Standardising business application security assessments with pattern-driven audit automations

In light of recent corporate corruption scandals, corporate governance and responsibility have emerged as a top management priority, as reflected in the recent regulatory environment and compliance requirements such as the Sarbanes-Oxley Act. The need for explicitly demonstrated assurance of financial and accounting information in an IT-driven business environment has shifted attention to the information itself and to the IT systems that hold it. Assurance of information rests on the art and science of IT audit, a set of tasks that by nature recur both in time and across systems. In environments of integrated business applications and enterprise resource planning systems, auditing is particularly laborious, and the requirement for automation of auditing tasks has never been more pressing. The belief that audit automation is part of the means of achieving governance is gaining ground among scholars and practitioners alike. However, there is not yet a common understanding of how such automation could be achieved across different systems and applications. We argue that, through appropriate standardisation of the automation requirements, such cross-system implementation may be possible, and we propose the use of security design patterns as a means of standardisation. In this paper we explore the use of security patterns for audit automation and implement them as a means of supporting its standardisation within integrated business application systems.
