Abstract
As information infrastructure is becoming more and more complex, and connected, the security properties like confidentiality, integrity and availability are becoming more and more difficult to protect. The international community is adopting security standards such as ISO 17799 for best practices in security management and Common Criteria for security certification of IT products. It has been recognized that the security of enterprises has to be tackled from the point of view of a management structure than from a purely technological angle, and to achieve this, the primary need is to have a comprehensive security policy. A security model is a formal way of capturing such security policies. Most existing security models cannot support a wide range of security policies. The need is to develop a formal security model that combines the intricacies of the entire gamut of existing security models and supports security policies for a wide range of enterprises.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Bell, D.E., LaPadula, L.J.: Secure Computer Systems: Unified Exposition and Multics Interpretation. ESD-TR-75-306, MTR 2997 Rev. 1, The MITRE Corporation (March 1976)
Biba, K.J.: Integrity Considerations for Secure Computer systems. Mitre TR-3153, Mitre Corporation, Bedford, MA (April 1977)
Brewer, D.F.C., Nash, M.J.: The Chinese Wall Security Policy. In: Proceedings of the 1989 IEEE Computer Society Symposium on Security and Privacy, Oakland, California, May 1-3, 1989, pp. 206–214. IEEE Computer Society Press, Washington (1989)
Clark, D.D., Wilson, D.R.: Evolution of a Model for Computer Integrity. In: Report of the Invitational Workshop on Data Integrity, January 25-27, 1989, Gaithersburg, Maryland. NIST Special Publication, pp. 500–168 (1989)
Denning, D.E.: A Lattice Model of Secure Information Flow. Communications of ACM 19(5), 236–243 (1976)
Information Technology - Code of practice for information security management, ISO/IEC 17799:2005(E) (2005)
Information technology - Security techniques - Evaluation criteria for IT security ISO/IEC 15408-1:1999(E) (1999)
IT Baseline Protection Manual, BSI (2004)
Lampson, B.W.: Protection. In: Proc. Fifth Princeton Symposium on Information Sciences and Systems, Princeton University, March 1971, pp. 437–443 (1971)
Sandhu, R.S.: Lattice-based access control models. IEEE Computer 26(11), 9–19 (1993)
Sandhu, R.S., et al.: Role-Based Access Control Models. IEEE Computer 29(2), 38–47 (1996)
Thomas, R.K., Sandhu, R.S.: Task-Based Authorization Controls (TBAC): A Family of Models for Active and Enterprise-Oriented Authorization Management. In: Proceedings of the IFIP TC11 WG11.3 Eleventh International Conference on Database Security XI: Status and Prospects, August 10-13, pp. 166–181 (1997)
Yu, C.-F., Gligor, V.D.: A Specification and Verification Method for Preventing Denial of Service. IEEE Trans. on Software Engineering 16(6), 581–592 (1990)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Sengupta, A., Barik, M.S. (2006). Towards a Formal Specification Method for Enterprise Information System Security. In: Bagchi, A., Atluri, V. (eds) Information Systems Security. ICISS 2006. Lecture Notes in Computer Science, vol 4332. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11961635_31
Download citation
DOI: https://doi.org/10.1007/11961635_31
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-68962-1
Online ISBN: 978-3-540-68963-8
eBook Packages: Computer ScienceComputer Science (R0)