[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Security framework issues
|
From: |
Stanley A. Klein |
|
Subject: |
Security framework issues |
|
Date: |
Thu, 07 Nov 2002 13:10:54 |
I've been working on updating the security framework proposal I drafted in
May 2001. One thing I've been trying to do is to take some examples of
security requirements and show how they could be implemented using GNUe.
I've also been trying to infer what additional GNUe features, if any, would
facilitate implementation of the requirements.
I did some searching on the Net looking for examples -- even sanitized --
of real security requirements related to the business processes and data of
real enterprises. I had hoped to find specific requirements in places like
policy and procedures manuals or security policies or the like.
The pickings have been slim. I found two examples of Role Based Access
Control (RBAC) in documents from NIST. One involves medical facilities and
the other involves banking. In addition, there are some university policies
and procedures manuals posted on the Net from which requirements can be
inferred related to the US educational privacy laws. It might be possible
to infer some requirments from the US Health Insurance Portability and
Accountability Act (HIPAA), but it is rather difficult other than what the
NIST paper discusses.
The only other thing I found was a set of examples of the Mandatory Access
Control (MAC) security levels of three major corporations that were
included in a document of the Internet Engineering Task Force. MAC
security levels create security labels placed on data and corresponding
clearance levels placed on users. The lowest level is usually some variant
of "public information" and the top level some variant of "highly
sensitive" information that could result in severe damage to the enterprise
if disclosed or subjected to tampering.
There is a lot available on security as approached from viewpoints such as
general system administration, that do not focus on specific business
processes.
Can anyone suggest any real, business-process-oriented, security
requirments? I can construct some business process security requirements
scenarios from scratch, but I'd rather have them as close to real
requirements of real enterprises as possible.
Stan Klein
- Security framework issues,
Stanley A. Klein <=
- Message not available