This article explains security policy development for small and medium-sized enterprises (SMEs). Information security has three main goals: confidentiality, integrity and availability. Donn Parker introduced an alternative to this model by adding three more principles: possession, authenticity and utility. After identifying the SME's assets, we can perform a risk analysis on them to find out which assets are most important and to prioritize the risks associated with them. There are different security policy standards that can be used in different areas, such as database security and network security. Security policies are implemented to define a standard for company members, so that they follow set criteria when using the company's facilities and thereby reduce risks and vulnerabilities.
According to the European Commission, the 23 million small and medium-sized enterprises (SMEs) in the EU represent 99% of businesses and are a key driver of economic growth. Starting an SME is just the beginning: as SMEs grow they need to employ more staff, so they need technologies and frameworks to keep the staff in line with their standards.
Security policies are a core concept in computer security. They are implemented to regulate access to facilities such as email and the Internet, and to define standards such as password and antivirus regulations. These policies explain the acceptable and unacceptable use of these facilities, along with the enforcement measures and responsibilities for company members.
Key concepts and principles
The European Community has created a document which defines computer security in terms of three main goals: confidentiality, integrity and availability (the C.I.A. triad). Each of these three principles is important, and a weakness in any of these legs opens the network to exploitation.
Similarly, attackers have three approaches (DAD) to defeat the CIA triad: disclosure to defeat confidentiality, alteration to defeat integrity and destruction to defeat availability.
In 2002 Donn Parker proposed a new model called the six atomic elements of information (the Parkerian hexad), which adds possession, authenticity and utility to the CIA definition. Any information security breach can be described as affecting one of these six principles.
Confidentiality relates to preventing unauthorized individuals from accessing information. This principle covers many forms of disclosure, such as giving sensitive information over the phone, letting others look over your shoulder in public areas while you enter sensitive information such as usernames and passwords, or viewing other users' personal information. Encrypting sensitive data and protecting sensitive information in transmission so that network sniffers cannot access it also falls under this concept.
Integrity covers breaches in which intruders modify or alter data without being detected. The system must maintain the integrity of information, keeping it safe from corruption and from unauthorized or accidental changes. An example would be a security hole which allows attackers to modify rule tables to gain access to the system. If we define integrity as preventing unauthorized actions, then confidentiality might become a part of this definition as well. Some common integrity mechanisms include access control mechanisms, file system security controls and cryptography using digital signatures.
Availability is defined in ISO 7498-2 as the property of being accessible and usable upon demand by an authorized entity. In this concept it is important to keep information accessible to authorized users at all times. Securing the system against denial-of-service attacks falls into this category. Fault-tolerant computing and distributed systems also help to keep the system up and running if one of the components crashes.
Possession relates to control over information even after it has been compromised or stolen. For example, if a victim writes the PIN on a credit card and the card is stolen, the victim no longer has control over it and is legitimately concerned about that.
Authenticity covers verification of the authorship of information, so that we can verify its origin. An example would be signing a document with a digital signature using public-key cryptography. Under this principle it is also easy to detect unauthorized changes to the information through digital signature verification.
Utility relates to the usefulness of data after accidental damage, such as losing the encryption key or a disk crash that destroys the private keys used to encrypt the data. This breaches utility even though all the other principles are in place.
Risks and Threat analysis
The term hazard risk relates to the damage that might occur in an uncertain event, or the risks associated with it. Hazard risk analysis is carried out during the design, development, deployment and operation phases. To start a risk analysis we need to identify our business assets. We can then identify threats and rate them by the damage they may cause to those assets. This provides a risk analysis for the design phase.
We can group the SME's assets into four categories: hardware, software, data and information, and reputation.
Hardware
Includes physical assets such as computers, routers, hardware firewalls, switches, smart cards, mobile phones, etc.
- Servers, personal computers and laptops
- Mobile devices
- Routers, switches and firewalls (hardware based)
- Mobile phones and PDAs
- Ethernet and wireless equipment, etc.
Software
- Operating systems
- Applications and software
- Video conferencing and instant messenger software
- Database management systems
- Information management systems
- Source code
- Payment processing and e-commerce software, etc.
Data and information
- Customers' data, including name, address, credit card information and purchase history
- Emails and communication history
- Video and voice recordings
- Sales data
- Stock and supplier data
- Business plans
- Website statistics data, etc.
Reputation
- Includes the confidence you have gained, which lets customers trust your website with their details, such as their credit card details
- Popularity of the company, gained through advertisements, etc.
A threat is an undesirable impact on the assets. There are different threat risk models which categorize and define these threats. Threat risk models include STRIDE, DREAD, TRIKE, AS/NZS 4360:2004 Risk Management and OCTAVE.
For managing security threats, a security conceptual framework is adapted from ISO/IEC 15408, which defines seven security concepts and their relationships:
- Different type of threats
Using the Microsoft STRIDE threat model, we can group threats into the following categories for our SME business:
- Spoofing identity, which includes using another user's account details to log in to the system, such as hackers stealing the admin username and password to access the SME's website back-end admin panel.
- Tampering with data, which includes threats that aim to modify data in the database or during transmission. An example would be modifying the data transmitted between a customer's computer and the SME's server, as in man-in-the-middle attacks.
- Repudiation, which consists of having no proof against users who deny actions they have performed. An example would be the lack of an audit system, so that there is no proof of logins at certain times to show a manager's responsibility for an action that damaged the system, such as data loss.
- Information disclosure, which involves exposing information to those who should not have access to it. An example would be an intruder who can listen to conversations to get the data. Network sniffers fall into this category as well.
- Denial of service, which consists of sending malicious traffic to the system to make it unavailable or unusable.
- Elevation of privilege, which consists of providing full access levels to all users, enabling them to crash the entire system when they are only supposed to access a certain part of it.
Vulnerability analysis takes place after the system has been implemented. The term covers weaknesses of the system which could lead to exploitation of, or damage to, its assets. Some typical vulnerabilities in IT systems include:
- Using simple default passwords for account manager users.
- Granting unnecessary permissions, such as root permission for all processes, including those which do not require that access level.
- Using software with known bugs and vulnerabilities.
- Implementing weak access controls which allow intruders to override settings, for example by making changes directly in memory.
- Weak firewall settings, such as leaving most unused ports open, which attackers can use to perform attacks.
Information and advice regarding vulnerabilities is available from organizations such as SANS and CERTs (computer emergency response teams).
It is important to rate vulnerabilities as part of the risk analysis, to identify the most important ones and give them higher priority. For example, a vulnerability which may give an intruder total control of the system through admin access is more important than one which may give an intruder access with a normal user account.
An attack consists of a sequence of steps taken to gain access to a system or to damage it. These steps can be described by an attack tree for each attack. We can estimate the cost of an attack, the chance that it may occur and the damage it can cause. We will use attack trees to analyze threats and provide overall assumptions. We can then use these trees to adjust the system for better security in more sensitive areas. The graph below represents a sample attack tree for stealing customers' data from the system, with its associated costs.
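The attack-tree analysis described above, as an added Python example that is not part of the original article: it computes the cheapest path to the goal and ranks single mitigations by how far each one raises that cost. The tree, its node names, the mitigation labels and all cost figures are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    kind: str = "LEAF"   # "LEAF", "OR" (any child suffices) or "AND" (all children needed)
    cost: float = 0      # estimated attacker cost, leaves only (arbitrary units)
    children: list = field(default_factory=list)


def cheapest(node, overrides=None):
    """Return (cost, leaf_steps) for the cheapest way to achieve `node`.

    `overrides` maps a leaf name to the cost of that step after a mitigation.
    """
    overrides = overrides or {}
    if node.kind == "LEAF":
        return overrides.get(node.name, node.cost), [node.name]
    if not node.children:
        raise ValueError(f"{node.kind} node {node.name!r} has no children")
    results = [cheapest(child, overrides) for child in node.children]
    if node.kind == "AND":   # attacker must complete every child step
        return (sum(cost for cost, _ in results),
                [step for _, steps in results for step in steps])
    if node.kind == "OR":    # attacker picks the cheapest alternative
        return min(results, key=lambda r: r[0])
    raise ValueError(f"unknown node kind {node.kind!r}")


def rank_mitigations(tree, mitigations):
    """Rank mitigations by the cheapest attack cost that remains after each one.

    `mitigations` maps a label to {leaf name: new cost}. The result is a list of
    (label, remaining_cheapest_cost, remaining_cheapest_steps), best first.
    """
    ranked = [(label, *cheapest(tree, overrides))
              for label, overrides in mitigations.items()]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


# Constructed sample tree: goal and steps are illustrative, costs are made up.
TREE = Node("Steal customers' data", "OR", children=[
    Node("Log in to the website admin panel", "AND", children=[
        Node("Obtain admin credentials", "OR", children=[
            Node("Guess default admin password", cost=10),
            Node("Phish an employee", cost=100),
        ]),
        Node("Reach admin panel from the internet", cost=5),
    ]),
    Node("Sniff unencrypted customer traffic", cost=300),
    Node("Steal backup media from the office", cost=500),
])

# Constructed mitigations: each raises the cost of one leaf step.
MITIGATIONS = {
    "Enforce the password policy": {"Guess default admin password": 1000},
    "Restrict admin panel to the internal network": {"Reach admin panel from the internet": 400},
    "Encrypt traffic between customers and server": {"Sniff unencrypted customer traffic": 2000},
}

if __name__ == "__main__":
    cost, steps = cheapest(TREE)
    print(f"Cheapest attack today: cost {cost} via {steps}")
    for label, new_cost, new_steps in rank_mitigations(TREE, MITIGATIONS):
        print(f"{label}: cheapest remaining attack costs {new_cost} via {new_steps}")
```

With these sample figures, fixing the weak password alone leaves the phishing branch open, so restricting access to the admin panel raises the attacker's minimum cost further.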
Prioritizing the threats
To prioritize threats and vulnerabilities, we can use the Common Vulnerability Scoring System (CVSS). The score depends on factors such as threat complexity, vulnerability rating, the chance that it may be used by attackers and the damage it may cause. The following image represents a sample CVSS implementation:
SME stands for small and medium enterprises. The European Commission's Enterprise and Industry publication defines small enterprises as follows: “Small enterprises are defined as enterprises which employ fewer than 50 persons and whose annual turnover or annual balance sheet total does not exceed 10 million euro.”
Similarly, medium-sized enterprises are defined as having fewer than 250 staff, with an annual turnover that does not exceed 50 million euros and a balance sheet total that does not exceed 43 million euros.
SMEs work on the basis of increasing revenue and preventing loss. Incidents such as data leakage, downtime and reputation loss can reduce revenue through lost customers. A virus that damages data may cost an SME thousands of dollars.
We can categorize security threats which affect SMEs into the following categories:
- Malicious internet content. Since most small and medium-sized enterprises use the internet, they are at risk from malicious internet content such as viruses, Trojans, malware and worms, and from social engineering attacks such as phishing.
- Attacks on physical systems, which consist of data leaks through USB and DVD drives, unauthorized personnel accessing data warehouses to steal data, and physical theft.
- Authentication and privilege attacks, which happen when employees use weak, easy-to-guess passwords. Defining a password policy may help, but under strict password policies employees might write their passwords on sticky notes, which increases the risk. Sharing usernames and passwords between employees creates the risk that employees access data they are not supposed to access. Those who log in from mobile devices over unsecured wireless networks pose a risk to the enterprise as well.
- Denial of service, an attack which prevents legitimate users from accessing the service they require. This can be prevented to some extent by implementing firewall and security rules, such as closing unwanted ports.
The GFI security threats white paper defines security threats for SMEs using the following structure:
To outline a security policy, we need to state each entity of the policy and explain its rules. To avoid misunderstanding and ambiguity, it is a good idea to use a formal, standard security policy model. Security policy models start from a formal specification and a high-level system specification. We can then add more detail to the policy to obtain low-level specifications. Here I explain the standard policy models and the policies that apply to SMEs. As an example, these policies are written for a sample company called Majid Co.
The Bell-LaPadula Model (BLM), also called the multi-level model, was proposed by Bell and LaPadula to enforce access control in military and government applications. Subjects and objects are divided into separate security levels so subjects can be accessible by defined objects only. The Bell-LaPadula model also supports mandatory, arbitrary and discretionary access controls.
The Biba model was created to preserve integrity in a computer system. The model prevents unauthorized modification of data and maintains its consistency (Bishop 2003). In this model, subjects and objects are each assigned an integrity label that indicates the degree of confidence which may be placed in the data (RFC 1457). The model contains 4 access modes: modify, observe, invoke and execute.
Denning et al. developed the SeaView model at Stanford Research Institute; the name stands for secure data view. Both mandatory and discretionary policies are implemented in this model. The model consists of two layers: a reference monitor and a trusted computing base.
The Take-Grant model is a discretionary model, in contrast with the Biba model. It describes security in terms of subjects and objects and uses a graph to model access controls. The access rights in this security model are read, write, take and grant. The transfer rights allow a subject to give or take away the rights of an object. This overcomes one of the problems of the Biba model, which is that it does not provide any administrative options for granting and revoking authorizations (Castano). This security model can be applied to database security, and many DBMSs, such as Oracle, use the Take-Grant security model for authorization.
The object-capability (OCap) model enables security enforcement abstractions that can be composed by other code to minimize vulnerabilities in a system. Murray (2008) has described the object-capability model as “perhaps the best enabler of cooperation that humankind has yet developed”.
The basis of the Chinese wall policy is that people are only allowed access to information which does not conflict with the other rules. Information already possessed by a user must be held on the computer and must have been previously accessed by that user. In a database organized using the Chinese wall security model, all information is stored in a hierarchical file system with 3 levels. The lowest level consists of individual items of information, the intermediate level groups objects together into a company dataset, and the highest level groups all the company datasets together.
The Orange Book is a US Department of Defense document called Trusted Computer System Evaluation Criteria. It was originally written for military systems and discusses different categories of protection: minimal protection, discretionary protection, mandatory protection and verified protection, which is the highest security division.
Other security models
There are more security models, such as Brewer and Nash, Clark-Wilson, the NIST RBAC model, Ring and type enforcement, which are used in practical systems or have been proposed in theory.
Majid Co. provides employees with electronic tools such as email. This policy applies to email use at Majid Co. by all employees, including full-time and part-time staff, independent contractors, interns, consultants, suppliers, clients and other third parties. Any employee who fails to meet Majid Co.'s email rules and policies is subject to disciplinary action, up to and including termination.
- Personal Responsibility
All employees are obliged to adhere to this policy. A failure to adhere to this policy may result in disciplinary action. All users must make sure that they meet the regulations in the acceptable use stated below.
Managers are responsible for making sure that all staff are aware of this policy. The IT manager must implement this policy on behalf of the Director of Majid Co. and establish procedures that support its implementation. The IT manager must also deal with complaints and issues relating to breaches of this policy.
The IT department is responsible for administering user email accounts, resolving users' issues with accessing their accounts, and maintaining this policy.
Majid Co. allows access to the email system only for business purposes. Using personal email accounts such as Yahoo, Hotmail or AOL for business contacts is prohibited. This policy is intended to detail the rules of conduct for all staff who use email and related services. It applies to use of the email system for sending and receiving messages, including attachments.
- Permitted use
The main purpose of Majid Co. in providing email services is to support approved business activities and administration.
Employees who use the email system are responsible for handling the email messages they receive, as well as the attachments.
Users must use the storage space provided for their mailbox appropriately, cleaning folders, archiving and saving the archives in a timely manner.
Employees must log off their email page as soon as they leave their computer.
Once staff leave their current position, they should take adequate measures to file, destroy or transfer the information they have been responsible for, in line with the legislative principles of the Freedom of Information Act 2000 and the Data Protection Act 1998.
- Banned activity
The email system provided by Majid Co. should not be abused. You are not allowed to use this email system to:
- Create and transmit offensive, obscene, defamatory, abusive or otherwise unlawful materials. Any emails or written communications can be used as evidence in a court of law.
- Create and transmit any materials which bring Majid Co. into disrepute.
- Create and transmit any advertising materials which are unsolicited.
- Send confidential material which concerns the activities of Majid Co.
- Transmit any copyrighted materials which concern the activities of Majid Co.
- Transmit messages which are unreasonably or excessively for personal use.
- Create or send any material which is designed or likely to cause annoyance, inconvenience or anxiety.
- Send links to web pages or bulletin boards that are offensive, obscene, defamatory, abusive or otherwise unlawful.
- Send any materials for your private commercial purposes.
- Deliberately forge messages or email header information, i.e. make your message look as if it was sent by another sender.
- Transmit any material which violates the privacy of others or unfairly criticizes or misrepresents others.
In line with the legislative requirements of the Regulation of Investigatory Powers Act 2000, it is illegal to intercept communications without the express or implied consent of both the sender and the recipient of the communication.
Permitted exceptions to the principle that interception without consent is unlawful include:
- To investigate compliance with all the Majid Co regulations and policies.
- To perform monitoring to ensure the effective operation of the system, such as scanning for viruses and other malicious attachments, monitoring email storage usage, forwarding messages to the correct address and eliminating spam.
- Investigation for detecting unauthorized use.
- To resolve a user problem.
- To monitor standards of service or training purposes.
- To prevent crime or in the interest of national security; this must be authorized by the Director of the company where there is a reasonable suspicion of criminal misuse, or on the request of the PSNI or other specified public bodies.
- To check if communication is related to the Majid Co. business.
- Auditing will be carried out by the IT department.
In any case of a breach of the email policy, a complaint must be made to the IT manager.
If a breach is verified, access to email for the responsible person will be temporarily suspended for further investigation.
The investigation must be referred to the Director of the company, and any action taken must follow Majid Co.'s agreed Disciplinary Procedure for employees.
Remote access policy
Trojan horses and viruses are an important concern when it comes to remote access to systems. An attempt to log in to the system from a remote location using a computer infected by a trojan or virus may lead to loss of data and costs for the company.
The purpose of this policy is to provide standards for accessing Majid Co.'s network from outside the company. These standards are designed to minimize security risks from damage which might be caused by unauthorized use.
- All employees and contractors must make sure that their internet connection is safe and that they are not using an open public Wi-Fi connection.
- Employees are permitted to log in to the system from outside the organization only for the facilities permitted by the IT department.
- Contractors are not permitted to log in to the control panel provided by Majid Co. from public areas where others might see their computer screen.
- Employees must not open their email account outside of the organization.
- Employees must set their wireless router's security protocol to WPA2 to minimize the risk of their traffic being compromised.
- Reconfiguration of a home user's equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
- Frame relay must meet minimum authentication requirements of DLCI standards.
- Employees must install antivirus software on the computer they use to remotely access the company's servers, and keep it updated at all times.
- Employees must make sure that the firewall software on their remote computers is up and running.
- Employees must keep their operating system updated and check for updates on a regular basis.
- Users and managers must not attempt to log in from outside the organization as any system-level user such as root or admin.
- Remote login for system-level users must be disabled.
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Passwords are an important aspect of computer security. Easy-to-guess passwords create a vulnerability which lets attackers compromise the whole system and access its data, so passwords should be treated with the same level of security as a credit card PIN.
The purpose of this policy document is to establish a standard for employees to select strong passwords, protect them, and change them in a timely manner.
System-level passwords must meet the following rules:
- System-level passwords must contain both uppercase and lowercase characters, numbers and hyphens.
- All system-level passwords, such as root and admin passwords, must be changed at least once per 6 months. These passwords must be known by at least one person.
- In case of a suspected security breach, system-level passwords must be changed.
- Passwords must be kept secret and must not be inserted into email messages or other forms of electronic communication.
- All accounts created for external contractors should be set to expire after one day, so that access to the account is closed once the contract is finished.
- After 5 failed login attempts, the account must be locked for at least 1 hour. The IT manager should be able to unlock accounts.
All user-level passwords must also meet the following conditions:
- User-level passwords must be more than 6 characters long and must not be a word found in a dictionary. They should contain at least both letters and digits.
- Employees must not discuss their password over the phone or in any email messages.
- Employees must not share their passwords with their colleagues or family members.
- Employees must not write down their passwords or store them in any electronic storage such as email messages.
- In case of a suspected password breach or a virus or trojan infection, employees must change their passwords and notify the IT manager.
- Employees must not use public computers to log in to the system.
- Employees must not share their passwords to any
- Employees must not use the same password that they use for their personal accounts outside the company, which might lead to a security breach if their personal computer at home is infected.
Any employee found to have violated this policy may be subject to disciplinary action. The IT manager may investigate the employee's computer to find out whether it is infected by any virus or trojan. If the IT manager verifies that the computer is infected, further investigation takes place to determine whether the employee is responsible for the security breach, and disciplinary action might follow.
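One way to turn the password rules above into automated checks, as an added Python example that is not part of the original policy: it validates user-level and system-level passwords, flags system passwords overdue for rotation, and enforces the lockout after 5 failed logins. The word list, the reading of "6 months" as 183 days, the stricter dictionary check, and all function and class names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed stand-in for a real dictionary word list (assumption).
DICTIONARY = {"password", "welcome", "dragon", "letmein", "sunshine"}

MAX_FAILED_ATTEMPTS = 5               # policy: lock after 5 failed logins
LOCKOUT = timedelta(hours=1)          # policy: locked for at least 1 hour
SYSTEM_MAX_AGE = timedelta(days=183)  # policy: "once per 6 months" (183 days is an assumption)

SYSTEM_RULES = [
    (r"[A-Z]", "uppercase letter"),
    (r"[a-z]", "lowercase letter"),
    (r"\d", "number"),
    (r"-", "hyphen"),
]


def check_user_password(pw):
    """Return the list of user-level rules that `pw` violates (empty if none)."""
    problems = []
    if len(pw) <= 6:
        problems.append("must be more than 6 characters")
    if not re.search(r"[A-Za-z]", pw) or not re.search(r"\d", pw):
        problems.append("must contain both letters and digits")
    # Stricter reading than the policy text (assumption): a dictionary word with
    # digits added in front or behind still counts as a dictionary word.
    core = re.sub(r"^\d+|\d+$", "", pw).lower()
    if pw.lower() in DICTIONARY or core in DICTIONARY:
        problems.append("must not be a dictionary word")
    return problems


def check_system_password(pw):
    """Return the character classes required for system-level passwords that `pw` lacks."""
    return ["missing " + label for pattern, label in SYSTEM_RULES
            if not re.search(pattern, pw)]


def system_password_overdue(last_changed, now):
    """True when a system-level password is older than the rotation period."""
    return now - last_changed > SYSTEM_MAX_AGE


class LoginGuard:
    """Tracks failed logins per account and applies the lockout rule."""

    def __init__(self):
        self._failures = {}      # account -> consecutive failed attempts
        self._locked_until = {}  # account -> time at which the lock ends

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        return until is not None and now < until

    def attempt(self, account, password_ok, now):
        """Record a login attempt; return True only if the login may proceed."""
        if self.is_locked(account, now):
            return False         # even a correct password is refused while locked
        if account in self._locked_until:   # an earlier lock has expired
            self.unlock(account)
        if password_ok:
            self._failures[account] = 0
            return True
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] >= MAX_FAILED_ATTEMPTS:
            self._locked_until[account] = now + LOCKOUT
        return False

    def unlock(self, account):
        """Manual unlock, the action the policy reserves for the IT manager."""
        self._locked_until.pop(account, None)
        self._failures[account] = 0


if __name__ == "__main__":
    for candidate in ("abc12", "password1", "tr4velm8p"):   # constructed samples
        print(candidate, check_user_password(candidate) or "ok")
    print("root2024", check_system_password("root2024"))
```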
A virus or trojan can open a security hole in the system which can lead to intruders damaging data. Viruses can easily infect a system when a user opens a suspicious email or visits a website with malicious content.
The antivirus policy focuses on preventing the security risks in this category. Its purpose is to establish a standard for employees to keep their antivirus software updated and to keep their computers from being infected by malicious content such as viruses and trojan horses.
- Employees must not open any email attachments from unknown sources.
- Employees must not download any form of executable file from email messages, such as .exe, .com or .bat files.
- Employees must make sure that the antivirus software on their computer is up to date, and if their antivirus subscription has expired, they must report it to the IT manager.
- Employees must schedule a virus scan at least once per week.
- All software installations must be made by the IT department; employees are not allowed to install software on the computer from any source such as CD/DVD, USB drives or the internet.
- The IT manager must disable the admin user privileges which allow employees to install software.
- The IT manager should block access to CD drives and USB drives.
- An employee who detects a virus should contact the IT department, and after the investigation the employee must change his/her password.
- Employees should not attempt to disable the antivirus or any other security software.
- If there is any suspicious trojan horse traffic on an employee's computer, the employee must report it to the IT department.
The IT manager must disable the employee's account until the investigation is completed and change the password if necessary. The employee might face disciplinary action if the infection was caused by the employee's negligence.
Internet usage policy
Access to the Internet is a useful means of communication. The Internet is primarily for business use, and employees are permitted to use the Internet for occasional and business use only.
Majid Co. will take all reasonable steps to make sure that all employees are aware of this policy and their legal obligations. This will be done by training the staff.
The IT manager is responsible for monitoring the network for unacceptable use and will take action against those who fail to meet this policy.
All users should take reasonable precautions to prevent viruses or other malicious content from infecting the company's network.
The purpose of this policy is to ensure the proper use of the Internet, so that all staff keep to the acceptable use defined in this policy.
- Acceptable Internet Usage
- Personal use outside normal working hours, for limited periods, is allowed.
- Staff are not allowed to run a private business using Majid Co.’s internet facility.
- Unacceptable Internet Usage
- Viewing any pornographic, obscene, indecent or any sexual materials.
- Viewing any illegal materials
- Employees are not permitted to perform any activities to run a private business.
- Employees are not allowed to send offensive, harassing materials or send malicious contents using Internet facility.
- Employees are not allowed to deliberately waste network resources such as bandwidth, or to carry out any activities which may interfere with other employees' work.
- Any activity which involves the deliberate introduction of viruses, spyware or malware.
- Streaming video or audio, or using the Internet for chat, social networks or downloading, is not allowed unless it is related to the business.
- Using the Internet to send spam or illegal advertisements to other users is prohibited.
- Downloading or transmitting any copyrighted material is strictly prohibited.
- System Monitoring
All Internet traffic is logged automatically and monitored by the IT department to ensure that damaging code and viruses do not enter the organization's network.
Majid Co. also uses software that prevents users from visiting sites with harmful content or illegal material. In addition, only the network ports which need to be open will be accessible; all other ports will be closed by the firewall in the IT department.
The IT manager should warn the employee and also notify the manager if an employee fails to meet this policy. The IT department should start an investigation if there is a suspected virus or trojan infection in the network. The employee might face disciplinary action if the infection was caused by the employee's negligence.
In small and medium-sized enterprises, security policy documents are created to set constraints on the behavior of members. These documents define acceptable use and unacceptable behavior, and SMEs need to enforce them to ensure that members follow the rules for securing the systems and facilities in the organization. To outline policy documents, it is essential to understand how to create policies that are as effective and enforceable as possible.
Identifying assets, threats, vulnerabilities and attacks are the steps to be taken in order to develop a risk analysis and prioritize security threats for SMEs. Using these reports, it is possible to provide more effective security policy documents to cover the different facilities in SMEs. If security policies are properly implemented, they can be effective for information security.
There are no silver bullets in security: attacks and threats are always changing, and that should affect security policy documents as well. Security policy documents must therefore be updated when it becomes necessary.
Security documents must be easy for employees to access, and the contents of policy documents should be easy to use and understand. Structuring policy documents in a hierarchical manner makes them easier to understand.
The contents of security policy documents may vary between organizations, even though there are some fundamental principles that policy documents should enforce, such as password policies.
- Gollmann, D., 2011. Computer Security. 3rd ed. United Kingdom: John Wiley and Sons Ltd.
- The STRIDE Threat Model [ONLINE] Available at: http://msdn.microsoft.com/en-us/library/ee823878%28v=cs.20%29.aspx [Accessed 15 March 2011]
- Threat Risk Modeling – OWASP [ONLINE] Available at: http://www.owasp.org/index.php/Threat_Risk_Modeling [Accessed 20 March 2011]
- Computer Security Handbook: The NIST handbook, Special Publication 800-12, pp.62
- Practical Threat Analysis and Risk Management | Linux Journal [ONLINE] Available at: http://www.linuxjournal.com/article/5567?page=0,2 [Accessed 21 March 2011]
- Top 10 Threats to SME Data Security. 2008 [ONLINE] Available at: http://www.bnaindia.com/files/wg_top10-summary_wp.pdf [Accessed 12 March 2011]
- The new SME definition | User guide and model declaration. 2005 [ONLINE] Available at: http://ec.europa.eu/enterprise/policies/sme/files/sme_definition/sme_user_guide_en.pdf [Accessed 20 March 2011]
- A. P. Lenaghan, C. Onwubiko, (2007). Managing Security Threats and Vulnerabilities for Small to Medium Enterprises. In IEEE International Conference on Intelligence and Security Informatics 2007. London: Kingston University 1-6
- C. Onwubiko, A. P. Lenaghan, L. Hebbes & R. Malyan (2005), “The Representation and use of Relation Information for the Detection of Threats by Security Information Management Systems”, Proceeding of European Conference on Computer Network Defence, EC2ND 2005, United Kingdom, Springer, December, University of Glamorgan, Wales UK, ISBN/ISSN 1- 84628-311-6 (2005)
- GFI white paper. Security threats: a guide for small and medium enterprises[ONLINE] Available at: http://www.gfi.com/whitepapers/Security_threats_SMEs.pdf [Accessed 22 March 2011]
- Bishop, M. “Hierarchical Take-Grant Protection System” Proceedings of the eighth ACM symposium on Operating systems principles. Pacific Grove, California, pgs. 109 – 122 1981.
- RFC 1457. “Security Label Framework for the Internet” [Online] available at: http://www.ietf.org/rfc/rfc1457.txt [Accessed 18 March 2011]
- N. Balon, I. Thabet (2007) Biba security model comparison, CIS 576
- Castano, S. (et. al). Database Security, Addison Wesley, Harlow, England. 1995.
- Object Capability Model [ONLINE] Available at: http://c2.com/cgi/wiki?ObjectCapabilityModel [Accessed 20 March 2011]
- The Chinese Wall security policy [ONLINE] Available at: http://www.gammassl.co.uk/topics/chinesewall.html [Accessed 22 March 2011]
- Orange Book Summary [ONLINE] Available at: http://www.dynamoo.com/orange/summary.htm [Accessed 22 March 2011]
- Murray, T., Analysing object-capability security, in: Proceedings of the Joint Workshop on Foundations of Computer Security, Automated Reasoning for Security Protocol Analysis and Issues in the Theory of Security (FCS-ARSPA-WITS’08), 2008, pp. 177–194.