McCumber cube

McCumber cube
The McCumber Cube

In 1991, John McCumber created a model framework for establishing and evaluating information security (information assurance) programs, now known as The McCumber Cube. This security model is depicted as a three dimensional Rubik's Cube-like grid.

The concept of this model is that, in developing information assurance systems, organizations must consider the interconnectedness of all the different factors that impact them. To devise a robust information assurance program, one must consider not only the security goals of the program (see below), but also how these goals relate specifically to the various states in which information can reside in a system and the full range of available security safeguards that must be considered in the design. The McCumber model helps one to remember to consider all important design aspects without becoming too focused on any one in particular (i.e., relying exclusively on technical controls at the expense of requisite policies and end-user training).

Contents

Dimensions and attributes

Desired goals

  • Confidentiality: assurance that sensitive information is not intentionally or accidentally disclosed to unauthorized individuals.
  • Integrity: assurance that information is not intentionally or accidentally modified in such a way as to call into question its reliability.
  • Availability: ensuring that authorized individuals have both timely and reliable access to data and other resources when needed.

Information states

  • Storage: Data at rest (DAR) in an information system, such as that stored in memory or on a magnetic tape or disk.
  • Transmission: transferring data between information systems - also known as data in transit (DIT).
  • Processing: performing operations on data in order to achieve a desired objective.

Safeguards

  • Policy and practices: administrative controls, such as management directives, that provide a foundation for how information assurance is to be implemented within an organization. (examples: acceptable use policies or incident response procedures) - also referred to as operations.
  • Human factors: ensuring that the users of information systems are aware of their roles and responsibilities regarding the protection of information systems and are capable of following standards. (example: end-user training on avoiding computer virus infections or recognizing social engineering tactics) - also referred to as personnel
  • Technology: software and hardware-based solutions designed to protect information systems (examples: anti-virus, firewalls, intrusion detection systems, etc.)

Motivation

Per John McCumber's website, the idea is to push back the advance of security as an art and support it with a structured methodology that functions independent of technology evolution. The basis of this methodology is the inter-relationship among confidentiality, integrity and availability with storage, transmission and processing while applying the policy, procedures, human side and technology.

See also

References

  • Assessing and Managing Security Risk in IT Systems: A Structured Methodology by John McCumber (Author) [Publisher: Auerbach Publications; 1 edition (June 15, 2004)]

External links


Wikimedia Foundation. 2010.

Игры ⚽ Нужна курсовая?

Look at other dictionaries:

  • McCumber — may refer to: Lester McCumbers (born 1921), a celebrated old time fiddler from Nicut, West Virginia Mark McCumber (born 1951), an American golfer Porter J. McCumber (1858–1933), a United States Senator from North Dakota See also Fordney McCumber… …   Wikipedia

  • Information assurance — (IA) is the practice of managing information related risks. More specifically, IA practitioners seek to protect and defend information and information systems by ensuring confidentiality, integrity, authentication, availability, and non… …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”