Similar literature
Found 20 similar documents; search took 31 ms
1.
Abstract

Several sections of the Sarbanes-Oxley Act of 2002 (SOX) directly affect the governance of the information technology (IT) organization, including potential SOX certification by the chief information officer, Section 404 internal control assessments, “rapid and current” disclosures to the public of material changes, and authentic and immutable record retention. The Securities and Exchange Commission (SEC) requires publicly traded companies to comply with the Treadway Commission's Committee of Sponsoring Organizations (COSO) that defines enterprise risk and places security as a critical variable in enterprise risk assessment. Effective IT and security governance are examined in terms of SOX compliance. Motorola IT security governance demonstrates effective structures, processes, and communications; centralized security leaders participate with Motorola's Management Board to create an enabling security organization to sustain long-term change.

2.
Compliance with the Sarbanes-Oxley Act of 2002 (SOX) has been hampered by the lack of implementation details. This article argues that IT departments that have implemented ten categories of IT controls provided by the International Standards Organization (ISO 17799) will be well on their way toward SOX compliance. A side-by-side comparison of the 124 control components of the ISO Standard and the published SOX implementation guidelines is provided.

3.
李聪  杨晓元  白平  王绪安 《计算机应用》2018,38(8):2249-2255
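In ciphertext-policy attribute-based encryption (CP-ABE) schemes, decryption keys are defined over attributes shared by multiple users, so a private key cannot be traced back to its original owner; a malicious user may leak decryption privileges to a third party for financial gain without being detected. In addition, in most existing CP-ABE schemes the decryption cost and ciphertext size grow linearly with the complexity of the access structure. These problems severely limit the application of CP-ABE. To address them, an accountable CP-ABE scheme with fully verifiable outsourced decryption is proposed, which traces users who deliberately leak keys by defining an accountability list and reduces decryption cost through outsourced computation. The scheme can check the correctness of the transformed ciphertext for both authorized and unauthorized users, supports arbitrary monotone access structures, and its accountability has no impact on other security properties. Finally, the scheme is proved secure against chosen-plaintext attack (CPA) in the standard model.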

4.
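Permission management based on XML and database technology   Total citations: 3, self-citations: 1, citations by others: 2
Building on the role-based access control (RBAC) model and taking the characteristics of XML applications into account, XML and database technology are applied to the system permission information and the user permission information respectively. A permission management method for Web application systems that combines XML with database technology is designed and implemented; it improves the flexibility and reusability of Web system permission management and has been successfully validated in a real system.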

5.
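As the core component of SOA, the ESB system must solve the problem of enabling transparent data exchange between enterprises. To address this problem, based on a study of XSLT and related standards, a visual data exchange model based on XSLT is proposed. The key algorithm for converting the mapping relationships in the model from a graphical representation to an XSLT representation is studied in detail, and the design of an ESB-based visual data mapping tool is presented.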

6.
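Selection model of enterprise application integration technology for supply chain management   Total citations: 7, self-citations: 0, citations by others: 7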
黄国青  章勇 《计算机工程与应用》2005,41(23):221-223,229
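Integration of supply chain information systems is crucial to improving supply chain management, and the emergence of enterprise application integration (EAI) technology offers a new solution for it. By classifying supply chain integration systems and analysing EAI technologies, this paper proposes a model for selecting the EAI technology suited to each type of system. Applying the model reduces the uncertainty enterprises face when choosing an integration technology for supply chain information systems, and provides a practical method and approach for integrating them effectively.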

7.
Rapid changes in the open manufacturing environment are imminent due to the increase of customer demand, global competition, and digital fusion. This has exponentially increased both complexity and uncertainty in the manufacturing landscape, creating serious challenges for competitive enterprises. For enterprises to remain competitive, analysing manufacturing activities and designing systems to address emergent needs, in a timely and efficient manner, is understood to be crucial. However, existing analysis and design approaches adopt a narrow diagnostic focus on either managerial or engineering aspects and neglect to consider the holistic complex behaviour of enterprises in a collaborative manufacturing network (CMN). It has been suggested that reflecting upon ecosystem theory may bring a better understanding of how to analyse the CMN. The research presented in this paper draws on a theoretical discussion with the aim of demonstrating a facilitating approach to those analysis and design tasks. This approach was later operationalised using enterprise modelling (EM) techniques in a novel, developed framework that enhanced systematic analysis, design, and business-IT alignment. It is expected that this research view is opening a new field of investigation.

8.
The purpose of this paper is to present an alternative systems thinking–based perspective and approach to the requirements elicitation process in complex situations. Three broad challenges associated with the requirements engineering elicitation in complex situations are explored, including the (1) role of the system observer, (2) nature of system requirements in complex situations, and (3) influence of the system environment. Authors have asserted that the expectation of unambiguous, consistent, complete, understandable, verifiable, traceable, and modifiable requirements is not consistent with complex situations. In contrast, complex situations are an emerging design reality for requirements engineering processes, marked by high levels of ambiguity, uncertainty, and emergence. This paper develops the argument that dealing with requirements for complex situations requires a change in paradigm. The elicitation of requirements for simple and technically driven systems is appropriately accomplished by proven methods. In contrast, the elicitation of requirements in complex situations (e.g., integrated multiple critical infrastructures, system-of-systems, etc.) requires more holistic thinking and can be enhanced by grounding in systems theory.

9.
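Fault localization is one of the most expensive activities in software debugging. Mutation-based fault localization (MBFL) assumes that mutants killed by most failing test cases are good indicators of the fault location. Previous studies have shown that MBFL performs well at localizing single faults, but its performance on multiple faults has not been studied in depth. In recent years, higher-order mutants have been proposed for constructing complex faults that are hard to kill, but whether they improve the localization accuracy of MBFL is unknown. In this paper, we study the performance of first-order and higher-order mutants in multiple-fault localization. Further, we divide higher-order mutants into three classes according to their mutation locations: accurate, partially accurate and inaccurate higher-order mutants, and explore which class is more effective for fault localization. Based on an empirical study on five programs, we find that in multiple-fault scenarios higher-order mutants localize faults better than first-order mutants. Moreover, we find that the influence of the different classes of higher-order mutants cannot be ignored. Specifically, accurate higher-order mutants contribute more than inaccurate ones. Researchers should therefore propose more effective methods for generating this class of mutants for future MBFL research.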

10.
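Research on the application of role-based access control in network education   Total citations: 4, self-citations: 0, citations by others: 4
Role-based access control (RBAC), as a security mechanism, is a current research hotspot. How to apply RBAC in line with the characteristics of network education is a key and difficult issue in that field. Based on an analysis of the RBAC96 model, a system is designed around the characteristics of network education, and a new permission management model tailored to network education is established that also allows individual permissions to be modified. Finally, a system implementation of the model in network education is given, and the feasibility of RBAC in network education is verified through a project.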

11.
Vehicular fog computing (VFC) has been envisioned as an important application of fog computing in vehicular networks. Parked vehicles with embedded computation resources could be exploited as a supplement for VFC. They cooperate with fog servers to process offloading requests at the vehicular network edge, leading to a new paradigm called parked vehicle assisted fog computing (PVFC). However, each coin has two sides. There is a follow-up challenging issue in the distributed and trustless computing environment. The centralized computation offloading without tamper-proof audit causes security threats. It could not guard against false-reporting, free-riding behaviors, spoofing attacks and repudiation attacks. Thus, we leverage the blockchain technology to achieve decentralized PVFC. Request posting, workload undertaking, task evaluation and reward assignment are organized and validated automatically through smart contract executions. Network activities in computation offloading become transparent, verifiable and traceable to eliminate security risks. To this end, we introduce network entities and design interactive smart contract operations across them. The optimal smart contract design problem is formulated and solved within the Stackelberg game framework to minimize the total payments for users. Security analysis and extensive numerical results are provided to demonstrate that our scheme has high security and efficiency guarantee.

12.
Donald L. Adams 《EDPACS》2013,47(12):1-12
Abstract

As cyber-criminals get smarter and smarter, staying one step ahead of emerging security threats is getting harder and harder. Seemingly every day, news reports are filled with hair-raising stories about computer networks and corporations being terrorized by worms, viruses, hackers, and identity thieves. More than ever, companies need to pay strict attention to network security, not only to defend against attacks and protect customer data, but also to satisfy a growing list of government regulations such as the Sarbanes–Oxley (SOX) Act, the Health Insurance Portability and Accountability Act (HIPAA), California's privacy breach notification law SB1386, and the Federal Information Security Management Act (FISMA).

13.
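For applications of geographic information systems, the Global Positioning System and location-based services, the concept of a 3S system is proposed. The reasons for the rise of 3S systems and their practical application scenarios are analysed, a typical 3S system architecture and data flow are designed, and key technologies in the system such as map formats, map matching, route navigation and cross-platform GUIs are discussed. The implementation results of a 3S system developed as a special science and technology project for the 2010 Shanghai World Expo are presented.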

14.
We explain why for the verified software challenge proposed in Hoare (J ACM 50(1): 63–69, 2003), Hoare and Misra (Verified software: theories, tools, experiments. Vision of a Grand Challenge project. In: [Meyer05]) to gain practical impact, one needs to include rigorous definitions and analysis, prior to code development and comprising both experimental validation and mathematical verification, of ground models, i.e., blueprints that describe the required application-content of programs. This implies the need to link via successive refinements the relevant properties of such high-level models in a traceable and checkable way to code a compiler can verify. We outline the Abstract State Machines (ASM) method, a discipline for reliable system development which allows one to bridge the gap between informal requirements and executable code by combining application-centric experimentally validatable system modelling with mathematically verifiable stepwise detailing of abstract models to compile-time-verifiable code.

15.
Existing techniques for developing large scale complex engineering systems are predominantly software based and use Unified Modeling Language (UML). This leads to difficulties in model transformation, analysis, validation, verification and automatic code generation. Currently no general frameworks are available to bridge the concept-code gap rampant in design and development of complex, software-intensive mechatronic systems called cyber-physical systems. To fill this gap and provide an alternative approach to Object Management Group’s UML/SysML/OCL combination, we propose: Bond Graph based Unified Meta-Modeling Framework (BG-UMF). BG-UMF is a practical and viable alternative and uses a novel hybrid approach based on model unification and integration. The focus is on conceptual design and development of executable models for large systems. The viability of the framework is demonstrated through an application scenario: conceptual design and development of a navigation and control system for a rotor-craft UAV.

16.
We present a model of employee compliance with information security policy (ISP) that (1) explicates stable, cognitive beliefs regarding the consequences of compliance and noncompliance as well as state-based affective constructs, namely, positive and negative mood states and episodic, security-related work-impediment events, and (2) provides an expanded conceptualisation of moral considerations and normative influences regarding employees' ISP compliance. Because affect is central to this theorisation, we ensure that the model captures and explains differences in day-to-day affective constructs to account for the often fleeting nature of affective states. We test our multilevel model using an experience-sampling methodology design, in which employees completed daily surveys over a 2-week period, followed by a hierarchical linear modelling statistical assessment. Our contribution to theory is a unique account of ISP compliance that integrates affective factors with constructs from rational choice theory and theory of planned behaviour and that diverges from prior conceptualisations of ISP compliance as a purely stable and reason-based phenomenon. For practitioners, our results suggest that a combination of cognitive and affective influences may produce discrete episodes of ISP compliance that do not coincide with prior behavioural trends.

17.
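Research on digital hospital integration and its implementation mechanism under the IHE standard   Total citations: 2, self-citations: 0, citations by others: 2
Hospital information systems (HIS) in China are currently at the stage of comprehensive integration. Based on the actual state of hospital informatization, this paper proposes a system integration framework for digital hospitals at the present stage. The framework is modelled and refined within the scope of the IHE integration standard models and methods for hospitals, and is a subset of IHE. The implementation mechanisms of the data centre, the integration platform and the applications under this framework are also studied. The Reference Information Model (RIM) under the HL7 V3 development framework is used to model and integrate the corresponding hospital roles, and finally the functions of an integrated physician workstation are implemented on the basis of “军卫一号HIS”.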

18.
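Based on a mechanism analysis of the ideal concentration model, the crossover operation of the genetic algorithm is redesigned using the theory and methods of randomized uniform design. Building on an analysis of the characteristics of the minimum vertex cover problem on graphs, and combining scan-and-repair and local improvement strategies, a genetic algorithm for the minimum vertex cover problem is given, called the genetic algorithm based on randomized uniform design point sets. Simulation comparisons of this algorithm with the simple genetic algorithm and the good-point-set genetic algorithm on the minimum vertex cover problem show that it improves solution quality, speed and precision.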

19.
Fault diagnosis expert system based on case-based and rule-based reasoning   Total citations: 2, self-citations: 0, citations by others: 2
江志农  王慧  魏中青 《计算机工程》2011,37(1):238-240,243
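A fault diagnosis expert system for rotating machinery based on case-based reasoning (CBR) and rule-based reasoning (RBR) is designed and implemented. CBR and RBR are applied in series: a diagnosis is first sought through case matching and, where that is not applicable, reasoning falls through to general rules; the diagnosis result is fed back to the knowledge base for optimization. Application results show that the system's diagnoses agree with actual conditions, and that diagnosis is fast and well targeted.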

20.
ABSTRACT

The purpose of this article is to inform and educate the Information Security (IS) professional about some of the key/fundamental tenets of Sarbanes-Oxley (SOX), especially in the context of Confidentiality, Integrity and Availability of information, the three cornerstones of every security initiative. The focus is on such Sections of the Act as 404 (Internal Controls), 302 (Management Certifications), 806 (Whistleblower Protections), 409 (Real Time Disclosures), 802 (Alteration of Documents), amongst others. The purpose is to develop an appreciation and understanding of IS requirements and implications of SOX, and likewise to better understand how SOX can provide a basic roadmap for IS that every professional, department and organization may be able to use.
