Audit-based compliance control

J.G. Cederquist, R.J. Corin, M.A.C. Dekker, S. Etalle, J.I. den Hartog, G. Lenzini

    Research output: Contribution to journal › Article › Academic › peer-review

    49 Citations (Scopus)
    9 Downloads (Pure)

    Abstract

    In this paper we introduce a new framework for controlling compliance with discretionary access control policies [Cederquist et al. in Proceedings of the International Workshop on Policies for Distributed Systems and Networks (POLICY), 2005; Corin et al. in Proceedings of the IFIP Workshop on Formal Aspects in Security and Trust (FAST), 2004]. The framework consists of a simple policy language, modeling ownership of data and administrative policies. Users can create documents and authorize others to process the documents. To control compliance with the document policies, we define a formal audit procedure by which users may be audited and asked to justify that an action was in compliance with a policy. In this paper we focus on the implementation of our framework. We present a formal proof system, which was only informally described in earlier work. We derive an important tractability result (a cut-elimination theorem), and we use this result to implement a proof-finder, a key component in this framework. We argue that in a number of settings, such as collaborative work environments, where a small group of users create and manage documents in a decentralized way, our framework is a more flexible approach for controlling compliance with policies.
    Original language: English
    Pages (from-to): 133-151
    Number of pages: 19
    Journal: International journal of information security
    Volume: 6
    Issue number: 2-3
    DOI: 10.1007/s10207-007-0017-y
    Publication status: Published - 2007

    Keywords

    • METIS-242075
    • CR-D.4.6
    • CR-K.6.5
    • IR-67014
    • SCS-Cybersecurity
    • EWI-9530
    • Access control
    • Audit
    • Policy
    • Privacy


    Cite this

    Cederquist, J. G., Corin, R. J., Dekker, M. A. C., Etalle, S., den Hartog, J. I., & Lenzini, G. (2007). Audit-based compliance control. International journal of information security, 6(2-3), 133-151. https://doi.org/10.1007/s10207-007-0017-y