Over the last few years rapid progress has been made in moving from conceptual studies, "whitepapers" and initiatives to the actual deployment of e-Government systems [13]. In this paper we present the case study of an existing e-Government system (eLaw) which already supports key legislative processes in the country of Austria¹. The study has been performed in the context of the EU FP6 project "eJustice".We present a detailed system and workflow representation referring to the example process of changing a federal law in Austria. Since such processes and their results, i.e. the laws of a country, have an enormous impact on society, they need to be secured against external and internal alteration, be it inadvertent or malicious. This is even more important in the electronic world.Instead of discussing the obvious security requirements like virus protection or network-level access control, our focus is on an often neglected form of organisational security and control properties called separation of duties. We will analyse and discuss a set of these in terms of the described eLaw process.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Atluri, V. and Huang, W. An Authorization Model for Workflows. Lecture Notes in Computer Science 1146, 1996.
	2	A. Belokosztolszki , K. Moody, Meta-Policies for Distributed Role-Based Access Control Systems, Proceedings of the 3rd International Workshop on Policies for Distributed Systems and Networks (POLICY'02), p.106, June 05-07, 2002
	3	Elisa Bertino , Elena Ferrari , Vijay Atluri, The specification and enforcement of authorization constraints in workflow management systems, ACM Transactions on Information and System Security (TISSEC), v.2 n.1, p.65-104, Feb. 1999  [doi>10.1145/300830.300837]
	4	BIS. Framework for Internal Control Systems in Banking Organizations. Technical Report No. 40, Bank for International Settlement, Basel Committee on Banking Supervision, 1998
	5	German Federal Administation Office: BundOnline website, http://www.bund.de/, 2001.
	6	Fang Chen , Ravi S. Sandhu, Constraints for role-based access control, Proceedings of the first ACM Workshop on Role-based access control, p.14-es, November 30-December 02, 1995, Gaithersburg, Maryland, United States  [doi>10.1145/270152.270177]
	7	COSO. Internal Control - Integrated Framework. Technical report, Committee of the Sponsoring Organisations (COSO) of the Treadway Commission, 2002.
	8	Damianou, N. A Policy Framework for Management of Distributed Systems. PhD thesis, Imperial College, UK, 2002.
	9	D. Ferraiolo and R. Kuhn. Role-Based Access Control. In 15th MNCSC National Computer Security Conference, 1992, pages 554--563
	10	Hulme, G. The Threat from Inside. Information Week, April 2003
	11	KPMG, Fraud Survey Reports 1996-2002, KPMG International Canada, 2002.
	12	Republik Oesterreich BGBI I Nr. 100/2003.
	13	Proceedings of the First International Conference on Electronic Government, September 2002
	14	L. Mullins. Management and Organizational Behavior. Prentice Hall, London, 5th edition.
	15	Wolfgang Prinz , Sabine Kolvenbach, Support for workflows in a ministerial environment, Proceedings of the 1996 ACM conference on Computer supported cooperative work, p.199-208, November 16-20, 1996, Boston, Massachusetts, United States  [doi>10.1145/240080.240254]
	16	Pugh, D. Organization Theory: Selected Readings. Penguin Business. Beguin Books, 3rd edition, 1990.
	17	Ravi S. Sandhu , Edward J. Coyne , Hal L. Feinstein , Charles E. Youman, Role-Based Access Control Models, Computer, v.29 n.2, p.38-47, February 1996  [doi>10.1109/2.485845]
	18	Ravi Sandhu , Venkata Bhamidipati, An Oracle implementation of the PRA97 model for permission-role assignment, Proceedings of the third ACM workshop on Role-based access control, p.13-21, October 22-23, 1998, Fairfax, Virginia, United States  [doi>10.1145/286884.286889]
	19	Schaad, A. A Framework for Organisational Control Principles, PhD Thesis. Department of Computer Science, University of York, 2003.
	20	Andreas Schaad , Jonathan Moffett, Separation, review and supervision controls in the context of a credit application process: a case study of organisational control principles, Proceedings of the 2004 ACM symposium on Applied computing, March 14-17, 2004, Nicosia, Cyprus  [doi>10.1145/967900.968177]
	21	Shein, E. CEO Warns Threats are Coming from the Inside. eSecurityPlanet.com, June 2004.
	22	Richard Simon , Mary Ellen Zurko, Separation of Duty in Role-based Environments, Proceedings of the 10th Computer Security Foundations Workshop (CSFW '97), p.183, June 10-12, 1997
	23	Prime Minister and Minister for the Cabinet Office of the UK. Modernising Government, presented to Parliament, March 1999.
	24	Cabinet Office of the UK: Directgov webpage, http://direct.gov.uk, 2002.
	25	Wimmer, M., Eberhardt, D., Ehmlechner, P. and Kemper, A. Reliable and Adaptable Security Engineering for Database-Web Services. In 4th International Conference on Web Engineering. July 2004, Munich, Germany.
	26	Domingos, D., Rito-Silva, A. and Veiga, V. Authorization and Access Control in Adaptive Workflows. Proceedings of the 8th European Symposium on Research in Computer Security (ESORICS 2003), Springer-Verlag, LNCS, 2003.