Chapter 08: Security Management Models

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

The Common Criteria:

(CC) international standard (ISO/IEC 15408) for computer security certification -widely considered successor to both TCSEC and ITSEC

COSO's framework is built on five components:

-Control environment -Risk assessment -Control activities -Information and communication -Monitoring

NIST Documents have two advantages

-They are publicly available at no charge -they have been available for some time and broadly reviewed by government

general application of access control comprises four processes:

-obtaining identity of the entity requesting access -confirming identity -determining which actions an authenticated entity can perform -documenting the activities of authorized individual and systems

COBIT 5 provides five principles:

1. Meeting Stakeholder needs 2. covering enterprise end-to-end 3. applying a single, integrated framework 4. enabling a holistic approach 5. separating governance from management

BLP

Bell-LaPadula Confidentiality Model -state machine reference model helps ensure confidentiality of info system by means of MACs, data classification, and security clearances

Core of infosec governance fraemwork includes:

Board of directors/trustees -senior executives -executive team members who report to senior exec -senior managers -all employees and users

COSO

Committee of sponsoring organizations -private sector initiative formed in 1985 -major objective to identify the factors that cause fraudulent financial reporting -helps orgs comply with critical regulations like Sarbanes-Oxley

Benchmarking

Comparison of two related measurements -describes both internal and external comparisons

CDI

Constrained data item: data item with protected integrity

COBIT

Control Objectives for Information and Related Technology -provides advice about implementation of sound controls and control objectives for infosec -created by information Systems audit and control association (ISACA) and IT governance institute (ITGI) in 1992

categories of access controls:

Directive deterrent preventative detective corrective recovery compensating

DACs

Discretionary access controls -implemented at the discretion of the data user -most personal computer systems designed based on DAC model

ITIL

Information Technology Infrastructure Library -collection of methods and practices useful for managing the development of information technology infrastrcutures

ITSEC

International standard information technology system evaluation criteria -Targets of evaluationj (ToE) are compared to detailed security function specs, resulting in assessment of systems fucntionality and pen testing -Replaced by "Common Criteria"

organizational structures

Key tdecision making entities in an enterprise

Information Security Governance Framework

Managerial model providing guidance in devlopment of organizational information security governance structure

MACs

Mandatory access controls -required and structured within data classification scheme that rates each collection of info -ratings are referred as sensitivity levles or classification levels

COBIT 5 principle "enablers"

Principles, policies and frameworks are vehicle to translate behavior into practical guidance

Internal Control process

Provide reasonable assurance regarding the achievement of objectives in following categories: -effectiveness and efficiency of operations -reliability of financial reporting -compliance with applicable laws and regulations

RBAC

Role-based access controls -tied to the role that a particular user performs in an org whereas task based controls are tied to particular assignment

TP

Transofrmation procedure: only allows changes to constrained data item

TCSEC

Trusted Computer System Evaluation Criteria -older DoD standard defines criteria for assessing access controls in a computer system -part of larger series referred as "rainbow series" -known as the organge book and cornerstone of series -replaced by the "common criteria" in 2005

TCB

Trusted computing Base -combination of all hardware, firmware, and software responsible for enforcing security policy

how to determine how closely an org is complying with ISO 27002

Use SANS SCORE (Security Consensus Operational Rediness Evaluation) Audit checklist, based on 17799:2005

content dependent access controls

access to a specific set of info may be dependent on its content

temporal (time-based) isolation

access to info is limited by a time-of-day constraint (time release safes)

Clark-Wilson Integrity Model

built upon principles of change control, designed for commercial environment

external benchmarking

comparing one's org results against other similar orgs

separation of duties:

control requiring that significan tasks be split up in such a way that more than one individual is responsible for completion

eight primitive protection rights

create object create subject delete object delete subject read access right grant access right delete access right transfer access right

Harrison-Ruzzo-Ullman (HRU) model

defines a method to allow changes to access rights and the addition and removal of subjects and objects

Processes:

describe an organized set of practices and activities to achieve certain objectives

Brewer Nash (Chinese Wall)

designed to prevent a conflict of interest between two parties -requires users to select on of two conflicting sets of data, after which they cannot access the conflicting data

detective

detects or identifies incident when it occurs

nondiscretionary controls

determined by central authority in org and can be based on roles: RBAC

deterrent:

discourages or deters an incipient incident

directive

employs admin controls such as policy and training

preventative

helps org avoid an incident

security architecture models

illustrate information security implementations -help orgs quickly make improvements through adaptation -some models implemented in computer hardware/software -some implemented as policies and practices

IVP

integrity verification procedure: scans data and confirms integrity

internal benchmarking

known as baselining, involves comparing org performance at some defined state against current performance

access control key principles:

least privilege need to know separation of duties

need to know:

limits user's access to specific info required to perform duties

least privilege:

members of org can access minimum amount of info for min amount of time necessary to perform duties

ISO 27000 Series

most widely referenced and discussed security models

Purpose of ISO/IEC 27002

offer guidance for management of infosec to individuals responsible for their org's security programs -focused on broad overview of various areas of security -providing information on 127 controls over 10 areas

Framework or security model:

outline of the more thorough and organization-specific blueprint -for basis for design, selection and implementation of all security controls including policy, SETA, and technologies

Biba Integrity Model

provide access controls to ensure objects cannot have less integrity -ensures no info from a subject can be passed on to an object in a higher security level

ISO/IEC 27001

provides information how to implement ISO/IEC 27002 and how to set up an infosec managemtn system (ISMS)

Access Controls:

regulate admission of users into trusted areas of organization: both logical or physical access

corrective

remedies a circumstance or mitigates damage done during incident

compensating

resolves shortcomings

recovery

restores operating conditions back to normal

constrained user interfaces

some systems designed specific to restrict what info an indivudal user can access (ATMs)

state machine model

the design follows conceptual approach -always in a known secure condition

Graham-Denning Access Control Model

three parts: Set of subjects, set of rights, and set of objects -composed of process and domain

Lattice based access controls

variation on the MAC form, assigns users matrix of authorizations for particular areas of access -contains subjects and objects and the boundaries associated with each


Kaugnay na mga set ng pag-aaral

Nutrition for Health and Fitness Exam 2

View Set

Bio Exam Accumulative Final - Geneseo - Non-majors

View Set

BIO 112 Lab Practical Final Review - Combined Sets

View Set

Supply Chain Chapter 8 operations management

View Set

ATI Pharmacology - Questions Part 2

View Set

Psyc Chapter 2: Psychological Research

View Set