Abstract
M.Sc. (Computer Science)
Information is a valuable resource in any organisation and more and more
organisations are realising this and want efficient means to protect it against disclosure,
modification or destruction. Although relatively efficient security methods have been
available almost as long as information databases, they all provide additional cost. This
cost does not only involve money but also cost in terms of system performance and
management of information security. Any new information security model must also
provide better management of information security. In this dissertation we present a
model that provides information security and aims to lower the technical skills required
to manage information security using this approach.
In any business organisation we can describe each employee's duties. Put in other
words, we can say that each employee has a specific business role in the organisation.
In organisations with many employees there are typically many employees that have
more or less the same duties in the organisation. This means that employees can be
grouped according to their business roles. We use an employee's role as a description
of his/her duties in a business organisation. '
Each role needs resources to perform its duties in the organisation. In terms of
computer systems, each role needs computer resources such as printers. Most roles
need access to data files in the organisation's database but it is not desirable to give all
roles access to all data files. It is obvious that roles have specific privileges and
restrictions in terms of information resources.
Information security can be achieved by identifying the business roles in an
organisation and giving these roles only the privileges needed to fulfill their business
function and then assigning these roles to people (users of the organisation's computer
system). This is called role-based security.
People's business functions are related, for example clerks and clerk-managers are
related in the sense that a clerk-manager is a manager of clerks. Business roles are
related in the same way. For an information security manager to assign roles to users it
is important to see this relationship between roles. In this dissertation we present this
relationship using a lattice graph which we call a role lattice. The main advantage of
this is that it is eases information security management...