Security Policy

Spyware, Trojans, and Other Malware: Prevention Is Better Than Cure By: Sanjay Anand; Date: 11 June 2004; Hot Issue: What should we do to secure our information assets?
sample security policies - Here is a list of about 32 different sample security policies ranging from encryption to wireless use policies. Sometimes the best way to learn something is by example. These examples should give you some idea of how to write a security policy, or at least provide a nice template to start from.
practices for security programs - This link provides bulleted paragraphs on the best practices for security programs. The overview includes:
  • Security Plans
  • Security Policies
    • Deciding on a Security Policy
      • Risk Management
    • Writing the Security Policy
    • Implementing the Security Policy
    • Reviewing the Security Policy
Each bullet has a summary of the topic and its best practices.
security policy manual - This link provides a security policy manual for Western Illinois University. The policy manual includes definitions outlining the protection of the university's assets. It also outlines who the data owners are and what the data owner's responsibilities are. A list of policy regulations and non-compliance actions is also incorporated into the document.
how to write a security policy - This pdf file is a well-written document on how to write a security policy. The document provides definitions for what a security policy is, what you should know to write one, and how to define roles and responsibilities for the security program. The pdf file also gives advice on how to successfully implement the policy. Overall the document presents the life cycle development process for security policies. A must read for the serious security policy writer.
a survey conducted on security policies - This link contains respondents' comments from a survey conducted on security policies. It is interesting to see how security policies affect the users and their point of view. Some of the comments reflect on best practices that obviously weren't performed correctly in the development life cycle of the security policy.
Protect Your PDAs, PDQ! - This article talks about the need for protecting PDAs, and states that the appropriate level of security should be a part of the official security policy. The author covers things like physical protection to prevent theft or loss; access control to prevent unauthorized access and usage; anti-virus protection; on-board data protection; data transfers; synching, etc. The points brought up in this article should all be considered when updating or writing a security policy for PDAs.
Know your security onions - This article discusses the need for security strategies consisting of multiple, overlapping layers of security made up of policies and products. The article also states that before any technology is deployed, security policies should be devised, identifying the information that is at risk and what level of protection is required.
Discussion of role-based access control in Windows Server 2003. Windows Server 2003 Authorization Manager gives applications a role-based access control framework that provides manageable administration and natural development for Web-based or line-of-business applications.
Survey points to insecurity of PDAs - This short article states that two-thirds of PDA users are lax about encrypting and password protecting the data stored on their devices. The article advises that companies should have a mobile security policy and that responsibility for security should be taken away from the user and centrally managed.
Websense product website. Websense provides tools to monitor internet use and enable organizations to enforce internet use policies. It provides a description of the functions and capabilities of the Websense Enterprise tool that is used to monitor internet use. (They use it at Ogeechee Technical College)
This website provides some concise answers to the question "What is the basic difference between the Biba Model and the Bell-LaPadula model of security?" Answers are provided by security professionals and university
run time security models - This is a rather long article addressing run time security models. It looks at different development environments like Java and .NET and makes mention of some of the security models discussed in chapters 5 - 7.
Department of Defense paper on information assurance policy. This policy is well written; it answers the following questions: What is the goal of the defense? Who is responsible for each portion of the defense? Who is authorized to access government computer systems? etc.
"Computer and Information Security Policy" - Draft paper for NIST Computer Security Handbook - This site gives detailed information on the draft chapter intended to be part of the NIST draft paper. The chapter starts with an introduction to security policy, and then discusses two types of policy that need to be developed. The paper then goes into further detail about Program-Level and Issue-Specific policies. Next the chapter discusses how policy implementation is a process, how security policy affects the organization, and the need to educate the employees. Then there is a brief discussion of cost considerations and the interrelationships of security policy. Finally the conclusion goes into a possible guideline.
Brief discussion of what a computer security policy is and what is included in the policy, including types of access control.
