Compliance by design - Bridging the chasm between auditors and IT architects

Computers and Security

Volumn 30, Issue 6-7, 2011, Pages 410-426

  Julisch, Klaus ^a   Suter, Christophe ^b   Woitalla, Thomas ^b   Zimmermann, Olaf ^a  

^a IBM RESEARCH ZURICH   (Switzerland)

^b Beijing PricewaterhouseCoopers Management Consulting   (Switzerland)

Author keywords

Business processes; CAVR; Compliance; Enterprise applications; Information systems audit; Patterns; Security architecture; Service oriented architecture

Indexed keywords

BUSINESS PROCESS; CAVR; COMPLIANCE; ENTERPRISE APPLICATIONS; PATTERNS; SECURITY ARCHITECTURE; SERVICE ORIENTED;

ARCHITECTURE; DATA PROCESSING; FINANCIAL DATA PROCESSING; INFORMATION SERVICES; INFORMATION SYSTEMS; RISK PERCEPTION;

SERVICE ORIENTED ARCHITECTURE (SOA);

EID: 80051786633     PISSN: 01674048     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.cose.2011.03.005     Document Type: Article

References (56)

1. AICPA Generally accepted Auditing Standards. SAS 95 URL: 2001 American Institute of Certified Public Accountants http://www.aicpa.org/download/members/ div/auditstd/AU-00150.PDF
2. AICPA Statements on Auditing Standards (SAS) No. 104. Amendment to Statement on Auditing Standards No. 1 Codification of Auditing Standards and procedures ("Due professional care in the performance of work") 2006 American Institute of Certified Public Accountants
3. W.H. Baker, A. Hutton, C.D. Hylender, C. Novak, C. Porter, and B. Sartin 2009 data breach investigations report 2009 Verizon Business
4. L. Bass, P. Clements, and R. Kazman Software architecture in practice 2nd ed. 2003 Addison Wesley
5. J.L. Bayuk Stepping through the IS audit: what to expect, how to prepare 2nd ed. 2004 ISACA
6. M. Benantar Access control systems: security, identity management and trust models 2006 Springer
7. V. Bertocci, G. Serack, and C. Baker Understanding windows cardspace 2008 Addison Wesley
8. P.R. Bitterli, J. Brun, T. Bucher, B. Christ, B. Hamberger, and M. Huissoud Guide to the audit of IT applications 2009 ISACA
9. B. Blakley, and C. Heath Security design patterns. technical report G031 2004 Open Group 1931624275
10. W. Bradshaw, and A. Willis Learning about risk: choices, connections and competencies 1998 Canadian Institute for Chartered Accountants Toronto
11. S.M. Bragg The ultimate accountants' reference: including GAAP, IRS and SEC regulations, leases, and more 3rd ed. 2010 John Wiley & Sons
12. A. Buecker Understanding SOA security design and implementation 2007 IBM Redbooks
13. S. Cantor SAML 2.0 single sign-on with constrained delegation. Working draft URL: http://shibboleth.internet2.edu/docs/draft-cantor-saml-sso- delegation-01.pdf Oct. 2005
14. R.E. Cascarino Auditor's guide to information systems auditing 2007 John Wiley & Sons
15. D. Cohn User stories applied 2004 Addison Wesley
16. Congress of the United States of America. Sarbanes-Oxley Act of 2002, H.R. 3763.
17. M. Cross, L.J. Norris, and T. Piltzecker Security+ study guide 2002 Syngress Publishing
18. L. Davidson, K. Kline, and K. Windisch Pro SQL server 2005 database design and optimization 2006 Apress
19. M. Ebbers, B. Barrus, S. Bonazebi, P. Daly, and C. Lee Data power architectural design patterns 2008 IBM Redbook
20. EC EudraLex - volume 4 good manufacturing practice (GMP) guidelines URL: 2010 European Commission http://ec.europa.eu/enterprise/sectors/pharmaceuticals/ documents/eudralex/vol-4/index-en.htm
21. J. Epstein Security Lessons Learned from Société Générale IEEE Security & Privacy 6 3 2008
22. E. Evans Domain-driven design: tackling complexity in the heart of software 2003 Addison Wesley
23. N. Ferguson, and B. Schneier Practical cryptography 1st ed. 2003 Wiley
24. M. Fowler Patterns of enterprise application architecture 2003 Addison Wesley
25. M. Hansen, A. Schwartz, and A. Cooper Privacy and identity management IEEE Security & Privacy March/April 2008
26. G. Hohpe, and B. Woolf Enterprise integration patterns 2004 Addison Wesley
