W3C home > Mailing lists > Public > www-ws-arch@w3.org > July 2002

RE: Glossary Definition for Audit(ing) [Was: RE: AG004 Closure S ought]

From: Edgar, Gerald <gerald.edgar@boeing.com>
Date: Fri, 26 Jul 2002 15:50:20 -0700
Message-ID: <8339F9648FAF6647A84C43F0CEE730C00B1059@xch-nw-26.nw.nos.boeing.com>
To: "'Joseph Hui'" <Joseph.Hui@exodus.net>, Dave Hollander <dmh@contivo.com>, www-ws-arch@w3.org

FYI - from a security glossary  (US source) NSTISSI No. 4009:

audit:
 Independent review and examination of records
and activities to assess the adequacy of system
controls, to ensure compliance with established
policies and operational procedures, and to
recommend necessary changes in controls,
policies, or procedures.

audit trail:
 Chronological record of system activities to enable
the reconstruction and examination of the
sequence of events and/or changes in an event.
Audit trail may apply to information in an IS or to
message routing in a communications system.

----------------

I suggest for our effort:

Security Auditing: A service that reliably and securely records
security-related events producing an audit trail enabling the reconstruction
and examination of a sequence of events. Security events could include
authentication events, policy enforcement decisions, and others. The
resulting audit trail may be used to detect attacks, confirm compliance with
policy, deter abuse, or other purposes. 

-----------------

I think "abuse of authority" is out of scope. I think we need to define the
purpose- which is to enable events to be reconstructed too.


Gerald W. Edgar <gerald.edgar@boeing.com> 
Architecture support, BCA Architecture and e-business
425-234-1422

Mailing address:
The Boeing Company, M/S 6H-WW
PO Box 3707, Seattle, WA 98124-2207
USA

Opinions expressed in this note may not reflect those of the Boeing Company.

-----Original Message-----
From: Joseph Hui [mailto:Joseph.Hui@exodus.net]
Sent: Friday, July 26, 2002 11:00
To: Dave Hollander; www-ws-arch@w3.org
Subject: RE: Glossary Definition for Audit(ing) [Was: RE: AG004 Closure
Sought]



My take is that, if the WG's glossary is to be organized
alphabetically, then prepending "Security" or "(Security)"
to "Auditing" is a good idea.  OTOH, if the glossary
is structured with a Security section, then it would be
simpler to write an intro or footnote in the section setting
the security context for that section, so that it's
understood that all definitions in that section pertain
to security solely or primarily.  That said, I havr no
issue with titling the definition with "Security Auditing" 
(even under the Security section of the WG's glossary
if so structured) in any case.

In wordsmithing, I think we may want to start the definition
with a phrase like "In the context of security in computing,"
and follow it with the normal text free of the "security"
adjective stapled all over the place.

Cheers,

Joe Hui
Exodus, a Cable & Wireless service
=======================================================


