
Fifth IEEE International Conference on Research Challenges in Information Science, May 19-21 2011, Guadeloupe - French West Indies, France

ReMoLa: Responsibility Model Language to Align Access Rights with Business Process Requirements

Christophe Feltus, Michaël Petit, Eric Dubois


Motivation
Governance requirements
1st statement: the responsibility of the employees involved in the processes must be strictly defined and correctly assigned to the employees:
  ISO/IEC 38500:2008, Corporate Governance of ICT
  Sarbanes-Oxley Act, Title III, Corporate Responsibility
  Basel II, Responsibility of the board of directors
2nd statement: one of the requirements is to have access rights strictly aligned with the business processes:
  ISO 27000, CobiT, etc.
Aligning access rights with BP
Outline
Responsibility model
  Presentation of the main concepts of the model
  Links between these concepts
Alignment method
  Presentation of the method
  Definition of the responsibilities, assignment of the responsibilities, provisioning of the access rights
Proof-of-concept
  Analysis of System Acceptance from ISO/IEC 27002:2005, Code of practice for information security management
  Definition of the responsibilities
Conclusions and future work
Presentation of the Responsibility model
Elaboration of the model
Employee, right, obligation, commitment
Presentation of the Responsibility model
4 types of obligation
In order to refine the model, we use the CobiT RACI chart, which describes 4 types of obligation:
  Responsible: an employee who performs a task
  Accountable: an employee who directs the task and gives the authorization
  Consulted: an employee who provides advice so that a task can be done
  Informed: an employee who is informed about the achievement of a task
Presentation of the Responsibility model
(Figure: the four obligation types of the model, Responsible, Accountable, Consulted and Informed)
Presentation of the Alignment method
Our approach
2 layers (Business / Technical) and 2 levels (Language / Instantiation)
Method:
  Step 1: definition of the responsibilities from the business layer
  Step 2: assignment of the responsibilities
  Step 3: access rights (AR) provisioning
Presentation of the Alignment method
(Figure: the three steps of the method)
Step 1: mapping of the BP (e.g. CobiT, ISO 15504) onto ReMoLa in order to elaborate the responsibilities: instantiation of Task/Obligation, Accountabilities, Right
Step 2: assignment of the responsibilities to the employees
Step 3: access rights provisioning
Actors involved: BP owner, Employee, Responsibility Delegator, Employee's manager, RBAC Administrator, HR
Presentation of the Alignment method
Mapping of ReMoLa with one AC model: Role Based Access Control
RBAC simplifies the management of granting permissions to users.
3 main elements: User, Role and Permission
2 main functions: user-role assignment (URA) and permission-role assignment (PRA)
Presentation of the Alignment method
If the RBAC role is a type of responsibility, an employee assigned to that responsibility gets exactly the permissions needed by that responsibility.
If instead the RBAC role is a business role, an employee assigned to that role is not necessarily responsible for all the tasks of the role, so he receives too many permissions.
Proof-of-concept: System Acceptance
Audit of the employees' access rights for the process System Acceptance
Audit observations: 5 employees, each with a set of rights and assigned to a business role

Employees and business roles:
  Carla: Chief information officer
  Alice: Employee assigned to the System Acceptance process
  Emma: System Acceptance process manager
  Denis: Project leader
  Bob: System architect

Employees and rights:
  Carla: Access to all
  Alice: Access to the list of requirements; Access to migration priorities; Allowed to participate in migration meetings; Access to the migration risks; Access to the operational efficiencies requirements list
  Emma: Access to migration priorities; Allowed to participate in migration meetings; Access to the migration risk analysis; Access to the preparation template; Access to the testing template; Access to the training support; Time to participate in training
  Denis: Access to the system manual; Access to the set of security controls in place; Access to the list of errors
  Bob: Access to the test results

Are these rights strictly necessary for the employees?
Proof-of-concept: System Acceptance
Definition of the responsibilities
Identification of the tasks that compose System Acceptance. Based on the semantics of each task, an association with one of the RACI obligations is possible; depending on the type of obligation, the specific responsibility model can be taken into consideration.

Tasks and obligations:
  Ensure that the requirements and criteria for acceptance of new systems are clearly defined, agreed, documented, and tested: R
  Provide acceptance for the migration of new information systems, upgrades, and new versions: A (responsibility of Alice)
  Ensure the operational efficiency of the proposed system design: C
  Preparation and testing of routine operating procedures to defined standards: R
  Training in the operation or use of new systems: I
  Agreed set of security controls in place: A
  Appropriate tests should be carried out to confirm that all acceptance criteria have been fully satisfied: R
  Consider error recovery and restart procedures, and contingency plans: R

Alice needs access rights, commitment, is answerable,
Proof-of-concept: System Acceptance
Right to task association
In most of the business frameworks, and in ISO 27002 as well, rights are not explicitly described: a fine-grained analysis is needed to engineer the rights that are needed to perform a task.

Tasks and rights:
  Ensure that the requirements and criteria for acceptance of new systems are clearly defined, agreed, documented, and tested: access to the list of requirements; access to the agreement documentation; access to the test results
  Provide acceptance for the migration of new information systems, upgrades, and new versions: access to migration priorities; access to migration meetings; access to the migration risk analysis
  Ensure the operational efficiency of the proposed system design: access to the operational efficiencies requirements list
  Preparation and testing of routine operating procedures to defined standards: access to the preparation template; access to the testing template
  Training in the operation or use of new systems: access to the training support; time to participate in training; access to the system manual
  Agreed set of security controls in place: access to the set of security controls in place
  Appropriate tests should be carried out to confirm that all acceptance criteria have been fully satisfied: no access required
  Consider error recovery and restart procedures, and contingency plans: access to the list of errors
Proof-of-concept: System Acceptance
Audit conclusions
Observation: Alice is an employee assigned to the System Acceptance process, and because of her business role she gets access to:
  the list of requirements,
  the migration priorities,
  the migration meetings (participation allowed),
  the migration risks,
  the operational efficiencies requirements list.
Using ReMoLa: Alice is responsible for providing acceptance for the migration of new information systems, upgrades, and new versions, and needs only the following rights:
  access to the migration priorities,
  participation in the migration meetings,
  access to the migration risks.
The two remaining rights granted through the business role (list of requirements, operational efficiencies requirements list) are not required by her responsibility.
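As an added worked example (not code from the ReMoLa paper or its authors), the following Python models the two RBAC configurations contrasted in the alignment method, a role defined as a business role versus a role defined as a responsibility, and re-runs the Alice audit on both. The Rbac class, the function names and the short string identifiers for rights are this example's own; the task list, RACI obligations and right-to-task associations are transcribed from the System Acceptance proof-of-concept, and the slide's "migration risks" and "migration risk analysis" are assumed to denote the same right.

```python
"""Aligning RBAC permissions with ReMoLa responsibilities (added example).

Not code from the ReMoLa paper: the Rbac class, function names and right
identifiers are this example's own. Tasks, RACI obligations and
right-to-task associations follow the System Acceptance proof-of-concept;
"migration risks" and "migration risk analysis" are assumed to be one right.
"""
from dataclasses import dataclass, field
from enum import Enum


class Obligation(Enum):
    """Obligation types taken from the CobiT RACI chart."""
    RESPONSIBLE = "R"
    ACCOUNTABLE = "A"
    CONSULTED = "C"
    INFORMED = "I"


# Step 1: definition of the responsibilities. Each System Acceptance task
# carries one obligation type and the rights needed to perform it.
TASKS: dict[str, tuple[Obligation, frozenset[str]]] = {
    "define and test acceptance criteria": (Obligation.RESPONSIBLE, frozenset(
        {"list of requirements", "agreement documentation", "test results"})),
    "provide acceptance for migration": (Obligation.ACCOUNTABLE, frozenset(
        {"migration priorities", "migration meetings", "migration risk analysis"})),
    "ensure operational efficiency of the design": (Obligation.CONSULTED, frozenset(
        {"operational efficiencies requirements list"})),
    "prepare and test routine operating procedures": (Obligation.RESPONSIBLE, frozenset(
        {"preparation template", "testing template"})),
    "training in the operation of new systems": (Obligation.INFORMED, frozenset(
        {"training support", "time to participate in training", "system manual"})),
    "agreed set of security controls in place": (Obligation.ACCOUNTABLE, frozenset(
        {"set of security controls in place"})),
    "confirm all acceptance criteria are satisfied": (Obligation.RESPONSIBLE, frozenset()),
    "error recovery, restart and contingency plans": (Obligation.RESPONSIBLE, frozenset(
        {"list of errors"})),
}


@dataclass
class Rbac:
    """Minimal RBAC core (this example's own): user-role assignment (URA) and
    permission-role assignment (PRA); a user's permissions are the union over
    the roles assigned to him."""
    ura: dict[str, set[str]] = field(default_factory=dict)
    pra: dict[str, set[str]] = field(default_factory=dict)

    def assign_user(self, user: str, role: str) -> None:
        self.ura.setdefault(user, set()).add(role)

    def grant(self, role: str, *perms: str) -> None:
        self.pra.setdefault(role, set()).update(perms)

    def permissions_of(self, user: str) -> frozenset[str]:
        return frozenset(p for r in self.ura.get(user, ()) for p in self.pra.get(r, ()))


def required_rights(assignment: dict[str, set[str]], employee: str) -> frozenset[str]:
    """Input of Step 3: the rights an employee needs are exactly the union of
    the rights attached to the tasks assigned to him in Step 2."""
    return frozenset(r for task in assignment.get(employee, ()) for r in TASKS[task][1])


def audit(rbac: Rbac, assignment: dict[str, set[str]],
          employee: str) -> tuple[frozenset[str], frozenset[str]]:
    """Return (excess, missing): permissions granted but not needed by the
    employee's responsibilities, and rights needed but not granted."""
    granted, needed = rbac.permissions_of(employee), required_rights(assignment, employee)
    return granted - needed, needed - granted


def business_role_rbac() -> Rbac:
    """The audited configuration: one RBAC role per business role, whose
    permissions cover every task a holder of that role might perform."""
    rbac = Rbac()
    rbac.grant("Employee assigned to the System Acceptance process",
               "list of requirements", "migration priorities", "migration meetings",
               "migration risk analysis", "operational efficiencies requirements list")
    rbac.assign_user("Alice", "Employee assigned to the System Acceptance process")
    return rbac


def responsibility_rbac(assignment: dict[str, set[str]]) -> Rbac:
    """ReMoLa alignment: one RBAC role per responsibility (task), carrying
    only that task's rights; employees get the roles of their own tasks."""
    rbac = Rbac()
    for task, (_obligation, rights) in TASKS.items():
        rbac.grant(task, *rights)
    for employee, tasks in assignment.items():
        for task in tasks:
            rbac.assign_user(employee, task)
    return rbac


# Step 2 result from the proof-of-concept: Alice's single responsibility.
ASSIGNMENT: dict[str, set[str]] = {"Alice": {"provide acceptance for migration"}}

if __name__ == "__main__":
    for label, rbac in (("business role", business_role_rbac()),
                        ("responsibility", responsibility_rbac(ASSIGNMENT))):
        excess, missing = audit(rbac, ASSIGNMENT, "Alice")
        print(f"{label}: excess={sorted(excess)} missing={sorted(missing)}")
```

With the business-role configuration the audit reports the two rights the slide flags as unnecessary for Alice (list of requirements, operational efficiencies requirements list) and nothing missing; with one role per responsibility both sets are empty. Because the check is a plain set difference against the right-to-task association, the same audit function also detects the opposite failure (a responsibility whose rights were never provisioned) as a non-empty "missing" set.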
Conclusions and future work
Business need for a better alignment of the employees' responsibilities, from the management frameworks down to the technical rules
Our approach:
  Step 1: definition of the responsibilities: Business Role, Activities, Tasks, Obligations, Responsibilities
  Step 2: responsibility to employee assignment
  Step 3: rights to responsibility association
Future work
  Complementary validations using case studies: one ongoing and one beginning in June
  Integration within ArchiMate and other EA frameworks
Thank you ! Questions ?
