This paper introduces a formal security design approach for information exchange in organisations. The formal approach provides for automation of a security design method which supports security authorities in the design of individual security models. An individual security model is a fully customised specification of access control information for information exchange within a particular business environment. We introduce transaction-based business process models (BPMs) and utilise these models for a formal transformation to “need-to-know” authorisations. To this end, we identify the information in BPMs which can be transformed to access control information and derive a specification of an organisation’s individual security model. Our approach provides transparency of security design because the design method ensures that a security model is directly related to the business. Moreover, security effort and costs will be reduced because BPMs need not be specified for security reasons and security design can be automated. BPMs are a result of management activities and are therefore existing resources from a security point of view.