Article. DOI: 10.1145/1066677.1066976

A case study of separation of duty properties in the context of the Austrian "eLaw" process.

Published: 13 March 2005

Abstract

Over the last few years rapid progress has been made in moving from conceptual studies, "whitepapers" and initiatives to the actual deployment of e-Government systems [13]. In this paper we present the case study of an existing e-Government system (eLaw) which already supports key legislative processes in Austria. The study has been performed in the context of the EU FP6 project "eJustice". We present a detailed system and workflow representation referring to the example process of changing a federal law in Austria. Since such processes and their results, i.e. the laws of a country, have an enormous impact on society, they need to be secured against external and internal alteration, be it inadvertent or malicious. This is even more important in the electronic world. Instead of discussing the obvious security requirements like virus protection or network-level access control, our focus is on an often neglected form of organisational security and control properties called separation of duties. We analyse and discuss a set of these in terms of the described eLaw process.

References

[1] Atluri, V. and Huang, W. An Authorization Model for Workflows. Lecture Notes in Computer Science 1146, 1996.
[2] Belokosztolszki, A. and Moody, K. Meta-Policies for Distributed Role-Based Access Control Systems. In 3rd IEEE Workshop on Policies for Distributed Systems and Networks, 2002.
[3] Bertino, E., Ferrari, E. et al. The specification and enforcement of authorization constraints in workflow management systems. Transactions on Information and System Security 2(1): 65--104, 1999.
[4] BIS. Framework for Internal Control Systems in Banking Organizations. Technical Report No. 40, Bank for International Settlements, Basel Committee on Banking Supervision, 1998.
[5] German Federal Administration Office: BundOnline website, http://www.bund.de/, 2001.
[6] Chen, F. and Sandhu, R. Constraints for RBAC. In 1st ACM Workshop on Role-Based Access Control, pages 39--46, 1995.
[7] COSO. Internal Control - Integrated Framework. Technical report, Committee of the Sponsoring Organisations (COSO) of the Treadway Commission, 2002.
[8] Damianou, N. A Policy Framework for Management of Distributed Systems. PhD thesis, Imperial College, UK, 2002.
[9] Ferraiolo, D. and Kuhn, R. Role-Based Access Control. In 15th NIST-NCSC National Computer Security Conference, pages 554--563, 1992.
[10] Hulme, G. The Threat from Inside. Information Week, April 2003.
[11] KPMG. Fraud Survey Reports 1996-2002. KPMG International Canada, 2002.
[12] Republik Oesterreich. BGBl. I Nr. 100/2003.
[13] Lenk, K. and Traunmüller, R. (Eds.). Electronic Government, First International Conference, EGOV 2002, Aix-en-Provence, France. Lecture Notes in Computer Science 2456, 2002.
[14] Mullins, L. Management and Organizational Behavior. Prentice Hall, London, 5th edition.
[15] Prinz, W. and Kolvenbach, S. Support for Workflows in a Ministerial Environment. In Proceedings of the ACM Conference on CSCW, November 1996.
[16] Pugh, D. Organization Theory: Selected Readings. Penguin Business, Penguin Books, 3rd edition, 1990.
[17] Sandhu, R., Coyne, E. et al. Role-based access control models. IEEE Computer 29(2): 38--47, 1996.
[18] Sandhu, R. and Bhamidipati, V. An Oracle Implementation of the PRA97 Model for Permission-Role Assignment. In 3rd ACM Workshop on Role-Based Access Control, 1998.
[19] Schaad, A. A Framework for Organisational Control Principles. PhD thesis, Department of Computer Science, University of York, 2003.
[20] Schaad, A. and Moffett, J. Separation, Review and Supervision Controls in the Context of a Credit Application Process - A Case Study of Organisational Control Principles. In ACM Symposium on Applied Computing, Cyprus, 2004.
[21] Shein, E. CEO Warns Threats are Coming from the Inside. eSecurityPlanet.com, June 2004.
[22] Simon, R. and Zurko, M. E. Separation of Duty in Role-Based Environments. In IEEE Computer Security Foundations Workshop, 1997.
[23] Prime Minister and Minister for the Cabinet Office of the UK. Modernising Government. Presented to Parliament, March 1999.
[24] Cabinet Office of the UK: Directgov webpage, http://direct.gov.uk, 2002.
[25] Wimmer, M., Eberhardt, D., Ehrnlechner, P. and Kemper, A. Reliable and Adaptable Security Engineering for Database-Web Services. In 4th International Conference on Web Engineering, Munich, Germany, July 2004.
[26] Domingos, D., Rito-Silva, A. and Veiga, V. Authorization and Access Control in Adaptive Workflows. In Proceedings of the 8th European Symposium on Research in Computer Security (ESORICS 2003), Springer-Verlag, LNCS, 2003.



