Improving an organisations existing information technology policy to increase security

A security policy which includes the appropriate phases of implementation, enforcement, auditing and review is vital to protecting an organisations information security. This paper examined the information security policy of a government organisation in response to a number of perceived shortcomings. The specific issues identified relating to the organisations security policy as a result of this investigation were as follows: a culture of ignoring policies, minimal awareness of policies, minimal policy enforcement, policy updating and review ad hoc at best, policy framework, lengthy policy development and approval process, no compliance program, no formal non-compliance reporting and an apparent inconsistent enforcement across the whole of the organisation. In response to these identified issues, the following recommendations were made to improve the information security of the organisation: changing the organisations culture, creating an awareness mechanism for policies, improving the organisations culture, create an ICT policy awareness programme, review and re-write existing policies, policy enforcement, policy compliance, policy noncompliance reporting, policy updating and review, improve the policy development and approval process, policy compliance checking and uniform policy enforcement. Whilst it is also likely that a lack of governance contributed to these issues, this aspect was not addressed in this paper. It is hoped that timely implementation of the remedies presented here will increase the organisations information security

Model Checking Access Control Policies: A Case Study using Google Cloud IAM

Authoring access control policies is challenging and prone to misconfigurations. Access control policies must be conflict-free. Hence, administrators should identify discrepancies between policy specifications and their intended function to avoid violating security principles. This paper aims to demonstrate how to formally verify access control policies. Model checking is used to verify access control properties against policies supported by an access control model. The authors consider Google's Cloud Identity and Access Management (IAM) as a case study and follow NIST's guidelines to verify access control policies automatically. Automated verification using model checking can serve as a valuable tool and assist administrators in assessing the correctness of access control policies. This enables checking violations against security principles and performing security assessments of policies for compliance purposes. The authors demonstrate how to define Google's IAM underlying role-based access control (RBAC) model, specify its supported policies, and formally verify a set of properties through three examples

Model Checking of Software Defined Networks using Header Space Analysis

This thesis investigates the topic of verifying network status validity with a Cyber Security perspective. The fields of interest are dynamic networks like OpenFlow and Software Defined Networks, where these problems may have larger attack surface and greater impact. The framework under study is called Header Space Analysis, a formal model and protocol-agnostic framework that allows to perform static policy checking both in classical TCP/IP networks and modern dynamic SDN. The goal is to analyse some classes of network failure, declaring valid network states and recognizing invalid ones. HSA has evolved in NetPlumber, to face problems caused by high dynamics of SDN networks. The main difference between HSA and NetPlumber is the incremental way that the latter performs checks and keeps state updated, verifying the actual state compliance with the expected state defined in its model, but the concept is the same: declare what's allowed and recognize states violating that model. The second and main contribute of this thesis is to expand existing vision with the purpose of increasing the network security degree, introducing model-checking-based networks through the definition of an abstraction layer that provides a security-focused model-checking service to SDN. The developed system is called MCS (Model Checking Service) and is implemented for an existing SDN solution called ONOS, using NetPlumber as underlying model-checking technology, but it's validity is general, uncoupled with any kind of SDN implementation. Finally, the demo shows how some cases of well-known security attacks in modern networks can be prevented or mitigated using the reactive behavior of MCS

Formal certification and compliance for run-time service environments

With the increased awareness of security and safety of services in on-demand distributed service provisioning (such as the recent adoption of Cloud infrastructures), certification and compliance checking of services is becoming a key element for service engineering. Existing certification techniques tend to support mainly design-time checking of service properties and tend not to support the run-time monitoring and progressive certification in the service execution environment. In this paper we discuss an approach which provides both design-time and runtime behavioural compliance checking for a services architecture, through enabling a progressive event-driven model-checking technique. Providing an integrated approach to certification and compliance is a challenge however using analysis and monitoring techniques we present such an approach for on-going compliance checking

Model checking usage policies

We study usage automata, a formal model for specifying policies on the usage of resources. Usage automata extend finite state automata with some additional features, parameters and guards, that improve their expressivity. We show that usage automata are expressive enough to model policies of real-world applications. We discuss their expressive power, and we prove that the problem of telling whether a computation complies with a usage policy is decidable. The main contribution of this paper is a model checking technique for usage automata. The model is that of usages, i.e. basic processes that describe the possible patterns of resource access and creation. In spite of the model having infinite states, because of recursion and resource creation, we devise a polynomial-time model checking technique for deciding when a usage complies with a usage policy

Tracking Chart 2005 Reebok, Vietnam 01028472D

This document is part of a digital collection provided by the Martin P. Catherwood Library, ILR School, Cornell University, pertaining to the effects of globalization on the workplace worldwide. Special emphasis is placed on labor rights, working conditions, labor market changes, and union organizing.FLA_2005_Reebok_TC_Vietnam_01028472D.pdf: 7 downloads, before Oct. 1, 2020

Tracking Chart 2005 Adidas Group, Vietnam 01028472D

This document is part of a digital collection provided by the Martin P. Catherwood Library, ILR School, Cornell University, pertaining to the effects of globalization on the workplace worldwide. Special emphasis is placed on labor rights, working conditions, labor market changes, and union organizing.FLA_2005_AdidasGroup_TC_Vietnam_01028472D.pdf: 26 downloads, before Oct. 1, 2020

Tracking Chart 2005 Reebok, Bangladesh 12005081D

This document is part of a digital collection provided by the Martin P. Catherwood Library, ILR School, Cornell University, pertaining to the effects of globalization on the workplace worldwide. Special emphasis is placed on labor rights, working conditions, labor market changes, and union organizing.FLA_2005_Reebok_TC_Bangladesh_12005081D.pdf: 14 downloads, before Oct. 1, 2020

Tracking Chart 2006 Puma, China 36001529CV

This document is part of a digital collection provided by the Martin P. Catherwood Library, ILR School, Cornell University, pertaining to the effects of globalization on the workplace worldwide. Special emphasis is placed on labor rights, working conditions, labor market changes, and union organizing.FLA_2006_Puma_TC_China_36001529CV.pdf: 10 downloads, before Oct. 1, 2020