Integrity and Internal Control in Information Systems V represents a continuation of the dialogue between researchers, information security specialists, internal control specialists and the business community. The objectives of this dialogue are: -To present methods and techniques that will help business achieve the desired level of integrity in information systems and data; -To present the results of research that may be used in the near future to increase the level of integrity or help management maintain the desired level of integrity; -To investigate the shortcomings in the technologies presently in use, shortcomings that require attention in order to protect the integrity of systems in general. The book contains a collection of papers from the Fifth International Working Conference on Integrity and Internal Control in Information Systems (IICIS), sponsored by the International Federation for Information Processing (IFIP) and held in Bonn, Germany in November 2002.

This publication is a collection of papers from the Third International Working Conference of IFIP TC-11 Working group 11.5 on "Integrity and Internal Control in Information systems". IFIP TC-11 Working Group 11.5 explores the area of integrity within information systems and the relationship between integrity in information systems and the overall internal control systems that are established in organizations to support the corporate governance codes. We want to recommend this book to security specialists, IT auditors and researchers who want to learn more about the business concerns related to integrity. Those same security specialists, IT auditors and researchers will also value this book for the papers presenting research into new techniques and methods for obtaining the desired level of integrity. The third conference represents a continuation of the dialogue between information security specialists, internal control specialists and the business community. The conference objectives are: • To present methods and techniques that will help business achieve the desired level of integrity in information systems and data; • To present the results of research that may in future be used to increase the level of integrity or help management maintain the desired level of integrity; • To investigate the shortcomings in the technologies presently in use, shortcomings that require attention in order to protect the integrity of systems in general.

The development and integration of integrity and internal control mechanisms into information system infrastructures is a challenge for researchers, IT personnel and auditors. Since its beginning in 1997, the IICIS international working conference has focused on the following questions: what precisely do business managers need in order to have confidence in the integrity of their information systems and their data and what are the challenges IT industry is facing in ensuring this integrity; what are the status and directions of research and development in the area of integrity and internal control; where are the gaps between business needs on the one hand and research / development on the other; what needs to be done to bridge these gaps. This sixth volume of IICIS papers, like the previous ones, contains interesting and valuable contributions to finding the answers to the above questions. We want to recommend this book to security specialists, IT auditors and researchers who want to learn more about the business concerns related to integrity. Those same security specialists, IT auditors and researchers will also value this book for the papers presenting research into new techniques and methods for obtaining the desired level of integrity.

Integrity and Internal Control in Information Systems is a state-of-the-art book that establishes the basis for an ongoing dialogue between the IT security specialists and the internal control specialists so that both may work more effectively together to assist in creating effective business systems in the future. Building on the issues presented in the preceding volume of this series, this book seeks further answers to the following questions: What precisely do business managers need in order to have confidence in the integrity of their information systems and their data? What is the status quo of research and development in this area? Where are the gaps between business needs on the one hand and research/development on the other; what needs to be done to bridge these gaps? Integrity and Internal Control in Information Systems contains the selected proceedings of the Second Working Conference on Integrity and Internal Control in Information Systems, sponsored by the International Federation for Information Processing (IFIP) and held in Warrenton, Virginia, USA, in November 1998. It will be essential reading for academics and practitioners in computer science, information technology, business informatics, accountancy and edp-auditing.

This is the first joint working conference between the IFIP Working Groups 11. 1 and 11. 5. We hope this joint conference will promote collaboration among researchers who focus on the security management issues and those who are interested in integrity and control of information systems. Indeed, as management at any level may be increasingly held answerable for the reliable and secure operation of the information systems and services in their respective organizations in the same manner as they are for financial aspects of the enterprise, there is an increasing need for ensuring proper standards of integrity and control in information systems in order to ensure that data, software and, ultimately, the business processes are complete, adequate and valid for intended functionality and expectations of the owner (i. e. the user organization). As organizers, we would like to thank the members of the international program committee for their review work during the paper selection process. We would also like to thank the authors of the invited papers, who added valuable contribution to this first joint working conference. Paul Dowland X. Sean Wang December 2005 Contents Preface vii Session 1 - Security Standards Information Security Standards: Adoption Drivers (Invited Paper) 1 JEAN-NOEL EZINGEARD AND DAVID BIRCHALL Data Quality Dimensions for Information Systems Security: A Theorectical Exposition (Invited Paper) 21 GURVIRENDER TEJAY, GURPREET DHILLON, AND AMITA GOYAL CHIN From XML to RDF: Syntax, Semantics, Security, and Integrity (Invited Paper) 41 C. FARKAS, V. GowADiA, A. JAIN, AND D.

IT Governance is finally getting the Board's and top management's attention. The value that IT needs to return and the associated risks that need to be managed, have become so important in many industries that enterprise survival depends on it. Information integrity is a significant part of the IT Governance challenge. Among other things, this conference will explore how Information Integrity contributes to the overall control and governance frameworks that enterprises need to put in place for IT to deliver business value and for corporate officers to be comfortable about the IT risks the enterprise faces. The goals for this international working conference are to find answers to the following questions: • what precisely do business managers need in order to have confidence in the integrity of their information systems and their data; • what is the status quo of research and development in this area; • where are the gaps between business needs on the one hand and research I development on the other; what needs to be done to bridge these gaps. The contributions have been divided in the following sections: • Refereed papers. These are papers that have been selected through a blind refereeing process by an international programme committee. • Invited papers. Well known experts present practice and research papers upon invitation by the programme committee. • Tutorial. Two papers describe the background, status quo and future development of CobiT as well as a case of an implementation of Co biT.

Research has deeply investigated several issues related to the use of integrity constraints on relational databases. In particular, a great deal of attention has been devoted to the problem of extracting "reliable" information from databases containing pieces of information inconsistent with regard to some integrity constraints. In this manuscript, the problem of extracting consistent information from relational databases violating integrity constraints on numerical data is addressed. Aggregate constraints defined as linear inequalities on aggregate-sum queries on input data are considered. The notion of repair as consistent set of updates at attribute-value level is exploited, and the characterization of several data-complexity issues related to repairing data and computing consistent query answers is provided. Moreover, a method for computing “reasonable” repairs of inconsistent numerical databases is introduced, for a restricted but expressive class of aggregate constraints. An extension of this method for dealing with the data repairing problem in the presence of weak aggregate constraints which are expected to be satisfied, but not required to, is presented. Furthermore, a technique for computing consistent answers of aggregate queries in the presence of a wide form of aggregate constraints is provided. Finally, extensions of the framework as well as several open problems are discussed.