Cnss security model explained

Exercises: Answer problems 1 and 2 from the "Exercises" section

(page 35) of Chapter 1 of the textbook.

--------------------------------------------------------------------

   Exercises:

   Some hints on Chapter 1 Exercise 1 (page 35)

--------------------------------------------------------------------

A useful reference on the CNSS model can be found

in document NSTISSI No. 4011 from the National Training

Standard for Information Security Professionals

( www.cnss.gov/Assets/pdf/nstissi_4011.pdf )

To answer Exercise 1 (page 35 of text) please refer to Figure 1.2

(CNSS security model) on page 5 of Chapter 1 of the text.

The CNSS model of Figure 1.2 identifies the nine interacting

factors that influence the security of any resource. The nine

key factors are:

    (1) Policy: which deals with info security policies in place,

    (2) Education: which deals with education of users on security related issues,

    (3) Technology: which covers the technology used to implement security measures

    (4) Confidentiality: confidentiality of info/data

    (5) Integrity: addresses measures in place to ensure data integrity

    (6) Availability: to ensure authorized users access to information in usable format

    (7) Storage: issues dealing with data storage

    (8) Processing: issues that cover the processing and handling of data

    (9) Transmission: covers issues related to factors that influence transmission of data

These nine influencing factors can be modeled as a 3-dimensional cube as

shown in Figure 1.2, where the each of the three axes of the cube represent

three of these factors. When we consider the relationship among the three

dimensions represented by the axes shown in Figure 1.2 we have a 3 x 3 x 3

cube with 27 cells, where each cell represents an area of intersection among

the three dimensions that must be addressed.

In Exercise 1 you determine how you would address the different factors that impact

the security and protection of data/information pertaining to this class (such as student

information, student homework submissions, student discussion posts etc.) by applying

the CNSS model (Figure 1.2).

To apply the model, examine the intersecting cells on the CNSS cube from Figure 1.2

and determine how you could address some of the factors influencing security of class

information.

Some examples that you may consider are:

First you could consider the nine factors individually. For example,

(1) Confidentiality: Only students registered in the course have access to the

    course web page.

(2) Integrity: Students would have unit logins which would be their means to

    access the course webpage via eCollege. Students can only alter or modify

    their own work, and cannot change or delete another student's submitted work.

(3) Availability: The university would ensure that the eCollege site is accessible

    to all online students with minimal downtime for maintenance and upgrades.

 ... etc.

After you have addressed the individual factors, you can address the intersecting

cells in the CNSS security model of Figure 1.2. Some examples include:

 - Confidentiality/Policy/Storage - This cell represents the intersection of the

   factors Data Confidentiality, Security Policy, and Data Storage. This can be

   addressed by adopting the following policy:-- "Only students registered in the

   course are able to access course related material and student discussion posts.

   Additionally, homework assignments are only viewable by the instructor and the

   applicable student"

 - Integrity/Policy/Processing - formed by the intersection of the Integrity, Policy,

   and Processing cells in Figure 1.2. This can be addressed by having a policy such

   as:-- "The course would have a policy that would all work submitted by the students

   must represent their own work, and would properly cite all sources referenced."

 - Availability/Education/Processing - formed by the intersection of the Availability,

   Education, and Processing cells in Figure 1.2. This can be addressed by having a

   policy such as:--