
Security, RBAC data model


The fundamentals of working with security in a standard way should be documented somewhere.


Many references on technical subjects like LDAP, DAC and RBAC can be found, but not the higher-level logical design.

The glossary IT contains many links with an IT background.
The glossary contains many links with general background.
Worked-out samples are at My Gathered Samples.




Policies

This is daily life. Using words with a limited view of environments leads to much misunderstanding.


Policies Education


References this site

I have put them on dedicated pages as follows.


Universities study - Policies engineering

The fundamentals of policies are getting more important.



Ethical hacking

Ethical hacking (wiki) is an action on systems that are already running.
Security experts are convinced that the necessary security should be built in at the start of a project, not something to be done afterwards.
A whole new area for IT security is rising, as information is so often getting leaked nowadays.
Netherlands: Bart Jacobs, Professor of Software Security and Correctness





Policies frameworks



Policies References


WEB Information is about ..

Regulations are enforced. At a high level they are known by the well-known names: Sarbanes-Oxley_Act   Basel_Accord   Solvency_II_Directive. The SOX 404 chapter is IT related and mentions segregation of duties. It is about Risk_management.

Something less high level, with some detailed guidelines, comes from institutes like ISACA, ITGI and SANS.
End-user computing, with the discouraging of Excel usage (lack of auditability and traceability), is (I believe) mentioned.
G38-Access-Controls-Guideline-13Nov07 - subparagraph 2.12.4 ++ this document has been withdrawn Jan 2013 ++ Download for members, paid for
IT-Audit-and-Assurance-Guidelines
Aligning-COBIT,ITILV3,ISO27002-Bus-Benefit-12Nov08-Research pdf 2008
ISO27002
Practitioner Insights and Good Practices of IT Risk Management (Symantec)
Case studies and overviews with recommendations are found at:

Germany has its own institutes. Some information:

The Netherlands has its own institutes. Some information:

Private information - public
Digital security - government (now)
NCSC NL, its own service
cloud (NCSC)
Raamwerk beveiliging webapplicaties (NCSC framework for securing web applications)
More guidelines, with the references found, are:



Requirements Security Segregation

There are many guidelines and policies a business has to formulate. There are no common rules for an implementation.
It is all about "risk assessment" and measures. Some things always come back, namely:
  1. segregation of environments, like Develop, Test and Production
  2. segregation of duties: a single person or event may not be capable of causing serious impact
  3. the model must be easy to understand and the implementation must be easy to verify
  4. least privilege: don't authorize more than necessary for the job
The last statement should be interpreted with caution. Trying to implement something with too many details that have no impact will cause a complexity that nobody understands anymore.
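As an added example (not code from the original page), a small RBAC data model in Python that makes the four recurring requirements checkable: roles may only grant permissions in a known DTAP environment, segregation of duties is expressed as mutually exclusive roles, effective permissions can be listed per user so an auditor can verify them, and roles that were never exercised are reported for least privilege. The application, role and user names are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple

Permission = Tuple[str, str, str]  # (application, environment, action)
ENVIRONMENTS = ("develop", "test", "acceptance", "production")  # the DTAP split


@dataclass
class RbacModel:
    roles: Dict[str, FrozenSet[Permission]] = field(default_factory=dict)
    assignments: Dict[str, Set[str]] = field(default_factory=dict)  # user -> role names
    exclusive: Set[FrozenSet[str]] = field(default_factory=set)      # role pairs one person may not hold

    def add_role(self, name: str, perms: Set[Permission]) -> None:
        if any(env not in ENVIRONMENTS for _app, env, _action in perms):
            raise ValueError("unknown environment in role " + name)  # requirement 1
        self.roles[name] = frozenset(perms)

    def forbid_together(self, role_a: str, role_b: str) -> None:
        self.exclusive.add(frozenset((role_a, role_b)))  # requirement 2: segregation of duties

    def assign(self, user: str, role: str) -> None:
        held = self.assignments.setdefault(user, set())
        for other in held:
            if frozenset((role, other)) in self.exclusive:
                raise ValueError(f"{user}: {role} conflicts with {other} (segregation of duties)")
        held.add(role)

    def effective_permissions(self, user: str) -> Set[Permission]:
        # Requirement 3: the outcome is enumerable, so an auditor can verify it.
        return set().union(*(self.roles[r] for r in self.assignments.get(user, ())))

    def environments_of(self, user: str) -> Set[str]:
        # Shows at a glance who can touch both develop and production.
        return {env for _app, env, _action in self.effective_permissions(user)}

    def unused_roles(self, user: str, used: Set[Permission]) -> Set[str]:
        # Requirement 4: least privilege; roles whose permissions were never exercised.
        return {r for r in self.assignments.get(user, ()) if not self.roles[r] & used}


def build_sample() -> RbacModel:
    # Constructed sample: one business application ("ledger") across the DTAP environments.
    m = RbacModel()
    m.add_role("ledger-developer", {("ledger", "develop", "deploy"), ("ledger", "test", "deploy")})
    m.add_role("ledger-operator", {("ledger", "production", "deploy"), ("ledger", "production", "read")})
    m.add_role("ledger-auditor", {("ledger", "production", "read")})
    m.forbid_together("ledger-developer", "ledger-operator")  # a developer may not also deploy to production
    m.assign("alice", "ledger-developer")
    m.assign("bob", "ledger-operator")
    m.assign("bob", "ledger-auditor")
    return m
```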




IT is the working-out of the RBAC goal. RBAC at a high level misses the low-level implications of technical components.



Relationships

When modelling the security relations, a practical simplified approach for implementation is possible, using RACF/LDAP/AD with DAC or MAC access controls. Remarkable: the low-level infrastructure is not part of these visible relations.
Placing the physical parts of a business process will give a connection to it (low-level infra).
Using the connecting middleware/tools will give a connection to it (low-level infra).





Objects involved

Users / Accounts / Keys



Groups



Business applications



Tools Infra components

As with BI, tools are around for identity services and administration. They are evaluated by analysts:




Implementations



RBAC

AD LDAP RACF




Monitoring Auditing




Opinions are often biased; it is more difficult to find real arguments:



Penetration tests



White hat

Other user registrations: DBMS/Oracle, SAS.

Blogs (english)


Blogs (dutch)

Pieces are sometimes translated or are specifically local:




© 2012 J.A.Karman (26 feb 2012 - more to do)


I'm working mostly on other pages at this moment (Jul 2012).
Found this was a subject to do as a dedicated subject. Links and paragraphs will be moved here.
For most of the time this page will be a mash-up. As soon as I see the hit ratio grow I will do a clean-up.