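@comment{Entry normalised for portability across .bst styles: names in
  "Last, First" form, the month as the predefined macro, the DOI stored bare
  (no resolver prefix), and acronyms in booktitle brace-protected. The
  "affiliation" and "location" fields are not standard classic-BibTeX fields
  and are ignored by standard styles; they are kept as annotations.}
@inproceedings{BAK_POLICY06,
  author      = {Breaux, Travis D. and Anton, Annie I. and Karat, Clare-Marie and Karat, John},
  affiliation = {North Carolina State University},
  title       = {Enforceability vs. Accountability in Electronic Policies},
  booktitle   = {{POLICY} '06: Proceedings of the Seventh {IEEE} International Workshop on Policies for Distributed Systems and Networks ({POLICY}'06)},
  month       = jun,
  year        = {2006},
  pages       = {227--230},
  doi         = {10.1109/POLICY.2006.18},
  publisher   = {IEEE Computer Society},
  address     = {Washington, DC, USA},
  location    = {London, Ontario},
  isbn        = {978-0-7695-2598-3},
  abstract    = {Laws, regulations and standards are increasing the requirements complexity of software systems that ensure information resources are both available and protected. To accommodate these requirements and demonstrate compliance, we extend accountability in software systems to include personnel responsibilities as they interact with access control and authorization mechanisms. To this end, we distinguish between enforceable and accountable security policies and show the value of both in achieving compliance. We propose a policy model that leverages resource ownership to build accountability across permissions and obligations. The model accounts for the authorized delegation of permissions and obligations as well as the decisions made by authorized personnel when they interpret and refine high-level goals into permissions and obligations that satisfy those goals. Regulators and compliance officers can use the model to determine both how and why a particular resource is used to evaluate risk and increase security. We motivate our proposed model by analyzing security program, technical issue and system policies and standards from the ISO and NIST and U.S. regulations governing healthcare and finance.},
  keywords    = {policy, regulations, legislation, permissions, obligations, recommendations, ownership, accountability, compliance},
}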