Policies & MetaPolicies Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: How.

Slides:



Advertisements
Similar presentations
Operating System Security
Advertisements

BIOMETRICS, CCTV & DATA PROTECTION By Drudeisha Madhub Data Protection Commissioner Date:
PIPA PRESENTATION PERSONAL INFORMATION PROTECTION ACT.
Availability Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Aspects of Computer.
Archiving: What Does It Mean For Me? December 2008.
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
Digital Signatures Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Digital.
SIU School of Medicine Identity Protection Act and Associated SIU Policy.
Assignment I, part 1. Groups of three students. Specify one as group leader. group names to TA and me. Create an object-oriented conceptualization.
Information Security Policies Larry Conrad September 29, 2009.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Policies.
Information Security Policies and Standards
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Normative vs. Descriptive vs. Pragmatic. Sad reality Faculty, staff and students are using mobile devices today, with or without our help (probably without)
introduction to MSc projects
Cryptography Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Cryptography 11.
EMu and Archives NA EMu Users Conference – Oct Slide 1 EMu and Archives Experiences from the Canada Science and Technology Museum Corporation.
Data Protection Act. Lesson Objectives To understand the data protection act.
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
Practical Information Management
Information Security Technological Security Implementation and Privacy Protection.
Searching Provenance Shankar Pasupathy, Network Appliance PASS Workshop, Harvard October 2005.
An Educational Computer Based Training Program CBTCBT.
Health & Social Care Apprenticeships & Diploma
Intrusion Detection Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Intrusion.
Sensitive Data Accessibility Financial Management College of Education Michigan State University.
Lecture 18 Page 1 CS 111 Online Access Control Security could be easy – If we didn’t want anyone to get access to anything The trick is giving access to.
Access Control Policies Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) 11 Coming up:
Feasibility Study.
MLS Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Multi-Level Security 11.
Lecture 15 Page 1 CS 236 Online Evaluating System Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Overview of Key Security Concepts and Vocabulary This Document was Funded by the National Science Foundation Federal Cyber Service Scholarship For Service.
OCR Nationals Level 3 Unit 3.  To understand how the Data Protection Act 1998 relates to the data you will be collecting, storing and processing  To.
Dan Fleck CS 469: Security Engineering
A Holistic Security Architecture for Distributed Information Systems – A Categorical Approach.
IT Professionalism Ethics Modified by Andrew Poon.
Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.
Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill Chapter 6 The Privacy and Security of Electronic Health Information.
SPI Class Goal Setting. What is a goal? Brainstorm as a class.
Modes of Usage Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) 11 Coming up: Modes of.
Seminar 2 – Part 1 Managing Data to Improve Business Performance Ref: Chapter 3 of Turban and Volonino.
Data Governance 101. Agenda  Purpose  Presentation (Elijah J. Bell) Data Governance Data Policy Security Privacy Contracts  FERPA—The Law  Q & A.
Aspects of Security Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Aspects.
INTERNAL CONTROLS What are they? Why should I care?
Information Technology & Ethics. Impact The impact of IT on information and communication can be categorized into 4 groups: privacy, accuracy, property,
Chap 8: Administering Security.  Security is a combination Technical – covered in chap 1 Administrative Physical controls SE571 Security in Computing.
Now what? 1.  I have short-listed projects I am interested in  I know the types of projects I would like to pursue  I have an idea of the resources.
Prepared By: Razif Razali 1 TMK 264: COMPUTER SECURITY CHAPTER SIX : ADMINISTERING SECURITY.
A Comparison of Commercial and Military Computer Security Presenter: Ivy Jiang1 A Comparison of Commercial and Military Computer Security Policies Authors:
Personal data protection in research projects
Privacy/Confidentiality – Principles and Regulations in the Social Sciences and Behavioral Research Moira Keane, MA, CIP University of Minnesota May 4,
Computer Laws Data Protection Act 1998 Computer Misuse Act 1990.
Software Security II Karl Lieberherr. What is Security Enforcing a policy that describes rules for accessing resources. Policy may be explicit or implicit.
PREPARED BY: MS. ANGELA R.ICO & MS. AILEEN E. QUITNO (MSE-COE) COURSE TITLE: OPERATING SYSTEM PROF. GISELA MAY A. ALBANO PREPARED BY: MS. ANGELA R.ICO.
BizSmart Lunch & Learn Webinar Information Security and Protecting your business With the increased risk of some sort of cyber- attack over the past few.
Lecturer: Eng. Mohamed Adam Isak PH.D Researcher in CS M.Sc. and B.Sc. of Information Technology Engineering, Lecturer in University of Somalia and Mogadishu.
Lecture 2 Page 1 CS 236 Online Security Policies Security policies describe how a secure system should behave Policy says what should happen, not how you.
Outline Basic concepts in computer security
What Is ISO ISO 27001, titled "Information Security Management - Specification With Guidance for Use", is the replacement for BS It is intended.
Legal and Ethical Responsibilities
Lecture 14: Business Information Systems - ICT Security
6 Principles of the GDPR and SQL Provision
Reporting personal data breaches to the ICO
LO2 - Be Able to Design IT Systems to Meet Business Needs
Neil Kirton and Zoë Newman
Security.
Identify the laws and guidelines that affect day-to-day use of IT.
Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Golden rules for handling personal data
Presentation transcript:

