|
"Domain-based security", abbreviated to "DBSy", is a model-based approach to help analyse information security risks in a business context and provide a clear and direct mapping between the risks and the security controls needed to manage them. A variant of the approach is used by the UK government's HMG Infosec Standard No.1 technical risk assessment method.〔HMG IA Standard No. 1 "Technical Risk Assessment", Issue 3.51, October 2009, http://www.cesg.gov.uk/publications/Documents/is1_risk_assessment.pdf accessed 15 August 2014〕 DBSy is a registered trade mark of QinetiQ Ltd. DBSy was developed in the late 1990s by the Defence Evaluation and Research Agency (DERA). It is a model-based approach to information assurance that describes the requirements for security in an organisation, taking account of the business that needs to be supported. The model is based around the concept of a security Domain, which represents a logical place where people work with information using a computer system, and which has connections with other security domains where this is necessary to support business activity. Hence the focus is on the information that needs protection, the people that work with it and the people they exchange information with. The model can also describe the physical environments where people work and the system boundaries where major system security measures are placed. A systematic method is then applied to the model to identify and describe the risks to which valuable information assets are exposed and specify security measures that are effective in managing the risks. ==History== DBSy has its origins in the late 1990s, having been developed by the Defence Evaluation and Research Agency (DERA) for the Ministry of Defence (MOD). Initially called the Domain-based Approach, it was developed alongside Purple Penelope to support the MOD's increasing need for interconnections between systems operating at different security levels ,〔B. Pomeroy and S. Wiseman, “Private desktops and shared store,” Proc. of 14th Computer Security Applications Conference, pp. 190–200, Phoenix, AZ, December 1998〕 .〔Macdonald R, "Purple Penelope and UK MOD’s Emerging Strategy for Information Security", September 1997 http://www.opengroup.org/security/meetings/sep97/Group.pdf Accessed May 27, 2014〕 It was recognised that the risks associated with such connections were directly related to the nature of the information exchange that was needed and that an effective model for understanding and managing the risks would need to take account of the business needs for information sharing. It was also recognised that the controlled release of information from a system handling secret information (sometimes referred to at the time as 'down grading' or 'sanitisation') was not adequately described by any of the existing models of Information security (notably Bell-LaPadula, Biba and the associated information flow models). Information flow models were found to be unhelpful in understanding the risks when information has to be shared with people and systems that are not entirely trusted. An effective model for understanding and managing the risks would need to take account of the business needs for exchanging information both within and outside an organisation .〔Chiew Pheng Goh, “A Security Model For A Defence-Related Organization” University of Wales, Aberystwyth 30 November 2003 http://www.aber.ac.uk/~dcswww/Dept/Teaching/MSc_dissertations/2003/Goh_Chiew_Pheng.pdf Accessed 26 August 2014〕 The modelling technique was applied to some major projects for the MOD and as a result of this experience the graphical modelling techniques were revised and a rigorous risk assessment method, based on the concepts of compromise paths was developed. An approach to IT security documentation through a project lifecycle was also created .〔Robinson C, Hughes K, “What are security documents for?- Objectives of MOD’s Accreditation Documents” Presented at the Annual Sunningdale Accreditor’s Conference, 23rd-24th September 2002〕 Domain Based Security conferences were held at QinetiQ Malvern in June 2005 and June 2006, promoting discussion of how it could be more widely used, both for defence 〔Hayat Z, Reeve J, Boutle C, "Domain Based Security: Improving Practices” Southampton University, sponsored by BAe Systems, 2005 http://www.hpl.hp.com/techreports/2005/HPL-2005-141.pdf Accessed 26 August 2014〕 and commercial systems .〔Monahon B et al., "DBSy in a Commercial Services Context” HP Laboratories Bristol, HPL-2005-141, August 4, 2005 http://www.hpl.hp.com/techreports/2005/HPL-2005-141.pdf Accessed 26 August 2014〕 A variant of the DBSy method was subsequently developed and incorporated into the UK government's HMG Infosec Standard No.1 Technical Risk Assessment method, the standard method to be used for security risk assessments for all government Information Technology systems. 抄文引用元・出典: フリー百科事典『 ウィキペディア(Wikipedia)』 ■ウィキペディアで「Domain-based security」の詳細全文を読む スポンサード リンク
|