Comparison With Requirements

•             Users can’t certify TPs, so CR5 and ER4 enforce this

•             Procedural, so model doesn’t directly cover it; but special process corresponds to using TP

•           No technical controls can prevent programmer from developing program on production system; usual control is to delete software tools

•             TP does the installation, trusted personnel do certification

   CR4 provides logging; ER3 authenticates trusted personnel doing installation; CR5, ER4 control installation procedure

•           New program UDI before certification, CDI (and TP) after

•             Log is CDI, so appropriate TP can provide managers, auditors access

•           Access to state handled similarly

Comparison to Biba

•      Biba

–   No notion of certification rules; trusted subjects ensure actions obey rules

–   Untrusted data examined before being made trusted

•      Clark-Wilson

–   Explicit requirements that actions must meet

–   Trusted entity must certify method to upgrade untrusted data (and not certify the data itself)

Key Points

•      Integrity policies deal with trust

–   As trust is hard to quantify, these policies are hard to evaluate completely

–   Look for assumptions and trusted users to find possible weak points in their implementation

•      Biba based on multilevel integrity

•      Clark-Wilson focuses on separation of duty and transactions