Whitepaper 01-03: Formal Security Models and the Organization
Our organization performs work for and stores information on behalf of customers in the federal government. Our customers demand security, reliability, and scalability both for data storage and data access. To achieve these goals, we apply various formal security models to ensure that the data and systems we run operate within well-defined security perimeters. In this paper we look at selected formal security models to see how they enable us to satisfy customer requirements, thus helping us to provide the best possible value to them. Specifically, we examine:
- Brief definitions and key terms of selected formal security models.
- Our organization’s overall security policy (“statements outlining entity interaction, access control, protection methods, and remediation”)[i] and how security models (“requirements for proper support of and implementation of a security policy”)[ii] affect our organizational roles.
- How we use the Parkerian Hexad[iii] to guide our security structure.
We close this paper with our view of how computer security models will need to adapt to future threats.
[i] Shon Harris, “Information Security and Risk Management,” CISSP All-in-One (AIO), 4th ed. (New York: McGraw-Hill, 2007), pg. 279. For space considerations, we paraphrase Harris’ definition of a “security policy.”
[ii] Ibid., pg. 279. As before, we paraphrase the definition given in the text for a “security model.”
[iii] Seymour Bosworth, M.E. Kabay, Eric Whyne, eds., “Chapter 3.1: Proposal for a New Information Security Framework,” Computer Security Handbook: Volume 1, 4th ed. (Hoboken, NJ: John Wiley & Sons, Inc., 2009), pg. 97. See the Six Essential Security Elements for a listing of the Parkerian Hexad.