
Integrity and Internal Control in Information Systems: IFIP TC11 Working Group 11.5 Second Working Conference on Integrity and Internal Control in Information Systems: Bridging Business Requirements and Research Results Warrenton, Virginia, USA November 1 PDF

288 Pages·1998·8.617 MB·English


INTEGRITY AND INTERNAL CONTROL IN INFORMATION SYSTEMS

IFIP - The International Federation for Information Processing

IFIP was founded in 1960 under the auspices of UNESCO, following the First World Computer Congress held in Paris the previous year. An umbrella organization for societies working in information processing, IFIP's aim is two-fold: to support information processing within its member countries and to encourage technology transfer to developing nations. As its mission statement clearly states,

IFIP's mission is to be the leading, truly international, apolitical organization which encourages and assists in the development, exploitation and application of information technology for the benefit of all people.

IFIP is a non-profitmaking organization, run almost solely by 2500 volunteers. It operates through a number of technical committees, which organize events and publications. IFIP's events range from an international congress to local seminars, but the most important are:

· The IFIP World Computer Congress, held every second year;
· open conferences;
· working conferences.

The flagship event is the IFIP World Computer Congress, at which both invited and contributed papers are presented. Contributed papers are rigorously refereed and the rejection rate is high.

As with the Congress, participation in the open conferences is open to all and papers may be invited or submitted. Again, submitted papers are stringently refereed.

The working conferences are structured differently. They are usually run by a working group and attendance is small and by invitation only. Their purpose is to create an atmosphere conducive to innovation and development. Refereeing is less rigorous and papers are subjected to extensive group discussion.

Publications arising from IFIP events vary.
The papers presented at the IFIP World Computer Congress and at open conferences are published as conference proceedings, while the results of the working conferences are often published as collections of selected and edited papers.

Any national society whose primary activity is in information may apply to become a full member of IFIP, although full membership is restricted to one society per country. Full members are entitled to vote at the annual General Assembly. National societies preferring a less committed involvement may apply for associate or corresponding membership. Associate members enjoy the same benefits as full members, but without voting rights. Corresponding members are not represented in IFIP bodies. Affiliated membership is open to non-national societies, and individual and honorary membership schemes are also offered.

INTEGRITY AND INTERNAL CONTROL IN INFORMATION SYSTEMS

IFIP TC11 Working Group 11.5 Second Working Conference on Integrity and Internal Control in Information Systems: Bridging Business Requirements and Research Results
Warrenton, Virginia, USA
November 19-20, 1998

edited by

Sushil Jajodia, George Mason University, USA
William List, The Kingswell Partnership Ltd., UK
Graeme W. McGregor, The Broken Hill Proprietary Company Ltd., UK
Leon A. M. Strous, De Nederlandsche Bank NV, The Netherlands

SPRINGER-SCIENCE+BUSINESS MEDIA, B.V.

Library of Congress Cataloging-in-Publication Data
A C.I.P. Catalogue record for this book is available from the Library of Congress.

ISBN 978-1-4757-5533-6
ISBN 978-0-387-35396-8 (eBook)
DOI 10.1007/978-0-387-35396-8

Copyright © 1998 by Springer Science+Business Media Dordrecht
Originally published by Kluwer Academic Publishers in 1998

All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher, Springer-Science+Business Media, B.V.

Printed on acid-free paper.

CONTENTS

Preface

PART ONE: IFIP TC-11 Working Group 11.5 Second Working Conference on Integrity and Internal Control in Information Systems: Bridging Business Requirements and Research Results