(National Institute of Standards and Technology) - This site is a subsection of the overall issues of security under the institute's main page. It highlights the most recent documents published by the institute.
Berkeley National Laboratories - It reviews its computer security policies and some of the legal issues concerning the policies.
University of California, Berkeley, Campus IT policies
Users' Security Handbook - RFC 2504 from the Network Working Group is "intended to provide users with the information they need to help keep their networks and systems secure."
Department of Defense (DOD) computer security policy. This document is very old, but it states who is responsible for covering a particular area of security in the DOD.
Security Policies, Guidelines, and Regulations
Building and Implementing a Successful Information Security Policy
Policy & Standards
Information Security & Account Management
This web site allows you to purchase security policies. It gives background for each policy with the purchase and allows for interactive delivery of the policies. It is also possible to download a trial copy of the RUsecure product.
This site provides information about security policies for Microsoft SharePoint products and technologies. It gives guidelines that should be considered when implementing MS Windows SharePoint Services or MS Office SharePoint Portal Server 2003.
This web site talks about the security policy project that the SANS Institute is working on. It has links to an Acceptable Encryption Policy, an Acceptable Use Policy, Analog/ISDN Line Policy, Anti-Virus Process, and several other policies that provide guidelines for the minimum criteria that must be in place for each policy.
"Site Security Handbook - RFC 2196" Editor: B. Fraser - SEI/CMU, September 1997; This document discusses the definition of the Security Policy. It discusses the purpose of a security policy, why one should have one, and who should be involved in forming it. The document discusses three characteristics of a good security policy and the nine components of a good security policy. The document also discusses the topics of confidentiality and integrity.
SANS Security Policy Project - Free. Provides resources and explanations for developing security policies.
Cyber Security Policy and Research Institute - "CPI's mission is to encourage, promote, facilitate, and execute interdisciplinary research in areas related to the nexus of society and the Internet." Provides current news synopses of Internet related issues, resources such as online seminars, a virtual library and cooperative efforts, as well as current information about Linux issues.
"How to Improve Your IT Security Policy" Authors: Gary Lynch and Karen Avery; This document gives an example of how to improve your current security policy. It shows, in a graphical presentation, what an IT staff member called Jane Doe of an XYZ company did to improve the security policy at her company. She starts out by understanding her current policy and discovering which employees are ignoring it. Then she and her top aides come up with a measuring system to help determine how well they are doing with their security policy, and from the data they collected they analyze and determine where they need to improve. The chart shows what they analyzed and what they came up with to improve their security policies. It also states that there is a need to maintain the momentum and to keep looking for better ways to improve security policies.
"Creating IT Security Policies" By Ronald van Geijn, July 27, 2004; The goal of this article is to help in creating an IT Security Policy. It starts off with a quick look at the history of some of the biggest security attacks in recent years, like the SoBig worm, and how these threats have thrust the creation of IT Security Policies to the forefront. The article discusses the extreme importance of creating a security policy task force and who should be involved on this task force; without this task force the policy will not be taken seriously by the employees. Then the article discusses risk assessment as the next step and the importance of determining these risks, noting the need to consider both monetary and intrinsic value. Then the article explains that the security policy is just a brief document within a suite of documents, and gives a good description of what should be in the security suite. The last section and conclusion of the article discuss that the most serious and important step of the security policy is actually enforcing and measuring the policy.
Building and Implementing a Successful Information Security Policy by Dancho Danchev - Copyrighted in 2003, this paper outlines the "strategies and managing processes behind implementing a successful Security Policy." This paper focuses on reducing the integration period usually associated with security policies.
e-Policy - Copyrighted in 2004, this whitepaper discusses e-Policy, a corporate statement and set of rules to protect organizations from casual or intentional abuse. This whitepaper explains e-Policy, why it is needed, whose responsibility it is, what is needed to implement it, and the technology that will be needed.
How to Develop Good Security Policies and Tips on Assessment and Enforcement by Kerry D. McConnell - Not dated, this document attempts to explain how developing and enforcing good security policies can be accomplished. The document tells the reader where to begin, what questions to ask when developing the policies, how to implement and enforce the policies, and more.
