4 types of obligation
Consulted
Informed
Outlines
  Responsibility model
    Presentation of the main concepts of the model
    Links between these concepts
  Alignment method
    Presentation of the method
    Definition of the responsibilities, assignment of the responsibilities, provisioning of the access rights
  Proof-of-concept
    Analysis of the System Acceptance from ISO/IEC 27002:2005, Code of practice for information security management
    Definition of the responsibilities
  Conclusions and future work
Presentation of the Alignment method
Our approach
  2 layers (Business/Technical) and 2 levels (Language/Instantiation)
Method:
  Definition of the responsibilities from the business layer
  Assignment of the responsibilities
  Access rights (AR) provisioning
Presentation of the Alignment method
[Figure: Step 1 and Step 2 of the method] Mapping BP (e.g. CobiT, ISO 15504) / ReMoLa in order to elaborate responsibilities; instantiation of Task/Obligation, Accountabilities, Right.
Presentation of the Alignment method
[Figure: Step 3, actors involved] BP owner, Employee, Responsibility Delegator, Employees manager, RBAC Administrator, HR.
Presentation of the Alignment method
Mapping of ReMoLa with one AC Model: Role Based Access Control
  To simplify the management of granting permissions to users
  3 main elements: User, Role and Permission
  2 main functions: User-role assignment (URA), Permission-role assignment (PRA)
Presentation of the Alignment method
The associations with RACI obligations are possible; the responsibility model can be taken into consideration. Need for fine-grain analysis to engineer the rights that are needed to perform a task.

Obligation (ISO/IEC 27002 System acceptance) | RACI | Access rights
Ensure that the requirements and criteria for acceptance of new systems are clearly defined, agreed, documented, and tested | R |
Appropriate tests should be carried out to confirm that all acceptance criteria have been fully satisfied | R |
Consider error recovery and restart procedures, and contingency plans | R |
Preparation and testing of routine operating procedures to defined standards | | Access to preparation template; Access to testing template
Training in the operation or use of new systems | | Access to the training support; Time to participate to training; Access to the system manual
Agreed set of security controls in place | | Access to the set of security controls in place
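As an added example (not part of the original slides or of ReMoLa itself), a small Python model of the three steps: responsibilities defined from the ISO/IEC 27002 System acceptance obligations in the table above, assigned to employees with a RACI value, then provisioned as access rights through RBAC user-role and permission-role assignment. Employee names, role names, the short right identifiers and the rule that only the Responsible party receives rights are assumptions of this example.

```python
from collections import defaultdict
# Step 1: responsibilities from the business layer. Obligation texts and rights
# come from the ISO/IEC 27002 table above; the right identifiers are constructed.
OBLIGATIONS = {
    "operating_procedures": {
        "text": "Preparation and testing of routine operating procedures to defined standards",
        "rights": {"access:preparation_template", "access:testing_template"},
    },
    "training": {
        "text": "Training in the operation or use of new systems",
        "rights": {"access:training_support", "time:training_participation",
                   "access:system_manual"},
    },
    "security_controls": {
        "text": "Agreed set of security controls in place",
        "rights": {"access:security_controls"},
    },
}

class Rbac:
    """Minimal RBAC: User, Role, Permission plus the URA and PRA functions."""
    def __init__(self):
        self.ura = defaultdict(set)   # user -> roles (user-role assignment)
        self.pra = defaultdict(set)   # role -> permissions (permission-role assignment)
    def assign_user_role(self, user, role):
        self.ura[user].add(role)
    def assign_permission_role(self, role, permission):
        self.pra[role].add(permission)
    def permissions_of(self, user):
        return set().union(*(self.pra[r] for r in self.ura.get(user, ())))

def provision(assignments, rbac):
    """Steps 2 and 3: from (employee, obligation, RACI) assignments, build one role
    per obligation, attach its rights (PRA) and give it to the employee (URA).
    Assumption: only the Responsible ('R') party needs the rights; C/I do not."""
    for employee, obligation, raci in assignments:
        if raci != "R":
            continue
        role = f"role:{obligation}"
        for right in OBLIGATIONS[obligation]["rights"]:
            rbac.assign_permission_role(role, right)
        rbac.assign_user_role(employee, role)
    return rbac

def missing_rights(rbac, employee, obligation):
    """Alignment check for the RBAC administrator: rights the employee still lacks."""
    return OBLIGATIONS[obligation]["rights"] - rbac.permissions_of(employee)

ASSIGNMENTS = [  # constructed Step 2 assignments, not from the slides
    ("alice", "operating_procedures", "R"), ("alice", "training", "R"),
    ("bob", "training", "I")]
```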