A framework for the management of information security

  • Jussipekka Leiwo
  • Yuliang Zheng
Security Management
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1396)

Abstract

Information security is strongly dependent on access control models and cryptographic techniques. These are well established areas of research and practice in the enforcement of technical information security policies but are not capable of supporting development of comprehensive information security within organizations. Therefore, there is a need to study upper level issues to establish organizational models for specifying security enforcement mechanisms and coordinating policies. This paper proposes a model for dealing with high level information security policies. The core is to enforce a continuous refinement of information security requirements aiming at formally deriving technical security policies from high level security objectives. This refinement is carried out by in formation security harmonization functions. Contribution of this paper is on the specification of a notation for expressing information security requirements and on the specification of a mechanism to formulate harmonization functions.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Trusted computer systems evaluation criteria. U.S. Department of Defence, 1983.Google Scholar
  2. 2.
    M. Adabi, M. Burrows, B. Lampson, and G. Plotkin. A calculus for access control in distributed systems. In Advances in Cryptology — Crypto'91, 1991.Google Scholar
  3. 3.
    J. Backhouse and G. Dhillon. Structures of responsibility and security of information systems. European Journal of Information Systems, 5:2–9, 1996.Google Scholar
  4. 4.
    D. E. Bell and L. J. LaPadula. Secure computer systems: Mathematical foundations and model. Technical Report M74-244, MITRE Corporation, Bedford, MA,USA, 1975.Google Scholar
  5. 5.
    K. Biba. Integrity considerations for secure computer systems. Technical Report TR-3153, MITRE Corporation, Bedford, Massachusetts, USA, 1977.Google Scholar
  6. 6.
    H. Booysen and J. Eloff. A methodology for the development of secure application systems. In Proceedings of the IFIP TC11 11th International Conference on Information Security, 1995.Google Scholar
  7. 7.
    E. R. Buck. Introduction to Data Security and Controls. QED Technical Publishing Group, Wellesley, MA, USA, second edition, 1991.Google Scholar
  8. 8.
    D. D. Clark and D. R. Wilson. A comparison of commercial and military security policies. In 1987 IEEE Symposium on Security and Privacy, 1987.Google Scholar
  9. 9.
    W. Diffie and M. E. Hellman. New Directions in Cryptography. IEEE Transactions on Information Theory, IT-22(6):644–654, Nov. 1976.Google Scholar
  10. 10.
    T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31(4):469–472, 1985.Google Scholar
  11. 11.
    Federal Information Processing Standards Publications (FIPS PUB) 46. Data Encryption Standard. National Bureau of Standards, Jan. 1977.Google Scholar
  12. 12.
    A. Hartmann. Comprehensive information technology security: A new approach to respond ethical and social issues surrounding information security in the 21st century. In Proceedings of the IFIP TC11 11th international conference of Information Security, Cape Town, South Africa, May 1995.Google Scholar
  13. 13.
    S. Jajodia, P. Samarati, and V. S. Subrahmanian. A logical language for expressing authorizations. In Proceedings of the IEEE Symposium on Security and Privacy, 1997.Google Scholar
  14. 14.
    L. J. LaPadula. Foreword for republishing of the Bell-LaPadula model. Journal of Computer Security, 4:233–238, 1996.Google Scholar
  15. 15.
    J. Leiwo and S. Heikkuri. Clarifying concepts of information security management. In Proceedings of the 2nd International Baltic Workshop on DB and IS, Tallinn, Estonia, June 1996.Google Scholar
  16. 16.
    J. Leiwo and Y. Zheng. A formal model to aid in documenting and harmonization of information security requirements. In Proceedings of the IFIP TC1I 13th International Conference on Information Systems Security, 1997.Google Scholar
  17. 17.
    J. Leiwo and Y. Zheng. A mandatory access control policy model for information security requirements. In Proceedings of the 21st Australasian Computer Science Conference (ACSC'98), 1998.Google Scholar
  18. 18.
    S. Muftic, A. Patel, P. Sanders, R. Colon, J. Heijnsdijk, and U. Pulkkinen. Security Architecture for Open Distributed Systems. John Wiley & Sons, 1994.Google Scholar
  19. 19.
    R. L. Rivest, A. Shamir, and L. M. Adleman. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Commun. ACM, 21(2):120–126, Feb. 1978.Google Scholar
  20. 20.
    R. S. Sandhu. Lattice-based access control models. IEEE Computer, pages 9–19, Nov. 1993.Google Scholar
  21. 21.
    R. S. Sandhu, E. J. Coyne, H. J. Feinstein, and C. E. Youman. Role-based access control models. IEEE Computer, 29(2):38–47, Feb. 1996.Google Scholar
  22. 22.
    B. Schneier. Applied Cryptography. John Wiley & New York, second edition, 1996.Google Scholar
  23. 23.
    W. Stallings. Network and Internetwork Security: Principles and Practise. Prentice Hall, Inc., Englewood Cliffs, NJ, USA, 1995.Google Scholar
  24. 24.
    D. F. Sterne. On the buzzword Security Policy. In IEEE Symposium on Security and Privacy, 1991.Google Scholar
  25. 25.
    T. Y. Woo and S. S. Lam. Authorization in distributed systems: A formal approach. In Proceedings of 1992 IEEE Symposium on Research in Security and Privacy, 1992.Google Scholar
  26. 26.
    Y. Zheng. Digital signcryption or how to achieve cost(signature & <_ cost (signature) + cost (encryption). In Advances in Cryptology–Crypto'97, number 1294 in Lecture Notes in Computer Science. Springer-Verlag, 1997.Google Scholar
  27. 27.
    Y. Zheng. The SPEED cipher. In Proceedings of the Financial Cryptography'97, 1997.Google Scholar

Copyright information

© Springer-Verlag 1998

Authors and Affiliations

  • Jussipekka Leiwo
    • 1
  • Yuliang Zheng
    • 1
  1. 1.Peninsula School of Computing and Information TechnologyMonash UniversityFrankstonAustralia

Personalised recommendations