The Basics of an IT Security Policy by Jack G. Albright - Dated March 2002, this article addresses "the importance of having a written and enforceable Information Technology (IT) security policy, and to provide an overview of the necessary components of an effective policy." The reader will gain a basic understanding of the methods and procedures.
Why Security Policies Fail - This article does not address the tactical "point solutions" typically used to thwart specific direct attacks; it instead focuses on strategic and systematic weaknesses that can slowly degrade security operations, attract thieves, or make a disaster more likely to happen. Its intent is to stimulate further analysis of the security infrastructure, and to suggest mechanisms to combat the "natural weaknesses" of the security process.
How to Develop a Network Security Policy - Based on a book entitled "The Site Security Handbook" and copyrighted in 2004, this document attempts to explain the measures business executives and others can take in order to improve Internet and network security within their organizations. The reader will learn about the need for a site security policy as well as the factors that will come into play when implementing it.
This white paper from Sun Microsystems presents a high-level overview of the issues, realities, and technologies available to protect your business from unwanted intrusions and violations when connecting to the Internet. Most aspects of security, including network security and the creation of a security policy, are quite complex; however, gaining a basic understanding of the principles and tools involved is a straightforward exercise.
Another PowerPoint presentation of access models, including Biba, Bell-LaPadula, Chinese Wall and Clark-Wilson.
This PowerPoint presentation contains information on the history of computer security and several models of security.
The SANS Institute - Established in 1989 as a cooperative research and education organization, the SANS Institute enables more than 156,000 security professionals, auditors, system administrators, and network administrators to share the lessons they are learning and find solutions to the challenges they face. At the heart of SANS are the many security practitioners in government agencies, corporations, and universities around the world who invest hundreds of hours each year in research and teaching to help the entire information security community.
This site contains a presentation on the Protection Domain, Access Control Matrix Model, Dynamic Policies, Secure Information Flow Models and Confinement Problems.
This site contains a PowerPoint presentation on integrity and how the various models play into the integrity rule.
This site is a handbook of Information Security Management.
Reference Library on security policies. White papers, articles, and sample policies. - Page with extensive listings of links to articles about sample policies, how to go about writing a policy, standards documents, and more.
Purdue University COAST (Computer Operations, Audit, and Security Technology) Security Archive's directory, which includes links to Policy.
Building Effective, Tailored Information Security Policy - a presentation from the 20th NISSC Internet Technical Security Policy Panel. From 1997 but still applicable today.
- Yet another directory of links on security policy
IT Security Cookbook, "intended as a 'self help' guide to computer & network security, primarily for security managers, programmers and system administrators."; "strong focus on writing and implementing security policy"
Information Security Policy World - The most cost-effective way is often to procure a set of pre-written policies, and then tailor them as necessary to meet specific cultural needs: why re-invent the wheel and proceed down a more complex route than necessary? This directory is intended to help you ensure that your policies actually meet your needs. It will help you:
  • develop them if they don't exist (or buy them off the shelf)
  • implement them properly
  • manage compliance with them
Whatever your needs with respect to information security policies or an individual information security policy, you should hopefully find something of value.
- listing itself as a Portal site but most of the non-governmental-agency external links are to companies that are recommending or selling the same products (and the other companies aren't always disclosing the relationship, which sets my alarms off). A nice little self-contained circle of recommendations :) Does include evaluation versions of documents.
Configurable Security Policies by Jesse Ruderman; The article discusses Mozilla's configurable security policies (CAPS). Mozilla's configurable security policies allow users to set up security policies for the browser and also have different security policies for different Internet sites. The article is divided into the following sections: What are Configurable Security Policies?, Setting Global Policies, Zone Policies, Security Levels, Get and Set, Figuring out Object Names, Caveat: Some Properties Have Multiple Access Paths, The Complete Preferences Syntax, Disabling All JavaScript for a Site, Additional Examples, and User Interface.
