An approach to correctness of security and operational business policies


International Journal of Accounting Information Systems 15 (2014) 323–334
Contents lists available at ScienceDirect
International Journal of Accounting Information Systems

An approach to correctness of security and operational business policies☆
. Karimi, . Cowan ⁎, . Alencar
David R. Cheriton School of Computer Science, University of Waterloo

Article info
Article history:
Received 1 June 2013
Received in revised form 22 January 2014
Accepted 15 May 2014
Available online 12 July 2014

Keywords:
Security policies
REA
Correctness of security policies

Abstract
In this paper we have proposed an approach to describing security and
operational business policies and verifying their correctness with
respect to a set of properties. The method is based on the REA business
modeling language to construct definitions of security and operational
business rules. Once the rules are created their representations are
combined into policies and policy sets using state machines.
© 2014 Elsevier Inc. All rights reserved.

1. Introduction
One of the fundamental goals of software engineering is to provide systematic and disciplined approaches
for the development of real-world software systems. In contrast with ad hoc approaches, these methods can
benefit organizations in many ways since they offer techniques that can, for example, be used to
guarantee that the software meets organizational requirements and works correctly with respect to
the expectations of organizational stakeholders.
Providing such guarantees becomes a significant challenge when we consider large and complex modern
software such as enterprise resource planning (ERP) systems, which have thousands of control requirements
that need to be managed (Gal et al.). These controls involve a number of different aspects, some of which are
related to an organization's business processes involving access control and proper business operation.
Although frameworks such as COSO and CoBIT have been proposed for the evaluation of
