Legislative and security requirements of audit material for evidentiary purpose

This research used the Queensland Police Service, Australia, as a major case study. Information on principles, techniques and processes used, and the reason for the recording, storing and release of audit information for evidentiary purposes is reported. It is shown that Law Enforcement Agencies have a two-fold interest in, and legal obligation pertaining to, audit trails. The first interest relates to the situation where audit trails are actually used by criminals in the commission of crime and the second to where audit trails are generated by the information systems used by the police themselves in support of the recording and investigation of crime. Eleven court cases involving Queensland Police Service audit trails used in evidence in Queensland courts were selected for further analysis. It is shown that, of the cases studied, none of the evidence presented was rejected or seriously challenged from a technical perspective. These results were further analysed and related to normal requirements for trusted maintenance of audit trail information in sensitive environments with discussion on the ability and/or willingness of courts to fully challenge, assess or value audit evidence presented. Managerial and technical frameworks for firstly what is considered as an environment where a computer system may be considered to be operating “properly” and, secondly, what aspects of education, training, qualifications, expertise and the like may be considered as appropriate for persons responsible within that environment, are both proposed. Analysis was undertaken to determine if audit and control of information in a high security environment, such as law enforcement, could be judged as having improved, or not, in the transition from manual to electronic processes. Information collection, control of processing and audit in manual processes used by the Queensland Police Service, Australia, in the period 1940 to 1980 was assessed against current electronic systems essentially introduced to policing in the decades of the 1980s and 1990s. Results show that electronic systems do provide for faster communications with centrally controlled and updated information readily available for use by large numbers of users who are connected across significant geographical locations. However, it is clearly evident that the price paid for this is a lack of ability and/or reluctance to provide improved audit and control processes. To compare the information systems audit and control arrangements of the Queensland Police Service with other government departments or agencies, an Australia wide survey was conducted. Results of the survey were contrasted with the particular results of a survey, conducted by the Australian Commonwealth Privacy Commission four years previous, to this survey which showed that security in relation to the recording of activity against access to information held on Australian government computer systems has been poor and a cause for concern. However, within this four year period there is evidence to suggest that government organisations are increasingly more inclined to generate audit trails. An attack on the overall security of audit trails in computer operating systems was initiated to further investigate findings reported in relation to the government systems survey. The survey showed that information systems audit trails in Microsoft Corporation's “Windows” operating system environments are relied on quite heavily. An audit of the security for audit trails generated, stored and managed in the Microsoft “Windows 2000” operating system environment was undertaken and compared and contrasted with similar such audit trail schemes in the “UNIX” and “Linux” operating systems. Strength of passwords and exploitation of any security problems in access control were targeted using software tools that are freely available in the public domain. Results showed that such security for the “Windows 2000” system is seriously flawed and the integrity of audit trails stored within these environments cannot be relied upon. An attempt to produce a framework and set of guidelines for use by expert witnesses in the information technology (IT) profession is proposed. This is achieved by examining the current rules and guidelines related to the provision of expert evidence in a court environment, by analysing the rationale for the separation of distinct disciplines and corresponding bodies of knowledge used by the Medical Profession and Forensic Science and then by analysing the bodies of knowledge within the discipline of IT itself. It is demonstrated that the accepted processes and procedures relevant to expert witnessing in a court environment are transferable to the IT sector. However, unlike some discipline areas, this analysis has clearly identified two distinct aspects of the matter which appear particularly relevant to IT. These two areas are; expertise gained through the application of IT to information needs in a particular public or private enterprise; and expertise gained through accepted and verifiable education, training and experience in fundamental IT products and system.

Browser security : a requirements-based approach

A browser is a convenient way to access resources located remotely on computer networks. Security in browsers has become a crucial issue for users who use them for sensitive applications without knowledge ofthe hazards. This research utilises a structure approach to analyse and propose enhancements to browser security. Standard evaluation for computer products is important as it helps users to ensure that the product they use is appropriate for their needs. Security in browsers, therefore, has been evaluated using the Common Criteria. The outcome of this was a security requirements profile which attempts to formalise the security needs of browsers. The information collected during the research was used to produce a prototype model for a secure browser program. Modifications to the Lynx browser were made to demonstrate the proposed enhancements.

Constraints of nutrient availability on primary production in two alpine tundra communities

A nutrient amendment experiment was conducted for two growing seasons in two alpine tundra communities to test the hypotheses that: (1) primary production is limited by nutrient availability, and (2) physiological and developmental constraints act to limit the responses of plants from a nutrient-poor community more than plants from a more nutrient-rich community to increases in nutrient availability. Experimental treatments consisted of N, P, and N+P amendments applied to plots in two physiognomically similar communities, dry and wet meadows. Extractable N and P from soils in nonfertilized control plots indicated that the wet meadow had higher N and P availability. Photosynthetic, nutrient uptake, and growth responses of the dominants in the two communities showed little difference in the relative capacity of these plants to respond to the nutrient additions. Aboveground production responses of the communities to the treatments indicated N availability was limiting to production in the dry meadow community while N and P availability colimited production in the wet meadow community. There was a greater production response to the N and N+P amendments in the dry meadow relative to the wet meadow, despite equivalent functional responses of the dominant species of both communities. The greater production response in the dry meadow was in part related to changes in community structure, with an increase in the proportion of graminoid and forb biomass, and a decrease in the proportion of community biomass made up by the dominant sedge Kobresia myosuroides. Species richness increased significantly in response to the N+P treatment in the dry meadow. Graminoid biomass increased significantly in the wet meadow N and N+P plots, while forb biomass decreased significantly, suggesting a competitive interaction for light. Thus, the difference in community response to nutrient amendments was not the result of functional changes at the leaf level of the dominant species, but rather was related to changes in community structure in the dry meadow, and to a shift from a nutrient to a light limitation of production in the wet meadow.