    Published In

    SAC '05: Proceedings of the 2005 ACM symposium on Applied computing
    March 2005
    1814 pages
    ISBN: 1581139640
    DOI: 10.1145/1066677

    Publisher

    Association for Computing Machinery, New York, NY, United States


    Author Tags

    1. e-Government
    2. electronic documents
    3. legislation
    4. organisational control
    5. workflow security


    Conference

    SAC05: The 2005 ACM Symposium on Applied Computing
    March 13 - 17, 2005
    Santa Fe, New Mexico

    Acceptance Rates

    Overall Acceptance Rate 1,650 of 6,669 submissions, 25%


    Cited By

    • (2016) Algorithms for the workflow satisfiability problem engineered for counting constraints. Journal of Combinatorial Optimization 32(1): 3-24. DOI: 10.1007/s10878-015-9877-7. Online publication date: 1 Jul 2016.
    • (2015) A novel evaluation criteria to cloud based access control models. Proceedings of the 2015 11th International Conference on Innovations in Information Technology (IIT), pages 68-73. DOI: 10.1109/INNOVATIONS.2015.7381517. Online publication date: 1 Nov 2015.
    • (2015) E-GRANT. Proceedings of the 2015 3rd International Conference on Future Internet of Things and Cloud, pages 135-144. DOI: 10.1109/FiCloud.2015.43. Online publication date: 24 Aug 2015.
    • (2015) Transparency in the national assemblies of Portuguese speaking African countries: Adapting the bungeni parliamentary system. The case study of Sao Tome and Principe. 2015 10th Iberian Conference on Information Systems and Technologies (CISTI), pages 1-5. DOI: 10.1109/CISTI.2015.7170486. Online publication date: Jun 2015.
    • (2014) Modeling the Resource Perspective of Business Process Compliance Rules with the Extended Compliance Rule Graph. Enterprise, Business-Process and Information Systems Modeling, pages 48-63. DOI: 10.1007/978-3-662-43745-2_4. Online publication date: 2014.
    • (2011) Role inheritance with object-based DSD. International Journal of Internet Technology and Secured Transactions 3(2): 149-160. DOI: 10.1504/IJITST.2011.039775. Online publication date: 1 Apr 2011.
    • (2010) Idea. Proceedings of the Second International Conference on Engineering Secure Software and Systems, pages 157-165. DOI: 10.1007/978-3-642-11747-3_12. Online publication date: 3 Feb 2010.
    • (2008) Enforcing security properties in task-based systems. Proceedings of the 13th ACM Symposium on Access Control Models and Technologies, pages 41-50. DOI: 10.1145/1377836.1377843. Online publication date: 11 Jun 2008.
    • (2008) Avoiding Policy-based Deadlocks in Business Processes. Proceedings of the 2008 Third International Conference on Availability, Reliability and Security, pages 709-716. DOI: 10.1109/ARES.2008.131. Online publication date: 4 Mar 2008.
    • (2005) XacT. Proceedings of the 2005 Workshop on Software Engineering for Secure Systems: Building Trustworthy Applications, pages 1-7. DOI: 10.1145/1083200.1083202. Online publication date: 15 May 2005.
