Deck 6: Security Management Models

Separation of duties is the principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties.

Information Technology-Code of Practice for Information Security Management was originally published as British Standard BS7799.

In the TCSEC,the reference monitor is the combination of all hardware,firmware,and software responsible for enforcing the security policy.

Management controls deal with the functions of security that have been integrated into the repeatable processes of the organization.

ISO 27002 is an international standard for computer security certification,considered to be the successor to both TCSEC and ITSEC.

There are two types of covert channels,storage channels and network channels.

Role-based controls are tied to the role that a particular user performs in an organization,whereas content-based controls are tied to a particular assignment or responsibility.

Compensating controls remedy a circumstance or mitigate damage done during an incident.

Lattice-based access control assigns users a matrix of authorizations for particular areas of access.

TCSEC is also known as the "Orange Book" and is considered the cornerstone of the DoD Rainbow Series that defines the criteria for assessing the access controls in a computer system.

Within lattice-based access controls,the row of attributes associated with a particular subject (such as a user)is referred to as a capabilities table.

ITSEC is the international set of equivalent for evaluating computer systems,and is very similar to the TCSEC.

In rule-based access controls,access is granted based on a set of rules which may be specified by the central authority.

The 'need to know' principle limits a user's access to the specific information required to perform the currently assigned task,and not merely to the category of data required for a general work function.

All security models discussed in the text are freely available to the public.

ISO/IEC 17799 is designed to promote certification of information security management system.

Bell-LaPadula security rules prevent information from being moved from a level of higher security to a level of lower security.

Preventative controls discourage or deter an incipient incident.

An information security blueprint describes existing controls and identifies other necessary security controls.

Under the Clark-Wilson model,internal consistency means that the system is consistent with similar data in the outside world.

An ATM machine is a common example of a(n)constrained user interface form of access control._________________________

Operational controls cover security processes designed by strategic planners,are integrated into the organization's management practices and are routinely used by security administrators to design,implement and monitor other control systems._________________________

TCSEC is a U.S.DoD standard that is also known as the Red Book,because of its color-coding._________________________

Need to know limits a user's access to the specific information required to perform the currently assigned task,and not merely to the category of data required for a general work function._________________________

The trusted computing base is the piece of the system that manages access controls under TCSEC._________________________

The NIST Security model documents enjoy two notable advantages over many other sources of security information: (1)They are publicly available at no charge,and (2)they have been available for some time and thus have been broadly reviewed by government and industry professionals.

Covert channels are unauthorized or unintended methods of communications hidden inside a computer system._________________________

The ITSEC is the international set of criteria for evaluating computer systems and is very similar to the TCSEC._________________________

The major process steps in the ISO 27000 series include Plan-Do-Check-Act.

The information security blueprint serves as the basis for the design,selection,and implementation of all subsequent security controls._________________________

Discretionary controls are determined by a central authority in the organization._________________________

Deterrent controls help an organization avoid an incident._________________________

Another data classification scheme is the personnel security clearance structure,in which each user of an information asset is assigned an authorization level that identifies the level of information classification he or she can access._________________________

Under the Common Criteria for IT Security Evaluation,a(n)Security Target is the system being evaluated._________________________

A security framework is a generic blueprint offered by a service organization._________________________

Classified documents should not be disposed of in trash otherwise people who engage in refuse recovery (digging through the trash)may retrieve information and thereby compromise the security of the organization's information assets._________________________

COBIT is an IT development framework and supporting toolset that allows managers to bridge the gap between control requirements,technical issues,and design specifications.

The Brewer-Nash model is commonly known as a Japanese wall.

In an access control matrix,as part of lattice-based controls,the column of attributes associated with a particular object (such as a printer)is referred to as a(n)capability table._________________________

The primary objective of the Committee of Sponsoring Organizations of the Treadway Commission (COSO),a private-sector initiative formed in 1985,is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence._________________________

The Biba model is a state machine model that helps ensure the confidentiality of an information system by means of MACs,data classification,and security clearances._________________________

One of the key elements of the Clark-Wilson model is the unconstrained data item which is a data item with protected integrity._________________________

The original purpose of ISO/IEC 17799 was to give recommendations for information security management for use by those who are responsible for initiating,implementing,or maintaining security in their organization._________________________

The objective of COBIT is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence._________________________