CNSS Model Exercise
Exercises: Answer problems 1 and 2 from the “Exercises” section
(page 35) of Chapter 1 of the textbook.
Some hints on Chapter 1 Exercise 1 (page 35)
A useful reference on the CNSS model can be found
in document NSTISSI No. 4011 from the National Training
Standard for Information Security Professionals
( www.cnss.gov/Assets/pdf/nstissi_4011.pdf )
To answer Exercise 1 (page 35 of text) please refer to Figure 1.2
(CNSS security model) on page 5 of Chapter 1 of the text.
The CNSS model of Figure 1.2 identifies the nine interacting
factors that influence the security of any resource. The nine
key factors are:
(1) Policy: which deals with info security policies in place,
(2) Education: which deals with education of users on security related issues,
(3) Technology: which covers the technology used to implement security measures
(4) Confidentiality: confidentiality of info/data
(5) Integrity: addresses measures in place to ensure data integrity
(6) Availability: to ensure authorized users access to information in usable format
(7) Storage: issues dealing with data storage
(8) Processing: issues that cover the processing and handling of data
(9) Transmission: covers issues related to factors that influence transmission of data
These nine influencing factors can be modeled as a 3-dimensional cube as
shown in Figure 1.2, where the each of the three axes of the cube represent
three of these factors. When we consider the relationship among the three
dimensions represented by the axes shown in Figure 1.2 we have a 3 x 3 x 3
cube with 27 cells, where each cell represents an area of intersection among
the three dimensions that must be addressed.
In Exercise 1 you determine how you would address the different factors that impact
the security and protection of data/information pertaining to this class (such as student
information, student homework submissions, student discussion posts etc.) by applying
the CNSS model (Figure 1.2).
To apply the model, examine the intersecting cells on the CNSS cube from Figure 1.2
and determine how you could address some of the factors influencing security of class
Some examples that you may consider are:
First you could consider the nine factors individually. For example,
(1) Confidentiality: Only students registered in the course have access to the
course web page.
(2) Integrity: Students would have unit logins which would be their means to
access the course webpage via eCollege. Students can only alter or modify
their own work, and cannot change or delete another student’s submitted work.
(3) Availability: The university would ensure that the eCollege site is accessible
to all online students with minimal downtime for maintenance and upgrades.
After you have addressed the individual factors, you can address the intersecting
cells in the CNSS security model of Figure 1.2. Some examples include:
– Confidentiality/Policy/Storage – This cell represents the intersection of the
factors Data Confidentiality, Security Policy, and Data Storage. This can be
addressed by adopting the following policy:– “Only students registered in the
course are able to access course related material and student discussion posts.
Additionally, homework assignments are only viewable by the instructor and the
– Integrity/Policy/Processing – formed by the intersection of the Integrity, Policy,
and Processing cells in Figure 1.2. This can be addressed by having a policy such
as:– “The course would have a policy that would all work submitted by the students
must represent their own work, and would properly cite all sources referenced.”
– Availability/Education/Processing – formed by the intersection of the Availability,
Education, and Processing cells in Figure 1.2. This can be addressed by having a
policy such as:–