Privacy and Customer Security Policies by Verizon [January 23, 2003] - The article discusses the security policies of Verizon. The article also details how information is collected and handled at the web site. When the site is visited, the following information is collected: anonymous statistics and personal information that was knowingly given to the web site, such as name, address, and e-mail address.
IT Security Policies And Their Implementation; The article is about IT security policies & network security policies and how to deliver them. The article states that IT security policies (including network security policies) are the foundation, the bottom line, of information security within an organization. The article asks the following questions about security policies:
  • Are they comprehensive enough?
  • Are they up to date?
  • Do you deliver them effectively?
Security Policies & Baseline Standards: Effective Implementation by Security Risk Associates; The article is about security policies and states that having a security policy document is not enough. A security policy should be deployed and implemented to be effective. Security policies and baseline security standards underpin the security of the information and the organization. The article is divided into the following sections: creation & delivery of information security policies, security policy compliance strategy, and a proven compliance solution.
The University of Arizona Information Security and Privacy by Business Continuity & Information Security; The article is about The University of Arizona's security policies. The article covers information security and privacy. The article is divided into the following sections: guidelines, procedures, policies, principles, and other related links.
Security Policies 101 by Intranet Journal staff [1/6/2003]; A concise overview of what comprises a security policy. The article takes time to describe the differences between administrative and technical policies. It covers just the basics of who, what, and how in developing and writing policies.
Developing Security Policies: Charting an Obstacle Course by Rosemary Sumajit [April 4, 02]; A rather long essay on developing security policies in an academic environment, but it is applicable to any area. The author covers topics from the myth of security to risk assessment and why policies fail.
Security Policies - Not Yet As Common As You'd Think by Jacqueline Emigh [June 20, 2002]; A short, enlightening article on the problems with developing security policies. It brings to light the issue that the information infrastructure is 90% owned by private corporations, and that private organizations and the government must come together in policy development in order to protect our information infrastructure.
Security Policies - A good web page for the introduction of topics necessary to consider when planning to write a security policy. This page discusses acceptable use of network, hardware and software, as well as disaster and incident response.
Aspects of Security Policies by John Barkley [Mon Jan 9 13:56:57 EST 1995]; Although somewhat out of date, the basic theme of this article is still relevant today: that private corporations need a security policy to protect their information, and the components necessary in such a policy.
Developing a security policy by Jonathan Harker [30-01-2003]; This article states that "IDC recently reported that fewer than 10 per cent of European companies have a security policy in place." The article offers a few basic suggestions for creating and implementing a security policy. The focus of the article is that, with all of the threats that exist, a company needs to have a security policy in place. The article also gives a list of common attack points that need to be protected.
Developing Effective Security Policies By J. Craig Lowery, Ph.D. (November 2002); "This article discusses the importance of security policies and examines the security policies required in most organizations. It also provides guidelines on how to develop, implement, and enforce policies that are effective without being overly intrusive."
Developing a Site Security Policy - This article states that a security policy should first start with no access and then decide what access needs to be granted, by trying to understand what the organization's expectations are as well as its goals. The risks must be identified and continuously reevaluated in order to make a security policy effective. The policy should be created with the knowledge of risks, company structure, goals, expectations and assets in mind.
The SANS Security Policy Project - This site has a link to explain the difference between a security policy, a guideline and a standard, which is helpful in understanding why we design security policies. There are also other security policy related links on this site. SSPR is "a consensus research project" with the ultimate goal "to offer everything you need for rapid development and implementation of information security policies." Includes dozens of sample policies addressing a variety of infosec topics.
85321: Developing a Security Policy by Rob McMillan; This is a great article about aspects to consider when writing a security policy. The article explains why an organization needs a security policy, what the characteristics of a security policy are, and what a site security policy contains.
Developing an Information Security Policy - This article is geared towards creating a security policy for a health organization. It explains why health organizations need a security policy and what the policy should include. It lists the two main reasons to have a security policy as protecting the patients' rights and reducing organizational risk and liabilities.
