The automatic generation of information security profiles

Pottas, Dalenca

07 October 2014

D.Phil. (Computer Science) / Security needs have changed considerably in the past decade as the economics of computer usage necessitates increased business reliance on computers. As more individuals need computers to perform their jobs, more detailed security controls are needed to offset the risk inherent in granting more people access to computer systems. Traditionally, computer security administrators have been tasked with configuring' , security systems by setting controls on the actions of users. This basically entails the compilation of access rules (contained in security profiles), which state who can access what resources in what way. The task of building these rules is of considerable magnitude and is in general not well understood. Adhoc approaches, characterized by exhaustive interviewing and endless printouts of organizational data repositories, are usually followed. In the end, too much is left to the discretion of the security administrators...

Computers - Access control

Data protection

Computer security

Biometriese enkelaantekening tot IT stelsels

Tait, Bobby Laubscher

21 April 2009

M.Comm.

Computer security

Access control

Security measures

Biometry

Information security assurance model for an examination paper preparation process in a higher education institution

Mogale, Miemie

January 2016

In today’s business world, information has become the driving force of organizations. With organizations transmitting large amounts of information to various geographical locations, it is imperative that organizations ensure the protection of their valuable commodity. Organizations should ensure that only authorized individuals receive, view and alter the information. This is also true to Higher Education Institutions (HEIs), which need to protect its examination papers, amongst other valuable information. With various threats waiting to take advantage of the examination papers, HEIs need to be prepared by equipping themselves with an information security management system (ISMS), in order to ensure that the process of setting examination papers is secure, and protects the examination papers within the process. An ISMS will ensure that all information security aspects are considered and addressed in order to provide appropriate and adequate protection for the examination papers. With the assistance of information security concepts and information security principles, the ISMS can be developed, in order to secure the process of preparing examination papers; in order to protect the examination papers from potential risks. Risk assessment form part of the ISMS, and is at the centre of any security effort; reason being that to secure an information environment, knowing and understanding the risks is imperative. Risks pertaining to that particular environment need to be assessed in order to deal with those appropriately. In addition, very important to any security effort is ensuring that employees working with the valuable information are made aware of these risks, and can be able to protect the information. Therefore, the role players (within the examination paper preparation process (EPPP)) who handle the examination papers on a daily basis have to be equipped with means of handling valuable information in a secure manner. Some of the role players’ behaviour and practices while handling the information could be seen as vulnerabilities that could be exploited by threats, resulting in the compromise in the CIA of the information. Therefore, it is imperative that role players are made aware of their practices and iv behaviour that could result in a negative impact for the institution. This awareness forms part and is addressed in the ISMS.

Computers -- Access control

Towards a user centric model for identity and access management within the online environment

Deas, Matthew Burns

January 2008

Today, one is expected to remember multiple user names and passwords for different domains when one wants to access on the Internet. Identity management seeks to solve this problem through creating a digital identity that is exchangeable across organisational boundaries. Through the setup of collaboration agreements between multiple domains, users can easily switch across domains without being required to sign in again. However, use of this technology comes with risks of user identity and personal information being compromised. Criminals make use of spoofed websites and social engineering techniques to gain illegal access to user information. Due to this, the need for users to be protected from online threats has increased. Two processes are required to protect the user login information at the time of sign-on. Firstly, user’s information must be protected at the time of sign-on, and secondly, a simple method for the identification of the website is required by the user. This treatise looks at the process for identifying and verifying user information, and how the user can verify the system at sign-in. Three models for identity management are analysed, namely the Microsoft .NET Passport, Liberty Alliance Federated Identity for Single Sign-on and the Mozilla TrustBar for system authentication.

Computers -- Access control

Computer networks -- Security measures

A Certified Core Policy Language

Sistany, Bahman

January 2016

We present the design and implementation of a Certified Core Policy Language (ACCPL) that can be used to express access-control rules and policies. Although full-blown access-control policy languages such as eXtensible Access Control Markup Language (XACML) [OAS13] already exist, because access rules in such languages are often expressed in a declarative manner using fragments of a natural language like English, it isn’t alwaysclear what the intended behaviour of the system encoded in these access rules should be. To remedy this ambiguity, formal specification of how an access-control mechanism should behave, is typically given in some sort of logic, often a subset of first order logic. To show that an access-control system actually behaves correctly with respect to its specification, proofs are needed, however the proofs that are often presented in the literature are hard or impossible to formally verify. The verification difficulty is partly due to the fact that the language used to do the proofs while mathematical in nature, utilizes intuitive justifications to derive the proofs. Intuitive language in proofs means that the proofs could be incomplete and/or contain subtle errors. ACCPL is small by design. By small we refer to the size of the language; the syntax, auxiliary definitions and the semantics of ACCPL only take a few pages to describe. This compactness allows us to concentrate on the main goal of this thesis which is the ability to reason about the policies written in ACCPL with respect to specific questions. By making the language compact, we have stayed away from completeness and expressive power in several directions. For example, ACCPL uses only a single policy combinator, the conjunction policy combinator. The design of ACCPL is therefore a trade-off between ease of formal proof of correctness and expressive power. We also consider ACCPL a core policy access-control language since we have retained the core features of many access-control policy languages. For instance ACCPL employs a single condition type called a “prerequisite” where other languages may have very expressive and rich sets of conditions.

