Abstract
This paper stresses the importance of integrity of financial data in commercial information systems for the financial auditor.
Integrity of data is defined as giving a true and fair view of reality. The usefulness of the TCSEC and ITSEC criteria is reviewed from this point of view. However, these criteria are mainly focused on the confidentiality of data.
In a business environment integrity of data tends to be more important than confidentiality of data. The model of Clark and Wilson [Clark87] is reviewed for practical use. The model is extended with some suggestions for checking the consistency of business data, based on the concepts of value streams, segregation of duties and comparison with standards. Additionally, recommendations are given for the implementation of the adjusted Clark/Wilson model in a midrange computer environment.
Information Technology seems to be developing in the direction of distributed or decentralised data processing and more flexible information systems. A practical problem of the Clark/Wilson model is its heavy reliance on the integrity of application software. In a dynamic business environment the application programs are subject to continuing change; besides which, both development procedures and change management procedures are weakening. A solution for this dilemma might be the embedding of the separation of duties in the corporate data model.
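As an added illustration (not code from the paper or its authors), the following Python sketch shows a Clark/Wilson-style enforcement layer for a purchase-to-pay value stream: certified (user, TP) pairs stand in for access triples, a segregation-of-duties rule forbids one user from running two different TPs on the same order, and an integrity verification procedure compares successive stages of the value stream with each other. The user names, TP names and the order/receipt/invoice stages are assumptions chosen for the example.

```python
from dataclasses import dataclass, field

# Constructed sample: a purchase-to-pay value stream modelled as Clark/Wilson CDIs.
# Each dict maps order_id -> amount; history is the append-only log of TP executions.
@dataclass
class Ledger:
    orders: dict = field(default_factory=dict)
    receipts: dict = field(default_factory=dict)
    invoices: dict = field(default_factory=dict)
    history: list = field(default_factory=list)   # (user, tp, order_id)

# Certified (user, TP) pairs: the enforcement side of Clark/Wilson access triples.
# The CDI touched is implied by the TP name. Names and roles are assumptions.
ACCESS_TRIPLES = {("alice", "order"), ("bob", "receive"), ("carol", "invoice"),
                  ("dave", "order"), ("dave", "receive")}
CDI_FOR_TP = {"order": "orders", "receive": "receipts", "invoice": "invoices"}

def run_tp(ledger, user, tp, order_id, amount):
    """Run a transformation procedure (TP) only if certified and SoD-compliant."""
    if (user, tp) not in ACCESS_TRIPLES:
        raise PermissionError(f"{user} is not certified to run TP {tp!r}")
    # Segregation of duties: one user may not perform two different TPs on one order.
    if any(u == user and t != tp and o == order_id for u, t, o in ledger.history):
        raise PermissionError(f"segregation of duties: {user} already acted on {order_id}")
    cdi = getattr(ledger, CDI_FOR_TP[tp])
    cdi[order_id] = cdi.get(order_id, 0) + amount
    ledger.history.append((user, tp, order_id))   # the audit trail is itself a CDI

def ivp_value_stream(ledger):
    """IVP: a downstream stage of the value stream may not exceed its upstream stage."""
    violations = []
    ids = set(ledger.orders) | set(ledger.receipts) | set(ledger.invoices)
    for oid in sorted(ids):
        ordered = ledger.orders.get(oid, 0)
        received = ledger.receipts.get(oid, 0)
        invoiced = ledger.invoices.get(oid, 0)
        if received > ordered:
            violations.append((oid, "received exceeds ordered"))
        if invoiced > received:
            violations.append((oid, "invoiced exceeds received"))
    return violations

def demo():
    """Constructed walk-through: a clean flow, then an over-invoice caught by the IVP."""
    ledger = Ledger()
    run_tp(ledger, "alice", "order", "PO-1", 100)
    run_tp(ledger, "bob", "receive", "PO-1", 100)
    run_tp(ledger, "carol", "invoice", "PO-1", 100)
    clean = ivp_value_stream(ledger)
    run_tp(ledger, "carol", "invoice", "PO-1", 25)   # second invoice exceeds receipts
    return clean, ivp_value_stream(ledger)
```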
This paper is a by-product of a research project into information technology and internal control by the Limperg Institute in Amsterdam, a collaboration between the auditing faculties of the Dutch universities. The complete results of this project, which had a wider scope than just integrity of data, will be published later this year.
References
D.E. Bell and L.J. LaPadula, Secure Computer Systems, A Mathematical Model, 1973, Mitre Corporation, Bedford Mass.
D.D. Clark and D.R. Wilson, A Comparison of Commercial and Military Security Policies, Proceedings 1987 IEEE Symposium on Security and Privacy, pp. 184–194, IEEE Computer Society Press, Oakland CA.
Department of Defense, Trusted Computer Security Evaluation Criteria, 1983, Computer Security Centre, Fort Meade, MD.
Department of Trade and Industry (UK), A Code of Practice for Information Security Management, 1993.
European Commission, Information Technology Security Evaluation Criteria (ITSEC), version 1.2, 1991, ECSC-EEC-EAEC, Brussels-Luxembourg.
I. Gray and S. Manson, The Audit Process, 1989, Van Nostrand Reinhold, London.
P.A. Karger, Implementing Commercial Data Integrity with Secure Capabilities, Proceedings 1988 IEEE Symposium on Security and Privacy, pp. 130–139.
G.J. Ramackers, Integrated Object Modelling, 1994, Thesis Publishers, Amsterdam.
Zentralstelle (or Bundesamt) für Sicherheit in der Informationstechnik, IT-Sicherheitskriterien, 1989, Bonn.
© 1995 IFIP International Federation for Information Processing
de Koning, W.F. (1995). Security Within Financial Information Systems. In: Eloff, J.H.P., von Solms, S.H. (eds) Information Security — the Next Decade. IFIP Advances in Information and Communication Technology. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-34873-5_3
DOI: https://doi.org/10.1007/978-0-387-34873-5_3
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-5041-2910-7
Online ISBN: 978-0-387-34873-5