ReMoLa: Responsibility Model Language to Align
Access Rights with Business Process Requirements
Christophe Feltus, Michaël Petit, Eric Dubois
Fifth IEEE International Conference on Research Challenges in Information
Science, May 19-21 2011, Guadeloupe - French West Indies, France
Motivation
- Governance requirements
  - 1st statement: the responsibility of the employees involved in the processes must be strictly defined and correctly assigned to the employee:
    - in ISO/IEC 38500:2008 – Corporate governance of ICT
    - in the Sarbanes-Oxley Act – Title III, Corporate responsibility
    - in Basel II – Responsibility of the board of directors
  - 2nd statement: one of the requirements is to have access rights strictly aligned with the business process
    - ISO 27000, CobiT, etc.
- Aligning access rights with business processes (BP)
Outline
- Responsibility model
  - Presentation of the main concepts of the model
  - Links between these concepts
- Alignment method
  - Presentation of the method
  - Definition of the responsibilities, assignment of the responsibilities, provisioning of the access rights
- Proof-of-concept
  - Analysis of the System Acceptance process from ISO/IEC 27002:2005, Code of practice for information security management
  - Definition of the responsibilities
- Conclusions and future work
Presentation of the Responsibility model
- Elaboration of the model
  - Core concepts: employee, right, obligation, commitment
Presentation of the Responsibility model
- 4 types of obligation
  - In order to refine the model, we use the CobiT RACI chart, which describes 4 types of obligation:
    - Responsible: an employee who performs a task
    - Accountable: an employee who directs the task and gives the authorizations
    - Consulted: an employee whose advice is needed for the task to be done
    - Informed: an employee who is informed of the achievement of a task
Presentation of the Responsibility model
(Figure: the responsibility model specialised for the four obligation types: Responsible, Accountable, Consulted, Informed)
Presentation of the Alignment method
- Our approach
  - 2 layers (Business/Technical) and 2 levels (Language/Instantiation)
- Method:
  - Step 1: definition of the responsibilities from the business layer
  - Step 2: assignment of the responsibilities to employees
  - Step 3: access rights (AR) provisioning
Presentation of the Alignment method
- Mapping BP / ReMoLa in order to elaborate the responsibilities
  - Instantiation of Task/Obligation, Accountabilities, Right
(Figure: Steps 1 and 2 of the method; the business process, taken e.g. from CobiT or ISO 15504, is mapped onto ReMoLa and the responsibilities are instantiated as Task/Obligation, Accountabilities and Right)
Presentation of the Alignment method
(Figure: Step 3, the actors involved in assigning the responsibilities and provisioning the access rights: BP owner, responsibility delegator, employee, employee's manager, RBAC administrator, HR)
Presentation of the Alignment method
- Mapping of ReMoLa with one access control (AC) model
  - Role Based Access Control (RBAC)
    - Simplifies the management of granting permissions to users
    - 3 main elements: User, Role and Permission
    - 2 main functions: user-role assignment (URA) and permission-role assignment (PRA)
Presentation of the Alignment method
- If the RBAC Role is a type of responsibility, an employee assigned to that responsibility gets the permissions needed by that responsibility, and only those.
- If instead the RBAC Role is a business role, an employee assigned to that role is not necessarily responsible for all the tasks of the role, so he receives too many permissions.
Proof-of-concept : System Acceptance
- Audit of the employees' access rights for the process System Acceptance
- Audit observations:
  - 5 employees, each with a set of rights and assigned to a business role
  - Are these rights strictly necessary for the employees?

Employees and their rights:
- Carla: access to all
- Alice:
  - Access to the list of requirements
  - Access to migration priorities
  - Allowed to participate in migration meetings
  - Access to the migration risks
  - Access to the operational efficiency requirements list
- Emma:
  - Access to migration priorities
  - Allowed to participate in migration meetings
  - Access to the migration risk analysis
- Denis:
  - Access to the preparation template
  - Access to the testing template
  - Access to the training support
  - Time to participate in training
  - Access to the system manual
  - Access to the set of security controls in place
  - Access to the list of errors
- Bob: access to the test results

Employees and their business roles:
- Carla: Chief information officer
- Alice: Employee assigned to the System Acceptance process
- Emma: System Acceptance process manager
- Denis: Project leader
- Bob: System architect
Proof-of-concept : System Acceptance
- Definition of the responsibilities
  - Identification of the tasks that compose System Acceptance
  - Based on the semantics of each task, an association with a RACI obligation is possible.
  - Based on the type of obligation, the corresponding specialised responsibility model can be taken into consideration
  - e.g. Alice needs access rights and a commitment, is answerable, …

Tasks and their obligation:
- Ensure that the requirements and criteria for acceptance of new systems are clearly defined, agreed, documented, and tested: R
- Provide acceptance for the migration of new information systems, upgrades, and new versions: A (responsibility of Alice)
- Ensure the operational efficiency of the proposed system design: C
- Preparation and testing of routine operating procedures to defined standards: R
- Training in the operation or use of new systems: I
- Agreed set of security controls in place: A
- Appropriate tests should be carried out to confirm that all acceptance criteria have been fully satisfied: R
- Consider error recovery and restart procedures, and contingency plans: R
Proof-of-concept : System Acceptance
- Right to task association
  - In most business frameworks, and in ISO 27002 as well, rights are not explicitly described.
  - A fine-grained analysis is needed to engineer the rights required to perform a task.

Tasks and the rights they require:
- Ensure that the requirements and criteria for acceptance of new systems are clearly defined, agreed, documented, and tested:
  - Access to the list of requirements
  - Access to the agreement documentation
  - Access to the test results
- Provide acceptance for the migration of new information systems, upgrades, and new versions:
  - Access to migration priorities
  - Access to migration meetings
  - Access to the migration risk analysis
- Ensure the operational efficiency of the proposed system design:
  - Access to the operational efficiency requirements list
- Preparation and testing of routine operating procedures to defined standards:
  - Access to the preparation template
  - Access to the testing template
- Training in the operation or use of new systems:
  - Access to the training support
  - Time to participate in training
  - Access to the system manual
- Agreed set of security controls in place:
  - Access to the set of security controls in place
- Appropriate tests should be carried out to confirm that all acceptance criteria have been fully satisfied:
  - No access required
- Consider error recovery and restart procedures, and contingency plans:
  - Access to the list of errors
Proof-of-concept : System Acceptance
- Audit conclusions
  - Observation: Alice is an employee assigned to the System Acceptance process, and because of her business role she gets access to:
    - the list of requirements,
    - migration priorities,
    - participation in migration meetings,
    - the migration risks,
    - the operational efficiency requirements list.
  - Using ReMoLa: Alice is responsible for providing acceptance for the migration of new information systems, upgrades, and new versions, and needs only the following rights:
    - access to migration priorities,
    - participation in migration meetings,
    - access to the migration risks.
  - The two other rights granted through her business role are not needed for her responsibility.
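The RBAC mapping presented in the alignment method (User, Role and Permission with URA and PRA; role as responsibility versus role as business role) and the audit of Alice's rights above can be replayed in code. The following Python block is an added example written for this page; it is not code from the paper or from ReMoLa. It models URA and PRA, encodes the task-to-obligation and task-to-right tables of the proof-of-concept, provisions Alice once through her business role and once through her responsibility for the migration acceptance task, and reports the excess and missing rights. The class and function names and the normalised right identifiers are the example's own assumptions.

```python
"""Added example, not code from the paper or ReMoLa: RBAC provisioning by business
role versus by responsibility, replayed on the System Acceptance audit of Alice.
Task, obligation, role and right names follow the slides; the classes, functions
and normalised right identifiers are this example's own choices."""
from dataclasses import dataclass, field


@dataclass
class Rbac:
    """RBAC as on the slides: User, Role, Permission, with URA and PRA as relations."""
    pra: dict = field(default_factory=dict)  # permission-role assignment: role -> {permission}
    ura: dict = field(default_factory=dict)  # user-role assignment: user -> {role}

    def assign_permission(self, role: str, permission: str) -> None:
        self.pra.setdefault(role, set()).add(permission)

    def assign_role(self, user: str, role: str) -> None:
        self.ura.setdefault(user, set()).add(role)

    def effective_permissions(self, user: str) -> set:
        """Union of the permissions of every role the user holds."""
        return set().union(*(self.pra.get(r, set()) for r in self.ura.get(user, set())))


@dataclass(frozen=True)
class Task:
    """ReMoLa side: a task carries a RACI obligation and the rights needed to perform it."""
    name: str
    obligation: str  # R, A, C or I
    rights: frozenset


# Task -> obligation and task -> rights tables of the proof-of-concept. Right names are
# normalised so that the audit's "Allow participating in migration meetings" and the
# task table's "Access to migration meetings" denote the same permission.
SYSTEM_ACCEPTANCE_TASKS = [
    Task("Ensure acceptance requirements and criteria are defined, agreed, documented, tested",
         "R", frozenset({"list of requirements", "agreement documentation", "test results"})),
    Task("Provide acceptance for the migration of new systems, upgrades and new versions",
         "A", frozenset({"migration priorities", "migration meetings", "migration risk analysis"})),
    Task("Ensure the operational efficiency of the proposed system design",
         "C", frozenset({"operational efficiency requirements list"})),
    Task("Preparation and testing of routine operating procedures to defined standards",
         "R", frozenset({"preparation template", "testing template"})),
    Task("Training in the operation or use of new systems",
         "I", frozenset({"training support", "time to participate in training", "system manual"})),
    Task("Agreed set of security controls in place",
         "A", frozenset({"set of security controls in place"})),
    Task("Tests confirming that all acceptance criteria have been satisfied", "R", frozenset()),
    Task("Error recovery and restart procedures, and contingency plans",
         "R", frozenset({"list of errors"})),
]

# Rights Alice holds in the audit, granted through her business role.
ALICE_BUSINESS_ROLE = "Employee assigned to the System Acceptance process"
ALICE_AUDITED_RIGHTS = {"list of requirements", "migration priorities", "migration meetings",
                        "migration risk analysis", "operational efficiency requirements list"}


def task_by_name(prefix: str) -> Task:
    """Look up a task of the table by the start of its name (must be unique)."""
    matches = [t for t in SYSTEM_ACCEPTANCE_TASKS if t.name.startswith(prefix)]
    if len(matches) != 1:
        raise KeyError(prefix)
    return matches[0]


def provision_by_business_role(rbac: Rbac, user: str, role: str, rights: set) -> None:
    """RBAC role = business role: everyone in the role gets every right the role carries."""
    for r in rights:
        rbac.assign_permission(role, r)
    rbac.assign_role(user, role)


def provision_by_responsibility(rbac: Rbac, user: str, tasks: list) -> None:
    """RBAC role = responsibility: one role per task, carrying exactly the rights that the
    right-to-task analysis identified for that task."""
    for t in tasks:
        role = f"resp:{t.obligation}:{t.name}"
        for r in t.rights:
            rbac.assign_permission(role, r)
        rbac.assign_role(user, role)


def audit(rbac: Rbac, user: str, responsibilities: list) -> dict:
    """Compare what the user holds with what the assigned responsibilities require: 'excess'
    is the over-provisioning the alignment removes, 'missing' blocks an assigned task."""
    required = set().union(*(t.rights for t in responsibilities))
    granted = rbac.effective_permissions(user)
    return {"required": required, "granted": granted,
            "excess": granted - required, "missing": required - granted}


def audit_alice() -> tuple:
    """Run the slides' audit both ways; returns (by_business_role, by_responsibility)."""
    alice_resp = [task_by_name("Provide acceptance")]
    as_is = Rbac()
    provision_by_business_role(as_is, "Alice", ALICE_BUSINESS_ROLE, ALICE_AUDITED_RIGHTS)
    to_be = Rbac()
    provision_by_responsibility(to_be, "Alice", alice_resp)
    return audit(as_is, "Alice", alice_resp), audit(to_be, "Alice", alice_resp)


if __name__ == "__main__":
    before, after = audit_alice()
    print("by business role  -> excess:", sorted(before["excess"]))
    print("by responsibility -> excess:", sorted(after["excess"]), "missing:", sorted(after["missing"]))
```

Run as a script, the block reports the two rights that business-role provisioning grants Alice beyond her responsibility (the list of requirements and the operational efficiency requirements list) and an empty excess once the role is built from the responsibility. The same audit function works for any employee once their responsibilities are known, and it also catches the opposite failure, a responsibility whose rights were never provisioned, which shows up under 'missing'.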
Conclusions and future work
- Business need for a better alignment of the employees' responsibilities, from the management frameworks down to the technical rules
- Our approach:
  - Step 1: definition of the responsibilities: business role, activities, tasks, obligations → responsibilities
  - Step 2: responsibility-to-employee assignment
  - Step 3: rights-to-responsibility association
- Future work
  - Complementary validations using case studies: one ongoing and one beginning in June
  - Integration within ArchiMate and other enterprise architecture (EA) languages
Thank you! Questions?

Contenu connexe

En vedette

Patient’s right
Patient’s rightPatient’s right
Patient’s right
Lee Oi Wah
 
Employment Rights & Responsibilities Presentation
Employment Rights & Responsibilities PresentationEmployment Rights & Responsibilities Presentation
Employment Rights & Responsibilities Presentation
dbtraining
 

En vedette (11)

Patients Bill of Rights
Patients Bill of RightsPatients Bill of Rights
Patients Bill of Rights
 
Iasosol- NABH Quality presentation
Iasosol- NABH Quality presentationIasosol- NABH Quality presentation
Iasosol- NABH Quality presentation
 
Legal rights of a patient
Legal rights of a patientLegal rights of a patient
Legal rights of a patient
 
Patient’s right
Patient’s rightPatient’s right
Patient’s right
 
Patients rights and responsibilities
Patients rights and responsibilitiesPatients rights and responsibilities
Patients rights and responsibilities
 
Unit 201 Employee Rights & Responsibilities
Unit 201 Employee Rights & Responsibilities Unit 201 Employee Rights & Responsibilities
Unit 201 Employee Rights & Responsibilities
 
Crispin Porter + Bogusky employee handbook
Crispin Porter + Bogusky employee handbookCrispin Porter + Bogusky employee handbook
Crispin Porter + Bogusky employee handbook
 
Employee Rights
Employee RightsEmployee Rights
Employee Rights
 
Patient rights ppt
Patient rights pptPatient rights ppt
Patient rights ppt
 
rights and legal aspects of disability in India
rights and legal aspects of disability in Indiarights and legal aspects of disability in India
rights and legal aspects of disability in India
 
Employment Rights & Responsibilities Presentation
Employment Rights & Responsibilities PresentationEmployment Rights & Responsibilities Presentation
Employment Rights & Responsibilities Presentation
 

Similaire à ReMoLa: Responsibility Model Language to Align Access Rights with Business Process Requirements

Using Modelling and Simulation for Policy Decision Support in Identity Manage...
Using Modelling and Simulation for Policy Decision Support in Identity Manage...Using Modelling and Simulation for Policy Decision Support in Identity Manage...
Using Modelling and Simulation for Policy Decision Support in Identity Manage...
gueste4e93e3
 
Hilary Martin CV 07 16
Hilary Martin CV 07 16Hilary Martin CV 07 16
Hilary Martin CV 07 16
Hilary Martin
 
Ms – 05 management of machines and materials
Ms – 05 management of machines and materialsMs – 05 management of machines and materials
Ms – 05 management of machines and materials
smumbahelp
 

Similaire à ReMoLa: Responsibility Model Language to Align Access Rights with Business Process Requirements (20)

396849 developing-business-it-solutions
396849 developing-business-it-solutions396849 developing-business-it-solutions
396849 developing-business-it-solutions
 
ITIL V3 Overview
ITIL V3 OverviewITIL V3 Overview
ITIL V3 Overview
 
Unit 4 standards.ppt
Unit 4 standards.pptUnit 4 standards.ppt
Unit 4 standards.ppt
 
System Development Life Cycle
System Development Life CycleSystem Development Life Cycle
System Development Life Cycle
 
Ch 2-RE-process.pptx
Ch 2-RE-process.pptxCh 2-RE-process.pptx
Ch 2-RE-process.pptx
 
Sim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access managementSim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access management
 
Sim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access managementSim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access management
 
Using Modelling and Simulation for Policy Decision Support in Identity Manage...
Using Modelling and Simulation for Policy Decision Support in Identity Manage...Using Modelling and Simulation for Policy Decision Support in Identity Manage...
Using Modelling and Simulation for Policy Decision Support in Identity Manage...
 
Health Informatics- Module 2-Chapter 1.pptx
Health Informatics- Module 2-Chapter 1.pptxHealth Informatics- Module 2-Chapter 1.pptx
Health Informatics- Module 2-Chapter 1.pptx
 
Lean Thinking Inside and Outside a Software Engineering Company (Dave Jackson)
Lean Thinking Inside and Outside a Software Engineering Company (Dave Jackson)Lean Thinking Inside and Outside a Software Engineering Company (Dave Jackson)
Lean Thinking Inside and Outside a Software Engineering Company (Dave Jackson)
 
Hilary Martin CV 07 16
Hilary Martin CV 07 16Hilary Martin CV 07 16
Hilary Martin CV 07 16
 
SAD_SDLC.pptx
SAD_SDLC.pptxSAD_SDLC.pptx
SAD_SDLC.pptx
 
Methodology to align business and it policies use case from an it company
Methodology to align business and it policies   use case from an it companyMethodology to align business and it policies   use case from an it company
Methodology to align business and it policies use case from an it company
 
Methodology to align business and it policies use case from an it company
Methodology to align business and it policies   use case from an it companyMethodology to align business and it policies   use case from an it company
Methodology to align business and it policies use case from an it company
 
Who govern my responsibilities sim a methodology to align business and it pol...
Who govern my responsibilities sim a methodology to align business and it pol...Who govern my responsibilities sim a methodology to align business and it pol...
Who govern my responsibilities sim a methodology to align business and it pol...
 
Are You Ready? Implementing COSO's Updated Internal Controls Framework
Are You Ready? Implementing COSO's Updated Internal Controls FrameworkAre You Ready? Implementing COSO's Updated Internal Controls Framework
Are You Ready? Implementing COSO's Updated Internal Controls Framework
 
Ch14
Ch14Ch14
Ch14
 
Ms – 05 management of machines and materials
Ms – 05 management of machines and materialsMs – 05 management of machines and materials
Ms – 05 management of machines and materials
 
Sdlc
SdlcSdlc
Sdlc
 
Joint workshop on security modeling archimate forum and security forum
Joint workshop on security modeling archimate forum and security forumJoint workshop on security modeling archimate forum and security forum
Joint workshop on security modeling archimate forum and security forum
 

Plus de Luxembourg Institute of Science and Technology

Alignment of remmo with rbac to manage access rights in the frame of enterpri...
Alignment of remmo with rbac to manage access rights in the frame of enterpri...Alignment of remmo with rbac to manage access rights in the frame of enterpri...
Alignment of remmo with rbac to manage access rights in the frame of enterpri...
Luxembourg Institute of Science and Technology
 

Plus de Luxembourg Institute of Science and Technology (20)

Smart-X: an Adaptive Multi-Agent Platform for Smart-Topics
Smart-X: an Adaptive Multi-Agent Platform for Smart-TopicsSmart-X: an Adaptive Multi-Agent Platform for Smart-Topics
Smart-X: an Adaptive Multi-Agent Platform for Smart-Topics
 
Alignment of remmo with rbac to manage access rights in the frame of enterpri...
Alignment of remmo with rbac to manage access rights in the frame of enterpri...Alignment of remmo with rbac to manage access rights in the frame of enterpri...
Alignment of remmo with rbac to manage access rights in the frame of enterpri...
 
Modeling enterprise risk management and secutity with the archi mate language
Modeling enterprise risk management and secutity with the archi mate languageModeling enterprise risk management and secutity with the archi mate language
Modeling enterprise risk management and secutity with the archi mate language
 
Aligning access rights to governance needs with the responsibility meta model...
Aligning access rights to governance needs with the responsibility meta model...Aligning access rights to governance needs with the responsibility meta model...
Aligning access rights to governance needs with the responsibility meta model...
 
Towards an innovative systemic approach of risk management
Towards an innovative systemic approach of risk managementTowards an innovative systemic approach of risk management
Towards an innovative systemic approach of risk management
 
Towards a hl7 based metamodeling integration approach for embracing the priva...
Towards a hl7 based metamodeling integration approach for embracing the priva...Towards a hl7 based metamodeling integration approach for embracing the priva...
Towards a hl7 based metamodeling integration approach for embracing the priva...
 
Solution standard de compensation appliquée à une architecture e business séc...
Solution standard de compensation appliquée à une architecture e business séc...Solution standard de compensation appliquée à une architecture e business séc...
Solution standard de compensation appliquée à une architecture e business séc...
 
Strengthening employee’s responsibility to enhance governance of it – cobit r...
Strengthening employee’s responsibility to enhance governance of it – cobit r...Strengthening employee’s responsibility to enhance governance of it – cobit r...
Strengthening employee’s responsibility to enhance governance of it – cobit r...
 
Service specification and service compliance how to consider the responsibil...
Service specification and service compliance  how to consider the responsibil...Service specification and service compliance  how to consider the responsibil...
Service specification and service compliance how to consider the responsibil...
 
Responsibility aspects in service engineering for e government
Responsibility aspects in service engineering for e governmentResponsibility aspects in service engineering for e government
Responsibility aspects in service engineering for e government
 
Reputation based dynamic responsibility to agent assignement for critical inf...
Reputation based dynamic responsibility to agent assignement for critical inf...Reputation based dynamic responsibility to agent assignement for critical inf...
Reputation based dynamic responsibility to agent assignement for critical inf...
 
Remola responsibility model language to align access rights with business pro...
Remola responsibility model language to align access rights with business pro...Remola responsibility model language to align access rights with business pro...
Remola responsibility model language to align access rights with business pro...
 
Process assessment for use in very small enterprises the noemi assessment met...
Process assessment for use in very small enterprises the noemi assessment met...Process assessment for use in very small enterprises the noemi assessment met...
Process assessment for use in very small enterprises the noemi assessment met...
 
Preliminary literature review of policy engineering methods
Preliminary literature review of policy engineering methodsPreliminary literature review of policy engineering methods
Preliminary literature review of policy engineering methods
 
Organizational security architecture for critical infrastructure
Organizational security architecture for critical infrastructureOrganizational security architecture for critical infrastructure
Organizational security architecture for critical infrastructure
 
Open sst based clearing mechanism for e business
Open sst based clearing mechanism for e businessOpen sst based clearing mechanism for e business
Open sst based clearing mechanism for e business
 
On designing automatic reaction strategy for critical infrastructure scada sy...
On designing automatic reaction strategy for critical infrastructure scada sy...On designing automatic reaction strategy for critical infrastructure scada sy...
On designing automatic reaction strategy for critical infrastructure scada sy...
 
Noemi, a collaborative management for ict process improvement in sme experien...
Noemi, a collaborative management for ict process improvement in sme experien...Noemi, a collaborative management for ict process improvement in sme experien...
Noemi, a collaborative management for ict process improvement in sme experien...
 
Multi agents system service based platform in telecommunication security inci...
Multi agents system service based platform in telecommunication security inci...Multi agents system service based platform in telecommunication security inci...
Multi agents system service based platform in telecommunication security inci...
 
Multi agents based architecture for is security incident reaction
Multi agents based architecture for is security incident reactionMulti agents based architecture for is security incident reaction
Multi agents based architecture for is security incident reaction
 

Dernier

TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
mohitmore19
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
masabamasaba
 

Dernier (20)

Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112  Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112  Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg
%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg
%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
SHRMPro HRMS Software Solutions Presentation
SHRMPro HRMS Software Solutions PresentationSHRMPro HRMS Software Solutions Presentation
SHRMPro HRMS Software Solutions Presentation
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 

ReMoLa: Responsibility Model Language to Align Access Rights with Business Process Requirements

  • 1. ReMoLa: Responsibility Model Language to Align Access Rights with Business Process Requirements Christophe Feltus, Michaël Petit, Eric Dubois Fifth IEEE International Conference on Research Challenges in Information Science, May 19-21 2011, Guadeloupe - French West Indies, France
  • 2. Motivation  Governance requirements  1st statement :The responsibility of the employees involved in the processes must be strictly defined and correctly assigned to the employee:  In ISO IEC 38500:2008 – Corporate Governance of ICT  In Sarbanes-Oxley Act’s – Title III corporate responsibilities  In Basel II – Responsibility of the board of directors  2nd statement : One of the requirements is to have access rights strictly aligned with the business process  ISO 27000, CobiT, etc.  Aligning access rights with BP
  • 3. Outlines  Responsibility model  Presentation of the main concepts of the model  Links between these concepts  Alignment method  Presentation of the method  Definition of the responsibilities, Assignment of the responsibilities, Provisioning of the access rights  Proof-of-concept  Analyze of the System Acceptance from ISO/IEC 27002/2005, Code of practice for information security management.  Definition of the responsibilities  Conclusions and future works
  • 4. Outlines  Responsibility model  Presentation of the main concepts of the model  Links between these concepts  Alignment method  Presentation of the method  Definition of the responsibilities, Assignment of the responsibilities, Provisioning of the access rights  Proof-of-concept  Analyze of the System Acceptance from ISO/IEC 27002/2005, Code of practice for information security management.  Definition of the responsibilities  Conclusions and future works
  • 5. Presentation of the Responsibility model  Elaboration of the model  Employee, right, obligation, commitment
  • 6. Presentation of the Responsibility model  4 types of obligation  In order to refine the model, we use the CobiT RACI chart that describes 4 types of obligation  Responsible: an employee who performs a task  Accountable: an employee that directs and makes authorization  Consulted: an employee that makes consultancy to permit a task to be done  Informed: an employee that is informed about the achievement of a task
  • 7. Presentation of the Responsibility model Responsible Accountable Consulted Informed
  • 8. Outlines  Responsibility model  Presentation of the main concepts of the model  Links between these concepts  Alignment method  Presentation of the method  Definition of the responsibilities, Assignment of the responsibilities, Provisioning of the access rights  Proof-of-concept  Analyze of the System Acceptance from ISO/IEC 27002/2005, Code of practice for information security management.  Definition of the responsibilities  Conclusions and future works
• 9. Presentation of the Alignment method
 Our approach
 2 layers (Business/Technical) and 2 levels (Language/Instantiation)
 Method:
 Definition of the responsibilities from the business layer
 Assignment of the responsibilities
 Access rights (AR) provisioning
• 10. Presentation of the Alignment method
 Mapping BP / ReMoLa in order to elaborate responsibilities
 Instantiation of Task/Obligation, Accountabilities, Right
 (Figure labels: Step 1, Step 2; business frameworks, e.g. CobiT, ISO 15504)
• 11. Presentation of the Alignment method
 (Figure, Step 3: the actors involved are the BP owner, the responsibility delegator, the employee, the employee's manager, the RBAC administrator and HR)
• 12. Presentation of the Alignment method
 Mapping of ReMoLa with one AC model: Role Based Access Control
 To simplify the management of granting permissions to users
 3 main elements: User, Role and Permission
 2 main functions:
 User-role assignment (URA)
 Permission-role assignment (PRA)
• 13. Presentation of the Alignment method
 If the RBAC role is a type of responsibility: an employee assigned to that responsibility gets all the permissions needed by that responsibility, and no more.
 If instead the RBAC role is a business role: an employee assigned to that role is not necessarily responsible for all the tasks of the role. He receives too many permissions.
• 14. Outlines
 Responsibility model
 Presentation of the main concepts of the model
 Links between these concepts
 Alignment method
 Presentation of the method
 Definition of the responsibilities, Assignment of the responsibilities, Provisioning of the access rights
 Proof-of-concept
 Analysis of the System Acceptance from ISO/IEC 27002:2005, Code of practice for information security management
 Definition of the responsibilities
 Conclusions and future works
• 15. Proof-of-concept : System Acceptance
 Audit of the employees' access rights for the process: System Acceptance
 Audit observations:
 5 employees, each with a set of rights and assigned to a business role
 Are these rights strictly necessary for the employees?
 Employees / Rights:
 Carla: Access to all
 Alice: Access to the list of requirements; Access to migration priorities; Allowed to participate in migration meetings; Access to the migration risks; Access to the operational efficiency requirements list
 Emma: Access to migration priorities; Allowed to participate in migration meetings; Access to the migration risk analysis
 Denis: Access to the preparation template; Access to the testing template; Access to the training support; Time to participate in training; Access to the system manual; Access to the set of security controls in place; Access to the list of errors
 Bob: Access to the test results
 Employees / Business roles:
 Carla: Chief information officer
 Alice: Employee assigned to the System Acceptance process
 Emma: System Acceptance process manager
 Denis: Project leader
 Bob: System architect
• 16. Proof-of-concept : System Acceptance
 Definition of the responsibilities
 Identification of the tasks that compose the System Acceptance process
 Based on the task semantics, associations with the RACI obligations are possible.
 Based upon the type of obligation, the specific responsibility model can be taken into consideration
 Alice needs access rights, commitment, is answerable, …
 Tasks / Obligation:
 Ensure that the requirements and criteria for acceptance of new systems are clearly defined, agreed, documented, and tested: R
 Provide acceptance for the migration of new information systems, upgrades, and new versions: A
 Ensure the operational efficiency of the proposed system design: C
 Preparation and testing of routine operating procedures to defined standards: R
 Training in the operation or use of new systems: I
 Agreed set of security controls in place: A
 Appropriate tests should be carried out to confirm that all acceptance criteria have been fully satisfied: R
 Consider error recovery and restart procedures, and contingency plans: R
 Responsibility of Alice (highlighted in the table): Provide acceptance for the migration of new information systems, upgrades, and new versions
• 17. Proof-of-concept : System Acceptance
 Right to task association
 In most business frameworks, ISO 27002 included, rights are not explicitly described.
 A fine-grained analysis is needed to engineer the rights required to perform each task.
 Tasks / Rights:
 Ensure that the requirements and criteria for acceptance of new systems are clearly defined, agreed, documented, and tested: Access to the list of requirements; Access to the agreement documentation; Access to the test results
 Provide acceptance for the migration of new information systems, upgrades, and new versions: Access to migration priorities; Access to migration meetings; Access to the migration risk analysis
 Ensure the operational efficiency of the proposed system design: Access to the operational efficiency requirements list
 Preparation and testing of routine operating procedures to defined standards: Access to the preparation template; Access to the testing template
 Training in the operation or use of new systems: Access to the training support; Time to participate in training; Access to the system manual
 Agreed set of security controls in place: Access to the set of security controls in place
 Appropriate tests should be carried out to confirm that all acceptance criteria have been fully satisfied: No access required
 Consider error recovery and restart procedures, and contingency plans: Access to the list of errors
• 18. Proof-of-concept : System Acceptance
 Audit conclusions
 Observation: Alice is an employee assigned to the System Acceptance process and, because of her business role, she gets access to:
 the list of requirements,
 migration priorities,
 participation in migration meetings,
 migration risks,
 the operational efficiency requirements list.
 Using ReMoLa: Alice is responsible for providing acceptance for the migration of new information systems, upgrades, and new versions, and needs only the following rights:
 access to migration priorities,
 participation in migration meetings,
 access to migration risks.
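The audit on slides 15 to 18 can be mechanised. The following is an added example (not code from the ReMoLa paper or the presentation) that encodes the RBAC view of slide 12 as user-role (URA) and permission-role (PRA) tables, encodes the task-to-right association of slide 17, and derives each audited employee's required rights from the responsibilities assigned to her, as slide 13 argues a responsibility-typed role would. Comparing the two sets yields the excess rights that the slide 18 conclusion points out for Alice. Task and right identifiers, the role names and the obligation for Alice's task are constructed short forms of the slide text; only Alice's responsibility is stated on the slides, so she is the only employee with a recorded responsibility here.

```python
"""Least-privilege audit: rights provisioned through RBAC business roles versus
rights required by responsibilities. Added example; identifiers are constructed."""

# Task-to-right association for the System Acceptance process (slide 17).
TASK_RIGHTS = {
    "define_acceptance_criteria":    {"requirements_list", "agreement_docs", "test_results"},
    "provide_migration_acceptance":  {"migration_priorities", "migration_meetings", "migration_risks"},
    "ensure_operational_efficiency": {"op_efficiency_list"},
    "prepare_operating_procedures":  {"preparation_template", "testing_template"},
    "training_on_new_systems":       {"training_support", "training_time", "system_manual"},
    "agree_security_controls":       {"security_controls"},
    "run_acceptance_tests":          set(),  # slide 17: "No access required"
    "error_recovery_plans":          {"errors_list"},
}
ALL_RIGHTS = set().union(*TASK_RIGHTS.values())

# RBAC view (slide 12). PRA: permissions per business role, reproducing the
# audit observation of slide 15; "Access to all" for the CIO is modelled as
# every right of the process. URA: employee -> business role.
PRA = {
    "cio": set(ALL_RIGHTS),
    "system_acceptance_member": {"requirements_list", "migration_priorities",
                                 "migration_meetings", "migration_risks",
                                 "op_efficiency_list"},
    "system_acceptance_manager": {"migration_priorities", "migration_meetings",
                                  "migration_risks"},
    "project_leader": {"preparation_template", "testing_template",
                       "training_support", "training_time", "system_manual",
                       "security_controls", "errors_list"},
    "system_architect": {"test_results"},
}
URA = {"Carla": "cio", "Alice": "system_acceptance_member",
       "Emma": "system_acceptance_manager", "Denis": "project_leader",
       "Bob": "system_architect"}

# Responsibility view (ReMoLa): employee -> {task: RACI obligation}.
# Only Alice's responsibility is given on the slides (slide 18); the
# obligation letter reuses the slide 16 table entry for that task.
RESPONSIBILITIES = {
    "Alice": {"provide_migration_acceptance": "A"},
}


def provisioned_rights(employee):
    """Rights the employee currently holds, resolved via URA then PRA."""
    return set(PRA[URA[employee]])


def required_rights(employee):
    """Rights strictly needed by the employee's responsibilities: the union of
    the rights of every task she holds an obligation for."""
    tasks = RESPONSIBILITIES.get(employee, {})
    return set().union(*(TASK_RIGHTS[task] for task in tasks))


def audit(employee):
    """Compare provisioned and required rights. Excess rights violate least
    privilege; missing rights mean an assigned task cannot be performed."""
    if employee not in RESPONSIBILITIES:
        raise ValueError(f"no responsibilities recorded for {employee}; cannot audit")
    have, need = provisioned_rights(employee), required_rights(employee)
    return {"employee": employee,
            "excess": sorted(have - need),
            "missing": sorted(need - have)}


if __name__ == "__main__":
    for emp in RESPONSIBILITIES:
        result = audit(emp)
        print(f"{result['employee']}: excess={result['excess']} missing={result['missing']}")
```

Running it reports Alice's two excess rights (the requirements list and the operational efficiency requirements list) and no missing right, which is exactly the slide 18 conclusion. Employees without a recorded responsibility are refused rather than audited, because with an empty responsibility set every provisioned right would wrongly show as excess.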
• 19. Outlines
 Responsibility model
 Presentation of the main concepts of the model
 Links between these concepts
 Alignment method
 Presentation of the method
 Definition of the responsibilities, Assignment of the responsibilities, Provisioning of the access rights
 Proof-of-concept
 Analysis of the System Acceptance from ISO/IEC 27002:2005, Code of practice for information security management
 Definition of the responsibilities
 Conclusions and future works
• 20. Conclusions and future works
 Business needs a better alignment of the employees' responsibilities, from the management frameworks down to the technical rules
 Our approach:
 Step 1: Definition of the responsibilities: Business Role, Activities, Tasks, Obligations, Responsibilities
 Step 2: Responsibility to employee assignment
 Step 3: Rights to responsibility association
 Future works
 Complementary validations using case studies: one ongoing and one beginning in June
 Looking forward to integration within ArchiMate and other EA frameworks
• 21. Thank you! Questions?