How To Develop Information Security Policies
The Information Security Glossary
A Security Policy Configuration for the Security-Enhanced Linux
Bridging the Gap Between Technology and Policy
Integrating Flexible Support for Security Policies into the Linux Operating System
Configuring the SELinux Policy
NSA/SNAC Router Security Configuration Guide
Introduction to Security Policies, Part Four: A Sample Policy
Security Management folder
Georgia Institute of Technology - Computer and Network Usage Policy
Georgia Institute of Technology - Unit Level Network Usage Policies
Paper describing a new security access model, "Generalized Role-Based Access Control" (GRBAC). GRBAC is an extension of traditional Role-Based Access Control that uniformly applies the concept of roles not only to subjects, but also to objects and system states. Policy can be written from any of the subject-centric, object-centric, or environment-centric viewpoints. Includes a description of Georgia Tech's "Aware Home" project and several examples of GRBAC applications within that project.
"Dealing with Multi-Policy Security in Large Open Distributed Systems" - When multiple security policies exist across multiple systems, how should they be addressed? This paper introduces a model for specifying security policy in terms of security domains, access control and information flow rules, and identifies the set of operators for combining the specifications of sub-policies.
Task-Based Authorization Controls (TBAC): A Family of Models for Active and Enterprise-oriented Authorization Management - Paper describing a new paradigm for access control management: Task-Based Authorization Controls (TBAC). TBAC models access controls from a task-oriented perspective rather than the traditional subject-object one.
Rule Set Based Access Control (RSBAC) for Linux - an open source security extension access control framework for current Linux kernels. Provides a range of access control models such as MAC (Bell-LaPadula Mandatory Access Control), FC (Functional Control), MS (Malware Scan), FF (File Flags), RC, and ACL, plus a runtime registration facility allowing implementation of your own access control model.
The Flask Security Architecture: System Support for Diverse Security Policies - From the abstract: This paper introduces a new operating system security architecture. It provides for controlling propagation of access rights, enforcing fine-grained access rights and supporting the revocation of previously granted access rights. The architecture includes a security decision caching mechanism intended to prevent performance degradation while ensuring a consistent view of policy decisions.
Paper describing a new security access model, the "Generalized Temporal Role Based Access Control" (GTRBAC) model, combining the key features of the RBAC model with a temporal framework. From the abstract: "The proposed GTRBAC model allows specification of a comprehensive set of time-based access control policies, including temporal constraints on role enabling, user-role and role-permission assignments, and role activities. The model provides an event-based mechanism for supporting dynamic access control policies, which are crucial for developing secure workflow-based enterprise applications. In addition, the temporal hierarchies and separation of duty constraints facilitated by GTRBAC allow the development of security policies for commercial enterprises. The thesis provides various design guidelines for managing complexity and building secure systems based on this model. X-GTRBAC, an XML-based policy language has been developed to allow specification of GTRBAC policies." (Warning: LARGE PDF! 3+ MB)
This site is an in-depth article on computer integrity security standards.
This paper describes in detail an implementation of the Chinese Wall Model.
This page has some definitions and a brief comparison among the Bell-LaPadula Model, the Biba Model and the Clark-Wilson Model.
This is a short description of a broad definition of computer security, including a definition for the integrity of a system among other computer security issues.
"Protection: Bell-LaPadula Models," Author: Dennis Gibson, Summary: Even though the author of our text makes the Bell-LaPadula Model (BLM) easy to understand, I wanted to find a site that helps drive his point home. This site does an excellent job of making the BLM model easy to understand. It starts off by stating the type of system the BLM is and goes even further with the different restrictions imposed by the BLM. It uses a diagram to demonstrate the different levels and talks about the Simple Security Property and Star Property along with the basic security theorem and Tranquility. This article would be beneficial to anyone who had problems understanding the BLM.
"Chaffing and winnowing" Author: Ronald L. Rivest, MIT Lab for Computer Science, April 24, 1998; Summary: The paper written by Ronald was very interesting. He introduces another method of achieving confidentiality other than steganography and encryption. The method is referred to as chaffing and winnowing. Winnowing is the process of separating the good from the bad and is used when separating grain from wheat. The author gives several examples in his paper, stressing the difference between winnowing and encryption. The author also gives examples of how winnowing provides more confidentiality than encryption when law enforcement is involved. Law enforcement can get permission to decrypt an encrypted message, but is unable to obtain the authentication key for a message. An authentication key will need to be obtained to read a message that has been chaffed.