Conference Committees

1 Propagating integrity information among interrelated databases
  A. Rosenthal, E. Sciore
2 Integrity constraint enforcement in a multidatabase using distributed active rules
  L.G. Gomez, S.D. Urban
3 The constraint operator of MedLan: its efficient implementation and use
  P. Asirelli, C. Renso, F. Turini
4 Growing dependency on IT: the consequences thereof for the organization and for IT-auditors
  M.E. van Biene-Hershey
5 TOP: an example of complex application controls
  M. Korver
6 Algebra for databases with explicit markings of damaged data
  G. Rumolo, S. Jajodia
7 Application of models from epidemiology to metrics for computer virus risk
  J.L. Aron, R.A. Cove
8 Integrity control of spreadsheets: organisation & tools
  K. Rajalingham, D. Chadwick
9 Design basis for achieving information integrity - a feedback control system approach
  V.V. Mandke, K.M. Nayar
10 Modification of integrity constraints through knowledge discovery
  V. Atluri
11 Managing data quality and integrity in federated databases
  M. Gertz
12 A logical formalization of integrity policies for database management systems
  F. Cuppens, C. Saurel
13 Maintaining integrity constraints and security in real-time database systems
  Q.N. Ahmed, S.V. Vrbsky
14 Assurance - what is it?
  M.D. Abrams, D.J. Landolt, G. Stoneburner

PART TWO: General Information

IFIP TC-11
IFIP TC-11 working groups

Index of contributors
Keyword index

PREFACE

Dear readers,

Although it is well-known that confidentiality, integrity and availability are high level objectives of information security, much of the attention in the security arena has been devoted to the confidentiality and availability aspects of security. IFIP TC-11 Working Group 11.5 has been charged with exploring the area of the integrity objective within information security and the relationship between integrity in information systems and the overall internal control systems that are established in organizations to support the corporate governance codes.

In this collection you will find the papers that have been presented during the second working conference dedicated to the subject. Also some information about IFIP TC-11 and its working groups is included.

The second working conference of working group 11.5 continues the ongoing dialog between the information security specialists and the internal control specialists so that both may work more effectively together to assist in creating effective business systems in the future.

The goals for this and following conferences are to find an answer to the following questions:

• what precisely do business managers need in order to have confidence in the integrity of their information systems and their data;
• what is the status quo of research and development in this area;
• where are the gaps between business needs on the one hand and research and development on the other and what needs to be done to bridge these gaps.

The results of the working conference, both in the papers presented and the outcome of the panel sessions, will be the basis for the future direction of the activities of the working group. The cooperation with other organizations that have an interest in this area will be further expanded in the forthcoming years.
If you have missed the chance to explore the field of integrity and internal control in information systems this year, take the opportunity to contribute next year to the debate with colleagues to further the development of reliable information systems and submit a paper or participate in the working conference.

We would like to thank all individuals and organizations that have made it possible for this working conference to take place and all the authors of the papers submitted to the working conference.

September 1998

Sushil Jajodia, Fairfax, Virginia, USA
William List, Woodford Green, Essex, UK
Graeme McGregor, Melbourne, Victoria, Australia
Leon Strous, Helmond, The Netherlands

Address for contact:
Leon Strous
Gistel 20
5707 GV Helmond
The Netherlands
telephone: +31 492 548636
fax: +31 492 548636
e-mail: [email protected]

Business affiliation:
De Nederlandsche Bank NV
Westeinde 1
1017 ZN Amsterdam
The Netherlands
telephone: +31 20 5242748
fax: +31 20 5242505

PART ONE

IFIP TC-11 Working Group 11.5 Second Working Conference on Integrity and Internal Control in Information Systems: Bridging Business Requirements and Research Results
Warrenton, Virginia, USA
November 19-20, 1998

CONFERENCE COMMITTEES

Organized by:
IFIP TC-11 Working Group 11.5 Integrity and Internal Control

In cooperation with:
Applied Computer Security Associates (ACSA)
George Mason University
International Federation of Accountants (IFAC), IT-Committee

Supported and sponsored by:
PricewaterhouseCoopers GRMS
Dutch Association of Registered EDP Auditors (NOREA)
Dutch Computer Society (NGI), SIG Information Security

Conference General Chair
dr. Marshall D. Abrams, The MITRE Corporation, USA

Programme Committee
prof. dr. Sushil Jajodia, George Mason University, USA (chair)
William List CA FBCS, The Kingswell Partnership, UK (co-chair)
Graeme McGregor FCPA, Broken Hill Proprietary Company, Australia (co-chair)