27. M. Howard, and D. LeBlanc Writing secure code 2nd ed. 2003 Microsoft Press
28. ISACA COBIT and application controls: a management guide 2009 9781933284859
29. ISACA Certified information systems auditor, CISA certification overview URL: 2010 http://www.isaca.org/Template.cfm?Section=CISA- Certification&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID= 16&ContentID=43558
30. ISO/IEC Information technology - security techniques - information security management Systems - requirements. ISO/IEC 27001 2005
31. ISO/IEC Information technology - security techniques - information security management systems - guidelines. ISO/IEC 27002 2005
32. IT Governance Institute Control objectives for information and related technology 4.0 (COBIT) 2005 1-933284-37-4
33. N.M. Josuttis SOA in practice 2007 O'Reilly
34. D.S. Kidwell, D.W. Blackwell, D.A. Whidbee, and R.L. Peterson Financial institutions, markets, and money 10th ed. 2008 John Wiley & Sons
35. J. Killmeyer Information security architecture 2000 Auerbach Publications
36. F. Leymann, and D. Roller Production workflow: concepts and techniques 1999 Prentice Hall
37. J.D. Meier, A. Mackman, M. Dunner, and S. Vasireddy Building secure Microsoft ASP.NET applications: authentication, authorization, and secure communication 2003 Microsoft Press
38. B. Meyer Object-oriented software construction 2nd ed. 2000 Prentice Hall
39. W.H. Murray Principles and applications of cryptographic key management H.F. Tipton, M. Krause, Information security management handbook 6th ed. 2007 Auerbach
40. NIST Trusted computer system evaluation criteria 1983 Department of Defense, National Security Institute
41. OGC The official introduction to the ITIL service lifecycle 2007 Office of Government Commerce
42. OAuth Core Workgoup OAuth core 1.0 Revision A URL: http://oauth.net/core/ 1.0a June 2009
43. PCAOB Auditing Standard No. 5: an audit of internal control over financial reporting that is integrated with an audit of financial statements. PCAOB release No. 2007-005A URL: Nov. 2007 Public Company Accounting Oversight Board http://pcaobus.org/Standards/Auditing/Pages/Auditing-Standard-5.aspx
44. M. Rosen, B. Lublinsky, K.Y. Smith, and M.J. Balcer Applied SOA: service-oriented architecture and design strategies 2008 John Wiley & Sons
45. R. Ross, S. Katzke, A. Johnson, M. Swanson, G. Stoneburner, and G. Rogers Recommended security controls for federal information systems Special Publication 800-53, Rev. 2 Dec. 2007 National Institute of Standards and Technology
46. J. Rumbaugh, I. Jacobson, and G. Booch The Unified modeling language reference manual 1999 Addison Wesley
47. J.H. Saltzer, and M.D. Schroeder The protection of information in computer systems Proceedings of the IEEE 63 9 1975 1278 1308
48. M.S. Schaeffer Accounts payable and Sarbanes-Oxley: strengthening your internal controls 2006 John Wiley & Sons
49. M. Schumacher, E.B. Fernandez, D. Hybertson, F. Buschmann, and P. Sommerlad Security patterns: integrating security and systems engineering 2006 Wiley
50. SEC Commission guidance regarding management's report on internal control over financial reporting under section 13(a) or 15(d) of the securities exchange act of 1934. RELEASE NOS. 33-8810; 34-55929; FR-77; file No. S7-24-06 2007 Securities and Exchange Commission
51. S. Senft, and F. Gallegos Information technology control and audit 2009 Auerbach Publications
52. Symantec Web based attacks. Symantec Corp., technical report Feb 2009
53. H. Trent Products for managing governance, risk, and compliance: market fluff or relevant stuff? Mar.18, 2008 Burton Group
54. J. Tulach Practical API design: confessions of a Java framework architect 2008 Apress
55. Yoder J, Barcalow J, 1997. Architectural Patterns for Enabling Application Security. In: Proceedings of the Fourth Conference on Pattern Languages and Programs.
56. Zimmermann O, 2009. An Architectural Decision Modeling Framework for Service-Oriented Architecture Design. PhD thesis. University of Stuttgart.