Essay by b831923 May 2004




This report explores the industry standard concepts and best practices including:

        Access control
        Data confidentiality
        Data integrity



Authentication is the ability to verify the identity of a user, host or system process. Access control determines who, when and what is allowed to access an operating system or network. Encryption is the use of mechanisms to scramble information in order to prevent electronic eavesdropping or data tampering. Preserving data confidentiality involves the use of encryption to ensure that confidential data remains secret. Data integrity is about the use of encryption and other mechanisms to ensure that unauthorised persons have not interfered with data during transmission. Auditing involves keeping track of when and by whom data has been accessed. Non-repudiation is the ability to prove that a transaction has in fact occurred.
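As an added illustration of the distinction drawn above between data confidentiality and data integrity (a constructed example, not part of the essay): a toy XOR stream cipher keeps the content secret but lets a byte altered in transit decrypt without any error, while an HMAC tag over the ciphertext rejects the same alteration. The helper names, keys and message are assumptions made for the demonstration.

```python
import hashlib
import hmac

# Constructed demonstration: a toy XOR stream cipher (SHA-256 in counter mode
# as keystream) shows that encryption alone gives confidentiality but does not
# reveal modification in transit; an HMAC over the ciphertext (encrypt-then-MAC)
# supplies the integrity check. The toy cipher is for illustration only.

def keystream(key: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, data: bytes) -> bytes:
    # XOR with the keystream; applying it twice restores the plaintext.
    return bytes(p ^ k for p, k in zip(data, keystream(key, len(data))))

decrypt = encrypt

def protect(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    # Separate keys for encryption and authentication; the tag covers the ciphertext.
    ct = encrypt(enc_key, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def unprotect(enc_key: bytes, mac_key: bytes, message: bytes):
    # Returns the plaintext, or None when the tag does not match (tampering).
    tag_len = hashlib.sha256().digest_size
    ct, tag = message[:-tag_len], message[-tag_len:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return decrypt(enc_key, ct)

def corrupt_first_byte(data: bytes) -> bytes:
    # Simulates a single bit altered in transit.
    return bytes([data[0] ^ 0x01]) + data[1:]

def demo():
    enc_key, mac_key = b"constructed-enc-key", b"constructed-mac-key"
    plaintext = b"PAY 100"
    # Encryption only: the altered ciphertext decrypts silently to "QAY 100".
    silently_altered = decrypt(enc_key, corrupt_first_byte(encrypt(enc_key, plaintext)))
    # Encrypt-then-MAC: the intact message verifies, the altered one is rejected.
    message = protect(enc_key, mac_key, plaintext)
    return (silently_altered,
            unprotect(enc_key, mac_key, message),
            unprotect(enc_key, mac_key, corrupt_first_byte(message)))
```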

Security Documents and Organisations

There are a number of security standards and standards organisations.

For example, the National Institute of Standards and Technology (NIST), which was sponsored by the US Department of Defense (DOD), created the Trusted Computer System Evaluation Criteria (TCSEC), also known as the Orange Book. The Orange Book, which is still widely used by security professionals, rates the security protection offered by operating systems on a scale from A, the most secure, to D, the least secure. The most common rating is C-2. Unix, Windows NT and Novell NetWare are all C-2 compliant. Note that an Orange Book rating applies to an operating system configured to run on a given platform. This means that just because an installation of NT is C-2 compliant on vendor A's server, it need not be C-2 compliant when installed on vendor B's server.

Additional standards include the International Standards Organisation (ISO) 7498-2 and the British Standards BS 7799 (1995 and 1999).