security. 2007 ; Vol. 6, No. 2-3. pp. 133-151
    @article{88a01e25f63a45329c3cf18c96d6ba8e,
    title = "Audit-based compliance control",
    abstract = "In this paper we introduce a new framework for controlling compliance to discretionary access control policies [Cederquist et al. in Proceedings of the International Workshop on Policies for Distributed Systems and Networks (POLICY), 2005; Corin et al. in Proceedings of the IFIP Workshop on Formal Aspects in Security and Trust (FAST), 2004]. The framework consists of a simple policy language, modeling ownership of data and administrative policies. Users can create documents, and authorize others to process the documents. To control compliance to the document policies, we define a formal audit procedure by which users may be audited and asked to justify that an action was in compliance with a policy. In this paper we focus on the implementation of our framework. We present a formal proof system, which was only informally described in earlier work. We derive an important tractability result (a cut-elimination theorem), and we use this result to implement a proof-finder, a key component in this framework. We argue that in a number of settings, such as collaborative work environments, where a small group of users create and manage document in a decentralized way, our framework is a more flexible approach for controlling the compliance to policies.",
    author = "J.G. Cederquist and R.J. Corin and M.A.C. Dekker and S. Etalle and {Hartog, den}, J.I. and G. Lenzini",
    year = "2007",
    doi = "10.1007/s10207-007-0017-y",
    language = "English",
    volume = "6",
    pages = "133--151",
    journal = "International Journal of Information Security",
    issn = "1615-5262",
    publisher = "Springer",
    number = "2-3",

    }

    Cederquist, JG, Corin, RJ, Dekker, MAC, Etalle, S, Hartog, den, JI & Lenzini, G 2007, 'Audit-based compliance control' International Journal of Information Security, vol. 6, no. 2-3, pp. 133-151. DOI: 10.1007/s10207-007-0017-y

    Audit-based compliance control. / Cederquist, J.G.; Corin, R.J.; Dekker, M.A.C.; Etalle, S.; Hartog, den, J.I.; Lenzini, G.

    In: International Journal of Information Security, Vol. 6, No. 2-3, 2007, p. 133-151.

    Research output: Contribution to journalArticleAcademicpeer-review

    TY - JOUR

    T1 - Audit-based compliance control

    AU - Cederquist,J.G.

    AU - Corin,R.J.

    AU - Dekker,M.A.C.

    AU - Etalle,S.

    AU - Hartog, den,J.I.

    AU - Lenzini,G.

    PY - 2007

    Y1 - 2007

    N2 - In this paper we introduce a new framework for controlling compliance to discretionary access control policies [Cederquist et al. in Proceedings of the International Workshop on Policies for Distributed Systems and Networks (POLICY), 2005; Corin et al. in Proceedings of the IFIP Workshop on Formal Aspects in Security and Trust (FAST), 2004]. The framework consists of a simple policy language, modeling ownership of data and administrative policies. Users can create documents, and authorize others to process the documents. To control compliance to the document policies, we define a formal audit procedure by which users may be audited and asked to justify that an action was in compliance with a policy. In this paper we focus on the implementation of our framework. We present a formal proof system, which was only informally described in earlier work. We derive an important tractability result (a cut-elimination theorem), and we use this result to implement a proof-finder, a key component in this framework. We argue that in a number of settings, such as collaborative work environments, where a small group of users create and manage document in a decentralized way, our framework is a more flexible approach for controlling the compliance to policies.

    AB - In this paper we introduce a new framework for controlling compliance to discretionary access control policies [Cederquist et al. in Proceedings of the International Workshop on Policies for Distributed Systems and Networks (POLICY), 2005; Corin et al. in Proceedings of the IFIP Workshop on Formal Aspects in Security and Trust (FAST), 2004]. The framework consists of a simple policy language, modeling ownership of data and administrative policies. Users can create documents, and authorize others to process the documents. To control compliance to the document policies, we define a formal audit procedure by which users may be audited and asked to justify that an action was in compliance with a policy. In this paper we focus on the implementation of our framework. We present a formal proof system, which was only informally described in earlier work. We derive an important tractability result (a cut-elimination theorem), and we use this result to implement a proof-finder, a key component in this framework. We argue that in a number of settings, such as collaborative work environments, where a small group of users create and manage document in a decentralized way, our framework is a more flexible approach for controlling the compliance to policies.

    U2 - 10.1007/s10207-007-0017-y

    DO - 10.1007/s10207-007-0017-y

    M3 - Article

    VL - 6

    SP - 133

    EP - 151

    JO - International Journal of Information Security

    T2 - International Journal of Information Security

    JF - International Journal of Information Security

    SN - 1615-5262

    IS - 2-3

    ER -

    Cederquist JG, Corin RJ, Dekker MAC, Etalle S, Hartog, den JI, Lenzini G. Audit-based compliance control. International Journal of Information Security. 2007;6(2-3):133-151. Available from, DOI: 10.1007/s10207-007-0017-y