Archive for the ‘Information Security’ Category

Understanding Permissions in NIST RBAC

NIST RBAC[1] defines  permission in a particular way which is very tricky but very interesting. If OBS is set of objects, and OPS is the set of operation, then NIST defines permission set (PRMS) as  PRMS = 2^(OPS X OBS). For example, if we have OPS={read, write} and OBS = {o1,o2}, then there are 2^(2×2) = 16 permission. Insane! right?

Lets see all the possible permissions:

p0 = {}

p1 = {read o1}

p2 = {write o2}

p3={read o1 and  write o2}.

p5…. p15.




Initially it seems if we have p1, p2, then we don’t need to define p3. Just combining p1 and p2 makes p3. But interestingly this is not the case. Let me explain why.



For example, consider, a bank teller cannot just deposit money (permission p1) in a bank account or withdraw money from a bank account (permission p2). But he can transfer money (permission p3)  from one account to another which is combination of both p1 and p2 permission. We can think of transferring money as two permission of withdrawing money from one account(p2) and deposit to another account(p1). But while doing transferring, the teller cannot exercise permission p2 and p1 as he wishes. If the teller were given both permission p1 and p2 instead of p3, he could exercise p1 as many times he likes and p2 as many times as he likes. Thus exercise of permission p1 and p2 cannot be regulated as we do in transferring money between account.


NIST solves this problem  by combining these permissions by the notion of PRMS = 2^(OPS X OBS). In this notion having permission p3 = (p1 and p2) is different than having both permission p1 and p2.


Now, lets see what happens


Information Security Acts.

Information Security Laws/Acts  applied to Data (generated or maintained by  Educational Institution):

HIPPA (Health Insurance Privacy Protection Act)

 applies to Medical Records specially ePHI (Electronic Protected Health Information) which includes  

  • Names
  • All geographic subdivisions smaller than a State
  • All elements of dates (except year) for dates directly related to an individual including birth date, admission date, discharge date, date of death
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/License numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • URLs
  • IP addresses
  • Biometric identifiers

EAR (Export Administration Regulation) Act:

Generally, an export includes any:

(1) actual shipment of any covered goods or items; 

(2) the electronic or digital transmission of any covered goods, items or related goods or items; 

(3) any release or disclosure, including verbal disclosures or visual inspections, of any technology, software or technical data to any foreign national; or

(4) actual use or application of covered technology on behalf of or for the benefit of a foreign entity or person anywhere.

Data protected under this laws includes:

  • Chemical and biological agents
  • Scientific satellite information
  • Certain software or technical data sent to foreign persons
  • Military electronics….
  • Nuclear Physics
  • Work on new formula for explosives 

Federal Information Security Management Act (FISMA) 

Examples of research work that might be regulated by FISMA include research in which data is provided by federal organizations such as:

  • National Institutes of Health
  • NASA
  • Department of Veterans Affairs

FISMA regulates that data under FISMA can only be stored in following ways: 

GLBA (Gramm-Leach-Bliley Act) to protect  student loan information

data includes:

  • Loan information
  • Student financial aid data
  • Payment History

PCI-DSS (Payment Card Industry Data Security Standards)

This act regulates financial / Credit Card Information:

Regulated data includes:

  • Cardholder name
  • Account number
  • Expiration date
  • Verification number
  • Security code…

FERPA (Family Educational Rights and Privacy Act): 

This act is applied to records that contain information directly related to a student and which are maintained by an educational agency or institution.

data includes:

  • Grades
  • Student Transcripts
  • Degree Information
  • Class Schedule
  • Advising and Disciplinary records

Following ones do  not directly apply to Educational Institution. But interesting to know. 

Freedom of Information Act (FOIA):

The Freedom of Information Act (FOIA) is a federal law that establishes the public’s right to obtain information from federal government agencies. Under this laws US companies, Educational Institution, Non-commercial Scientific Institution or qualified others can request information for Federal Govt.


Categories: Information Security