A framework for the management of information security

  • Security Management
  • Conference paper
Information Security (ISW 1997)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 1396)

Abstract

Information security is strongly dependent on access control models and cryptographic techniques. These are well-established areas of research and practice for enforcing technical information security policies, but they cannot by themselves support the development of comprehensive information security within organizations. There is therefore a need to study higher-level issues in order to establish organizational models for specifying security enforcement mechanisms and coordinating policies. This paper proposes a model for dealing with high-level information security policies. Its core is a continuous refinement of information security requirements, aiming at formally deriving technical security policies from high-level security objectives. This refinement is carried out by information security harmonization functions. The contribution of this paper is the specification of a notation for expressing information security requirements and of a mechanism for formulating harmonization functions.
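The abstract describes a refinement chain from organizational security objectives down to technical policies, with harmonization functions checking that the chain is consistent. The paper's own notation is not reproduced on this page; the following is an added illustrative model, not the authors' notation or code. It assumes a deliberately simple form: each requirement restricts one property of one asset to a set of allowed values, a refinement at level n+1 may only narrow what its level-n parent permits, and the technical policy for an asset is the intersection of all leaf requirements on it. The asset and role names are constructed sample data.

```python
"""Illustrative refinement-and-harmonization model (added example, not the paper's notation).

Assumptions made here, not taken from the paper:
  * a requirement restricts one property of one asset to a set of allowed values;
  * a level n+1 requirement refines exactly one level n requirement and may not
    permit anything its parent forbids;
  * the technical policy for (asset, property) is the intersection of the
    constraints of all leaf requirements on it, so a harmonized set always
    yields a non-empty, jointly satisfiable policy.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Requirement:
    rid: str
    level: int                     # 0 = organizational objective; higher = more technical
    asset: str                     # what the requirement protects
    prop: str                      # which property it constrains, e.g. "read-access"
    allowed: FrozenSet[str]        # values the requirement permits
    refines: Optional[str] = None  # parent requirement id; None for a top-level objective


def harmonize(reqs: List[Requirement]) -> List[str]:
    """Return findings; an empty list means the requirement set is harmonized."""
    by_id = {r.rid: r for r in reqs}
    findings: List[str] = []

    # Structural checks on each refinement step.
    for r in reqs:
        if r.refines is None:
            if r.level != 0:
                findings.append(f"{r.rid}: level {r.level} requirement has no parent objective")
            continue
        parent = by_id.get(r.refines)
        if parent is None:
            findings.append(f"{r.rid}: refines unknown requirement {r.refines}")
            continue
        if parent.level != r.level - 1:
            findings.append(f"{r.rid}: level {r.level} must refine a level {r.level - 1} "
                            f"requirement, not {parent.rid} (level {parent.level})")
        if (parent.asset, parent.prop) != (r.asset, r.prop):
            findings.append(f"{r.rid}: refines {parent.rid} but targets a different asset or property")
        widened = r.allowed - parent.allowed
        if widened:
            findings.append(f"{r.rid}: permits {sorted(widened)} which {parent.rid} forbids")

    # Leaf requirements are the ones nothing else refines; they must be jointly satisfiable.
    refined = {r.refines for r in reqs if r.refines is not None}
    groups: Dict[Tuple[str, str], List[Requirement]] = {}
    for leaf in (r for r in reqs if r.rid not in refined):
        groups.setdefault((leaf.asset, leaf.prop), []).append(leaf)
    for (asset, prop), group in groups.items():
        effective = group[0].allowed
        for g in group[1:]:
            effective &= g.allowed
        if not effective:
            ids = sorted(g.rid for g in group)
            findings.append(f"{asset}/{prop}: leaf requirements {ids} have no common allowed value (conflict)")
    return findings


def derive_policy(reqs: List[Requirement]) -> Dict[Tuple[str, str], FrozenSet[str]]:
    """Technical policy per (asset, property): intersection of leaf constraints.

    Only meaningful once harmonize(reqs) returns no findings.
    """
    refined = {r.refines for r in reqs if r.refines is not None}
    policy: Dict[Tuple[str, str], FrozenSet[str]] = {}
    for leaf in (r for r in reqs if r.rid not in refined):
        key = (leaf.asset, leaf.prop)
        policy[key] = leaf.allowed if key not in policy else policy[key] & leaf.allowed
    return policy


# Constructed sample: two departments refine the same objective inconsistently,
# and one technical rule widens access beyond what its parent allows.
ROLES = frozenset({"clerk", "manager", "auditor"})
CONFLICTING = [
    Requirement("O1", 0, "customer-records", "read-access", ROLES),
    Requirement("R1", 1, "customer-records", "read-access", frozenset({"clerk", "manager"}), refines="O1"),
    Requirement("R2", 1, "customer-records", "read-access", frozenset({"auditor"}), refines="O1"),
    Requirement("T1", 2, "customer-records", "read-access", frozenset({"clerk", "manager", "intern"}), refines="R1"),
]
HARMONIZED = [
    Requirement("O1", 0, "customer-records", "read-access", ROLES),
    Requirement("R1", 1, "customer-records", "read-access", frozenset({"clerk", "manager"}), refines="O1"),
    Requirement("R2", 1, "customer-records", "read-access", frozenset({"manager", "auditor"}), refines="O1"),
    Requirement("T1", 2, "customer-records", "read-access", frozenset({"clerk", "manager"}), refines="R1"),
]

if __name__ == "__main__":
    for line in harmonize(CONFLICTING):
        print("finding:", line)
    print("harmonized findings:", harmonize(HARMONIZED))
    print("derived policy:", derive_policy(HARMONIZED))
```

Run on CONFLICTING, the harmonization function reports that T1 permits a role (intern) its parent forbids and that the leaves R2 and T1 leave no common allowed reader, so no technical policy can satisfy both; on HARMONIZED it reports nothing and the derived policy is read-access limited to "manager". The point carried over from the abstract is that conflicts between independently refined requirements surface at the refinement level, before any access-control list is written.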

Editor information

Eiji Okamoto, George Davida, Masahiro Mambo

Copyright information

© 1998 Springer-Verlag Berlin Heidelberg

Cite this paper

Leiwo, J., Zheng, Y. (1998). A framework for the management of information security. In: Okamoto, E., Davida, G., Mambo, M. (eds) Information Security. ISW 1997. Lecture Notes in Computer Science, vol 1396. Springer, Berlin, Heidelberg. https://doi.org/10.1007/BFb0030424

  • DOI: https://doi.org/10.1007/BFb0030424

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-64382-1

  • Online ISBN: 978-3-540-69767-1
