[cap-talk] Horton vs. ACLs - private namespaces and the Audit Problem
David Chizmadia (JHU)
chiz at cs.jhu.edu
Wed Oct 10 12:43:32 EDT 2007
Mark,
Fair enough request.
The 50K-foot answer is that the cited regulations are primarily
about organizations having and applying internal controls over their
automated processes. I would assert that fundamental ocap design
principles provide an excellent basis for arguing that an
organization has made a good faith effort to implement internal
controls, while the log records of the use of interfaces provides a
solid foundation for verifying that the internal controls are
operating in practice as expected.
If anyone is interested, I can develop a more detailed
explanation with an illustrative scenario this weekend.
-DMC
Mark Miller wrote:
> On 10/10/07, David Chizmadia (JHU) <chiz at cs.jhu.edu> wrote:
>> I'll agree that a human auditor would have insufficient
>> motivation or energy to audit at this level of resolution. But an
>> automated log analysis system could make very effective use of the
>> kind of event stream being discussed here to audit regulatory
>> compliance for (at least) SOX/OMB A123 and HIPAA.
>
> Without asking us to wade through the text of these, can you provide
> us with any insight about how this could possibly be the case? How
> would one write an automated compliance predicate that could give a
> meaningful answer from such a low level trace of human-meaningless
> data? If the regulation is simply: "thou shalt record oodles of
> stuff", then I can see it. Otherwise, I can't imagine a compliance
> test that could be answered from these logs.
>
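As an added illustration (not code from either poster), here is the shape of the "automated compliance predicate" the thread argues about, run over a constructed ocap event stream. The event format, the interface names and the two internal-control rules (every invocation must trace to a recorded grant; no principal holds both the Payment and PaymentApproval interfaces) are assumptions for the example, not something the thread specifies.

```python
from collections import defaultdict

# Constructed event stream (assumed format, not from the thread).
# grant:  (ts, "grant", grantor, grantee, cap_id, interface)
# invoke: (ts, "invoke", caller, cap_id, method)
EVENTS = [
    (1, "grant", "ledger", "alice", "cap#1", "Payment"),
    (2, "grant", "ledger", "bob", "cap#2", "PaymentApproval"),
    (3, "invoke", "alice", "cap#1", "submit"),
    (4, "invoke", "bob", "cap#2", "approve"),
    (5, "invoke", "carol", "cap#9", "submit"),       # no grant on record for carol
    (6, "grant", "ledger", "dave", "cap#3", "Payment"),
    (7, "grant", "ledger", "dave", "cap#4", "PaymentApproval"),  # dave now holds both roles
    (8, "invoke", "dave", "cap#3", "submit"),
    (9, "invoke", "dave", "cap#4", "approve"),
]

# Interfaces that one principal must never hold together (assumed control rule).
CONFLICTING = {"Payment", "PaymentApproval"}


def audit(events):
    """Evaluate the compliance predicate over an ordered event stream.

    Returns a list of findings (ts, rule, detail); an empty list means the
    controls held for every event. Each finding is tied to the exact log
    record that violated a rule, which is what an auditor needs to see.
    """
    held = defaultdict(dict)  # principal -> {cap_id: interface}
    findings = []
    for ev in events:
        ts, kind = ev[0], ev[1]
        if kind == "grant":
            _, _, _grantor, grantee, cap, iface = ev
            held[grantee][cap] = iface
            # Separation of duties: check the grantee's full set of interfaces.
            if CONFLICTING <= set(held[grantee].values()):
                findings.append((ts, "separation-of-duties", grantee))
        elif kind == "invoke":
            _, _, caller, cap, method = ev
            # Every use of authority must be explained by an earlier grant record;
            # an invocation without one indicates authority the log cannot account for.
            if cap not in held[caller]:
                findings.append((ts, "invocation-without-grant", f"{caller}:{cap}.{method}"))
    return findings


if __name__ == "__main__":
    for finding in audit(EVENTS):
        print(finding)
```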