Models

Only available on StudyMode
  • Download(s) : 34
  • Published : January 22, 2013
Open Document
Text Preview
Color profile: Generic CMYK printer profile
Composite Default screen
All-In-One

/ CISSP Certification All-in-One Exam Guide / Harris / 222966-7/ Chapter 5

C HAPTER

Security Models
and Architecture
In this chapter, you will learn about the following topics:
• Computer architecture and the items that fall within it
• Trusted computing base and security mechanisms
• Components within an operating system
• Various security models
• Security criteria and ratings
• Certification and accreditation processes

Computer and information security covers many areas within an enterprise. Each area has security vulnerabilities and, hopefully, some corresponding countermeasures that raise the security level and provide better protection. Not understanding the different areas and security levels of network devices, operating systems, hardware, protocols, and applications can cause security vulnerabilities that can affect the environment as a whole. Two fundamental concepts in computer and information security are the security model, which outlines how security is to be implemented—in other words, providing a “blueprint”—and the architecture of a computer system, which fulfills this blueprint. A security policy outlines how data is accessed, what level of security is required, and what actions should be taken when these requirements are not met. The policy outlines the expectations of a computer system or device. A security model is a statement that outlines the requirements necessary to properly support and implement a certain security policy. If a security policy dictates that all users must be identified, authenticated, and authorized before accessing network resources, the security model might lay out an access control matrix that should be constructed so that it fulfills the requirements of the security policy. If a security policy states that no one from a lower security level should be able to view or modify information at a higher security level, the supporting security model will outline the necessary logic and rules that need to be implemented to ensure that under no circumstances can a lower-level subject access a higher-level object in an unauthorized manner. A security model provides a deeper explanation of how a computer operating system should be developed to properly support a specific security policy.

185
P:\010Comp\All-in-1\966-7\ch05.vp
Monday, May 19, 2003 3:39:48 PM

5

Color profile: Generic CMYK printer profile
Composite Default screen
All-In-One

/ CISSP Certification All-in-One Exam Guide / Harris / 222966-7/ Chapter 5

CISSP Certification All-in-One Exam Guide

186
NOTE Individual systems and devices can have their own security policies. We are not talking about organizational security policies that contain management’s directives. The systems’ security policies and models they use should enforce the higher-level organizational security policy that is in place.

Security Models and Architecture
Computer security can be a slippery term because it means different things to different people. There are many aspects of a system that can be secured, and security can happen at various levels and to varying degrees. We have stated in previous chapters that information security is made up of the following main attributes: • Availability

• Integrity

Prevention of loss of access to resources and data

Prevention of unauthorized modification of data

• Confidentiality

Prevention of unauthorized disclosure of data

From here these main attributes branch off into more granular security attributes such as authenticity, accountability, non-repudiation, and dependability. How does a company know which of these it needs, to what degree they are needed, and if the operating systems and applications they use actually provide these features and protection? These questions get much more complex as one looks deeper into the questions and systems themselves. Companies are not just...
tracking img