Chapter 8 Risk Management HMI 6571


Least privilege

The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary. Least privilege implies a need to know.

covert channels

Unauthorized or unintended methods of communication hidden inside a computer system.

Common Criteria for Information Technology Security Evaluation

An international standard (ISO/IEC 15408) for computer security certification that is considered the successor to TCSEC and ITSEC.

storage channels

A TCSEC-defined covert channel that communicates by modifying a stored object, such as in steganography.

timing channels

A TCSEC-defined covert channel that communicates by modifying a stored object, such as in steganography.

Bell-LaPadula (BLP) confidentiality model

A confidentiality model or "state machine reference model" that ensures the confidentiality of the modeled system by using MACs, data classification, and security clearances.

security clearance

A personnel security structure in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is "cleared" to access.

mandatory access control (MAC)

A required, structured data classification scheme that rates each collection of information as well as each user. These ratings are often referred to as sensitivity or classification levels.

Lattice-based access control

A variation on the MAC form of access control, which assigns users a matrix of authorizations for particular areas of access, incorporating the information assets of subjects such as users and objects.

Discretionary access controls (DACs)

Access controls that are implemented at the discretion or option of the data user.

Non-discretionary controls

Access controls that are implemented by a central authority.

Biba integrity model

An access control model that is similar to BLP and is based on the premise that higher levels of integrity are more worthy of trust than lower levels.

dumpster diving

An information attack that involves searching through a target organization's trash and recycling bins for sensitive information.

Information Technology System Evaluation Criteria (ITSEC)

An international set of criteria for evaluating computer systems, very similar to TCSEC.

Trusted Computer System Evaluation Criteria (TCSEC)

An older DoD system certification and accreditation standard that defines the criteria for assessing the access controls in a computer system. Also known as the rainbow series due to the color coding of the individual documents that made up the criteria.

Security Model

Another term for framework.

capabilities table

In a lattice-based access control, the row of attributes associated with a particular subject (such as a user).

blueprint

In information security, a framework or security model customized to an organization, including implementation details.

Framework

In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including InfoSec policies, security education and training programs, and technological controls. Also known as a security model.

Separation of Duties

The information security principle that requires significant tasks to be split up so that more than one individual is required to complete them.

Need-to-know

The principle of limiting users' access privileges to only the specific information required to perform their assigned tasks.

trusted computing base (TCB)

Under TCSEC, the combination of all hardware, firmware, and software responsible for enforcing the security policy.

reference monitor

Within TCB, a conceptual piece of the system that manages access controls—in other words, it mediates all access to objects by subjects.