Analyzing requirements and approaches for sourcing software based services

Increasingly, software is no longer developed as a single system, but rather as a smart combination of so-called software services. Each of these provides an independent, specific and relatively small piece of functionality, which is typically accessible through the Internet from internal or external service providers. To the best of our knowledge, there are no standards or models that describe the sourcing process of these software based services (SBS). We identify the sourcing requirements for SBS and associate the key characteristics of SBS (with the sourcing requirements introduced). Furthermore, we investigate the sourcing of SBS with the related works in the field of classical procurement, business process outsourcing, and information systems sourcing. Based on the analysis, we conclude that the direct adoption of these approaches for SBS is not feasible and new approaches are required for sourcing SBS.

Analyzing requirements and approaches for sourcing software based services

Increasingly, software is no longer developed as a single system, but rather as a smart combination of so-called software services. Each of these provides an independent, specific and relatively small piece of functionality, which is typically accessible through the Internet from internal or external service providers. There are no standards or models that describe the sourcing process of these software based services (SBS). The authors identify the sourcing requirements for SBS and associate the key characteristics of SBS (with the sourcing requirements introduced). Furthermore, this paper investigates the sourcing of SBS with the related works in the field of classical procurement, business process outsourcing, and information systems sourcing. Based on the analysis, the authors conclude that the direct adoption of these approaches for SBS is not feasible and new approaches are required for sourcing SBS.

Requirements for enhancing trust, security and integrity of GNSS location services

The paper describes a number of requirements for enhancing the trust of location acquisition from Satellite Navigation Systems, particularly for those applications where the location is monitored through a remote GNSS receiver. We discuss how the trust of a location acquisition could be propagated to an application through the use of a proposed tamper-­resistant GNSS receiver which quantifies the trust of a location solution from the signaling used (ie. P(Y) code, Galileo SOL, PRS, CS) and provides a cryptographic proof of this to a remote application. The tamper­-resistance state of the receiver is also included in this cryptographic proof.

Modelling complex resource requirements in Business Process Management Systems

Real-world business processes are resource-intensive. In work environments human resources usually multitask, both human and non-human resources are typically shared between tasks, and multiple resources are sometimes necessary to undertake a single task. However, current Business Process Management Systems focus on task-resource allocation in terms of individual human resources only and lack support for a full spectrum of resource classes (e.g., human or non-human, application or non-application, individual or teamwork, schedulable or unschedulable) that could contribute to tasks within a business process. In this paper we develop a conceptual data model of resources that takes into account the various resource classes and their interactions. The resulting conceptual resource model is validated using a real-life healthcare scenario.

Data and process requirements for product recall coordination

When an organisation becomes aware that one of its products may pose a safety risk to customers, it must take appropriate action as soon as possible or it can be held liable. The ability to automatically trace potentially dangerous goods through the supply chain would thus help organisations fulfill their legal obligations in a timely and effective manner. Furthermore, product recall legislation requires manufacturers to separately notify various government agencies, the health department and the public about recall incidents. This duplication of effort and paperwork can introduce errors and data inconsistencies. In this paper, we examine traceability and notification requirements in the product recall domain from two perspectives: the activities carried out during the manufacturing and recall processes and the data collected during the enactment of these processes. We then propose a workflow-based coordination framework to support these data and process requirements.

Queensland requirements (old and new) for the appointment of a real estate agent

In Moneywood Pty Ltd v Salamon Nominees Pty Ltd 1 the High Court of Australia considered an appeal from the Queensland Court of Appeal in relation to the correct interpretation of s76 (1)(c) Auctioneers and Agents Act 1971 (Qld). In paraphrase, s76(1)(c) provides that a real estate agent shall not be entitled to sue for or recover any commission unless “the engagement or appointment to act as …..real estate agent ….. in respect of such transaction is in writing signed by the person to be charged with such…..commission…..or the person’s agent or representative” (“the statutory requirement”).

Waiver of statutory requirements : Property Agents and Motor Dealers Act 2000 (Qld)

One of the many difficulties associated with the drafting of the Property Agents and Motor Dealers Act 2000 (Qld) (‘the Act’) is the operation of s 365. If the requirements imposed by this section concerning the return of the executed contract are not complied with, the buyer and the seller will not be bound by the relevant contract and the cooling-off period will not commence. In these circumstances, it is clear that a buyer’s offer may be withdrawn. However, the drafting of the Act creates a difficulty in that the ability of the seller to withdraw from the transaction prior to the parties being bound by the contract is not expressly provided by s 365. On one view, if the buyer is able to withdraw an offer at any time before receiving the prescribed contract documentation the seller also should not be bound by the contract until this time, notwithstanding that the seller may have been bound at common law. However, an alternative analysis is that the legislative omission to provide the seller with a right of withdrawal may be deliberate given the statutory focus on buyer protection. If this analysis were correct the seller would be denied the right to withdraw from the transaction after the contract was formed at common law (that is, after the seller had signed and the fact of signing had been communicated to the buyer).