"Fact Sheet 6: How Private is my Credit Report," Author: Privacy Rights Clearinghouse, December 2000; Summary: In a search to find an interesting article on confidentiality, I stumbled upon the privacy rights website. The homepage itself has several different links. The link above is strictly dealing with credit reports. I chose this article because I think it should be of interest to everyone in the class. This article answers questions about who has the right to view your credit report with or without your permission, and what they can do with the information found on your credit report. For those of you who receive pre-approved credit card letters in the mail every day, it gives you an 800 number and mailing address to call to keep your information from being released to these agencies.
"TCB Isolation Using a Mandatory Integrity Policy," Author: Casey Schaufler, February 10, 1995; Summary: I surfed across this paper in an effort to understand the Biba Integrity Model. Silicon Graphics developed a system that addresses security requirements of customers within the government. They developed a policy, which they refer to as MINT, that is based on the Biba Integrity Model. This paper does a good job of explaining the Biba Integrity Model, making it easier to comprehend. It also allows you to see the Biba Integrity Model being used in the creation of an integrity policy.
"An Implementation of the Chinese Wall Security Model using ConSA," Author: Frans Lategan and Martin S. Oliver (PDF, 78K). Summary: In this paper the author attempts to show that the ConSA architecture can also support the Chinese Wall Security Model. ConSA is a new type of architecture that is implemented separately from the system that it would protect. ConSA has worked on several different security models. ConSA is similar to plug-n-play; it can be configured to work on almost any system. I feel compelled to warn you all, the article is easy to read UNTIL you get into the mathematical notations.
Title: Computer Security Models, Author: Eddy Chan; Summary: The article discusses security models. The article states that security models are an important concept in the design of secure systems. According to the article, security models all have different security policies applying to the systems. The article is comprised of sections on the Bell-LaPadula model, Biba Integrity model, and Clark-Wilson model.
Title: Introduction to Security Policies, Part Two: Creating a Supportive Environment, Date: September 24, 2001, Author: Charl van der Walt; Summary: The article offers an introduction to security policies and states that policies in themselves are ineffective; their effectiveness is directly proportional to the support they receive from the organization. Thus, it is crucial that the organization be aware of the importance of security policies and create an environment in which security is given a high priority. The bigger the organization, the more important the support issue becomes. The article covers a few of the things that can be done to ensure that security policies are given the full support of the management of the organization, which will thereby increase the efficacy of the policies.
Title: Security Architecture and Models, Author: Mitchell Rowton; Summary: The article discusses security models and security policy. The article states that the security policy outlines several high level points: how the data is accessed, the amount of security required, and what the steps are when these requirements are not met. The security model is more in depth and supports the security policy. The Bell-LaPadula Model, Biba model, and Clark-Wilson Model are utilized as examples in the article. A fairly good article on security models including the Biba Integrity model; it also introduces a model I did not see in the text, the Clark-Wilson Integrity model. Overall, the article is useful in understanding the differences between the different models.
Title: In-Depth Review of the Bell-LaPadula Model, Author: Eddy Chan; Summary: The article discusses the Bell-LaPadula model. According to the article, the Bell-LaPadula model is one of the earliest and most famous computer security models. The article offers a more in-depth review of the Bell-LaPadula model. The article lists problems with the Bell-LaPadula model.
Title: Computer Security Inference Control, Date: May, 1997, Author: Halim M. Khelalfa; Summary: Today's world of computers is drastically different from that of twenty years ago. The advent of computer networking, and especially the interconnection of computer networks, has played a major role in the revolution of Information Technology (IT). The article reports on an on-going project at CERIST on computer security inference controls. The most important formal models of access control in which entities are divided into security classification levels are the Bell-LaPadula Model and the Biba Model.
Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, Aug 03; A short page with many additional links on the impact and details of the HIPAA privacy and security mandates as described in Title II of the law.

