Article

Separation, review and supervision controls in the context of a credit application process: a case study of organisational control principles

Authors:

Andreas Schaad,

Jonathan MoffettAuthors Info & Claims

SAC '04: Proceedings of the 2004 ACM symposium on Applied computing

Pages 1380 - 1384

https://doi.org/10.1145/967900.968177

Published: 14 March 2004 Publication History

Abstract

This paper presents a case study of the organisational control principles present in a credit application process at the branch level of a bank. The case study has been performed in the context of an earlier suggested formal framework [6] for organisational control principles based on the Alloy predicate logic and its facilities for automated formal analysis and exploration [2].In particular, we establish and validate the novel concepts of specific and general obligations. The delegation of these two kinds of obligations must be controlled by means of review and supervision controls. The example of a credit application process is used to discuss these organisational controls.

References

[1]

Schaad, A. and J. Moffett. A Framework for Organisational Control Principles. in 18th Annual Computer Security Applications Conference. 2002. Las Vegas, Nevada, USA.]]

Digital Library

[2]

Jackson, D. A Micromodularity Mechanism. in 8th Joint Software Engineering Conference. 2001. Vienna, Austria.]]

Digital Library

[3]

Schaad, A. and J. Moffett. Delegation of Obligations. in 3rd International Workshop on Policies for Distributed Systems and Networks (POLICY 2002). 2002. Monterey]]

Digital Library

[4]

Schaad, A., J. Moffett, and J. Jacob. The access control system of a European bank - a case study. in 6th ACM Symposium on Access Control (SACMAT). 2001. Chantilly, VA, USA.]]

Digital Library

[5]

Kern, A., A. Schaad, and J. Moffett. An Administration Concept for the Enterprise Role-Based Access Control Model. in 8th ACM Symposium on Access Control Models and Technologies (SACMAT). 2003.]]

Digital Library

[6]

Schaad, A., A Framework for Organisational Control Principles, in Department of Computer Science. 2003, University of York.]]

[7]

Bacon, J. and K. Moody, Toward Open, Secure, Widely Distributed Services. Communications of the ACM, 2002. 45(6): p. 59--64.]]

Digital Library

[8]

Minsky, N. and V. Ungureanu, Law-governed interaction: a coordination and control mechanism for heterogenous distributed systems. ACM Transactions on Software Engineering, 2000. 9(3).]]

Digital Library

[9]

Kuhn, R. Mutual exclusion of roles as a means of implementing separation of duty in role-based access control systems. in ACM workshop on Role-based access control. 1997.]]

Digital Library

[10]

Gligor, V., S. Gavrila, and D. Ferraiolo. On the Formal Definition of Separation-of-Duty Policies and their Composition. in IEEE Symposium on Security and Privacy. 1998. Oakland, CA.]]

[11]

Urwick, L., Notes on the Theory of Organization. 1952: American Management Association.]]

[12]

Damianou, N., et al. The Ponder Policy Specification Language. in Policies for Distributed Systems and Networks. 2001. Bristol: Springer LNCS]]

Digital Library

[13]

Sandhu, R., et al., Role-based access control models. IEEE Computer, 1996. 29(2): p. 38--47.]]

Digital Library

[14]

Zhang, L., G. Ahn, and C. B. A Rule-based Framework for Role-Based Delegation. in 6th ACM Symposium on Access Control Models and Technologies. 2001. Chantilly, VA, USA.]]

Digital Library

[15]

Crampton, J. and G. Loizou. Administrative Scope and Role Hierarchy Operations. in 7th ACM Symposium on Access Control (SACMAT). 2002. Naval Postgraduate School, Monterey, CA, USA.]]

Digital Library

[16]

Sandhu, R., V. Bhamidipati, and Q. Munawer, The ARBAC97 model for role-based administration of roles. ACM TISSEC, 1999. 2(1): p. 105--135.]]

Digital Library

[17]

Schaad, A. and J. Moffett. A Lightweight Approach to Specification and Analysis of Role-based Access Control Extensions. in 7th ACM Symposium on Access Control (SACMAT). 2002. Monterey, CA.]]

Digital Library

[18]

Schaad, A. Conflict Detection in a Role-based Delegation Model. in 17th Annual Computer Security Applications Conference. 2001. New Orleans.]]

Digital Library

Cited By

Piciocchi PBassano CKirikova MMakna JStecjuka J(2012)Managing Change in Fractal Enterprises and IS Architectures from a Viable Systems PerspectiveWorkshops on Business Informatics Research10.1007/978-3-642-29231-6_4(38-50)Online publication date: 2012
https://doi.org/10.1007/978-3-642-29231-6_4
Massacci FMylopoulos JZannone N(2010)Security Requirements Engineering: The SI* Modeling Language and the Secure Tropos MethodologyAdvances in Intelligent Information Systems10.1007/978-3-642-05183-8_6(147-174)Online publication date: 2010
https://doi.org/10.1007/978-3-642-05183-8_6
Schaad A(2007)A framework for evidence lifecycle managementProceedings of the 2007 international conference on Web information systems engineering10.5555/1781503.1781525(191-200)Online publication date: 3-Dec-2007
https://dl.acm.org/doi/10.5555/1781503.1781525
Show More Cited By

