Isc2 Cissp 3 2 1 Fundamental Concepts of Security Models
Objectives:
Understand the fundamental concepts of security models and apply the
recommended guidance pertinent to them in your daily practice as an
information security professional.
External Resources:
================================================================================
State Machine Model - based on the computer science definition of a Finite State
Machine (FSM), which describes the behavior of a system as it moves between one
state and another.
Take-Grant Model - uses a small set of rules to govern how rights can be passed
from one subject to another or from a subject to an object. The model is drawn
as a directed graph (subjects and objects as nodes, rights as labeled edges) and
has four rules:
Take rule - allows a subject to take the rights that another subject or object
holds over a third node.
Grant rule - allows a subject to grant its own rights to another subject or
object.
Create rule - allows a subject to create a new object (or subject) and receive
rights over it.
Remove rule - allows a subject to remove rights it holds over an object.
Multilevel Lattice Models - describe strict layers of subjects and objects and
define clear rules that allow or disallow interactions between them based on
the layers they are in. Subjects are assigned security clearances that define
which layer they belong to, and objects are classified into the same set of
layers. Corresponding security labels are attached to every subject and object.
Under this type of model, the clearance of the subject is compared with the
classification of the object to determine access. The model also considers what
the subject is trying to do (read or write) to decide whether the access should
be allowed, because a level that is permitted to read an object is not
necessarily permitted to write to it.
Specific Models:
2. Biba - INTEGRITY !!! (only). Like Bell-LaPadula, requires that all
subjects & objects carry a label, but the label describes integrity, not
confidentiality. Designed to address ONLY the first of the three integrity
goals:
1) prevent unauthorized subjects from modifying objects,
2) prevent authorized subjects from making improper modifications,
3) maintain internal and external consistency of data.
Properties:
a. Simple Integrity Property - a subject cannot read an object at a lower
integrity level ... NO READ DOWN
b. * (Star) Integrity Property - a subject cannot write to an object at a
higher integrity level ... NO WRITE UP
c. Invocation Property - a subject cannot invoke (call) a subject at a higher
integrity level
3. Clark-Wilson - INTEGRITY, addressing all three integrity goals. Instead of
labels, it controls access through well-formed transactions: subjects may only
change protected data via certified programs (transformation procedures, TPs),
and each subject is authorized for specific (subject, TP, data item) triples.
Principles:
a. well-formed transactions - data is changed only through certified TPs that
move it from one consistent state to another
b. separation of duties - the person who certifies a TP may not be the one who
executes it, and critical operations are split between people
Data items:
a. constrained data item (CDI) - any data item protected by the model; it may
only be modified through a TP and is checked by integrity verification
procedures (IVPs)
b. unconstrained data item (UDI) - any data item not protected by the model,
such as raw user input; a TP may validate a UDI and turn it into a CDI
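The lattice and Biba sections above describe access decisions in words; the following Python is an added example (not from the ISC2 page) that encodes both Bell-LaPadula confidentiality rules and Biba integrity rules over a lattice of level plus need-to-know categories, so a single request is checked against every applicable rule. The level names, categories, subject and objects are constructed for illustration.

```python
"""Access decision in a multilevel lattice combining Bell-LaPadula
(confidentiality: no read up, no write down) with Biba (integrity: no read
down, no write up). Added example, not from the ISC2 page; the level names,
categories, subjects and objects are constructed for illustration."""
from dataclasses import dataclass

# Confidentiality levels and Biba integrity levels are two separate orderings.
SECRECY = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
INTEGRITY = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


@dataclass(frozen=True)
class Label:
    """Security label: hierarchical level plus a set of need-to-know categories."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        """Lattice order: higher-or-equal level AND superset of categories.
        Labels with disjoint categories are incomparable, so neither dominates."""
        return (SECRECY[self.level] >= SECRECY[other.level]
                and self.categories >= other.categories)


@dataclass(frozen=True)
class Entity:
    """A subject (clearance) or object (classification) carrying both labels."""
    name: str
    secrecy: Label
    integrity: str


def decide(subject, obj, op):
    """Return (allowed, reasons). A request must pass every applicable rule;
    the reasons list names each rule that blocked it."""
    reasons = []
    if op == "read":
        if not subject.secrecy.dominates(obj.secrecy):
            reasons.append("BLP simple security: no read up")
        if INTEGRITY[obj.integrity] < INTEGRITY[subject.integrity]:
            reasons.append("Biba simple integrity: no read down")
    elif op == "write":
        if not obj.secrecy.dominates(subject.secrecy):
            reasons.append("BLP *-property: no write down")
        if INTEGRITY[subject.integrity] < INTEGRITY[obj.integrity]:
            reasons.append("Biba *-integrity: no write up")
    else:
        raise ValueError(f"unknown operation {op!r}")
    return not reasons, reasons


# Constructed sample subject and objects (hypothetical names).
ANALYST = Entity("analyst", Label("SECRET", frozenset({"NUCLEAR"})), "MEDIUM")
WAR_PLAN = Entity("war_plan", Label("TOP SECRET", frozenset({"NUCLEAR"})), "HIGH")
MEMO = Entity("memo", Label("CONFIDENTIAL"), "LOW")
CRYPTO_KEY = Entity("crypto_key", Label("SECRET", frozenset({"CRYPTO"})), "MEDIUM")
REPORT = Entity("report", Label("SECRET", frozenset({"NUCLEAR"})), "MEDIUM")

if __name__ == "__main__":
    for obj in (WAR_PLAN, MEMO, CRYPTO_KEY, REPORT):
        for op in ("read", "write"):
            allowed, why = decide(ANALYST, obj, op)
            verdict = "ALLOW" if allowed else "DENY"
            print(f"{ANALYST.name} {op:5} {obj.name:10} -> {verdict} {why}")
```

Note that the analyst can neither read nor write the crypto_key object even though it sits at the same SECRET level: its category set is not comparable with the analyst's, which is exactly the need-to-know partitioning the lattice adds on top of a plain hierarchy. The only object that passes both reads and writes is the one at the same confidentiality and integrity level as the subject.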
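The well-formed transaction, separation of duties and CDI/UDI ideas are easier to see as an enforcement loop. The Python below is an added example (not from the ISC2 page) of a minimal Clark-Wilson style monitor: CDIs are only changed through certified TPs, each user holds access triples, IVPs check consistency after every TP and roll back on failure, and the certifier of a TP is barred from executing it. The ledger, TP name and user names are constructed for illustration.

```python
"""Clark-Wilson enforcement sketch. Added example, not from the ISC2 page;
the ledger, TP and user names are constructed for illustration."""


class ClarkWilson:
    def __init__(self, cdis, ivps):
        self.cdis = dict(cdis)      # constrained data items: name -> value
        self.ivps = list(ivps)      # integrity verification procedures: cdis -> bool
        self.tps = {}               # tp name -> (function, certifier)
        self.triples = set()        # (user, tp, frozenset of CDI names)
        self.audit = []             # append-only record of committed TPs

    def certify_tp(self, name, func, certifier):
        """Certification rule: only TPs vetted by a certifier may touch CDIs."""
        self.tps[name] = (func, certifier)

    def grant(self, user, tp, cdis):
        """Enforcement rule: user may run tp only on this exact CDI set."""
        self.triples.add((user, tp, frozenset(cdis)))

    def execute(self, user, tp, cdis, *args):
        """Run a TP as a well-formed transaction; returns (ok, state_or_reason)."""
        cdis = frozenset(cdis)
        if tp not in self.tps:
            return False, "denied: uncertified TP"
        func, certifier = self.tps[tp]
        if user == certifier:
            return False, "denied: separation of duties (certifier may not execute)"
        if (user, tp, cdis) not in self.triples:
            return False, "denied: no access triple for this user/TP/CDI set"
        if not cdis <= set(self.cdis):
            return False, "denied: triple names an item that is not a CDI"
        snapshot = dict(self.cdis)
        func(self.cdis, *args)                       # the transformation itself
        touched = {k for k in self.cdis if self.cdis[k] != snapshot[k]}
        if not touched <= cdis:
            self.cdis = snapshot
            return False, "rolled back: TP modified CDIs outside its triple"
        for ivp in self.ivps:                        # must end in a consistent state
            if not ivp(self.cdis):
                self.cdis = snapshot                 # roll back to last good state
                return False, f"rolled back: IVP {ivp.__name__} failed"
        self.audit.append((user, tp, cdis, args))
        return True, dict(self.cdis)


def transfer(cdis, src, dst, amount):
    """Hypothetical TP: move funds between two accounts."""
    cdis[src] -= amount
    cdis[dst] += amount


def no_overdraft(cdis):
    """IVP: no account may go negative."""
    return all(v >= 0 for v in cdis.values())


def build_demo():
    """Constructed sample system: two accounts, a certified transfer TP, and a
    teller authorised for it; the auditor who certified it may not run it."""
    ledger = {"acct_a": 100, "acct_b": 200}

    def total_conserved(cdis):          # IVP: transfers must not create money
        return sum(cdis.values()) == 300

    cw = ClarkWilson(ledger, [no_overdraft, total_conserved])
    cw.certify_tp("transfer", transfer, certifier="auditor")
    cw.grant("teller", "transfer", {"acct_a", "acct_b"})
    return cw


if __name__ == "__main__":
    cw = build_demo()
    print(cw.execute("teller", "transfer", {"acct_a", "acct_b"}, "acct_a", "acct_b", 50))
    print(cw.execute("teller", "transfer", {"acct_a", "acct_b"}, "acct_a", "acct_b", 500))
    print(cw.execute("auditor", "transfer", {"acct_a", "acct_b"}, "acct_a", "acct_b", 10))
    print(cw.execute("intern", "transfer", {"acct_a", "acct_b"}, "acct_a", "acct_b", 10))
```

The rollback is what makes the transaction well-formed in the Clark-Wilson sense: a TP is allowed to pass through an inconsistent intermediate state, but the CDIs a user can observe are always the output of a TP that satisfied every IVP. Anything that arrives from outside (a request amount typed by a user) is a UDI until a TP has validated it.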
CSA Security Trust, Assurance and Risk (STAR) is a program for security assurance
in the cloud. STAR encompasses key principles of transparency, rigorous auditing,
and harmonization of standards. The STAR program provides multiple benefits,
including indications of best practices and validation of security posture of
cloud offerings.
The Consensus Assessments Initiative Questionnaire (CAIQ) is based upon the
Cloud Controls Matrix (CCM) and provides a set of Yes/No questions that a cloud
consumer or cloud auditor may wish to ask a cloud provider to ascertain its
compliance with the CCM.
The CSA Code of Conduct for GDPR Compliance includes all the necessary requirements
a Cloud Service Provider has to satisfy in order to comply with the EU GDPR.
One of the most essential features of the STAR program is its registry, which
documents the security and privacy controls provided by popular cloud computing
offerings.
Level One: Self-Assessment - There are different options for completing each
level of assurance. For level one organizations can choose to complete one or
both of the security and privacy self-assessments.
All Levels: Continuous Auditing - Each level of STAR also has a continuous
auditing option that allows an organization to increase its transparency.