access-control

formal verification

proofs

policy language

Public records : a study in archival theory

Livelton, Trevor

January 1991

This thesis provides a theoretical examination of the nature of public records. The study begins by outlining a view of archival theory as knowledge resulting from the analysis of ideas. This form of analysis is first applied to the concept of records, and then to the narrower concept of public records. The result is a view of public records as documents made or received and preserved by the sovereign or its agents in the legitimate conduct of governance. / Arts, Faculty of / Library, Archival and Information Studies (SLAIS), School of / Graduate

Archives -- Management

Public records -- Access control

The informational needs of historians researching women : an archival user study

Beattie, Diane Lynn

January 1987

This thesis examines the informational needs of historians researching women as a subject in archives. The research methodology employed combines two types of user studies, the questionnaire and the reference analysis, in order to determine both the use and usefulness of archival materials and finding aids for historians researching women. This study begins with an overview of the literature on user studies. The thesis then outlines both the kinds of materials and the information historians researching women require. Finally, this study looks at the way historians researching women locate relevant materials and concomitantly the effectiveness of current descriptive policies and practices in dealing with the needs of this research group. This thesis concludes by suggesting a number of ways in which archivists can respond to the informational needs of historians researching women in archives. Firstly, a considerable amount of documentation relevant to the study of women remains to be acquired by archival repositories. While archives should continue to acquire textual materials, more emphasis needs to be placed upon the acquisition of non-textual materials since these materials are also very useful to historians researching women in archives. Secondly, archivists must focus more attention on the informational value of their holdings since the majority of historians researching women are interested in the information the records contain about people, events or subject area and not the description of institutional life contained in records. Thirdly this study demonstrates the need for more subject oriented finding aids. Archivists can improve subject access to their holdings through the preparation of thematic guides, by the creation of more analytical inventory descriptions and by indexing or cataloguing women's records. / Arts, Faculty of / Library, Archival and Information Studies (SLAIS), School of / Graduate

Women -- History -- Archival resources

Archives -- Access control

An access control model based on time and events

Jaggi, Felix P.

January 1990

A new access control model incorporating the notion of time and events is introduced. It allows the specification of fine-grained and flexible security policies which are sensitive to the operating environment. The system constraints, expressed in terms of access windows and obligations, are stored in extended access control lists. The addition of a capability mechanism gives another dimension of protection and added flexibility, so that the flexibility and expressive power of the system constraints is fully supported by the underlying mechanism. The approach is compared to several existing models and its' expressive power is demonstrated by showing the new model can be used to specify different existing security models as well as some special problems. The model is then adapted to work in a distributed environment. / Science, Faculty of / Computer Science, Department of / Graduate

Computer security

Computers -- Access control

Data protection

An evaluation of integrity control facilities in an AS/400 environment

Bosman, Michael Louis

23 September 2014

M.Com. (Computer Auditing) / Both the auditor, faced with the task of determining an effective and efficient audit approach, as well as management, charged with implementing and monitoring need purer security, need to evaluate integrity controls. This need to evaluate integrity controls is increasing, due to the growing complexity of computer environments, the breakdown of the paper audit trail, and the replacement of application controls by integrity controls. By applying the Access Path and Path Context Models, an evaluation was performed of integrity controls and risks in an AS/400 environment. The operating system (08/400) was delineated into functional categories to assist in the evaluation, in a manner consistent with that outlined in the Access Path Model. It was found that sufficient integrity control facilities exist in an AS/400 environment to meet the control objectives, although several risks were identified which could only be addressed by application controls.

Software protection - Evaluation

Auditing - Access control

Institutionalizing information security.

Von Solms, Elmarie

04 June 2008

Information security has become a much discussed subject all over the world in the last few years. This is because information security is no longer a luxury, but a necessity in all organisations. The securing of information is not an easy task because information security is flexible and always seems to be in a state of development. This means that information security has undergone different development changes due to new technologies in the past few years. Information security became prominent around 50 years ago and had a very strict technical approach. In this approach, industries mainly worked with mainframes, with little or no concept of management aspects such as security policies or awareness programmes. The technical approach thus included little or no management effort in terms of information security. The need to manage information security began when new technologies such as the Internet and the World Wide Web were introduced to the information security environment. This caused information security to shift from the technical to the more managerial approach. The move of information security from the technical to the managerial approach may be identified through different development trends. These development trends have occurred mainly to improve information security management in any organisation. The primary purpose of this dissertation is therefore to identify and investigate different development trends that have an influence on information security, especially from a managerial point of view. / Prof. J.H.P. Eloff

microcomputer access control

computer security

data protection