> -----Original Message-----
> From: Dave Hollander [mailto:dmh@contivo.com]
> Sent: Friday, July 26, 2002 8:29 AM
> To: 'www-ws-arch@w3.org '
> Subject: RE: Glossary Definition for Audit(ing) [Was: RE: 
> AG004 Closure
> S ought]
> 
> 
> 
> (Sorry, I saw this message after sending my earlier one today.)
> 
> If we are limiting this to security auditing:
> 
> 1) prepend security before "policy enforcement decisions". There are
> lots of types of policies.
> 
> 2) we should describe a family of auditing and event tracking classes,
> or at least security auditing as one of many classes.
> 
> 3) prepend security before "other purposes". 
> 
> 4) define auditing as well as "security auditing"
> 
> 5) address sharing of implementation infrastructure (logging, 
> reporting,
> etc) with other auditing purposes. I would expect that it should be
> allowed, but would defer to the experts if they disagree.
> 
> Overall, I am not sure if the focus on security and not other purposes
> is intentially describing a separate sub-system or just describing
> minimum requirements for security purposes.
> 
> Regards,
> Dave
> 
> 
> -----Original Message-----
> From: Darran Rolls
> To: Joseph Hui; Prafullchandra, Hemma; www-ws-arch@w3.org
> Sent: 7/26/2002 6:08 AM
> Subject: RE: Glossary Definition for Audit(ing)  [Was: RE: 
> AG004 Closure
> Sought]
> 
> Joe/Hav/Memma
> 
>  
> 
> 1 - We should prefix auditing with the word "security" as that is what
> we are defining.  Without that qualifier in the glossary, an 
> independent
> evaluator might question why we are only auditing "security 
> events" and
> not understand the difference between security auditing and 
> generalized
> logging used to say audit/track a transactions history.
> 
>  
> 
> 2 - Would you all consider "policy enforcement decisions" to be a
> super-set of authZ?  Personally I would, but could see that 
> others might
> read this as the AuthN/AuthZ twins missing a sibling.
> 
>  
> 
> 3 - You'll note I've added security as a prefix to the phrase "audit
> trail" in text below.  Again, the term audit trail without 
> this, IMO has
> to include any generalized event logging I care to throw into the
> application just in case. 
> 
>  
> 
> 4. Consider the following (minor) changes to the text:
> 
>  
> 
> Security Auditing: A service that reliably and securely records
> security-related
> 
> Events, such as authentication events, policy enforcement decisions,
> 
> and any general event that deviated from an established norm 
> to imply a
> security relevant event has taken place. The resulting security audit
> trail may then be used to detect attacks, confirm compliance with
> policy, deter abuse of authority or other purposes
> 
>  
> 
> --------------------------------------------------------
> 
> Darran Rolls                      http://www.waveset.com
> 
> Waveset Technologies Inc          drolls@waveset.com 
> 
> (512) 657 8360                    
> 
> --------------------------------------------------------
> 
>  
> 
> -----Original Message-----
> From: Joseph Hui [mailto:Joseph.Hui@exodus.net] 
> Sent: Thursday, July 25, 2002 8:47 PM
> To: Prafullchandra, Hemma; www-ws-arch@w3.org
> Subject: RE: Glossary Definition for Audit(ing) [Was: RE: 
> AG004 Closure
> S ought]
> 
>  
> 
> Thanks again, Hemma.
> 
>  
> 
> I'm also noting your A+B as Text B embellished.
> 
> If the similarity shared by yours and Hoa's is also shared
> 
> by popular sentiment, then I think we're just aboutt there.
> 
>  
> 
> Joe Hui
> 
> Exodus, a Cable & Wireless service
> 
> ===================================
> 
>  
> 
>  -----Original Message-----
> From: Prafullchandra, Hemma [mailto:hprafullchandra@verisign.com]
> Sent: Thursday, July 25, 2002 6:02 PM
> To: www-ws-arch@w3.org
> Subject: RE: Glossary Definition for Audit(ing) [Was: RE: 
> AG004 Closure
> S ought]
> 
> Text A: 
> 
>   Auditing provides passive tracking and logging of 
>   security-related activities, incidents, and events 
>    (such as authentication events, unproven claims, or bad 
>   signature occurrences). Administrator can securely managed 
>   and analyze these audit records to take appropriate action 
>    against antagonists. 
> 
> Text B:
> 
>   Audit: A service that reliably records security-related events
> 
>   for future reference. The resulting audit trail may be used to
> 
>   detect attacks, confirm compliance with policy, deter abuse
> 
>   of authority or other purposes. 
> 
>  
> 
> Final:A+B:
> 
> Auditing: A service that reliably and securely records 
> security-related
> 
> events (such as authentication events, policy enforcement decisions,
> 
> abnormal (deviations from the norm) events). The resulting audit trail
> 
> may be used to detect attacks, confirm compliance with policy, deter
> 
> abuse of authority or other purposes. 
> 
>  
> 
> Unless there was something specific in A, about the players involved
> that you
> 
> wanted to capture or the nature of this activity. Feel free to polish
> A+B further
> 
> but I really think this captures the essence of what we want to say
> given all the other restrictions!
> 
>  
> 
> hemma
> 
> 
Received on Friday, 26 July 2002 18:50:33 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 3 July 2007 12:25:03 GMT