Policies & MetaPolicies Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: How Do We Define Security? 11

How Do We Define Security? We said that in the most general terms, security seems to mean something like “protection of assets against threats.” But this question is very specific to the context. Security is very different for: a wireless phone system a military database system an online banking system. If these have different associated notions of security, how do you specify the security requirements of a given system? Coming up: Policies 22

Policies Often, security for a given system is defined in terms of a security policy. A policy is a set of rules for implementing specific security goals. Another way to think of it is as a contract between the system designer/implementer and the customer. It should be both achievable (able to be followed) and adequate for the intended goals. Coming up: Thought Experiment 33

Thought Experiment Students’ academic records are stored on computers at the university. Design a security policy to protect them. You might start by asking: 1.What does it mean “to protect them”? 2.What are the potential threats? 3.Which of the following are important here: confidentiality, integrity, availability? 4.Who are the stakeholders, i.e., whose interests are at risk? 5.Do their interests conflict? How are conflicts resolved? Coming up: Evaluating A Policy 44

Evaluating A Policy If a policy is a set of rules, how do we decide if they are the right set of rules? GMU has in place a policy with the following rules, among others: 1.Faculty/staff may not use student SSNs in documents/files/postings. 2.Documents containing SSNs must be destroyed unless deemed necessary. 3.Documents containing SSNs and deemed necessary for retention must be kept in secure storage. These rules only make sense in service to a larger goal. What is it? Coming up: Metapolicy vs. Policy 55

Metapolicy vs. Policy A useful distinction is between the metapolicy and the policy. metapolicy: The overall security goals of the system. policy: A system-specific refinement of the metapolicy adequate to provide guidance to developers and users of the system. If you don’t understand the metapolicy, it becomes difficult to justify and evaluate the policy. Often the metapolicy will be in terms of confidentiality, integrity, and availability; the policy will be in terms of mechanisms like firewalls, encryption, locked drawers, etc. Coming up: So Why Have a Policy? 66

So Why Have a Policy? If the “metapolicy” is what we really care about, why bother with the policy at all? 1.The metapolicy is often too general to provide adequate guidance. 2.The metapolicy may be subject to multiple interpretations. 3.There may be multiple acceptable policies that accomplish the security goals. 4.The policy provides specific and enforceable guidelines to the system user/developer. Coming up: Lessons 77

Lessons System security is often characterized in terms of a security policy, a set of rules governing activities within the system. The policy will seem arbitrary unless you understand the metapolicy, the overarching security goals. How would you phrase the GMU meta-policy for highly sensitive data? What are some of the policies surrounding it? See the link and tell me: End of presentation 88

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.