Hierarchical security design: successive refinement of detail. 10 aspects addressed in every level.
1. Philosophy: security vision of the ideal security solution. High-level executive position statements that give direction and relative importance to the areas addressed.
   Encompasses:
   trust: level of confidence needed to use information; determines authorizations, privileges, administration.
   protection: level of control, integrity, auditing.
2. Principles: standards of conduct. Refine the philosophy into standards that policies adhere to. Security architecture: common understanding and framework; definition of the principles that a security implementation can be built on.
3. Policies: technology-independent descriptions of the security precautions. Specify what must or must not be done to fulfill the principles. Security strategy: how to implement the vision in accordance with the architecture, given technological constraints.
4. Procedures: how to implement the policies in a specific technology. How the standards should be implemented. Security framework: applying the security procedures, which is largely the administration of security objects.
   Standards: basic security requirements. Define an acceptable level of security to which every system must adhere.
   Exceptions: specific instances where the standards will not be implemented.
5. Practices: day-to-day operations that implement the procedures. Security implementation: details of how the framework is implemented. Detailed steps, schedules, responsibilities.