Sat May 17 10:30:22 PDT 2014

Control Architecture: Trust model: How is trust assessed and managed?


{Businesses, Content, People, Systems} x based on {transparency, historical behavior, transitive trust chains, chain of custody, systematic background checks, psychological factors, external clearances, contracts, nationality, group membership, investigations, credentials, certifications, size, etc.} are trusted for {purposes}.


Businesses: Entities not within the direct control of the executive management making risk-related decisions.

Content: The meaningful utility that is being protected by the protection program.

People: Human beings, whether employees, other workers, customers, or anyone else.

Systems: Computers, mechanisms, equipment, and collections thereof, including the things that make them work.

Historical behavior: The history over time of behaviors demonstrated is used, often as the best predictor of future performance.

Transparency: The extent to which process, implementaitn, and history are available for inspection and the results of such inspection.

Transitive trust chains: The trust of someone you trust, the enemy of my enemy, a friend of a friend of a friend, etc.

Chain of custody: The custody and control of systems and/or content aver the life cycle.

Systematic background checks: Well-defined sets of checks undertaken to find and verify facts about individuals or companies in terms of their past.

Psychological factors: Liking, similarity, behavioral characteristics, looking like others, acting like others, and similar influence properties.

External clearances: Externally defined clearances, such as those granted by governments or partner organizations.

Contracts: Agreements between parties with force of law.

Nationality: Where someone or something originates from or has been determined to be a member of.

Group membership: Memberships of organizations or groups, such as military organizations, clubs, professional societies, award winners, political parties, etc.

Investigations: Detailed reviews of facts based on defined principles with identifiable error rates and reliability.

Credentials: Government credentials such as badges, licenses, etc., professional certificates, degrees, or other third party accreditations.

Certifications: Trusted Systems Evaluation Criteria (TCSEC), Trusted computing group (TCG), Common Criteria (CC), Certified examiners or other professional society or institutional certificates, training certificates, etc.

Size: Depth of financial capacity to handle liabilities, physical characteristics, or other measurable things that justify acceptability of proportional risk.

Copyright(c) Fred Cohen, 1988-2012 - All Rights Reserved