Part 1 Review Questions: What Is A Security Model?


Part 1: Review Questions

  1. What is a security model? What are the essential processes of access control?
  2. Identify at least two different approaches used to categorize access control methodologies. List the types of controls found in each.
  3. What is COBIT? Who is its sponsor? What does it accomplish?
  4. What is the standard of due care? How does it relate to due diligence?
  5. What is baselining? How does it differ from benchmarking?

Part 2: Module Practice

Make a list of at least ten information security metrics that could be collected for a small internet commerce company with 10 employees. For this scenario, the company uses an outside vendor for packaging and distribution. To whom should the metrics be reported?

Paper for the Above Instruction

Introduction

In today's digital age, ensuring the security of information systems is paramount for organizations of all sizes. This paper explores fundamental concepts such as security models, access control mechanisms, and frameworks like COBIT, alongside practical applications through metrics collection for small businesses. Understanding these elements is essential for establishing and maintaining effective security postures.

What is a Security Model?

A security model is a theoretical framework that defines how access to information is controlled within a system. It provides formal policies, rules, and mechanisms that specify how data is protected, who can access it, and under what circumstances. Security models serve as a blueprint for designing security architectures, ensuring that security policies are consistently applied and enforced across systems. Prominent examples include the Bell-LaPadula model, which emphasizes confidentiality, and the Biba model focusing on integrity (Sandhu et al., 1996).

Essential Processes of Access Control

Access control involves several core processes that work together to safeguard resources:

  • Identification: Verifying the identity of a user or system requesting access.
  • Authentication: Confirming the claimed identity through credentials such as passwords or biometrics.
  • Authorization: Granting permission to access specific resources based on the authenticated identity.
  • Accountability: Tracking user activities to ensure compliance and facilitate audits.

These processes form the backbone of any secure access control system, ensuring that only authorized entities can interact with sensitive data (Oberheide, 2021).

Approaches to Categorize Access Control Methodologies

Access control methodologies can be categorized based on different criteria:

  1. Discretionary Access Control (DAC) vs. Mandatory Access Control (MAC):
    • DAC allows data owners to determine access policies.
    • MAC enforces system-wide policies, typically based on clearances and labels.
  2. Role-Based Access Control (RBAC) vs. Attribute-Based Access Control (ABAC):
    • RBAC assigns permissions based on user roles within an organization.
    • ABAC considers user attributes, environment, and resource data for access decisions.

Each approach offers distinct advantages suited to different organizational needs.
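To make the four methodologies concrete, here is an added Python example (not part of the original paper) that evaluates one and the same access request under DAC, MAC, RBAC and ABAC; the subject, resource, label ordering, roles and policy rule are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Ordering of MAC classification labels (constructed for this example).
LEVELS = {"public": 0, "internal": 1, "confidential": 2}

@dataclass
class Subject:
    name: str
    clearance: str                                   # MAC: label the subject is cleared for
    roles: set = field(default_factory=set)          # RBAC: roles held
    attributes: dict = field(default_factory=dict)   # ABAC: e.g. department, hour of day

@dataclass
class Resource:
    name: str
    label: str                                       # MAC: classification label
    owner: str                                       # DAC: the owner sets the ACL
    acl: dict = field(default_factory=dict)          # DAC: {subject name: set of actions}
    attributes: dict = field(default_factory=dict)   # ABAC: e.g. owning department

def dac_allows(s, r, action):
    """DAC: the owner always has access; anyone else needs an ACL entry the owner granted."""
    return s.name == r.owner or action in r.acl.get(s.name, set())

def mac_allows(s, r, action):
    """MAC (Bell-LaPadula): no read up, no write down, decided by system-wide labels."""
    if action == "read":
        return LEVELS[s.clearance] >= LEVELS[r.label]
    if action == "write":
        return LEVELS[r.label] >= LEVELS[s.clearance]
    return False

# RBAC: permissions are attached to roles, never directly to people (constructed roles).
ROLE_PERMISSIONS = {"analyst": {"read"}, "admin": {"read", "write"}}

def rbac_allows(s, r, action):
    return any(action in ROLE_PERMISSIONS.get(role, ()) for role in s.roles)

def abac_allows(s, r, action):
    """ABAC: one policy over subject, resource and environment attributes."""
    same_dept = s.attributes.get("department") == r.attributes.get("department")
    office_hours = 9 <= s.attributes.get("hour", -1) < 18   # environment attribute
    return same_dept and office_hours and action == "read"

def decide(s, r, action):
    """Evaluate the same request under all four methodologies, for comparison."""
    return {"DAC": dac_allows(s, r, action), "MAC": mac_allows(s, r, action),
            "RBAC": rbac_allows(s, r, action), "ABAC": abac_allows(s, r, action)}
```

The point of running one request through all four is that they can disagree: an ACL entry or a role can grant a read that the system's labels forbid, which is exactly why MAC is described as enforcing policy regardless of the owner's wishes.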

Controls in Access Control Methodologies

In DAC and MAC, the controls are access permissions: set by the data owner in DAC, and imposed system-wide through labels and clearances in MAC. In RBAC and ABAC, the controls are role assignments, user and resource attributes, and the policies that evaluate them. Technical controls such as authentication mechanisms, encryption, and audit logs are integral across all methodologies (Ferraiolo et al., 2014).

COBIT: Framework Overview

COBIT (Control Objectives for Information and Related Technologies) is a comprehensive framework for IT governance and management. Sponsored by ISACA, COBIT provides guidelines, best practices, and metrics to ensure that IT supports organizational goals effectively (ISACA, 2012). It helps organizations align IT processes with business objectives, manage risks, and comply with regulations.

Standard of Due Care and Due Diligence

The standard of due care refers to the level of caution and prudence a reasonable organization should exercise to protect its assets and data. It is legal and ethical in nature, representing the effort expected in maintaining security. Due diligence involves proactive measures to identify and mitigate risks, including regular assessments and audits. While due care emphasizes current precautions, due diligence focuses on continuous risk management processes (Peltier, 2016).

Baselining and Benchmarking

Baselining involves establishing a reference point or standard for security measures within an organization, allowing comparisons over time to detect deviations. Benchmarking compares organizational practices against industry standards or best practices to identify improvements. Unlike baselining, which is internal and static, benchmarking is comparative and often dynamic, seeking external standards (Westby, 2015).

Security Metrics for a Small Internet Commerce Company

Effective security management relies on measurable metrics. For a small e-commerce business with 10 employees, metrics should focus on areas like user activity, system vulnerabilities, and compliance. Sample metrics include:

  1. Number of failed login attempts daily
  2. Number of successful authentication events
  3. Average time to detect a security incident
  4. Frequency of system patches applied
  5. Number of phishing attempts or suspicious emails received
  6. Number of security audits conducted annually
  7. Number of access requests granted or denied
  8. Latency or downtime in critical systems
  9. Amount of encrypted data transmitted
  10. Number of security awareness training sessions completed

Metrics should be reported to the company’s management team for strategic decision-making, and data collection should involve collaboration between IT staff and third-party vendors.
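As an added illustration that is not part of the original paper, the following Python derives three of the metrics listed above (items 1, 2 and 7) from a few constructed authentication and access log lines; the log format and field names are assumptions, and lines that do not match the expected format are counted rather than silently dropped, since a gap in the data is itself worth reporting.

```python
import re
from collections import Counter

# Constructed sample log (not real data); one deliberately malformed line at the end.
LOG_LINES = """\
2024-03-04T08:12:01Z auth user=alice result=success
2024-03-04T08:13:40Z auth user=mallory result=failure
2024-03-04T08:13:52Z auth user=mallory result=failure
2024-03-04T09:00:12Z access user=alice resource=orders decision=granted
2024-03-04T09:05:30Z access user=bob resource=payroll decision=denied
2024-03-05T07:55:09Z auth user=bob result=success
2024-03-05T07:58:44Z auth user=mallory result=failure
2024-03-05T10:20:00Z access user=bob resource=orders decision=granted
garbage line that the collector could not parse
""".splitlines()

# Assumed line formats: "<timestamp> auth user=<u> result=<success|failure>"
# and "<timestamp> access user=<u> resource=<r> decision=<granted|denied>".
AUTH_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ auth user=(?P<user>\S+) result=(?P<result>\S+)$")
ACCESS_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ access user=\S+ resource=\S+ decision=(?P<decision>\S+)$")

def compute_metrics(lines):
    """Return metrics 1 (failed logins per day), 2 (successful auth events)
    and 7 (access requests granted / denied), plus a count of unparsed lines."""
    failed_per_day = Counter()
    successful_auth = 0
    decisions = Counter()
    unparsed = 0
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            if m["result"] == "failure":
                failed_per_day[m["day"]] += 1
            elif m["result"] == "success":
                successful_auth += 1
            continue
        m = ACCESS_RE.match(line)
        if m:
            decisions[m["decision"]] += 1
            continue
        unparsed += 1          # surfaced in the report instead of being ignored
    return {
        "failed_logins_per_day": dict(failed_per_day),
        "successful_auth_events": successful_auth,
        "access_granted": decisions["granted"],
        "access_denied": decisions["denied"],
        "unparsed_lines": unparsed,
    }
```

In practice the same function would run over a day's worth of exported logs, and the resulting dictionary is the kind of summary the management team can act on without reading raw events.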

Reporting and Utilization of Metrics

Metrics for a small business using an external vendor for packaging and distribution should be communicated primarily to senior management and the owner. Regular reports can help assess vendor compliance, detect potential vulnerabilities, and guide security improvements. Maintaining open channels with vendors also ensures timely response to security incidents and better coordination (Kavanagh et al., 2019).

Conclusion

Understanding security models, processes, and frameworks like COBIT is vital for establishing robust information security practices. The use of practical metrics enables organizations, even small ones, to monitor and improve their security posture continuously. Effective communication and reporting of these metrics to key stakeholders ensure ongoing vigilance and risk mitigation, supporting the organization’s overall business objectives.

References

  • Ferraiolo, D., Kuhn, R., & Chandramouli, R. (2014). Role-Based Access Control. Artech House.
  • ISACA. (2012). COBIT 5: A Business Framework for the Governance and Management of Enterprise IT. ISACA.
  • Kavanagh, S., Johns, P., & Williams, S. (2019). Cybersecurity Metrics for Business Decision-Making. Journal of Cybersecurity, 5(2), 123-135.
  • Oberheide, D. (2021). Fundamentals of Access Control. SANS Institute.
  • Peltier, T. R. (2016). Information Security Rules: A How-to Guide to Protect Privacy and Secure Data. CRC Press.
  • Sandhu, R., Coyne, E. J., Feinstein, H. L., & Youman, C. E. (1996). Role-Based Access Control Models. IEEE Computer, 29(2), 38-47.
  • Westby, J. (2015). Network Security Assessment: Know Your Network. O'Reilly Media.