Audit-based compliance control

International Journal of Information Security

Volumn 6, Issue 2-3, 2007, Pages 133-151

  Cederquist, Jan G ^a   Corin, R ^b   Dekker, Marnix A C ^c   Etalle, S ^b   den Hartog, J I ^b   Lenzini, Gabriele ^d  

^a INSTITUTO DE TELECOMUNICAÇÕES   (Portugal)

^b UNIVERSITY OF TWENTE   (Netherlands)

^c TNO   (Netherlands)

^d TELEMATICA INSTITUUT   (Netherlands)

Author keywords

Access control; Audit; Policy; Privacy

Indexed keywords

COMPUTER SUPPORTED COOPERATIVE WORK; DATA PRIVACY; GROUPWARE; REGULATORY COMPLIANCE;

DISCRETIONARY ACCESS CONTROL POLICIES; TRACTABILITY;

ACCESS CONTROL;

EID: 33947670402     PISSN: 16155262     EISSN: 16155270     Source Type: Journal    
DOI: 10.1007/s10207-007-0017-y     Document Type: Conference Paper

References (42)

1. 2 proof tools at http://www.cs.ru.nl/paw
2. Abadi, M.: Logic in access control. In: Kolaitis, P.G. (ed.) Proceedings of the Symposium on Logic in Computer Science (LICS), pp. 228-233. IEEE Computer Society Press (2003)
3. Appel, A.W., Felten, E.W.: Proof-carrying authentication. In: Tsudik, G. (ed.) Proceedings of the Conference on Computer and Communications Security (CCS), pp. 52-62. ACM Press (1999)
4. Ashley, P., Hada, S., Karjoth, G., Schunter, M.: E-p3p privacy policies and privacy authorization. In: Samarati, P. (ed.) Proceedings of the ACM workshop on Privacy in the Electronic Society (WPES 2002), pp. 103-109. ACM Press (2002)
5. Bandmann, O.L., Firozabadi, B.S., Dam, M.: Constrained delegation. In: Abadi, M., Bellovin, S.M. (eds.) Proceedings of the Symposium on Security and Privacy (S&P), pp. 131-140. IEEE Computer Society Press (2002)
6. BeckeF, M.Y., Sewell, P.: Cassandra: flexible trust management, applied to electronic health records. In: Focardi, R. (ed.) Proceedings of the Computer Security Foundations Workshop (CSFW), pp. 139-154. IEEE Computer Society Press (2004)
7. Beckert B. and Posegga J. (1995). leantap: Lean tableau-based deduction. J. Autom. Reasoning 15(3): 339-358
8. Blaze, M., Feigenbaum, J., Lacy, J.: Decentralized trust management. In: Proceedings of the Symposium on Security and Privacy (S&P), pp. 164-173. IEEE Computer Society Press (1996)
9. Cederquist, J.G., Corin, R.J., Dekker, M.A.C., Etalle, S., den Hartog, J.I.: An audit logic for accountability. In: Sahai, A., Winsborough, W.H. (eds.) Proceedings of the International Workshop on Policies for Distributed Systems and Networks (POLICY), pp. 34-43. IEEE Computer Society Press (2005)
10. Chong, C.N., Peng, Z., Hartel, P.H.: Secure audit logging with tamper-resistant hardware. In: Gritzalis, D., S.D.C., Samarati, P., Katsikas, S.K. (eds.) 18th IFIP TC11 International Conference on Information Security and Privacy in the Age of Uncertainty (SEC), Athens, Greece, pp. 73-84. Kluwer Academic, Dordrecht (2003)
11. Corin, R., Etalle, S., den Hartog, J.I., Lenzini, G., Staicu, I.: A logic for auditing accountability in decentralized systems. In: Dimitrakos, T., Martinelli, F. (eds.) Proceedings of the IFIP Workshop on Formal Aspects in Security and Trust (FAST), vol. 173, pp. 187-202. Springer, Berlin (2004)
12. DeTreville, J.: Binder, a logic-based security language. In: Proceedings of the Symposium on Research in Security and Privacy (S&P), pp. 105-113. IEEE Computer Society Press (2002)
13. Dowek, G., Jiang, Y.: Eigenvariables, bracketing and the decidability of positive minimal intuitionistic logic. Electr. Notes Theor. Comput. Sci. 85(7) (2003)
14. Garg, D., Bauer, L., Bowers, K., Pfenning, F., Reiter, M.: A linear logic of authorization and knowledge. In: Proceedings of the European Symposium On Research In Computer Security (ESORICS). Springer, Berlin (2006)
15. Garg, D., Pfenning, F.: Non-interference in constructive authorization logic. In: Proceedings of the Computer Security Foundations Workshop (CSFW). IEEE Computer Society Press (2006)
16. Halpern, J.Y., van der Meyden, R.: A logic for SDSI's linked local name spaces. In: Syverson, P. (ed.) Proceedings of the Computer Security Foundations Workshop (CSFW), pp. 111-122. IEEE Computer Society Press (1999)
17. Halpern, J.Y., Weissman, V.: Using first-order logic to reason about policies. In: Focardi, R. (ed.) Proceedings of the Computer Security Foundations Workshop (CSFW), pp. 187-201. IEEE Computer Society Press (2003)
18. Hu, V., Ferraiolo, D., Kuhn, D.: Assessment of access control systems - NIST interagency report. Technical report, National Institute of Standards and Technology (2006)
