Outline for April 26, 2006

Reading: text, §7.2—7.4

1. Greetings and felicitations!
   1. Office hours changed, due to talk at noon
   2. Bad typo in book relevant to homework; in Definition 3—21, number 3, it should be τ(X), not τ(Y)
2. CISS
   1. Intended for medical records; goals are confidentiality, authentication of annotators, and integrity
   2. Patients, personal health information, clinician
   3. Assumptions and origin of principles
   4. Access principles
   5. Creation principle
   6. Deletion principle
   7. Confinement principle
   8. Aggregation principle
   9. Enforcement principle
   10. Comparison to Bell-LaPadula: lattice structure but different focus
   11. Comparison to Clark-Wilson: specialization
3. ORCON
   1. Originator controls distribution
   2. DAC, MAC inadequate
   3. Solution is combination
4. Role-based Access Control (RBAC)
   1. Definition of role
   2. Partitioning as job function
   3. Containment