Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Thursday, March 11, 2010

New HP Labs Technical Report – Job Design: Providing Strategic Decision Support for Risk Analysis and Policy Definition

A new HP Labs Technical Report has been published called “Job Design: Providing Strategic Decision Support for Risk Analysis and Policy Definition” (authors: Marco Casassa Mont, Adrian Baldwin, Simon Shiu, Paul Collins):

“Strategic decision makers need to organize their workforce and define policies on how to allocate roles and rights to individuals allowing them to work effectively for the organization, whilst minimizing security risks. Many organizations have a separation of duty matrix specifying certain toxic combinations of access rights that they generally understand present an extreme risk. These matrices do not always contain some of the less understood or smaller risks. The flip side of the rights allocation problem is the need for an organization to keep systems running under various pressures including reducing headcounts. This tension often leads to a practice of providing skilled individuals with wide access rights to many systems. We describe this tension as the Job Design Problem. That is how to manage the trade-offs between allocating roles allowing for flexibility and the possible security impacts. It is not just a matter of technical "role engineering", access right allocation and Identity & Access Management (IAM) provisioning processes. Decision makers need tools that help them understand how to give guidance and set policies associated with role allocations and mechanisms to enable a debate between various stakeholders within the business, IT and Audit concerning the appropriate level of tradeoff and acceptable risk. In this paper, we aim at making progress in this field by presenting an approach and methodology to provide strategic decision support capabilities for the definition and assessment of policies in the context of Job Design. We focus on a problem provided by an IT department within a large organization, where employees (primarily IT admins and IT support staff) operate on sensitive and critical business systems and services. In this context, security risks are a major concern and need to be fully understood. 
Depending on the motivations and skills of the workforce, accidental or deliberate misuses of access rights and capabilities might take place and have huge economical and reputational consequences for the organizations. The decision makers (e.g. CIOs, CISOs) need to understand the implications and trade-offs of making job design decisions as well as investing in additional/complementary controls, such as monitoring/auditing systems, IAM solutions, education or vetting/clearance programs. We describe a decision support solution based on modeling and simulation, to provide this kind of policy-decision support. This is work in progress. We present our current results and next steps.”

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

--- NOTE: my original HP blog can be found here ---

The First EnCoRe Technical Architecture for the Management of Consent and Revocation is Available Online

The first EnCoRe Technical Architecture for the explicit management of consent and revocation on personal data has been published and is available online:

“This document is a formal deliverable of the EnCoRe project. It contains the definition of the EnCoRe Technical Architecture for the first realized Case Study: an Enhanced Employee Data Scenario. It also describes that scenario – specifically the use, by employees of an organisation, of a Web2.0-style service for work-related and personal purposes – and its related requirements regarding consent management. These requirements were gathered and defined by legal and social science research within the EnCoRe project, and were influenced by its concept formalisation research.
The scope of the EnCoRe Technical Architecture for this first Case Study encompasses all the technical functions required for the management (including capture and revocation) and enforcement of individuals’ consents that are pertinent to the Case Study’s scenario. The technical architecture is the block-level design of the necessary technical system, at the level of functional blocks (i.e., software and service components) and the data flows between them and to/from humans, other technical systems, compliance and other business processes and regulatory environments. Its goal is to provide the basis for an EnCoRe reference implementation that validates the approach and the technology. To that end this document’s approach is to start with contextual information and overviews, and incrementally refine the level of detail. Most of this detail is contained within Appendices.”

--- Posted by Marco Casassa Mont (here and here) ---


HP Labs 2009 Annual Report

The HP Labs 2009 Annual Report is now available online:

“In fiscal year 2009 -- from November 2008 through October 2009 -- HP Labs has focused its research agenda on fewer, larger projects that have the potential to change the future of the industry and shape the future of HP.
The HP Labs 2009 Annual Report highlights our research themes, significant inventions, open innovation activities and, most importantly, our research team.
Print copies of the report and its Appendix, which lists the year's publications, may be ordered through MagCloud.com, a new print-on-demand service created in HP Labs. To order copies, click here.”

--- Posted by Marco Casassa Mont (here and here) ---