The all-important confidentiality policy, By David Southgate, TechRepublic, January 16, 2003; A short and relevant article on the concept of confidentiality in technology-based companies. I found interesting the idea of the new employee confidentiality agreement, where a company must consider any trade secrets a new employee may bring with them to a new job, and how those trade secrets could compromise the integrity of the company and the employee's work.

Possibilities for Covert Write Down Detection via Null Differential, Marked Money Tests, M.S. Jaffe; This paper introduces some interesting thoughts on how to prevent covert write-downs in a secure environment when using commercial off-the-shelf systems. One particular piece covers how to downgrade a document from Secret High to Confidential, and the risks of covert Trojans or of software that appears to delete information when it is actually only hidden.
PRIVACY IN THE WORKPLACE SEMINAR; This is a case-study-style seminar that helps employers develop privacy and confidentiality policies for their workplace. Although this goes beyond the scope of technical security policies, it does address many areas of concern for computer security, including the physical security of confidential information and how to balance flexibility with security.

Security Models, Emin Gün Sirer; This is a nice PowerPoint presentation of security models and how they relate to integrity and confidentiality policies.

Security Policies, Stephan Hutter; These PowerPoint notes give an overview of access control, the Chinese Wall model, the Bell-LaPadula model and the Biba model.
Protection: Bell-LaPadula Model, Harsh Manocha; This is an informative website that explains the Bell-LaPadula model clearly. The site explains the restrictions imposed by this model.

The Chinese Wall Security Policy; This article explains the Chinese Wall model and compares it to the Bell-LaPadula model. It states that the Chinese Wall model can imitate the BLP model, but that the BLP model is unable to imitate the Chinese Wall model.

Security Models and Architecture; This site gives a decent overview of security models. The site explains the criticisms of the models as well as giving a brief explanation of each model. The models covered are Bell-LaPadula, Biba, Clark-Wilson, Information Flow models and Noninterference models.
Security Policies; This site displays well-written PowerPoint notes that cover security policies and models and how they relate to confidentiality and integrity.

Confidentiality and Integrity with Untrusted Hosts - This paper was written by Steve Zdancewic and Andrew C. Myers, both from Cornell University. The paper primarily addresses security-typed languages that have been proposed to enforce confidentiality and integrity. The paper discusses the fact that untrusted hosts have become the rule rather than the exception, and the authors propose a new security-typed language called SPL@.

Data Integrity Limitations in Highly Secure Systems - This paper was written by Cynthia E. Irvine and Timothy E. Levin. Cynthia Irvine is from the Computer Science department of the Naval Postgraduate School, and Timothy Levin is with Anteon Corporation, a contracting company with the Naval Postgraduate School. The paper discusses a network architecture that supports multilevel security, primarily multilevel security and the utilization of commercial off-the-shelf workstations.
Confidentiality and integrity - This paper was written by Filip Schepers in 1998 as a thesis for the University of London. The title of the thesis is "A Framework for Adaptive Security Management Systems". In section he explains what confidentiality and integrity are and how they relate to cryptography and security management.

Security Policy Roadmap: Process for Creating Security Policies - This paper was written by Chaiw Kok Kee and discusses security policies and the process for creating those policies. The author basically takes you through the step-by-step process of creating a security policy, primarily a policy for confidentiality and integrity.

Protection Profile Development - This document describes the Federal Criteria for Information Technology Security. This document was written by P-80 International Information Systems. It describes the technology of information security, and whenever you discuss security you also have to talk about what confidentiality and integrity are and what they do.


10 Golden Security Rules; This article is about ISO 17799. It states that 17799 is a code of practice and identifies itself as "A starting point for developing organizational specific guidance". The standard gives some general information on setting and defining security goals and establishing a security policy. The article lists the ten security areas contained in the policy with a short description of what's contained in each area. The article also gives a brief comparison of ISO 17799 and Common Criteria (International Standard 15498).

What is ISO 17799?; ISO 17799 is an internationally recognized security standard (policy). This presentation gives a general description of the standard and some background on how it came about. The site recommends that when creating a new security policy you make sure it covers all of the issues in ISO 17799, or that you base any new policy directly on ISO 17799.

presentation on the ISO 17799 security standard; Since I did not know anything about the standard, this was of some help to me.

"The ISO17799 Security News Letter: ISO17799 News" - This site is a newsletter site that focuses on the ISO/IEC security standard. This link is Issue 4 of the ISO17799 News. This issue discusses the ISO 17799 toolkit and points out section 3 of the toolkit, which gives a detailed set of ISO 17799-compliant security policies.

ISO 17799 Standard; This site explains the 10 categories of the 17799 standard that make up a comprehensive security policy.

The ISO 17799 and ISO 27001 User Group; The non-commercial user group for the ISO series of IS standards.


written by Wayne Summers