19. Jajodia, S., Gadia, S., Bhargava, G.: Logical design of audit information in relational databases. In: Information Security: An integrated Collection of Essays, pp. 585-595. IEEE Computer Society Press (1995)
20. Karjoth, G., Schunter, M., Waidner, M.: Platform for enterprise privacy practices: Privacy-enabled management of customer data. Privacy Enhancing Technologies (2002)
21. Li N., Grosof B.N. and Feigenbaum J. (2003). Delegation logic: A logic-based approach to distributed authorization. ACM Trans. on Inf. Syst. Secur. (TISSEC) 6(1): 128-171
22. Li, N., Mitchell, J.: Datalog with constraints: A foundation for trust management languages. In: Dahl, V., Wadler, P. (eds.) Proceedings of the International Symposium on Practical Aspects of Declarative Languages (PADL) (2003)
23. Li, N., Mitchell, J., Winsborough, W.: Design of a role-based trust-management framework. In: Abadi, M., Bellovin, S.M. (eds.) Proceedings of the Symposium on Research in Security and Privacy (S&P), pp. 114-130. IEEE Computer Society Press (2002)
24. Longstaff, J.J., Lockyer, M.A., Thick, M.G.: A model of accountability, confidentiality and override for healthcare and other applications. In: Proceedings of the Workshop on Role-based Access Control (RBAC)
25. Necula, G.C.: Compiling with proofs. Ph.D. thesis, School of Computer Science, Carnegie Mellon University, Pittsburgh, PA (1998)
26. OASIS Access Control TC: EXtensible Access Control Markup Language (XACML) Version 2.0 - Oasis Standard, 1 Feb 2005 (2005)
27. Park, J., Sandhu, R.: Originator control in usage control. In: Lobo, J., Dulay, N. (eds.) Proceedings of the International Workshop on Policies for Distributed Systems and Networks (POLICY), p. 60. IEEE Computer Society, Washington, DC, USA (2002)
28. Park, J., Sandhu, R.: ToBards usage control models: beyond traditional access control. In: Bertino, E. (ed.) Proceedings of the Symposium on Access Control Models and Technologies (SACMAT), pp. 57-64. ACM Press (2002)
29. Pfenning, F.: Linear logic course handouts. http://www.cs.cmu. edu/fp/ courses/linear.html (2002)
30. Pfenning, F., Schürmann, C.: System description: Twelf - a meta-logical framework for deductive systems. In: Ganzinger, H. (ed.) Proceedings of the International Conference on Automated Deduction (CADE), pp. 202-206. Springer, Berlin (1999)
31. Rissanen, E., Firozabadi, B.S., Sergot, M.J.: Discretionary overriding of access control in the privilege calculus. In: Dimitrakos, T., Martinelli, F. (eds.) Proceedings of the 2nd IFIP Workshop on Formal Aspects in Security and Trust (FAST), pp. 219-232. Springer, Berlin (2004)
32. Sandhu, R., Park, J.: Usage control: A vision for next generation access control. In: Gorodetsky, V., Popyack, L.J., Skormin, V.A. (eds.) Proceedings of the International Workshop on Mathematical Methods, Models, and Architectures for Computer Network Security MMM-ACNS. LNCS, vol. 2776, pp. 17-31. Springer, Berlin (2003)
33. Sandhu R. and Samarati P. (1994). Access control: Principles and practice. IEEE Commun. Mag. 32(9): 40-48
34. Sandhu R. and Samarati P. (1996). Authentication, access control and audit. ACM Comput. Surv. 28(1): 241-243
35. Shmatikov V. and Talcott C.L. (2005). Reputation-based trust management. J. Comput. Secur. 13(1): 167-190
36. Szabo E.M. ed. (1969). The Collected of Gerhard Gentzen. North Holland, Amsterdam
37. The European Parliament and the Council of the European Union: UE DIRECTIVE 2002/58/EC on privacy and electronic communications. Official Journal of the European Union. http://europa.eu.int/eur-lex/pri/en/oj/ dat/2002/l_201/l_20120020731en00370047.pdf (2002)
38. The US Department of Health and Human Services: Summary of the HIPAA Privacy Rule. Available on the website http://www.hhs.gov/ocr/ privacysummary.pdf (2002)
39. Topkara, M., TopSara, U., Atallah, M.J.: Words are not enough: sentence level natural language watermarking. In: Proceedings of the International workshop on Contents Protection and Security (MCPS), pp. 37-46. ACM Press (2006)
40. U.S. Securities and Exchange Commission: Sarbanes-oxley act (2002)
41. Wang, X., Lao, G., De Martini, T., Reddy, H., Nguyen, M., Valenzuela, E.: XrML: eXtensible rights markup language. In: Kudo, M. (ed.) Proceedings of the Workshop on XML Security (XMLSEC), pp. 71-79. ACM Press (2002)
42. Whitehead, N., AbadA, M., Necula, G.C.: By reason and authority: a system for authorization of proof-carrying code. In: Focardi, R. (ed.) Proceedings of the Computer Security Foundations Workshop (CSFW), pp. 236-250. IEEE Computer Society Press (2004)