CAB240 Lecture Notes - Lecture 5: Application Software, Mandatory Access Control, Discretionary Access Control

Information assets: data files, system documentation: services: computing, communications, power. First step is to identify all information assets, and understand risks to them (covered in 27002:2015 standard) If your name is on the list, you will not have access: whitelists: access forbidden to all unless expressly permitted. Separation of duties (privileges): for any critical task, divide the task up into a series of steps, each step being performed by a different entity. Major access control approaches: can use combinations of access control approaches, combining mandatory and discretionary access control approaches, mandatory access control is applied first, access is granted only if both of the approaches permit access. If access is granted by the mac, then the dac system is invoked: combining mandatory and discretionary access control approaches ensures that, no owner can make sensitive information available to unauthorised users, and.