Types of Security Policies

by Meden Reece.
Share
|
Homepage | Submit your article | Contact | TOS
More articles on data security  

You are here: Categories » Computers and technology » Data security

Each site has its own requirements for the levels of confidentiality, integrity, and availability, and the site policy states these needs for that particular site.

A military security policy (also called a governmental security policy) is a security policy developed primarily to provide confidentiality.

The name comes from the military's need to keep information, such as the date that a troop ship will sail, secret. Although integrity and availability are important, organizations using this class of policies can overcome the loss of eitherfor example, by using orders not sent through a computer network. But the compromise of confidentiality would be catastrophic, because an opponent would be able to plan countermeasures (and the organization may not know of the compromise).

Confidentiality is one of the factors of privacy, an issue recognized in the laws of many government entities (such as the Privacy Act of the United States and similar legislation in Sweden). Aside from constraining what information a government entity can legally obtain from individuals, such acts place constraints on the disclosure and use of that information. Unauthorized disclosure can result in penalties that include jail or fines; also, such disclosure undermines the authority and respect that individuals have for the government and inhibits them from disclosing that type of information to the agencies so compromised.

A commercial security policy is a security policy developed primarily to provide integrity.

The name comes from the need of commercial firms to prevent tampering with their data, because they could not survive such compromises. For example, if the confidentiality of a bank's computer is compromised, a customer's account balance may be revealed. This would certainly embarrass the bank and possibly cause the customer to take her business elsewhere. But the loss to the bank's "bottom line" would be minor. However, if the integrity of the computer holding the accounts were compromised, the balances in the customers' accounts could be altered, with financially ruinous effects.

Some integrity policies use the notion of a transaction; like database specifications, they require that actions occur in such a way as to leave the database in a consistent state. These policies, called transaction-oriented integrity security policies, are critical to organizations that require consistency of databases

EXAMPLE: When a customer moves money from one account to another, the bank uses a well-formed transaction. This transaction has two distinct parts: money is first debited to the original account and then credited to the second account. Unless both parts of the transaction are completed, the customer will lose the money. With a well-formed transaction, if the transaction is interrupted, the state of the database is still consistenteither as it was before the transaction began or as it would have been when the transaction ended. Hence, part of the bank's security policy is that all transactions must be well-formed.

The role of trust in these policies highlights their difference. Confidentiality policies place no trust in objects; so far as the policy is concerned, the object could be a factually correct report or a tale taken from Aesop's Fables. The policy statement dictates whether that object can be disclosed. It says nothing about whether the object should be believed.

Integrity policies, to the contrary, indicate how much the object can be trusted. Given that this level of trust is correct, the policy dictates what a subject can do with that object. But the crucial question is how the level of trust is assigned. For example, if a site obtains a new version of a program, should that program have high integrity (that is, the site trusts the new version of that program) or low integrity (that is, the site does not yet trust the new program), or should the level of trust be somewhere in between (because the vendor supplied the program, but it has not been tested at the local site as thoroughly as the old version)? This makes integrity policies considerably more nebulous than confidentiality policies. The assignment of a level of confidentiality is based on what the classifier wants others to know, but the assignment of a level of integrity is based on what the classifier subjectively believes to be true about the trustworthiness of the information.

Two other terms describe policies related to security needs; because they appear elsewhere, we define them now.

A confidentiality policy is a security policy dealing only with confidentiality.

An integrity policy is a security policy dealing only with integrity.

Both confidentiality policies and military policies deal with confidentiality; however, a confidentiality policy does not deal with integrity at all, whereas a military policy may. A similar distinction holds for integrity policies and commercial policies.

Share
Leave a comment or ask a question
Total comments: 0

Data security Disclaimer

  • The e-articles directory is not responsible for any and all copyright infringements by writers and authors. If you suspect the information contained by this page for any copyright infringements, please contact us to investigate the issue
Biometric Locks: How The Windows 7's Biometric Driver Helps You - Biometric technology is making it even easier to use computers. There's no need to remember passwords anymore because you can unlock your computer by using your fingerprint. Fingerprint readers a (more...)
How to speed up your computer - Most of People surf sites daily and don't care which should be visited, when they felt thier computer slow, they start worrying about it. Five tips You must adapt 1: Use Antivirus and update (more...)
Tips on Buying Biometric Locks - The security of your home is essential. You owe it to yourself and your loved ones to make sure you are safe at all times. So, with the development of biometric security locks things h (more...)
3 Signs You Need a Virus Removal Service - Virus and malware infestations are some of the most common computer repair problems that computer owners everywhere deals with. These malicious hijacking attempts of your (more...)
Six Myths about Nulled Scripts, or There's No Such Thing as Free Lunch - Once every so often our customers are asking us how come on some websites our software is sold at a fraction of price or is even free. They further ask how come they have to pay for the software if (more...)
How to protect against Spoofing and Session Hijacking - Spoofing is the term hackers use to describe the act of faking information sent to a computer. This is a broad definition of spoofing, but there are many subtle variations of this attack. Howev (more...)
Online Security on Public Computers - Using public computers can put you at risk for password hackers who use tools such as keystroke logging devices. Find out how to protect yourself from criminals preying on public computers. (more...)
How to Create a Strong Password - Using a password keeper can help you keep your online information more secure by allowing you to create more complex passwords for your Internet accounts without having to remember them. Here a (more...)
How Many Passwords do You Know to Protect Your Computer Privacy - 1.Administrators Password: It is the most common way to lock your computer. But is it the safest way? Mostly, it is the easiest way to lock your computer. How to (more...)
What will be a perfect password - Myth: if it is encrypted, it is secure Truth: if it is not encrypted, it is not secure Before creating a password you should know: ⑴ NO passwo (more...)
 
free content
    Copyright © 2006 - 2012 e-articles.info.
The texts, articles and tutorials in the directory are property of their respective owners and authors.