Towards a Formal Specification Method for Enterprise Information System Security
As information infrastructure is becoming more and more complex, and connected, the security properties like confidentiality, integrity and availability are becoming more and more difficult to protect. The international community is adopting security standards such as ISO 17799 for best practices in security management and Common Criteria for security certification of IT products. It has been recognized that the security of enterprises has to be tackled from the point of view of a management structure than from a purely technological angle, and to achieve this, the primary need is to have a comprehensive security policy. A security model is a formal way of capturing such security policies. Most existing security models cannot support a wide range of security policies. The need is to develop a formal security model that combines the intricacies of the entire gamut of existing security models and supports security policies for a wide range of enterprises.
KeywordsSecurity Policy Security Model Security Management Access Control Model Information Asset
Unable to display preview. Download preview PDF.
- 1.Bell, D.E., LaPadula, L.J.: Secure Computer Systems: Unified Exposition and Multics Interpretation. ESD-TR-75-306, MTR 2997 Rev. 1, The MITRE Corporation (March 1976)Google Scholar
- 2.Biba, K.J.: Integrity Considerations for Secure Computer systems. Mitre TR-3153, Mitre Corporation, Bedford, MA (April 1977)Google Scholar
- 3.Brewer, D.F.C., Nash, M.J.: The Chinese Wall Security Policy. In: Proceedings of the 1989 IEEE Computer Society Symposium on Security and Privacy, Oakland, California, May 1-3, 1989, pp. 206–214. IEEE Computer Society Press, Washington (1989)Google Scholar
- 4.Clark, D.D., Wilson, D.R.: Evolution of a Model for Computer Integrity. In: Report of the Invitational Workshop on Data Integrity, January 25-27, 1989, Gaithersburg, Maryland. NIST Special Publication, pp. 500–168 (1989)Google Scholar
- 6.Information Technology - Code of practice for information security management, ISO/IEC 17799:2005(E) (2005)Google Scholar
- 7.Information technology - Security techniques - Evaluation criteria for IT security ISO/IEC 15408-1:1999(E) (1999)Google Scholar
- 8.IT Baseline Protection Manual, BSI (2004)Google Scholar
- 9.Lampson, B.W.: Protection. In: Proc. Fifth Princeton Symposium on Information Sciences and Systems, Princeton University, March 1971, pp. 437–443 (1971)Google Scholar
- 10.Sandhu, R.S.: Lattice-based access control models. IEEE Computer 26(11), 9–19 (1993)Google Scholar
- 11.Sandhu, R.S., et al.: Role-Based Access Control Models. IEEE Computer 29(2), 38–47 (1996)Google Scholar
- 12.Thomas, R.K., Sandhu, R.S.: Task-Based Authorization Controls (TBAC): A Family of Models for Active and Enterprise-Oriented Authorization Management. In: Proceedings of the IFIP TC11 WG11.3 Eleventh International Conference on Database Security XI: Status and Prospects, August 10-13, pp. 166–181 (1997)Google Scholar