Index Terms

Separation, review and supervision controls in the context of a credit application process: a case study of organisational control principles
1. Computing methodologies
  1. Modeling and simulation
    1. Simulation theory
      1. Systems theory
2. Mathematics of computing
  1. Information theory

Recommendations

A dynamic fuzzy cognitive map applied to chemical process supervision

This work develops an intelligent tool based on fuzzy cognitive maps to supervisory process control. Fuzzy cognitive maps are a neuro-fuzzy methodology that can accurate model complexly system using a causal-effect fuzzy reasoning. In the proposed ...
Brief Supervision of adaptive control algorithms

An adaptive controller needs supervisory functions in order to function well in an industrial environment. This paper describes these needs, and provides examples of supervisory functions that presently are used in industrial adaptive controllers. These ...
The role-based access control system of a European bank: a case study and discussion
SACMAT '01: Proceedings of the sixth ACM symposium on Access control models and technologies

Research in the area of role-based access control has made fast progress over the last few years. However, little has been done to identify and describe existing role-based access control systems within large organisations. This paper describes the ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

SAC '04: Proceedings of the 2004 ACM symposium on Applied computing

March 2004

1733 pages

ISBN:1581138121

DOI:10.1145/967900

Conference Chair:
Hisham M. Haddad
Kennesaw State University
,
Program Chairs:
Andrea Omicini
Università degli Studi di Bologna a Cesena
,
Roger L. Wainwright
University of Tulsa
,
Publications Chair:
Lorie M. Liebrock
New Mexico Institute of Mining and Technology

Copyright © 2004 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGAPP: ACM Special Interest Group on Applied Computing

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 14 March 2004

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

SAC04

Sponsor:

SIGAPP

SAC04: The 2004 ACM Symposium on Applied Computing

March 14 - 17, 2004

Nicosia, Cyprus

Acceptance Rates

Overall Acceptance Rate 1,650 of 6,669 submissions, 25%

Upcoming Conference

SAC '25

Sponsor:
sigapp

The 40th ACM/SIGAPP Symposium on Applied Computing

March 31 - April 4, 2025

Catania , Italy

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

9
Total Citations
View Citations
465
Total Downloads

Downloads (Last 12 months)2
Downloads (Last 6 weeks)0

Reflects downloads up to 22 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Piciocchi PBassano CKirikova MMakna JStecjuka J(2012)Managing Change in Fractal Enterprises and IS Architectures from a Viable Systems PerspectiveWorkshops on Business Informatics Research10.1007/978-3-642-29231-6_4(38-50)Online publication date: 2012
https://doi.org/10.1007/978-3-642-29231-6_4
Massacci FMylopoulos JZannone N(2010)Security Requirements Engineering: The SI* Modeling Language and the Secure Tropos MethodologyAdvances in Intelligent Information Systems10.1007/978-3-642-05183-8_6(147-174)Online publication date: 2010
https://doi.org/10.1007/978-3-642-05183-8_6
Schaad A(2007)A framework for evidence lifecycle managementProceedings of the 2007 international conference on Web information systems engineering10.5555/1781503.1781525(191-200)Online publication date: 3-Dec-2007
https://dl.acm.org/doi/10.5555/1781503.1781525
Schaad A(2007)A Framework for Evidence Lifecycle ManagementWeb Information Systems Engineering – WISE 2007 Workshops10.1007/978-3-540-77010-7_19(191-200)Online publication date: 2007
https://doi.org/10.1007/978-3-540-77010-7_19
Schaad ALotz VSohr KFerraiolo DRay I(2006)A model-checking approach to analysing organisational controls in a loan origination processProceedings of the eleventh ACM symposium on Access control models and technologies10.1145/1133058.1133079(139-149)Online publication date: 7-Jun-2006
https://dl.acm.org/doi/10.1145/1133058.1133079
Schaad ASpadone PWeichsel HHaddad HOmicini AWainwright R(2005)A case study of separation of duty properties in the context of the Austrian "eLaw" process.Proceedings of the 2005 ACM symposium on Applied computing10.1145/1066677.1066976(1328-1332)Online publication date: 13-Mar-2005
https://dl.acm.org/doi/10.1145/1066677.1066976
Schaad A(2005)Revocation of obligation and authorisation policy objectsProceedings of the 19th annual IFIP WG 11.3 working conference on Data and Applications Security10.1007/11535706_3(28-39)Online publication date: 7-Aug-2005
https://dl.acm.org/doi/10.1007/11535706_3
Schaad A(2004)An Extended Analysis of Delegating ObligationsResearch Directions in Data and Applications Security XVIII10.1007/1-4020-8128-6_4(49-64)Online publication date: 2004
https://doi.org/10.1007/1-4020-8128-6_4
Nguyen VLee RBons R(undefined)An Aspect Architecture for Open Exchange of Administrative Controls for Business ProcessesSSRN Electronic Journal10.2139/ssrn.2070316
https://doi.org/10.2139/ssrn.2070316

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents