McCumber Cube

The McCumber Cube is a model for establishing and evaluating information security (information assurance) programs. This security model, created in 1991 by John McCumber, is depicted as a three-dimensional, Rubik's Cube-like grid. The concept behind the model is that, in developing information assurance systems, organizations must consider the interconnectedness of all the different factors that affect them. To devise a robust information assurance program, one must consider not only the security goals of the program (see below), but also how these goals relate specifically to the various states in which information can reside in a system, and the full range of available security safeguards that must be considered in the design. The McCumber model helps one remember to consider all important design aspects without becoming too focused on any one in particular (for example, relying exclusively on technical controls at the expense of the policies and end-user training those controls require).


Dimensions and attributes


Desired goals

* Confidentiality: assurance that sensitive information is not intentionally or accidentally disclosed to unauthorized individuals.
* Integrity: assurance that information is not intentionally or accidentally modified in such a way as to call into question its reliability.
* Availability: ensuring that authorized individuals have both timely and reliable access to data and other resources when needed.


Information states

* Storage: data at rest (DAR) in an information system, such as data stored in memory or on a magnetic tape or disk.
* Transmission: transferring data between information systems, also known as data in transit (DIT).
* Processing: performing operations on data in order to achieve the desired objective.


Safeguards

* Policy and practices: administrative controls, such as management directives, that provide a foundation for how information assurance is to be implemented within an organization (examples: acceptable use policies or incident response procedures). Also referred to as operations.
* Human factors: ensuring that the users of information systems are aware of their roles and responsibilities regarding the protection of information systems and are capable of following standards (example: end-user training on avoiding computer virus infections or recognizing social engineering tactics). Also referred to as personnel.
* Technology: software- and hardware-based solutions designed to protect information systems (examples: anti-virus, firewalls, intrusion detection systems, etc.).
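The three lists above define the 27 cells of the cube: each (goal, information state, safeguard) triple. The model's practical value is as a coverage check, so the following added example (not from the article or from McCumber's own material) encodes the three axes, lets a planner register controls against the cells they cover, and reports the cells nothing covers. The controls in `example_program()` are constructed sample entries, not a recommended control set; the names `Control`, `Cube`, and `coverage_by_safeguard` are this example's own.

```python
"""Coverage check over the McCumber Cube (added example, not the article's code).

Each control is tagged with the goals and information states it serves and
the single safeguard class it belongs to. The cube reports cells with no
control, which is exactly the over-focus on one safeguard that the model
warns about.
"""
from dataclasses import dataclass, field
from itertools import product

# The three axes of the cube, as defined in the article.
GOALS = ("confidentiality", "integrity", "availability")
STATES = ("storage", "transmission", "processing")
SAFEGUARDS = ("policy", "human_factors", "technology")


@dataclass(frozen=True)
class Control:
    """One safeguard instance and the set of cube cells it covers."""
    name: str
    goals: frozenset
    states: frozenset
    safeguard: str

    def __post_init__(self):
        # Reject axis values outside the model so typos do not silently create
        # phantom coverage.
        bad = (set(self.goals) - set(GOALS)) | (set(self.states) - set(STATES))
        if bad or self.safeguard not in SAFEGUARDS:
            raise ValueError(f"{self.name}: unknown axis value {bad or self.safeguard}")

    def covers(self, goal, state, safeguard):
        return goal in self.goals and state in self.states and safeguard == self.safeguard


@dataclass
class Cube:
    controls: list = field(default_factory=list)

    def add(self, name, goals, states, safeguard):
        ctrl = Control(name, frozenset(goals), frozenset(states), safeguard)
        self.controls.append(ctrl)
        return ctrl

    @staticmethod
    def cells():
        """All 27 (goal, state, safeguard) cells of the cube."""
        return list(product(GOALS, STATES, SAFEGUARDS))

    def covering(self, goal, state, safeguard):
        """Names of the controls that cover one cell."""
        return [c.name for c in self.controls if c.covers(goal, state, safeguard)]

    def gaps(self):
        """Cells that no registered control covers."""
        return [cell for cell in self.cells() if not self.covering(*cell)]

    def coverage_by_safeguard(self):
        """Number of covered cells per safeguard class (9 cells each)."""
        return {
            s: sum(1 for g, st in product(GOALS, STATES) if self.covering(g, st, s))
            for s in SAFEGUARDS
        }


def example_program():
    """A constructed, deliberately technology-heavy plan for illustration."""
    cube = Cube()
    cube.add("Full-disk encryption", {"confidentiality"}, {"storage"}, "technology")
    cube.add("TLS on every service", {"confidentiality", "integrity"}, {"transmission"}, "technology")
    cube.add("Tested backups", {"availability"}, {"storage"}, "technology")
    cube.add("Input validation", {"integrity"}, {"processing"}, "technology")
    cube.add("Acceptable use policy", {"confidentiality"}, STATES, "policy")
    cube.add("Incident response procedure", {"availability"}, STATES, "policy")
    cube.add("Phishing awareness training", {"confidentiality"}, {"transmission"}, "human_factors")
    return cube


if __name__ == "__main__":
    cube = example_program()
    print("covered cells per safeguard:", cube.coverage_by_safeguard())
    print(f"{len(cube.gaps())} of {len(cube.cells())} cells uncovered:")
    for goal, state, safeguard in cube.gaps():
        print(f"  {goal:<16} {state:<13} {safeguard}")
```

Running the script shows the sample plan covers 12 of 27 cells, with only one cell served by human factors and no integrity coverage at all from policy: the kind of imbalance the cube is meant to make visible before a design is finalized.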


Motivation

Per John McCumber's website, the idea is to push back against the treatment of security as an art and to support it with a structured methodology that functions independently of technology evolution. The basis of this methodology is the inter-relationship of confidentiality, integrity, and availability with storage, transmission, and processing, while applying policy and procedures, human factors, and technology.


See also

* CIA Triad
* Defense in Depth (computing)

