This paper introduces a security design method for information exchange in organisations. The method supports security authorities in the design of individual security models. An individual security model is a fully customised specification of access control information for information exchange within a particular business environment. We introduce transaction-based business process models (BPMs) and utilise these models to specify need-to-know authorisations. Therefore, we allocate information from BPMs which can be transformed to access control information and derive a specification of an organisation's individual security model. Our method provides transparency of security design because a security model is directly related to the business. Moreover, security effort and costs will be reduced because BPMs must not be specified for security reasons. BPMs are a result of management activities and are therefore existing resources from a security point of view.
Information misuse is one of the major risks for information systems in organisations. Traditional approaches for authorisation and access control are insufficient because information misuse is primarily done by authorised people. These people have the opportunity to access information even for unintended purposes. Role-based access controls address this problem because access rights can be related to context descriptions (roles) and therefore need-to-know access controls can be established. Need-to-know access controls define roles according to tasks in an organisation which represent intended purposes for information usage. Nonetheless, existing approaches for role-based access controls do not ensure context authenticity during system operation, i.e. correspondence between activated roles and tasks within an organisation's actual business. Context authenticity must be ensured when a user activates a role or requests context-related access to a particular object. Therefore, a context authentication service must be integrated with role-based access controls. In this paper we describe the functionality and service components of a context authentication service called CARDS (Context Authentication Service for Role Based Access Control in Distributed Systems).
Security requirements are a fundamental ingredient for an information system's quality. Despite their importance, security requirements play the role of a "stepchild" in software engineering. If considered at all, they cover the technical dimension of information systems, i.e. the electronic part of information processing. This view is insufficient to deal with the requirements of the "real world", i.e. the organisational practice. It is not just the technical criteria which are decisive in specifying security requirements. We have extended these criteria to incorporate the social and the economic dimension of information exchange in organisations. We will illustrate this extension of traditional approaches in a comprehensive security framework and we will demonstrate the interaction of the additional security criteria with traditional approaches.