
Fifth Edition, Volume 3
OTHER INFORMATION SECURITY BOOKS FROM AUERBACH
Asset Protection and Security Management Handbook, POA Publishing. ISBN: 0-8493-1603-0
Building a Global Information Assurance Program, Raymond J. Curts and Douglas E. Campbell. ISBN: 0-8493-1368-6
Building an Information Security Awareness Program, Mark B. Desman. ISBN: 0-8493-0116-5
Critical Incident Management, Alan B. Sterneckert. ISBN: 0-8493-0010-X
Cyber Crime Investigator's Field Guide, Second Edition, Bruce Middleton. ISBN: 0-8493-2768-7
Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes, Albert J. Marcella, Jr. and Robert S. Greenfield. ISBN: 0-8493-0955-7
The Ethical Hack: A Framework for Business Value Penetration Testing, James S. Tiller. ISBN: 0-8493-1609-X
The Hacker's Handbook: The Strategy Behind Breaking into and Defending Networks, Susan Young and Dave Aitel. ISBN: 0-8493-0888-7
Information Security Architecture: An Integrated Approach to Security in the Organization, Jan Killmeyer Tudor. ISBN: 0-8493-9988-2
Information Security Fundamentals, Thomas R. Peltier. ISBN: 0-8493-1957-9
Information Security Management Handbook, 5th Edition, Harold F. Tipton and Micki Krause. ISBN: 0-8493-1997-8
Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management, Thomas R. Peltier. ISBN: 0-8493-1137-3
Information Security Risk Analysis, Thomas R. Peltier. ISBN: 0-8493-0880-1
Information Technology Control and Audit, Second Edition, Fredrick Gallegos, Daniel Manson, Sandra Allen-Senft, and Carol Gonzales. ISBN: 0-8493-2032-1
Investigator's Guide to Steganography, Gregory Kipper. ISBN: 0-8493-2433-5
Managing a Network Vulnerability Assessment, Thomas Peltier, Justin Peltier, and John A. Blackley. ISBN: 0-8493-1270-1
Network Perimeter Security: Building Defense In-Depth, Cliff Riggs. ISBN: 0-8493-1628-6
The Practical Guide to HIPAA Privacy and Security Compliance, Kevin Beaver and Rebecca Herold. ISBN: 0-8493-1953-6
A Practical Guide to Security Engineering and Information Assurance, Debra S. Herrmann. ISBN: 0-8493-1163-2
The Privacy Papers: Managing Technology, Consumer, Employee and Legislative Actions, Rebecca Herold. ISBN: 0-8493-1248-5
Public Key Infrastructure: Building Trusted Applications and Web Services, John R. Vacca. ISBN: 0-8493-0822-4
Securing and Controlling Cisco Routers, Peter T. Davis. ISBN: 0-8493-1290-6
Strategic Information Security, John Wylder. ISBN: 0-8493-2041-0
Surviving Security: How to Integrate People, Process, and Technology, Second Edition, Amanda Andress. ISBN: 0-8493-2042-9
A Technical Guide to IPSec Virtual Private Networks, James S. Tiller. ISBN: 0-8493-0876-3
Using the Common Criteria for IT Security Evaluation, Debra S. Herrmann. ISBN: 0-8493-1404-6
AUERBACH PUBLICATIONS
www.auerbach-publications.com
To Order Call: 1-800-272-7737 • Fax: 1-800-374-3401
E-mail: [email protected]
Information Security Management Handbook, Fifth Edition, Volume 3

Edited by Harold F. Tipton and Micki Krause

Auerbach Publications
Boca Raton, New York

Chapter 18, Enterprise Security Management Program, by George G. McBride © 2005 Copyright Lucent Technologies.
Chapter 23, Beyond Information Security Awareness Training: It Is Time To Change the Culture, by Stan Stahl © Copyright
2005, Citadel Information Group, Inc. Chapter 25, System Development Security Methodology, by Ian Lim and Ioana V.
Bazavan © Copyright 2003 Accenture. All rights reserved. Used by permission.

Published in 2006 by
Auerbach Publications
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742

© 2006 by Taylor & Francis Group, LLC


Auerbach is an imprint of Taylor & Francis Group

No claim to original U.S. Government works


Printed in the United States of America on acid-free paper
10 9 8 7 6 5 4 3 2 1
International Standard Book Number-10: 0-8493-9561-5 (Hardcover)
International Standard Book Number-13: 978-0-8493-9561-1 (Hardcover)
Library of Congress Card Number 2003061151
This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with
permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish
reliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materials
or for the consequences of their use.

No part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or
other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information
storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com
(http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC) 222 Rosewood Drive, Danvers, MA
01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For
organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for
identification and explanation without intent to infringe.

Library of Congress Cataloging-in-Publication Data

Information security management handbook / Harold F. Tipton, Micki Krause, editors.--5th ed.
p. cm.
Includes bibliographical references and index.
ISBN 0-8493-9561-5 (alk. paper)
1. Computer security--Management--Handbooks, manuals, etc. 2. Data protection--Handbooks, manuals,
etc. I. Tipton, Harold F. II. Krause, Micki.

QA76.9.A25I54165 2003
658’.0558--dc22 2003061151

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com
and the Auerbach Publications Web site at http://www.auerbach-publications.com

Taylor & Francis Group is the Academic Division of Informa plc.
Table of Contents

About the Editors...................................................................................................................... xi


Contributors ...............................................................................................................................xiii
Introduction .............................................................................................................................xxiii

1 ACCESS CONTROL SYSTEMS AND METHODOLOGY ................. 1

Section 1.1 Access Control Techniques


1 Sensitive or Critical Data Access Controls........................................................................... 5
Mollie E. Krehnke and David C. Krehnke
2 An Introduction to Role-Based Access Control ................................................................ 17
Ian Clark
3 Smart Cards.......................................................................................................................... 31
Jim Tiller
4 A Guide to Evaluating Tokens ............................................................................................ 41
Joseph T. Hootman

Section 1.2 Access Control Administration


5 Identity Management: Benefits and Challenges ................................................................ 51
Lynda L. McGhie

2 TELECOMMUNICATIONS AND NETWORK SECURITY ........... 69

Section 2.1 Communications and Network Security


6 An Examination of Firewall Architectures ........................................................................ 73
Paul A. Henry
7 The Five W’s and Designing a Secure, Identity-Based,
Self-Defending Network (5W Network).......................................................................... 119
Samuel W. Chun

8 Maintaining Network Security: Availability via Intelligent Agents................................ 131
Robby Fussell
9 PBX Firewalls: Closing the Back Door ............................................................................ 139
William A. Yarberry, Jr.

Section 2.2 Internet, Intranet, Extranet Security


10 Voice over WLAN .............................................................................................................. 145
Bill Lipiczky
11 Spam Wars: How To Deal with Junk E-Mail................................................................... 155
Al Bredenberg

Section 2.3 Network Attacks and Countermeasures


12 Auditing the Telephony System: Defenses against
Communications Security Breaches and Toll Fraud....................................................... 161
William A. Yarberry, Jr.

3 SECURITY MANAGEMENT PRACTICES ............................................... 175

Section 3.1 Security Management Concepts and Principles


13 The Controls Matrix.......................................................................................................... 179
Robert M. Slade
14 Information Security Governance.................................................................................... 183
Ralph Spencer Poore
15 Belts and Suspenders: Diversity in Information Technology Security .......................... 189
Jeffrey Davis
16 Building Management Commitment through Security
Councils, or Security Council Critical Success Factors .................................................. 197
Todd Fitzgerald

Section 3.4 Risk Management


17 Developing and Conducting a Security Test and Evaluation......................................... 213
Sean M. Price
18 Enterprise Security Management Program ..................................................................... 223
George G. McBride
19 Technology Convergence and Security: A Simplified Risk Management Model.......... 233
Ken M. Shaurette

Section 3.5 Employment Policies and Practices


20 People, Processes, and Technology: A Winning Combination....................................... 241
Felicia M. Nicastro

Section 3.6 Policies, Standards, Procedures, and Guidelines
21 Building an Effective Privacy Program ............................................................................ 251
Rebecca Herold
22 Training Employees To Identify Potential Fraud
and How To Encourage Them To Come Forward.......................................................... 265
Rebecca Herold

Section 3.8 Security Management Planning


23 Beyond Information Security Awareness Training:
It Is Time To Change the Culture .................................................................................... 285
Stan Stahl
24 Establishing a Successful Security Awareness Program .................................................. 295
Charles R. Hudson, Jr.

4 APPLICATIONS AND SYSTEMS DEVELOPMENT SECURITY ............................................................................. 305

Section 4.3 System Development Controls


25 System Development Security Methodology................................................................... 309
Ian Lim and Ioana V. Bazavan
26 Software Engineering Institute Capability Maturity Model ................................................ 325
Matt Nelson

Section 4.4 Malicious Code


27 Organized Crime and Malware ........................................................................................ 339
Michael Pike

Section 4.5 Methods of Attack


28 Enabling Safer Deployment of Internet Mobile Code Technologies............................. 351
Ron Moritz

5 CRYPTOGRAPHY ...................................................................................................... 363

Section 5.2 Crypto Concepts, Methodologies and Practices


29 Blind Detection of Steganographic Content
in Digital Images Using Cellular Automata..................................................................... 367
Sasan Hamidi
30 An Overview of Quantum Cryptography........................................................................ 373
Ben Rothke

31 Elliptic Curve Cryptography: Delivering High-Performance
Security for E-Commerce and Communications............................................................ 385
Paul Lambert

6 SECURITY ARCHITECTURE AND MODELS ...................................... 393

Section 6.1 Principles of Computer and Network Organizations, Architectures, and Designs
32 Enterprise Assurance: A Framework Explored................................................................ 397
Bonnie A. Goins

7 OPERATIONS SECURITY ................................................................................... 403


Section 7.1 Operations Controls
33 Managing Unmanaged Systems........................................................................................ 407
Bill Stackpole and Man Nguyen

Section 7.2 Resource Protection Requirements


34 Understanding Service Level Agreements........................................................................ 423
Gilbert Held

8 BUSINESS CONTINUITY PLANNING AND DISASTER RECOVERY PLANNING .............................................. 429
Section 8.1 Business Continuity Planning
35 Building Maintenance Processes for Business Continuity Plans ................................... 433
Ken Doughty
36 Identifying Critical Business Functions ........................................................................... 445
Bonnie A. Goins
37 Selecting the Right Business Continuity Strategy ........................................................... 451
Ken Doughty

Section 8.2 Disaster Recovery Planning


38 Contingency at a Glance ................................................................................................... 457
Ken M. Shaurette and Thomas J. Schleppenbach
39 The Business Impact Assessment Process and the
Importance of Using Business Process Mapping ............................................................ 465
Carl Jackson
40 How To Test Business Continuity and Disaster Recovery Plans and How Often ........ 483
James S. Mitts

9 LAW, INVESTIGATION, AND ETHICS .................................................... 497
Section 9.1 Information Law
41 Sarbanes–Oxley Compliance: A Technology Practitioner’s Guide................................. 501
Bonnie A. Goins
42 Health Insurance Portability and Accountability Act Security Rule.............................. 511
Lynda L. McGhie
43 The Ethical and Legal Concerns of Spyware ................................................................... 525
Janice C. Sipior, Burke T. Ward, and Georgina R. Roselli

Section 9.3 Major Categories of Computer Crime


44 The Evolution of the Sploit .............................................................................................. 537
Ed Skoudis
45 Computer Crime ............................................................................................................... 551
Christopher A. Pilewski
46 Phishing: A New Twist to an Old Game.......................................................................... 559
Stephen D. Fried
47 It’s All about Power: Information Warfare Tactics
by Terrorists, Activists, and Miscreants............................................................................ 579
Gerald L. Kovacich, Andy Jones, and Perry G. Luzwick

Section 9.4 Incident Handling


48 DCSA: A Practical Approach to Digital Crime Scene Analysis...................................... 601
Marcus K. Rogers
49 What a Computer Security Professional Needs
To Know about E-Discovery and Digital Forensics ........................................................ 615
Larry R. Leibrock
50 How To Begin a Non-Liturgical Forensic Examination ................................................. 621
Carol Stucki

10 PHYSICAL SECURITY ............................................................................................ 637


Section 10.1 Elements of Physical Security
51 Physical Security for Mission-Critical Facilities and Data Centers ............................... 641
Gerald Bowman

INDEX ............................................................................................................................................ 663

About the Editors

Harold F. Tipton, CISSP, currently an independent consultant and past president of the International
Information System Security Certification Consortium, (ISC)2, was Director of Computer Security for
Rockwell International Corporation for 15 years. He initiated the Rockwell computer and data security
program in 1977 and then continued to administer, develop, enhance, and expand the program to
accommodate the control needs produced by technological advances until his retirement from Rockwell
in 1994. He has been a member of the Information Systems Security Association (ISSA) since 1982, was
president of the Los Angeles Chapter in 1984, and was president of the national organization of ISSA
from 1987 to 1989. He was added to the ISSA Hall of Fame and the ISSA Honor Roll in 2000. He received
the Computer Security Institute “Lifetime Achievement Award” in 1994 and the (ISC)2 “Hal Tipton
Award” in 2001. He was a member of the National Institute for Standards and Technology (NIST)
Computer and Telecommunications Security Council and the National Research Council Secure Systems
Study Committee (for the National Academy of Science). He has a bachelor of science degree in
engineering from the U.S. Naval Academy, a master’s degree in personnel administration from George
Washington University, and a certificate in computer science from the University of California, Irvine.
He has published several papers on information security issues in the Information Security Management
Handbook, Data Security Management, Information Systems Security, and the National Academy of Sci-
ences report Computers at Risk. He has been a speaker at all of the major information security conferences,
including the Computer Security Institute, ISSA Annual Working Conference, Computer Security Work-
shop, MIS Conferences, AIS Security for Space Operations, DOE Computer Security Conference, National
Computer Security Conference, IIA Security Conference, EDPAA, UCCEL Security and Audit Users
Conference, and Industrial Security Awareness Conference. He has conducted and participated in infor-
mation security seminars for (ISC)2, Frost & Sullivan, UCI, CSULB, System Exchange Seminars, and the
Institute for International Research. He is currently serving as editor of the Information Security Man-
agement Handbook.

Micki Krause, CISSP, has held positions in the information security profession for the past 20 years. She
is currently the Chief Information Security Officer at Pacific Life Insurance Company in Newport Beach,
California, where she is accountable for directing their information protection and security program
enterprisewide. Micki has held several leadership roles in industry-influential groups including the
Information Systems Security Association (ISSA) and the International Information System Security
Certification Consortium, (ISC)2, and is a long-term advocate for professional security education and
certification. In 2003, Krause received industry recognition as a recipient of the “Women of Vision” award
given by Information Security magazine. In 2002, Krause was honored as the second recipient of the
Harold F. Tipton Award in recognition of sustained career excellence and outstanding contributions to
the profession. She is a reputed speaker, published author, and co-editor of the Information Security
Management Handbook series.

Contributors

Ioana V. Bazavan, CISSP, is the Manager of Information Security Access Services at Safeway, Inc. She
manages a team of 18 people who are charged with providing systems access to all of Safeway’s users and
applications. She has been heavily involved in the design and implementation of Safeway’s Identity
Management strategy and technologies. Previously, Ioana was a manager in Accenture’s global security
practice, specializing in holistic security solutions that focus on users and organizations, as well as on
systems. She gained extensive experience in security policy, standards, and process design and imple-
mentation; compliance solutions based on industry and regulatory standards; security organization
design; user training and awareness; incident response; risk assessment; user management systems;
infrastructure security; systems development methodology; and security strategy. Ioana has industry
experience in financial services, government, high-tech, resources, and retail.

Gerald Bowman is currently the North American Director of ACE and Advanced Technologies for
SYSTIMAX® Solutions for the design professional community and advanced technology in the corporate
enterprise. Jerry joined the SYSTIMAX team from Superior Systems Technologies, where he was Chief
Operating Officer. Prior to that, he was Vice President of Engineering for Riser Management Systems, a
telecommunications design, engineering, management, and consulting firm responsible for consulting
engineering projects for 78 of the tallest buildings in the United States, including 12 Carrier Hotels,
numerous data centers for ISPs, high-end telecom real estate, and other corporate enterprises.

Al Bredenberg is a writer, Web developer, and Internet marketing consultant. He is author of The Small
Business Guide to Internet Marketing and editor of The NET Results News Service, both of which are
electronic publications available over the Internet. He can be reached at [email protected] or through
his World Wide Web site at http://www.copywriter.com.

Samuel W. Chun, CISSP, is Director of Network Services at Digital Support Corporation, a TechTeam
Global Company.

Ian Clark is Head of IT Quality Assurance for GE Consumer Finance. While at Nokia, he was the Security
Portfolio Manager for Nokia’s business infrastructure, working on global security projects. Prior to Nokia,
he worked for EDS and spent 11 years in the British army specializing in secure communications.

Jeffrey Davis, CISSP, has been working in information security for the past ten years. He is currently a
senior manager at Lucent Technologies and is involved with intrusion detection, anti-virus, and threat
assessment. He holds a bachelor’s degree in electrical engineering and a master’s degree in computer
science from Stevens Institute of Technology.

Ken Doughty is the Manager of Disaster Recovery for Colonial, one of Australia’s largest financial
institutions in the banking, insurance, and investment services sector. He has over 20 years of information
systems auditing experience and 12 years business continuity planning experience in the public and
private sectors.

Todd Fitzgerald, CISSP, CISA, CISM, is the Director of Systems Security and Systems Security Officer
for United Government Services, LLC. He has over 25 years of broad-based information technology
experience and has held senior information technology management positions with Fortune 500 and
Global Fortune 250 companies. Todd is a member of the Board of Directors and security taskforce co-
chair for the HIPAA Collaborative of Wisconsin (HIPAA COW); a participant in the CMS/Gartner
Security Best Practices Group, Blue Cross Blue Shield Association Information Security Advisory Group;
a previous board member for several information systems security associations; and a frequent speaker
and writer on security issues. Todd focuses largely on issues related to security management, risk assess-
ments, policy development, organizing security, security assessments, regulatory compliance (HIPAA,
CAST, NIST, ISO17799), security awareness, and developing security programs. Todd can be reached at
[email protected].

Stephen D. Fried, CISSP, CISM, is the Vice President for Information Security and Privacy at Metavante
Corporation. He is a seasoned information security professional with over 20 years’ experience in
information technology. For the past ten years he has concentrated his efforts on providing effective
information security management to large organizations. Stephen has led the creation of security pro-
grams for two Fortune 500 companies and has extensive experience in such diverse security issues as risk
assessment and management, security policy development, security architecture, infrastructure and
perimeter security design, outsource relationship security, offshore development, intellectual property
protection, security technology development, business continuity, secure E-business design, and infor-
mation technology auditing. A frequent speaker at conferences in the United States and internationally,
Stephen is active in many security industry organizations.

Robby Fussell is at the School of Computer and Information Sciences at Nova Southeastern University
in Fort Lauderdale, Florida.

Bonnie A. Goins, BS7799 Certified Lead Auditor, CISSP, CISM, GIAC, ISS, NSA IAM, is a Principal
Consultant with HotSkills, Inc. As a Senior Security Strategist at Isthmus Group, Inc., she was the co-
practice leader for IGI’s Security Practice. She has over 15 years of experience in the areas of information
security; secure network design and implementation; risk, business impact, and security assessment
methods; project management; executive strategy and management consulting; and information tech-
nology. She also has extensive working experience in regulated industries. She has functioned as a National
Security Practice competency leader for multiple companies and has also established premier partnerships
with Novell and Microsoft, across the business continuity/disaster recovery and security disciplines. She
is a coauthor of the Digital Crime Prevention Lab and a contributing reviewer for SANS’ HIPAA Step-
by-Step.

Sasan Hamidi, Ph.D., is Chief Security Officer at Interval International, Inc.

Gilbert Held is an award-winning author and lecturer. Gil is the author of over 50 books and 500 technical
articles. Some of Gil’s recent publications include Building the Wireless Office and The ABCs of TCP/IP,
both published by Auerbach Publications. Gil can be contacted via e-mail at [email protected].

Paul Henry, CISSP, is Senior Vice President of CyberGuard Corporation. He has more than 20 years’
experience with security and safety controls for high-risk environments such as nuclear power plants
and industrial boiler sites. In addition, Paul has developed and managed security projects for major
government and commercial organizations worldwide. Paul has written technical papers on port scanning
basics, buffer over-runs, firewall architectures, and burner management and process controls for nuclear
power plants, as well as white papers on covert channel attacks, distributed denial of service (DDoS)
attacks, common mode noise and common mode rejection, PLC programming, and buffer over-runs.
Paul also frequently serves as a featured and keynote speaker at network security seminars and conferences
worldwide, presenting white papers on diverse topics, including DDoS attack risk mitigation, firewall
architectures, intrusion methodology, enterprise security, and managed security services. In addition to
the CISSP, Paul holds many other security certifications, including MCP+I, MCSE, CCSA, CCSE, CFSA,
CFSO, CISM, and CISA.

Rebecca Herold, CISM, CISA, CISSP, FLMI, is an information privacy, security, and compliance con-
sultant, author, and instructor. Rebecca has over 15 years of information privacy, security, and regulatory
compliance experience and assists organizations of all sizes with their information privacy, security, and
regulatory compliance programs. Prior to owning her own business, Rebecca was Vice President of Privacy
Services and Chief Procurement Officer at DelCreo for two years. Rebecca was also Senior Systems
Security Consultant at Principal Financial Group, where she was instrumental in building an information
security and privacy program that was awarded the 1998 CSI Information Security Program of the Year.
Rebecca is the author of The Privacy Papers (Auerbach, 2001) and Managing an Information Security and
Privacy Training and Awareness Program (Auerbach, 2005) and is co-author of The Practical Guide to
HIPAA Privacy and Security Compliance (Auerbach, 2003) and The Business Executive Practical Guides to
Compliance and Security Risks book series in 2004. She can be reached at rebeccaherold@rebecca-
herold.com

Joseph T. Hootman is President of Computer Security Systems, Inc., a computer and information security
consulting and product sales firm based in Northern California.

Charles R. Hudson, Jr., CISSP, CISM, is an Information Security Manager and Assistant Vice President
at Wilmington Trust Company. Mr. Hudson obtained the Certified Information Systems Security Pro-
fessional (CISSP) designation in 2000 and the Certified Information Security Manager (CISM) designa-
tion in 2003. He is a regular speaker at national conferences and has made presentations at over 15
conferences in the last 5 years as a subject matter expert. Mr. Hudson has contributed to articles for
Computer World, Security Watch, and Information Security Magazine.

Carl Jackson, CISSP, CBCP, is Business Continuity Program Director with Pacific Life Insurance. He is
a Certified Information Systems Security Professional (CISSP) with more than 25 years of experience in
the areas of continuity planning, information security, and information technology internal control and
quality assurance reviews and audits. Prior to joining Pacific Life, he worked with several information
security consulting companies and as a partner with Ernst & Young, where he was the firm’s BCP Line
Leader. Carl has extensive consulting experience with numerous major organizations in multiple indus-
tries, including manufacturing, financial services, transportation, healthcare, technology, pharmaceutical,
retail, aerospace, insurance, and professional sports management. He also has extensive industry business
information security experience as an information security practitioner and as a manager in the field of
information security and business continuity planning. He has written extensively and is a frequent public
speaker on all aspects of information security and business continuity planning. He can be reached at
[email protected].

Andy Jones is an experienced military intelligence analyst and information technology security specialist.
He has had considerable experience in the analysis of intelligence material in strategic, tactical, and
counter-insurgency operations, as well as a wide range of information systems management experience.
In addition, he has considerable experience in the security of information technology systems, having
been responsible for the implementation of information technology security within all areas of the British
Army and in some joint service organizations. He has directed both intelligence and security operations
and briefed the results at the highest level. He was awarded the MBE for his work during his service in
Northern Ireland and has gained an Open University bachelor of science degree in mathematics and
technology. After completing 25 years service with the British Army’s Intelligence Corps, he moved into
research in information warfare and information security. He has gained considerable experience as a
project manager within the U.K. Defence Evaluation and Research Agency (DERA) for security aspects
of digitization of the battlefield initiative and has gained considerable expertise on the criminal and
terrorist aspects of information security. He is currently the business manager for the secure E-business
department of QinetiQ, the privatized portion of DERA. He holds a lecturership with the U.K. Open
University and is a visiting lecturer at the University of Glamorgan in a master of science program for
network security and computer crime.

Gerald L. Kovacich, Ph.D, CISSP, CFE, CPP, has over 37 years of industrial security, investigations,
information systems security, and information warfare experience in the U.S. government as a special
agent; in business, as a technologist and manager for numerous technology-based, international corpo-
rations as an ISSO, security, audit, and investigations manager; and as a consultant to U.S. and foreign
government agencies and corporations. He has also developed and managed several internationally based
InfoSec programs for Fortune 500 corporations and managed several information systems security orga-
nizations, including providing service and support for their information warfare products and services.

David C. Krehnke, CISSP, ISSMP, CISM, CHS-III, IAM, is a Principal Information Security Analyst for
Northrop Grumman Information Technology in Raleigh, North Carolina. He has more than 30 years of
experience in assessment and implementation of information security technologies, policies, practices,
procedures, and protection mechanisms in support of organizational objectives for various federal agen-
cies and government contractors. David has also served the International Information Systems Security
Certification Consortium as a board member, vice president, president, and program director responsible
for test development.

Mollie E. Krehnke, CISSP, CHS-II, IAM, is a Senior Information Security Consultant for Insight Global,
Inc., in Raleigh, North Carolina. Mollie and her husband, David Krehnke, are members of the inventor
team for the Workstation Lock and Alarm System (U.S. Patent No. 6,014,746). Mollie has served as an
information security consultant for more than 15 years.

Paul Lambert is responsible for the development and implementation of Certicom’s product strategy to
meet and exceed current market demands, trends, and forecasts for cryptographic security technologies.
He is currently a government appointee to a technical advisory committee for federal information
processing and an active contributor to technical standards for such security technologies as digital
signatures and network, e-mail, and LAN security. Lambert was previously at Motorola, where he served
as a top security architect, designing the security architecture for a family of products to protect Internet
communications. Prior to Motorola, he was director of security products at Oracle, where he was
responsible for the development and product management of core security technologies for all Oracle
products. Lambert has published numerous papers on key management and communication security
and is the founder and co-chair of the IP security working group in the Internet Engineering Task Force.
He holds bachelor of science degrees in both electrical engineering and computer science from the
University of Colorado, Boulder.

Larry R. Leibrock, Ph.D., is with eForensics, Inc.

Ian Lim, CISSP, is Director of Enterprise Information Security at New Century Financial Corporation.
He works alongside the Information Security Officer to manage the Corporate Information Security
department, develop corporatewide security policies, review and certify the security of enterprise archi-
tectural components, and assure compliance with security-related regulations. Previously, as a Senior
Consultant in Accenture’s global security practice, Ian worked in the healthcare, financial, government,
telecommunications, and high-tech industries to provide information security expertise in the areas of
strategy development, architectural designs, process definitions, and organizational planning.

Bill Lipiczky has practiced in the information technology and security arena for over two decades,
beginning his career as a mainframe operator. As information technology and security evolved, he evolved
as well. His experience includes networking numerous operating systems (UNIX, NetWare, and Windows)
and networking hardware platforms. He currently is a principal in a security consulting and management
firm as well as a lead CISSP instructor for the International Information System Security Certification
Consortium.

Perry G. Luzwick is Director, Information Assurance Architectures, at Northrop Grumman Information
Technology for information warfare, information assurance, critical infrastructure protection, and knowl-
edge management. Perry served as a Lieutenant Colonel in the U.S. Air Force and was Military Assistant
to the Principal Deputy Assistant Secretary of Defense for Command, Control, Communications, and
Intelligence; Deputy Director for Defensive IO, IO Strategy, and Integration Directorate; Chief, Infor-
mation Assurance Architecture, Directorate for Engineering and Interoperability, Defense Information
Systems Agency (DISA); Deputy Chief, Current Operations and Chief, Operations and Information
Warfare Integration, Operations Directorate, DISA; Information Assurance Action Officer, Information
Assurance Division (J6K), the Joint Staff; and Chief, JCS, CINC, and Defense Agency Communica-
tions–Computer Security Support, National Security Agency.

George G. McBride, CISSP, is the Senior Manager of Lucent Technologies’ Global Risk Assessment and
Penetration Testing group in Holmdel, New Jersey, and has worked in the network security industry for
more than six years. George has spoken at conferences worldwide on topics such as penetration testing,
risk assessments, and open source security tools. He has consulted to numerous Fortune 100 companies
on projects including network architecture, application vulnerability assessments, and security organi-
zation development. George has a bachelor’s degree in electronic engineering and a master’s degree in
software engineering.

Lynda L. McGhie, CISSP, CISM, is the Information Security Officer/Risk Manager for Wells Fargo Bank,
Private Client Services (PCS). Lynda has over 23 years of information technology and information security
experience, specializing in risk management and compliance, security engineering and design, business
continuity planning and crisis management, network security, and identity management. Lynda was
formerly the Chief Information Security Officer for Delta Dental and Lockheed Martin Corporation. In
her current role, she is responsible for risk management for PCS within the Wells Fargo Corporation
and has a dotted-line responsibility to the corporate CISO/IT security governance. Lynda regularly
publishes articles on state-of-the-art security topics and issues and is also a regular speaker for MIS, ISSA,
ISACA, and other information technology and security venues.

James S. Mitts, CISSP, is a Principal Consultant with Vigilant Services Group who has over 18 years of
demonstrated ability in managing, planning, implementing, and controlling complex projects involving
numerous aspects of business continuity, disaster recovery, and information technology and security. He
holds a bachelor of science degree in professional management from Nova University.

Ron Moritz is director of the Technology Office at Finjan Software, where he serves as primary technology
visionary. As a key member of the senior management team interfacing between sales, marketing, product
management, and product development, Moritz helps establish and maintain the company’s technological
standards and preserve the company’s leadership role as a developer of advanced Internet security
solutions. He was instrumental in the organization of Finjan’s Java Security Alliance and established and
currently chairs Finjan’s Technical Advisory Board. He is one of a select group of Certified Information
Systems Security Professionals, and he earned his master of software engineering, master of business
administration, and bachelor of arts from Case Western Reserve University in Cleveland, Ohio. Moritz
has served in various capacities, including president, with both the North Coast chapter of the Informa-
tion Systems Security Association and the Northeast Ohio chapter of the Information Systems Audit and
Control Association. He has lectured on Web security, mobile code security, computer ethics, intellectual
property rights, and business continuity and resumption planning. Over the past year, his presentations
on mobile code security have been well received at the European Security Forum (London), the FBI’s
InfraGuard Conference (Cleveland), CSI’s NetSec (San Antonio), MISTI’s Web-Sec Europe (London),
and RSA Data Security (San Francisco).

Matt Nelson spent several years as a programmer, a network manager, and an IT director. He now does
information security and business process consulting for International Network Services. He has a
bachelor’s degree in computer science from Texas A&M University and a master’s in technology man-
agement from The University of Texas at San Antonio. His certifications include the CISSP, PMP, and
ITIL Foundation certifications.

Man Nguyen, CISSP, is a Security Consultant at Microsoft Corporation.

Felicia M. Nicastro, CISSP, CHSP, is a Principal Consultant with International Network Services (INS).
Felicia has worked with various Fortune 500 companies over the four years she has been with INS. Her
areas of expertise include security policies and procedures, security assessments and security architecture
planning, design, implementation, and operation. Prior to joining INS, Felicia was a systems adminis-
trator for the Associated Press, responsible for UNIX and security administration. Felicia earned her
bachelor’s degree in management information systems from Stockton College in New Jersey. Her e-mail
address is [email protected].

Michael Pike, ITIL, CISSP, is an information security consultant working for a large local government
organization in the United Kingdom. He started working in information technology over 14 years ago
and spent several years in end-user support and information technology operations before moving to
information security full time. Michael has worked for a variety of public and private sector organizations
in the North of England. His experience includes security analysis, forensic work, and incident response.
Michael can be contacted at [email protected].

Christopher A. Pilewski, CCSA, CPA/E, FSWCE, FSLCE, MCP, is a Senior Security Strategist at Isthmus
Group, Inc. He has over 14 years of professional experience in networking technology, engineering, audit,
security, and consulting. This experience spans security, risk assessment and mitigation, business process,
technical controls, business continuity, technical project leadership, design, and integration of network
and information systems. Prior to joining the Isthmus Group, he worked for three flagship communi-
cations companies where he led a wide variety of projects in security assessments, implementation of
security systems, secure network architecture, network management systems, quality control/assurance,
protocol analysis, and technical marketing.

Ralph Spencer Poore, CFE, CISA, CISSP, CHS-III, Principal Consultant, Innovè, LLC, and Senior Part-
ner, Pi R Squared Consulting, LLP, provides security, privacy, and compliance consulting services, con-
tinuing a 30-plus-year distinguished career in information security as an inventor, author, consultant,
CISO, CTO, college instructor, and entrepreneur. He has published widely, including articles on infor-
mation security issues in the Information Security Management Handbook and in Information Systems
Security (where he was a past consulting editor). He served in numerous capacities with (ISC)2, including
as a past International president, as founding chairman of the Test Development Committee, and as
chairman of the Governance Committee. He currently serves on the Professional Conduct Committee,
the CBK Committee, and the Americas Advisory Board.

Sean M. Price, CISSP, is an independent information security consultant located in the Washington,
D.C., area. He provides security consulting and engineering support for commercial and government
entities. His experience includes nine years as an electronics technician in metrology for the U.S. Air
Force. He has earned a bachelor’s of science degree in accounting and a master’s of science degree in
computer information systems. Sean is continually immersed in research and development activities for
secure systems. His e-mail address is [email protected].

Marcus K. Rogers, Ph.D., CISSP, CCCI, is with the Department of Computer Technology at Purdue
University.

Georgina R. Roselli is a member of the faculty at the College of Commerce and Finance at Villanova
University.

Ben Rothke, CISSP, CISSM, is a New York City-based senior security consultant with ThruPoint, Inc., and
has over 15 years of industry experience in the area of information systems security. His areas of expertise
are in PKI, HIPAA, 21 CFR Part 11, security and privacy regulatory issues, design and implementation of
systems security, encryption, firewall configuration and review, cryptography, and security policy devel-
opment. Ben is the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill,
2003) and a contributing author to Network Security: The Complete Reference (McGraw–Hill Osborne,
2003) and Information Security Management Handbook (Auerbach, 1999). He can be reached at
[email protected].

Thomas J. Schleppenbach, CISSP, CISM, SCTA, is a Senior Information Security Advisor for MPC
Solutions in Waukesha, Wisconsin. With over 16 total years of information technology experience, Tom
is a trained Computer Forensics investigator who focuses on assisting organizations with secure infra-
structure design and provides strategic security advice to help organizations plan and build information
security programs for compliance with legal and regulatory requirements. Tom is a member of the Western
Wisconsin Chapter of InfraGard Executive planning committee and a member of the Wisconsin Associ-
ation of Computer Crime Investigators and has worked with schools and school districts to educate
children on how to stay safe online. He can be reached at [email protected].

Ken M. Shaurette, CISSP, CISA, CISM, is an Information Security Solutions Manager for MPC Security
Solutions practice located in Pewaukee, Wisconsin. Ken has been in information technology since 1978.
Since 1985, Ken has worked at several organizational levels providing information security and audit
advice and vision for organizations building information security programs in several different industries
and for Fortune 500 organizations. Ken holds several security certifications and is certified in the NSAs
InfoSec Assessment Methodology. As a frequent speaker at regional and national seminars and confer-
ences, Ken has also contributed white papers and other articles on security. Ken is the chairman of the
Information Security Specialist Advisory Board for Milwaukee Area Technical College, president of the
Western Wisconsin Chapter of InfraGard, president of International Systems Security Association–Mil-
waukee Chapter, a member of the Wisconsin Association of Computer Crime Investigators, and co-chair
of the HIPAA-COW (Collaborative of Wisconsin) Security Workgroup; he has also been the co-chair for
the Wisconsin InfraGard KIS (Kids Improving Security) poster contest.

Janice C. Sipior is a member of the faculty at the College of Commerce and Finance at Villanova
University. Janice can be reached at [email protected].

Ed Skoudis, CISSP, is a senior security consultant with Intelguardians Network Intelligence. Ed’s expertise
includes hacker attacks and defenses, the information security industry, and computer privacy issues. He
has performed numerous security assessments, designed secure network architectures, and responded to
computer attacks for clients in the financial, high-technology, healthcare, and other industries. Ed is a
frequent speaker on issues associated with hacker tools and defenses and has published several articles
on these topics, as well as Malware and Counter Hack. Ed is also author of the popular “Crack the Hacker
Challenge” series, which challenges InfoSec professionals to learn from others’ mistakes. Additionally, Ed
conducted a demonstration of hacker techniques against financial institutions for the U.S. Senate. His
prior work experience includes Bell Communications Research (Bellcore), SAIC, Global Integrity, and
Predictive Systems.

Robert M. Slade, MS, CISSP, is a data communications and security specialist from North Vancouver,
British Columbia, Canada. He has both formal training in data communications and exploration with
the BBS and network community and has done communications training for a number of the international
commercial seminar firms. He is the author of Robert Slade’s Guide to Computer Viruses (Springer–Verlag,
1996). He earned a bachelor of science degree at the University of British Columbia, and a master’s from
the University of Oregon. He is the founder of the DECUS Canada Education and Training SIG.

Bill Stackpole, CISSP, CISM, is an Engagement Manager with Microsoft Corporation.

Stan Stahl, Ph.D., is President of Citadel Information Group, Inc.

Carol Stucki is working as a technical producer for PurchasePro.com, a rapidly growing dot.com company
that is an application service provider specializing in Internet-based procurement. Carol’s past experiences
include working with GTE, Perot Systems, and Arthur Andersen as a programmer, system analyst, project
manager, and auditor.

Jim Tiller, CISM, CISA, CISSP, is Chief Security Officer and Managing Vice President of Security Services
for International Network Services (INS). Jim has been with INS since 1998 and has provided security
solutions for global organizations for the last 13 years. He is the author of The Ethical Hack: A Framework
for Business Value Penetration Testing (Auerbach, 2003) and A Technical Guide to IPSec Virtual Private
Networks (Auerbach, 2000) and editor of Information Systems Security.

Burke T. Ward is a member of the faculty at the College of Commerce and Finance at Villanova University.

William A. Yarberry, Jr., CPA, CISA, is a principal with Southwest Telecom Consulting. He is the author
of Computer Telephony Integration (Auerbach, 2002) and co-author of Telecommunications Cost Manage-
ment (Auerbach, 2002). He welcomes reader comments ([email protected]).

Introduction

The landscape of information security has changed. The bad news: It is more nebulous than ever before.
No longer can chief information security officers work solely within the confines of their organizations’
security policies or their industry-specific regulatory mandates and feel comfortable that the depth and
efficacy of their program will not be second guessed. As current events unfold, established institutions
such as Bank of America, Lexis-Nexis, and Choicepoint watch as their reputations come into question
and their names are plastered on the front pages of the national media. Regardless of the incidental
details, be they business process fraud or third-party errors and omissions, all of the events to date have
been publicized as “security breaches.” Does this mean that the chief information security officer is the
individual who is accountable for the deficiencies? If not, who is? What role does the chief information
security officer play in this extraordinarily complex and imprecise environment?
Prompted by current events, legislators hold committee hearings and continue to probe, asking inces-
sant questions about the adequacy of information security and protection programs as they weigh in on
the adoption of additional federal and state regulations relative to widely publicized events such as identity
theft. At the same time, threats such as external hacking endanger the security of organizations’ infra-
structures. Although the data indicates that companies are adopting more robust security postures at the
perimeter, the enemy continues to get smarter and the security professional continues to look for a better
mousetrap. Moreover, immature control disciplines on, for example, Web application development
introduce newer, potentially exploitable vulnerabilities, such as cross-site scripting and buffer overflows.
So, as custodians and guardians of a broad spectrum of information assets, what are we to do? Enter
the Information Security Management Handbook, the mission of which is to arm readers so they are
prepared to do battle in this exciting yet taxing environment. The multitude of authors who have
contributed to this handbook delve into detail on the ten domains of the information security common
body of knowledge, providing technical, people-based, and process-based solutions for many of the same
situations that the readers routinely encounter. Our goal is to empower readers with pragmatic counsel
so they can establish a defensible standard of due care in their own organizations.
As always, this volume balances contemporary articles along with relevant articles from past editions.
We offer this compilation of information, representing hundreds of years of accumulated experience and
knowledge, so our readers can fight the good fight and triumph over the various and sundry challenges
facing all of us.

Good Luck,
Hal Tipton and Micki Krause

Domain 1
Access Control Systems and Methodology

According to Webster’s Dictionary, control is a method to “exercise restraining or directing influence
over.” Organizations use controls to regulate and define the limits of behavior for their workforces,
operations, processes, and systems. Access control is comprised of the processes and supporting technical
tools used to enforce the fundamental principle of least privilege, which ensures that appropriate access
is granted for only those resources required for performance of a job. Access controls can be (1) user
based, (2) role based, or (3) user and role based. [Ample justification exists for beginning the handbook
with the fundamental concept of controlling access to resources. Absent access controls, organizations
have little if any assurance that information will be used or disclosed in other than an authorized manner.]
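As an added illustration (not from the handbook or its authors), the following Python sketch shows the three models the paragraph names: permissions can be granted directly to a user, to a role that users are assigned, or both, and least privilege is enforced by denying any action that is not explicitly granted. It also includes a small least-privilege check that reports permissions a user holds beyond what a job needs. The users, roles, resources and permission names are constructed for the example.

```python
from collections import defaultdict


class AccessPolicy:
    """Access policy combining user-based and role-based grants.

    A permission is an (action, resource) pair. Nothing is permitted unless it
    has been granted, either directly to the user or to one of the user's roles;
    that deny-by-default rule is how least privilege is applied here.
    """

    def __init__(self):
        self._user_perms = defaultdict(set)   # user -> {(action, resource)}
        self._role_perms = defaultdict(set)   # role -> {(action, resource)}
        self._user_roles = defaultdict(set)   # user -> {role}

    # User-based control: a grant tied to one individual
    def grant_user(self, user, action, resource):
        self._user_perms[user].add((action, resource))

    # Role-based control: grants tied to a job function, inherited by assignment
    def grant_role(self, role, action, resource):
        self._role_perms[role].add((action, resource))

    def assign_role(self, user, role):
        self._user_roles[user].add(role)

    def revoke_role(self, user, role):
        # Dropping the role drops every permission it carried (e.g. on job change)
        self._user_roles[user].discard(role)

    def effective_permissions(self, user):
        """All (action, resource) pairs the user holds, directly or via roles."""
        perms = set(self._user_perms.get(user, set()))
        for role in self._user_roles.get(user, set()):
            perms |= self._role_perms.get(role, set())
        return perms

    def is_allowed(self, user, action, resource):
        """Deny by default: only an explicit grant (direct or via a role) permits."""
        return (action, resource) in self.effective_permissions(user)


def excess_permissions(policy, user, job_needs):
    """Least-privilege check: permissions held beyond those the job requires."""
    return policy.effective_permissions(user) - set(job_needs)


def build_sample_policy():
    """Constructed sample policy (hypothetical users, roles and resources)."""
    p = AccessPolicy()
    p.grant_role("payroll-clerk", "read", "payroll-db")
    p.grant_role("payroll-clerk", "update", "payroll-db")
    p.grant_role("auditor", "read", "payroll-db")
    p.grant_role("auditor", "read", "audit-reports")
    p.assign_role("alice", "payroll-clerk")          # role-based only
    p.assign_role("bob", "auditor")                  # role-based ...
    p.grant_user("bob", "read", "firewall-rules")    # ... plus a user-based grant
    return p


if __name__ == "__main__":
    policy = build_sample_policy()
    for user, action, resource in [("alice", "update", "payroll-db"),
                                   ("alice", "read", "audit-reports"),
                                   ("bob", "read", "firewall-rules"),
                                   ("carol", "read", "payroll-db")]:
        verdict = "allow" if policy.is_allowed(user, action, resource) else "deny"
        print(f"{user:6} {action:7} {resource:15} -> {verdict}")
```

Because `is_allowed` consults only explicit grants, a user who is not in the policy at all (carol above) is denied everything, and removing a role with `revoke_role` immediately removes the access that came with it.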

Contents

Section 1.1 Access Control Techniques

1 Sensitive or Critical Data Access Controls ..................................................................................... 5
Mollie E. Krehnke and David C. Krehnke
2 An Introduction to Role-Based Access Control ........................................................................... 17
Ian Clark
3 Smart Cards ................................................................................................................................... 31
Jim Tiller
4 A Guide to Evaluating Tokens ....................................................................................................... 41
Joseph T. Hootman

Section 1.2 Access Control Administration

5 Identity Management: Benefits and Challenges ........................................................................... 51
Lynda L. McGhie
1 Sensitive or Critical Data Access Controls

Mollie E. Krehnke and David C. Krehnke

Introduction
Corporations have incredible amounts of data that is created, acquired, modified, stored, and transmitted.
This data is the lifeblood of the corporation and must be protected like any other strategic asset. The
controls established to prevent unauthorized individuals from accessing a company’s or a customer’s data
will depend on the data itself and the laws and regulations that have been enacted to protect that data.
A company also has proprietary information, including research, customer lists, bids, and proposals —
information the company needs to survive and thrive. A company also has personal, medical, and financial
information and security-related information such as passwords, physical access control and alarm
documentation, firewall rules, security plans, security test and evaluation plans, risk assessments, disaster
recovery plans, and audit reports. Suppliers and business partners may have shared their proprietary
information to enable business processes and joint ventures. Appropriate access controls should be
implemented to restrict access to all of these types of information. The effectiveness of any control will
depend on the environment in which it is implemented and how it is implemented.
The need to protect individual, business, financial, and technology data in the United States has become
paramount in the last 40 years because of the impact of unauthorized disclosure of such information.
Key examples of the resulting legislation are the Privacy Act, the Health Insurance Portability and
Accountability Act (HIPAA), the Sarbanes–Oxley Act (SOX), the Department of State International Traffic
in Arms Regulations (ITAR), and the Department of Commerce Export Administration Regulations (EAR).
The presence of this legislation regarding the protection of certain types of information has mandated
the implementation of security controls in many sectors of the U.S. economy. Companies are required to
show due diligence in the protection of such information, which is a worthwhile objective, given the
impact on an individual, a company, or the nation if this information is disclosed.
Depending on the legislation, the ramifications associated with noncompliance may be minimal or
very significant. The penalty for the unlawful export of items or information controlled under the ITAR
is up to ten years’ imprisonment or a fine of up to $1,000,000, or both, for criminal charges; civil charges
have fines up to $500,000 per violation. The penalty for the unlawful export of items or information
controlled under the EAR is a fine of up to $1,000,000 or five times the value of the exports, whichever
is greater. For an individual, the penalty is imprisonment of up to ten years or a fine of $10,000 to $120,000
per violation, or both. These are just the fines; not included are the costs of frequent reporting to the auditors
for a designated time period regarding resolution of the data exposure and new corrective actions, damage
to the brand of the company, or loss of current or prospective customers who will go elsewhere for their
products and services. The cost of controls to protect such information is likely to be considerably less.

Identify the Organization’s Data and Its Characteristics


To identify the controls required to protect data, it is necessary to know what data the organization has.
Some information may be more readily identified because human resources and finance departments
and privacy offices have been identifying such data for a long time. But, to be complete in an analysis of
corporate data, it is necessary to document all business processes and the associated data. What infor-
mation is being created when the corporation builds a product, sells a product, or provides technical
support on a product to a customer?
When the data has been identified, it is then necessary to determine its characteristics. Is it public
data? Should access be restricted? Who can see and use the data? What persons cannot? Determining
what information has to be protected will depend on the expertise of the data owners, account managers,
program managers, business managers, research directors, and privacy and legal staff (and possibly
others). In some instances, government legislation and regulations for certain types of data change over
time, so a regular review of procedures and controls may be required to determine if the established
controls are still appropriate. For the purposes of this chapter, the terms “sensitive” or “restricted” data
are used to represent data that must be protected from access by individuals not authorized to have that
data. This chapter is not addressing the protection of classified data, although many of the controls being
described are used in protecting classified data.

Identify Data Owner and Data Custodians


After the company’s data has been determined, an individual who is responsible for that data must be
identified. The data owner is a key resource in the definition of the company’s data, including the source,
the type of data (personal, medical, financial), the business processes that use the data, the data form,
the storage location of the data, and the means by which it is transmitted to others. This individual is
also (ultimately) responsible for the integrity, confidentiality, and availability of the data under consid-
eration. The data custodian is the person (or organization) entrusted with possession of and responsibility
for the security of the specified data and must apply the rules established to protect the data. The
cooperation of these individuals is vital to the determination of information sensitivity and criticality
and the associated content-based data access controls.

Determine Information Sensitivity and Criticality


The two information designation categories are sensitivity and criticality, and each category may have
multiple levels. The number of levels will depend not only on the varying types of information requiring
protection but also on the protection measures available to protect a particular level of information.
For example, if it is possible to implement only three levels of controls for a particular category because
of resource restraints, then having five levels for that category will be more differentiation than can be
implemented given those restraints. In instances where several levels have been identified, only the
protection measures required for that specific level are applied to data associated with that level. The
levels of sensitivity and criticality are usually determined by conducting a business impact assessment
(BIA).
Sensitivity reflects the need to protect the confidentiality and integrity of the information. The minimum levels of sensitivity are sensitive and nonsensitive. Criticality reflects the need for continuous availability of the information. Here, the minimum levels are critical and noncritical. Sensitivity and criticality are independent designations. All corporate information should be evaluated to determine both its sensitivity and criticality. Information with any criticality level may have any level of sensitivity and vice versa.
Sensitive or Critical Data Access Controls 7

Involve Key Resources in the Definition of Access Controls


When the data designations have been established for a given set of data, the controls to protect information with that sensitivity and criticality must then be defined. The information security organization will not be able to establish controls unilaterally and will require the cooperation and input of the human resources, legal, physical security, and information technology organizations — and, of course, senior management — to make this happen. These organizations will have to provide input regarding the mandated controls for protecting the data, identification of individuals or groups of individuals who are permitted to access the data, and what protective measures can be implemented and not adversely impact the conduct of business. Defining the required controls will also require knowledge of how the systems are configured, where the information is located, and who has access to those systems. This will require knowledge of the organization’s enterprise information technology architecture and its security architecture in order to implement the appropriate physical and logical access controls. All types of restricted data can be protected in the same way (system high), or the information can be grouped into different types by content and data-dependent access controls specified.

Establish Personnel Controls

Identify Job Functions Requiring Access to Restricted Data


In many cases, the ability to access data is defined by the individual’s job responsibilities; for example,
human resources (HR) information is handled by HR specialists, medical information is handled by
medical staff, and insurance information is handled by claims specialists. But, other company information
will cross many organizational activities, including manufacturing, sales, and technical support for
products sold. Identifying who is handling restricted information in an organization is not an easy process
and requires an in-depth understanding of the company’s business processes and data flows. The data
access flows for a particular company depend on the demographics of the employees, characteristics of
the data, business functions and associated processes, physical configuration of the business facilities,
and information technology infrastructure characteristics and configuration.

Screen Personnel Prior to Granting Access


Personnel accessing restricted information as part of their job responsibilities should have a level of
background screening that is based on the sensitivity and criticality of the information. Data that has a
higher sensitivity or higher criticality should be accessed only by trustworthy individuals, and this may
require a more extensive background screening process. Individuals providing support to applications,
systems, or infrastructure — for the organization or for a customer — should also meet the established
access requirements. This would include employees and consultants who are providing administrative
or technical support to the company databases and servers. With off-shore technical support being
provided for many commercial off-the-shelf (COTS) products and company services, there is a greater
risk that unauthorized individuals may, inadvertently, have access to restricted information.

Badge Personnel
Each person should have a picture badge. (In the U.S. government, this badge is referred to as a personal
identification verification [PIV] card.) The badge may contain a magnetic strip or smart chip that can
be used to access areas where restricted data is used or stored. Those pictures can also be used in
organizational charts for each business function to help employees understand who is authorized to
access a given area. Permission to access areas containing restricted information can also be indicated on
the badge by background color, borders, or symbols.
8 Information Security Management Handbook

Establish Physical Security Controls


Legislation and federal regulations may mandate that an individual who does not have authorized
access to information cannot be provided with an “opportunity” to access that information; whether
or not the individual would try to access the information has no bearing on this requirement — the
possibility for exposure must not exist. What does this mean for the organization and its business
processes?

Group Employees Working on Restricted Information


If possible, group individuals requiring access to a particular type of restricted information by floors or buildings. This reduces the opportunity for access by unauthorized individuals. If floors in a multiple-story building contain restricted information, badge readers can be installed to permit access to particular floors or corridors. Personnel granted access should not allow unauthorized persons to tailgate on their badges. Badge readers can also be installed in elevators that only permit access to certain floors by individuals with badges for those areas. Of course, persons exiting at a given floor must ensure that only authorized persons leave the elevator on that floor.

Define and Mark Restricted Areas


Persons who need to use restricted data as part of their job responsibilities should be physically separate
from other employees and visitors in order to prevent inadvertent access to restricted data. Areas of
restricted access should be defined based on employee job functions and marked with signs indicating
that the area is a controlled access area, with a point of contact and telephone number for questions or
assistance.

Implement Badge Readers


Each area containing restricted data should be controlled by a guard and hardcopy access control log or
by a badge or biometric reader to grant and document access. The badge reader could be a contact reader
or a proximity reader.

Provide Secure Storage for Data


Employees using restricted data as part of their work responsibilities need to have a secure location to
store that information when it is not in use. This storage could be locked drawers and cabinets in the
employee’s work space or specifically created access-controlled filing areas.

Install Alarms
Install physical alarms in restricted areas to alert guards regarding unauthorized physical access. Install
electronic alarms on devices on the networks to alert security administrators to unauthorized access.
Ensure that trained individuals are available to readily respond to such an alarm and reduce, if not resolve,
the impact of the unauthorized access.

Mark Hardcopy and Label Media


Restricted information, whether in electronic or nonelectronic format, should be legibly and durably
labeled as “RESTRICTED INFORMATION.” This includes workstation screen displays, electronic media,
and hardcopy output. The copy number and handling instructions should be included on hardcopy
documents.

Establish Management Controls

Develop Content-Dependent Access Control Policies and Procedures


Policies provide high-level direction and set management expectations, and procedures provide the step-by-step instructions for controlling access. It is human nature for users to perform tasks differently and inconsistently without proper direction. Inconsistent task performance increases the potential for unauthorized (accidental or intentional) access to take place. An acceptable and appropriate use policy sets management’s expectations concerning the protection of sensitive and critical information and the work-related use of e-mail and the Internet, as well as browsing, modifying, or deleting information belonging to others.

Establish Visitor Controls


Visitors may be required to access individuals and information residing in a restricted area. Before the
visitor can be granted access to the area, it is important to document the purpose of the visit, determine
need-to-know and fulfillment of legislative requirements, and provide a trained escort for the visitor.
Information about a visitor, such as the purpose of the visit, employer (or organization the visitor
represents), proof of citizenship, need-to-know, length of visit, and point of contact at the company,
should be reviewed, approved, documented, and maintained by a security organization. If proof of
citizenship is necessary, the visitor should bring a passport, birth certificate, or notarized copy of either
for a security officer to review and verify. If a birth certificate is used, the individual should also bring
government proof of identity (e.g., driver’s license).
A company should not allow individuals access to the company who have arrived at the last minute
as part of a larger group from another organization. This is a common practice used by industrial
espionage specialists, and it is quite effective because general courtesy would make it seem rude to exclude
that person.
The escort for a visitor should be an individual who has an understanding of the information being
requested, discussed, or presented and can make an accurate determination as to whether or not the
visitor can receive, hear, or see the information. The escort should be prepared to remain with that
individual throughout the visit or identify another appropriate employee who can assume the escort
responsibilities as required.
Secure storage for a visitor’s unauthorized personal items should be provided. Depending on the
sensitivity of the visit and the information being discussed, visitors may not be permitted to bring cellular
phones, camera phones, pagers, personal digital assistants (PDAs), laptop computers, or other data
collection instruments into the restricted areas.
Secure visitor passage corridors should be established. A walk-through prior to the visit can be used to verify that restricted information is properly secured. Escorts assigned to visitors should ensure that the visitors are not exposed to information for which they are not authorized, such as on whiteboards in meeting rooms or employee cubicles, in conversations overheard in hallways or breakrooms, or in documents in employee cubicles. The escort should control tour groups to prevent one or more individuals from breaking away from the group to pursue unauthorized discussions or observations.

Prevent Information Leakage at External Gatherings


Presentations and presentation materials for trade shows, conferences, and symposiums should be
approved in advance. Attendees should be instructed about what topics can and cannot be discussed.
Employees should be trained on the risks of discussing business functions or products with family, friends,
colleagues, and acquaintances.

Authorize Access
Each person’s qualification for access should be verified based on job responsibilities (need to know), background screening, and any legislative requirements (e.g., U.S. citizen). This authorization should be documented in the individual’s personnel file and electronic files such as Microsoft’s Active Directory. Several control models can be used to grant access to corporate information. Organizations implementing mandatory access controls assign security labels to each subject (user) and each data object; mandatory access control consists of the owner authorizing access based on need to know and the system allowing access based on the labeling. Discretionary access control allows data owners (representing organizational units) to specify the type of access (e.g., read, write, delete) others can have to their data; this decentralized approach is usually implemented through access control lists. Rule-based discretionary access control is based on specific rules linking subjects and objects. Administrator-based discretionary access control allows system administrators to control who has access to which objects. Role-based access control grants and revokes access based on a user’s membership in a group; this method is used in most large organizations. For organizations with large data warehouses, data views are preapproved for various role-based groups. Content-based access control uses an arbiter program to determine whether a subject with discretionary access to a file can access specific records in the file. This model provides greater granularity than simple file access. Similar granularity is available using views for access to a database. Regardless of the access control model used, the design of access controls should be based on the principle of least privilege, and the continuing need for access should be revisited on an annual basis for each individual.
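The following is an added example, not code from the handbook, showing how the content-based arbiter described above sits on top of a role-based file-level check and uses the chapter’s independent sensitivity and criticality designations. The role names, organizational units, access rules, and sample records are all constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Iterable, List


# The chapter's two independent designations, each at its minimum two levels.
class Sensitivity(Enum):
    NONSENSITIVE = 0
    SENSITIVE = 1


class Criticality(Enum):
    NONCRITICAL = 0
    CRITICAL = 1


@dataclass(frozen=True)
class Record:
    record_id: int
    owner_unit: str          # organizational unit acting as data owner
    sensitivity: Sensitivity
    criticality: Criticality


@dataclass(frozen=True)
class Subject:
    user_id: str
    roles: FrozenSet[str]    # role-based groups the user belongs to
    units: FrozenSet[str]    # organizational units the user works in (need to know)
    screened: bool           # background screening completed


# Role-based layer: which actions each role may perform on the file as a whole.
# Role names and rights are constructed for this example.
ROLE_ACTIONS = {
    "hr_specialist": {"read", "write"},
    "claims_specialist": {"read"},
    "auditor": {"read"},
}


def file_access_allowed(subject: Subject, action: str) -> bool:
    """File-level (role-based) decision: may this subject open the file for `action` at all?"""
    return any(action in ROLE_ACTIONS.get(role, set()) for role in subject.roles)


def record_access_allowed(subject: Subject, record: Record, action: str) -> bool:
    """Content-based arbiter: per-record decision for a subject that already holds file access.

    Rules (constructed for this example, not the chapter's):
      * nonsensitive records are visible to anyone with file access;
      * sensitive records require a screened user from the owning unit (need to know),
        except that auditors may read them for compliance review;
      * writes to critical records are confined to the owning unit, protecting the
        integrity of data whose continuous availability the business depends on.
    """
    if not file_access_allowed(subject, action):
        return False
    if record.sensitivity is Sensitivity.SENSITIVE:
        auditor_read = action == "read" and "auditor" in subject.roles
        need_to_know = subject.screened and record.owner_unit in subject.units
        if not (auditor_read or need_to_know):
            return False
    if action == "write" and record.criticality is Criticality.CRITICAL:
        return record.owner_unit in subject.units
    return True


def visible_record_ids(subject: Subject, records: Iterable[Record], action: str) -> List[int]:
    """The records the arbiter lets `subject` see or change; denied records are simply omitted."""
    return [r.record_id for r in records if record_access_allowed(subject, r, action)]


# Constructed sample data: one file holding records of mixed designation.
RECORDS = [
    Record(1, "HR", Sensitivity.NONSENSITIVE, Criticality.NONCRITICAL),
    Record(2, "HR", Sensitivity.SENSITIVE, Criticality.NONCRITICAL),
    Record(3, "Claims", Sensitivity.SENSITIVE, Criticality.CRITICAL),
    Record(4, "HR", Sensitivity.NONSENSITIVE, Criticality.CRITICAL),
]

ALICE = Subject("alice", frozenset({"hr_specialist"}), frozenset({"HR"}), screened=True)
BOB = Subject("bob", frozenset({"claims_specialist"}), frozenset({"Claims"}), screened=False)
CAROL = Subject("carol", frozenset({"auditor"}), frozenset(), screened=True)
DAVE = Subject("dave", frozenset(), frozenset({"HR"}), screened=True)   # no role at all

if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL, DAVE):
        print(who.user_id, "read:", visible_record_ids(who, RECORDS, "read"),
              "write:", visible_record_ids(who, RECORDS, "write"))
```

Bob holds file-level read access yet sees neither sensitive record because his screening is incomplete, which is the point of layering the arbiter on top of the role check.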

Establish Enterprise Security Architecture

Require Approved Hardware and Software


To ensure the integrity of the computing infrastructure and the associated information, hardware and
software should be standardized and controlled by an information technology governance committee or
organization; that is, the hardware and software should be on the approved list and only acquired from
approved sources. Personnel wishing to use hardware and software not on the list should first obtain
approval from the information technology governance committee or organization.

Harden Computing Platforms


Hardening control standards should be implemented specific to each platform. These standards should
be updated as new vulnerabilities are uncovered and updates are available. Platforms should not be
deployed to a production environment prior to hardening. Unnecessary services and applications should
be removed or disabled. Unnecessary default accounts and groups should be removed or disabled.
Computers should be configured to deny log-in after a small number of failed attempts. Controls should
be configured to limit privileged access, update and execute access to software, and write access to
directories and files. Guidelines should be established regarding a user’s password length and associated
format complexity. Security mechanisms, such as tokens or certificates, can be configured to strengthen
the system administrator authentication requirements.

Track Hardware and Software Vulnerabilities


Vulnerability advisories involving the software and hardware in use within the corporation should be
tracked and corrective actions implemented as deemed appropriate. Vulnerabilities within a Web server
might allow attackers to compromise the security of the servers and gain unauthorized access to resources
elsewhere in the organization’s network.

Implement Configuration and Change Management


Changes to hardware and software configurations should be managed to ensure that information
resources are not inadvertently exposed to unnecessary risks and vulnerabilities. All changes should be
appropriately tested, approved, and documented. Inappropriate configuration or improper operation of
a Web server may result in the disclosure of restricted corporate information, information about users
or administrators of the Web server including their passwords, or the configuration of the Web server
or network that could be exploited in subsequent attacks.

Implement Software Security Features and Controls


Safeguards embedded in computer software should be activated to protect against compromise, subversion, or unauthorized manipulation. All features and files that have no demonstrable purpose should be disabled or removed. Default privileged log-on IDs, default passwords, and guest accounts should be disabled or removed. The use of administrative and root accounts for running production applications should be prohibited. Access to specific applications and files should be limited. Access to systems software utilities should be restricted to a small number of authorized users. Software that is unlicensed, borrowed, downloaded from online services, public domain shareware/freeware, or unapproved personal software should not be installed.

Sanitize Memory and Storage To Remove Data Residue


Allocated computer memory of shared devices should be sanitized before being made available for the
next job (i.e., object reuse). Likewise, file storage space on shared devices should be sanitized before being
reassigned.

Implement Virus Protection


Virus protection software should be installed and enabled. Centralization of automatic updates ensures
that the latest versions of virus detection software and signature files are installed.

Implement Audit Logs


Audit logs should record significant operation-related activities and security-related events. Audit logs
must be reviewed periodically for potential security incidents and security breaches. The use of an audit
reduction tool increases the efficiency and accuracy of the log review.

Establish Separate Database Servers for Restricted Data


Corporate data is often stored in large databases or data warehouses that are accessible to all employees
and contractors, but not all employees and contractors should have access to the data. The use of
knowledge discovery in databases (KDD) tools for data exploration (often called data mining) in an
iterative process can result in the discovery of “interesting” outcomes. It is possible that those outcomes
can support the inference or actual discovery of restricted information, even with individual identification
and authentication measures for data access in place. Information systems and databases containing
restricted information should be separate from other servers, including Web and application servers, in
order to ensure that unauthorized individuals cannot gain access to restricted information. Such database
servers must also implement security controls appropriate for the level of sensitivity and criticality of
the information they contain.

Control Web Bots


Web bots (also known as agents or spiders) are software applications used to collect, analyze, and index
Web content. An organization may not want its Web site appearing in search engines or have information
disclosed that it would prefer to remain private or at least unadvertised (e.g., e-mail addresses, personal
Internet accesses).

Implement File Integrity Checkers


A file integrity checker computes and stores a checksum for every guarded file. Where feasible, checksums
should be computed, stored, and continually checked for unauthorized changes on restricted data.
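As an added example (not the handbook’s code), the checker below computes and stores a SHA-256 checksum for every file under a guarded directory and reports modified, removed, and added files on each subsequent check. It also covers the failure mode the paragraph leaves implicit: the stored checksums must themselves be protected, here with an HMAC under a key assumed to be kept off the guarded host. File names, contents, and the key are constructed for the demo.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large guarded files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Compute a checksum for every file under the guarded directory, keyed by relative path."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def _canonical(baseline: Dict[str, str]) -> bytes:
    return json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()


def sign_baseline(baseline: Dict[str, str], key: bytes) -> dict:
    """Wrap the baseline with an HMAC so that someone who alters a guarded file cannot
    simply rewrite the stored checksum to match. The key must live off the guarded host."""
    return {"baseline": baseline,
            "mac": hmac.new(key, _canonical(baseline), hashlib.sha256).hexdigest()}


def verify_baseline(signed: dict, key: bytes) -> Dict[str, str]:
    """Return the baseline only if its HMAC checks out; otherwise refuse to use it."""
    expected = hmac.new(key, _canonical(signed["baseline"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["mac"]):
        raise ValueError("baseline MAC mismatch: stored checksums may have been tampered with")
    return signed["baseline"]


def check_integrity(root: Path, baseline: Dict[str, str]) -> Dict[str, list]:
    """Re-hash the tree and report every deviation from the trusted baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "removed": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline a directory, tamper with it, then review the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "restricted"
        root.mkdir()
        (root / "payroll.csv").write_text("id,name,salary\n1,alice,100\n")
        (root / "claims.txt").write_text("claim 42 approved\n")
        key = b"constructed-demo-key"   # demo only; a real key is generated and stored off-host
        signed = sign_baseline(build_baseline(root), key)

        # Unauthorized changes: edit one file, delete another, drop in a new one.
        (root / "payroll.csv").write_text("id,name,salary\n1,alice,999\n")
        (root / "claims.txt").unlink()
        (root / "notes.txt").write_text("new file\n")

        report = check_integrity(root, verify_baseline(signed, key))

        # Someone who also edits the stored checksum is caught by the MAC check.
        forged = {"baseline": dict(signed["baseline"], **{"payroll.csv": "00" * 32}),
                  "mac": signed["mac"]}
        try:
            verify_baseline(forged, key)
            report["forged_baseline_rejected"] = False
        except ValueError:
            report["forged_baseline_rejected"] = True
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```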

Implement Secure Enclaves


Information designated as restricted may be placed in a secure enclave. Secure enclaves are network areas where special protections and access controls, such as firewalls and routers, are utilized to secure the information. Secure enclaves apply security rules consistently and protect multiple systems across application boundaries. Secure enclaves should employ protection for the highest level of information sensitivity in that enclave.

Protect the Perimeter


The perimeter between the corporate network and the Internet should be protected by implementing firewalls and demilitarized zones (DMZs). Firewalls should run on a dedicated computer with all nonessential firewall-related software, such as compilers, editors, and communications software, deleted. The firewall should be configured to deny all services not expressly permitted, audit and monitor all services including those not permitted, detect intrusions or misuse, notify the firewall administrator in near real time of any item that may require immediate attention, and stop passing packets if the logging function becomes disabled. Web servers and electronic commerce systems accessible to the public must reside within a DMZ with approved access control, such as a firewall or controlled interface. Sensitive and critical data should not reside within a DMZ. All inbound traffic to the intranet from the DMZ must be passed through a proxy-capable device.

Control Business Partner Connections


When establishing third-party connections, access controls and administrative procedures should be
implemented to protect the confidentiality of corporate information and that of its business partners
when such information is maintained in the corporate network.

Implement Operational Controls

Authenticate Users
Authentication can be based on something the user knows (password, personal identification number
[PIN], or pass phrases), something the user holds (token), or some user characteristic (biometric).
The use of PINs should be restricted to applications with low risk. Passwords should be complex and
at least eight characters in length. Personal passphrases are the preferred knowledge-based authenticator
because they can be 15 or more characters in length; they can be made more complex by the use of
upper- and lowercase alphabetic characters, numbers, and special characters; and they are easy to
remember (i.e., they do not have to be written down). The number of unsuccessful authentication
attempts should be limited, and the user should just be told that the access attempt failed, not why it
failed.
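The following is an added example, not code from the handbook, that encodes the rules just stated: an eight-character complexity floor for passwords, a 15-character floor for passphrases, a limit on unsuccessful attempts, and a single failure message that never reveals why the attempt failed (unknown user, wrong secret, or locked account). The lockout threshold of five and the PBKDF2 work factor are assumptions; the sample secrets are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Tuple

MIN_PASSWORD_LEN = 8        # from the chapter: passwords at least eight characters
MIN_PASSPHRASE_LEN = 15     # from the chapter: passphrases of 15 or more characters
MAX_FAILED_ATTEMPTS = 5     # assumed threshold; the chapter only says attempts are limited
PBKDF2_ROUNDS = 100_000     # assumed work factor for the demo
FAILURE_MESSAGE = "Authentication failed."   # one message for every failure cause


def meets_policy(secret: str) -> bool:
    """A passphrase qualifies by length alone; a shorter password must mix character classes."""
    if len(secret) >= MIN_PASSPHRASE_LEN:
        return True
    if len(secret) < MIN_PASSWORD_LEN:
        return False
    classes = (any(c.islower() for c in secret), any(c.isupper() for c in secret),
               any(c.isdigit() for c in secret), any(not c.isalnum() for c in secret))
    return sum(classes) >= 3


def derive(secret: str, salt: bytes) -> bytes:
    """Salted, slow hash so that a stolen credential store cannot be brute-forced cheaply."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


class Authenticator:
    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}
        self._dummy_salt = os.urandom(16)   # keeps the work uniform for unknown user names

    def enroll(self, user: str, secret: str) -> None:
        if not meets_policy(secret):
            raise ValueError("secret does not meet the password/passphrase policy")
        salt = os.urandom(16)
        self._accounts[user] = Account(salt, derive(secret, salt))

    def authenticate(self, user: str, secret: str) -> Tuple[bool, str]:
        """Returns (success, message). Every failure, whatever its cause, yields the same message."""
        account = self._accounts.get(user)
        if account is None:
            derive(secret, self._dummy_salt)   # same cost as a real check; no enumeration hint
            return False, FAILURE_MESSAGE
        if account.locked:
            return False, FAILURE_MESSAGE
        if hmac.compare_digest(derive(secret, account.salt), account.digest):
            account.failed_attempts = 0
            return True, "ok"
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True              # stays locked until an administrator resets it
        return False, FAILURE_MESSAGE

    def is_locked(self, user: str) -> bool:
        account = self._accounts.get(user)
        return account is not None and account.locked

    def unlock(self, user: str) -> None:
        """Administrative reset once the failed attempts have been reviewed."""
        account = self._accounts[user]
        account.locked = False
        account.failed_attempts = 0


if __name__ == "__main__":
    auth = Authenticator()
    auth.enroll("alice", "correct horse battery staple")   # constructed passphrase
    print(auth.authenticate("alice", "wrong"))
    print(auth.authenticate("alice", "correct horse battery staple"))
```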

Implement Remote Access Controls


Where remote access is required, remote access security should be implemented. Information resources
requiring remote access should be capable of strong authentication. Remote access from a non-corporate
site should require users or devices to authenticate at the perimeter or connect through a firewall.
Personnel outside corporate firewalls should authenticate at the perimeter. In addition, personnel outside
corporate firewalls should use an encrypted session, such as a virtual private network (VPN) or Secure
Sockets Layer (SSL).

Implement Intrusion Detection and Intrusion Prevention Systems


Intrusion detection and prevention systems should be implemented to detect and shut down unapproved
access to information resources.

Encrypt Restricted Information


Restricted information transmitted over untrusted networks should be encrypted. Restricted information
stored on portable devices and media (e.g., backups) that leave a secured area should be encrypted.
Depending on the level of sensitivity, it may also be prudent to encrypt information in storage.

Implement Workstation Controls


Workstations should have an approved personal firewall installed. Other security controls may include, but are not limited to, positioning the screen to restrict viewing by passersby, a lockable keyboard, a power lock, and desk-fastening hardware. Computer sessions should time out after a period of inactivity and require reauthentication to continue the session. The reauthentication can be a password, a token such as a fob or smart card, or a biometric. The location of the workstation and the signal strength of the device must be considered for proximity fobs and smart cards to ensure that the session is not reactivated when the user and the user’s device are in an adjacent hallway, breakroom, restroom, etc., because the signal may not be attenuated by interior walls and cubicles.

Implement Controls for Portable Devices


Portable devices must be protected against damage, unauthorized access, and theft. All personnel who
use or have custody of portable devices, such as laptop computers, notebook computers, palm tops,
handheld devices, wireless telephones, and removable storage media devices, are responsible for their
safekeeping and the protection of any sensitive or critical information stored on them. Laptop and
notebook computers should connect to the corporate intranet at least once a week to receive the latest
software patches, antivirus pattern recognition files, and personal firewall patterns. In addition, sensitive
information on portable devices must be protected (e.g., encrypted) when leaving a secure environment.

Release Information on Factory-Fresh or Degaussed Media


Before releasing information on electronic media outside the corporation, the information should be
copied onto factory-fresh media (never used) or onto media appropriately degaussed to prevent the
inadvertent release of restricted information.

Implement Precautions Prior to Maintenance


To prevent inadvertent disclosure of restricted information, all hardware and electronic media being
released for maintenance outside of corporate facilities should, prior to release, undergo data eradication
or the corporation should have in place a legally binding contract with the contractor or vendor regarding
the secure handling and storage of the hardware and electronic media.

Eradicate Electronic Hardware and Media Prior to Disposal


To prevent inadvertent disclosure of restricted information, all electronic hardware and media must, prior to being disposed of, undergo data eradication. Unacceptable practices of erasure include a high-level file erase or high-level formatting that only removes the address location of the file. Acceptable methods of complete erasure include zero-bit formatting, degaussing, overwriting several times (the number depends on information sensitivity), and physical destruction.

Remove Access on Terminations and Transfers


Routine separation of personnel occurs when an individual receives reassignment or promotion, resigns,
retires, or otherwise departs under honorable and friendly conditions. Unless adverse circumstances are
known or suspected, such individuals should be permitted to complete their assigned duties and follow
official employee departure procedures. When personnel leave under nonadverse circumstances, the
individual’s manager, supervisor, or contracting officer must ensure that all accountable items, including
keys, access cards, laptop computers, and other computer-related equipment are returned; the individual’s
computer log-on ID and building access authorizations must be terminated coincident with the
employee’s or contractor’s effective date of departure, unless needed in the new assignment; and all
restricted information, in any format, in the custody of the terminating individual must be returned,
destroyed, or transferred to the custody of another individual.
Removal or dismissal of personnel under involuntary or adverse conditions includes termination for cause, involuntary transfer, and departure with pending grievances. In addition to the routine separation procedures, termination under adverse conditions requires extra precautions to protect corporate information resources and property. The manager, supervisor, or contracting officer of an individual being terminated under adverse circumstances must ensure that the individual is escorted and supervised at all times while in any location that provides access to corporate information resources; immediately suspend and take steps to terminate the individual’s computer log-on IDs, physical access to information systems, and building access authorizations; ensure prompt changing of all computer passwords, access codes, badge reader programming, and physical locks used by the individual being dismissed; and ensure the return of accountable items and correct disposition of “restricted information” as described under routine separation.

Train Users To Protect Restricted Data


Employees must be trained in the identification, marking, handling, and storage of restricted data. A
company with a large number of employees that handle restricted information should consider creating
an automated mechanism for training and tracking of training, so the security personnel are not bogged
down. Security personnel should be available to answer questions, however. Materials and periodic
opportunities should be created to remind employees of their responsibilities to protect information and
provide annual refreshers.

Destroy Information No Longer Needed


Hardcopy containing restricted information no longer needed should be cross shredded on site or stored
in a secure container for pickup by a service provider. Electronic removable media containing restricted
information should be sanitized before reuse or destroyed.

Monitoring for Compliance

Inspect Restricted Data Areas


Physical reviews of areas containing restricted data should be conducted to ensure the data is being
appropriately handled, marked, and stored. Other areas of the company should be reviewed to ensure
that restricted data is not located in those spaces.

Review Electronic Data Access


System and application logs should be reviewed for intrusion and unauthorized access to restricted
information. Access authorizations should also be reviewed periodically to ensure that individuals who
no longer require access have been removed.
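The following is an added example, not the handbook’s code, of the audit reduction the chapter calls for under “Implement Audit Logs” and the log and authorization review described just above. It reduces raw access events to three findings: successful access to restricted data without a matching authorization, users accumulating failures against restricted resources, and authorized users who never exercised their access (candidates for removal). The log format, resource names, users, and authorizations are all constructed for the demo.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set

# Constructed log format (not from any real product):
#   <timestamp> user=<id> action=<verb> resource=<path> result=SUCCESS|FAILURE
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)


def parse_line(line: str) -> Optional[dict]:
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def is_restricted(resource: str, restricted_prefixes: Iterable[str]) -> bool:
    return any(resource.startswith(p) for p in restricted_prefixes)


def is_authorized(user: str, resource: str, authorizations: Dict[str, Set[str]]) -> bool:
    return any(resource.startswith(p) for p in authorizations.get(user, set()))


def reduce_audit_log(lines: Iterable[str], authorizations: Dict[str, Set[str]],
                     restricted_prefixes: Iterable[str], failure_threshold: int = 3) -> dict:
    """Reduce raw events to the findings a reviewer of restricted-data access actually needs."""
    restricted_prefixes = tuple(restricted_prefixes)
    unauthorized_success: List[dict] = []
    failures: Counter = Counter()
    used_access: Set[str] = set()
    unparsed = 0
    for line in lines:
        event = parse_line(line)
        if event is None:
            unparsed += 1        # never drop silently: a malformed line may itself be a finding
            continue
        if not is_restricted(event["resource"], restricted_prefixes):
            continue             # the reduction keeps only restricted-data events
        if event["result"] == "FAILURE":
            failures[event["user"]] += 1
        elif is_authorized(event["user"], event["resource"], authorizations):
            used_access.add(event["user"])
        else:
            unauthorized_success.append(event)
    return {
        "unauthorized_success": unauthorized_success,
        "repeated_failures": sorted(u for u, n in failures.items() if n >= failure_threshold),
        "dormant_authorizations": sorted(u for u in authorizations if u not in used_access),
        "unparsed_lines": unparsed,
    }


# Constructed sample: current authorizations and a day's worth of events.
AUTHORIZATIONS = {"alice": {"hr/"}, "bob": {"claims/"}, "carol": {"hr/"}}
RESTRICTED_PREFIXES = ("hr/", "claims/")
SAMPLE_LOG = """\
2005-03-01T09:12:03Z user=alice action=READ resource=hr/payroll result=SUCCESS
2005-03-01T09:15:41Z user=bob action=READ resource=hr/payroll result=SUCCESS
2005-03-01T09:20:02Z user=mallory action=READ resource=claims/42 result=FAILURE
2005-03-01T09:20:09Z user=mallory action=READ resource=claims/42 result=FAILURE
2005-03-01T09:20:15Z user=mallory action=READ resource=claims/43 result=FAILURE
2005-03-01T09:30:00Z user=dave action=READ resource=public/news result=SUCCESS
2005-03-01T09:31:00Z user=bob action=WRITE resource=claims/42 result=SUCCESS
this line is garbage and is counted rather than ignored
""".splitlines()


def demo() -> dict:
    return reduce_audit_log(SAMPLE_LOG, AUTHORIZATIONS, RESTRICTED_PREFIXES)


if __name__ == "__main__":
    for finding, value in demo().items():
        print(f"{finding}: {value}")
```

Bob’s read of hr/payroll surfaces as unauthorized even though it succeeded, which is exactly the case a plain “failed logins” report would miss; Carol’s unused authorization is the periodic-review finding.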

Ramifications for Noncompliance


What will be the costs to a company for not implementing required information security controls? What
fines would be imposed on its operations? Could the company be sued because exposure of an employee’s
personal information caused significant embarrassment or harm? Will the company’s image be tarnished?
What would the costs be in terms of loss of customers? It is hoped that the experiences of others can
provide an incentive for action, although organizations must be prepared to address the “it can’t happen
here” attitude. They will have to depend on the expertise of the data owners, account managers, program
managers, business managers, research directors, and privacy and legal staff (and possibly others) not
only to determine what information has to be protected and how to protect it but also to help justify
why it must be protected. The controls that may have to be put into place to protect the company’s data
may seem extensive, but the costs associated with not protecting the information can be enormous.
2 An Introduction to Role-Based Access Control

Ian Clark

Introduction
Today’s large organization’s information technology (IT) infrastructure is a mix of complex and incompatible operating systems, applications, and databases spread over a large geographical area. The organization itself has a dynamic population of employees, contractors, business partners, and customers, all of whom require access to various parts of the infrastructure. Most companies rely on manual or semiautomated administration of users and their access to and privileges for various systems. Often different systems will have their own sets of access requirements with different sets of administrators who will have different but often overlapping skill sets, leading to poor use of resources. This increasing number of disparate systems creates an enormous administrative overhead, with each group of administrators often implementing their own policies and procedures with the result that access control data is inconsistent, fragmented across systems, and impossible to analyze.
As the complexity of the organization’s IT infrastructure increases, the demand for access control administration across the enterprise outgrows the capacity of manual administration across the distributed systems; the increased administrative complexity can also result in increased errors that in turn can lead to increased security risks (Allen, 2001). Additionally, a raft of new legislation, such as Sarbanes–Oxley (SOX) (Sarbanes–Oxley, 2005), means that companies now must be able to prove compliance with well-defined security policies, must be able to provide adequate proof of who has access to which data, and must maintain access and authorization audit trails.
Role-based access control (RBAC) is purported to give a new, fresh approach to access control. It has
the ability to represent the organizational structure and enforce access control policies across the enter-
prise while easing the administrative burden. Additionally, it encompasses the best design principles from
earlier models, such as the principle of least privilege and separation of duties, and can assist in proving
compliance with company security policies and legislative requirements.

Role-Based Access Control


Traditional access control models, such as Bell LaPadula and Clark–Wilson, rely on an access control
matrix where subjects are assigned specific sets of rights according to their level of access. This approach
to access control is still the most popular form of access control today, albeit slightly less complicated in
modern operating systems; however, the thinking surrounding access control and access control
management has slowly been shifting away from the more traditional subject–object models, where the
focus is on the action of the subject, toward task- or role-based models (Sandhu, 1995–1997; Thomas and
Sandhu, 1993). These models encompass organizational needs and reflect the organizational structure,
with a focus on the tasks that must be accomplished. Although the idea of roles has been used in software
applications and mainframe computers for over 20 years (NAC, 2002), the last decade has seen a rise in
interest in the field, as can be seen in the work of Thomas and Sandhu (1993), Ferraiolo and Kuhn (1992),
and Baldwin (1990), where the traditional concepts of access control are challenged and task- and role-
based approaches are presented.

FIGURE 2.1 Core RBAC concept: Users, Roles, Permissions.

A survey by the U.S. National Institute of Standards and Technology (NIST) (Ferraiolo et al., 1993),
showed that many organizations base their access control decisions on the role of the user within the
organization, with the main drivers for access control decisions being customer and shareholder
confidence, privacy of data, and adherence to standards, none of which can be easily accomplished using
traditional models. These findings were further supported and enhanced by a follow-up survey conducted
by SETA Corp. (Smith et al., 1996).
Role-based access control (RBAC) has emerged as the new model to embrace the concept of using
roles to enforce enterprisewide security policies while providing a platform to streamline and simplify
access control management. The basic concept of RBAC, as shown in Figure 2.1, is very simple (Sandhu,
1998b): “Permissions are associated with roles, and users are made members of appropriate roles thereby
acquiring the roles’ permissions.” This is, of course, a simplistic view of RBAC; we will see how the
basic concept can be further extended to make it quite complex.
Within an RBAC system, roles are created that mirror the organizational structure. Users are assigned
to roles according to their job functions and responsibilities within the organization, and permissions
are then assigned to the roles. This allows the access control policy to closely match the organizational
structure of the company. For example, roles in a hospital may include doctor, nurse, or surgeon; in a
bank, they may include accountant, cashier, or loan officer. All of these roles can be defined in the RBAC
system and the appropriate permissions assigned to each.
From its early inception, the concept of RBAC has meant different things depending on where it is
being applied or who has written the paper defining it. The first published RBAC model, which forms
the basis of the standards we have today, came from Ferraiolo and Kuhn (1992) and was further revised
in 1995 (Ferraiolo et al., 1995) after a successful reference implementation (Ferraiolo et al., 2001a). Also
in 1995, the Association for Computing Machinery (ACM, 1995) held its first RBAC workshop, which
brought together both researchers and vendors from across the globe to discuss the salient issues
surrounding RBAC.
In 1996, Sandhu et al. (1996) introduced a framework of four reference models to provide a uniform
approach to RBAC; this framework clearly defined each of the four reference models and allowed them
to be interchanged to create an RBAC system to meet differing implementation needs. In 2000, the model
from Ferraiolo et al. and the framework from Sandhu et al. were combined by NIST to create a standard
RBAC model (Sandhu et al., 2000). After this proposal was further refined by the RBAC community
(Jaeger and Tidswell, 2000; Jansen, 1998), it was proposed by NIST as an RBAC standard (Ferraiolo et
al., 2001b). The model proposed by NIST was adopted in 2004 by the American National Standards
Institute/International Committee for Information Technology Standards (ANSI/INCITS) as ANSI
INCITS 359-2004 (ANSI, 2004). In the following sections, we will take an in-depth look at the RBAC
model using the approved ANSI standard as our reference.

TABLE 2.1 Role-Based Access Control Terms

User: A human being. Although the concept of a user can be extended to include machines, networks, or
intelligent autonomous agents, the definition is limited to a person in this paper for simplicity.
Role: A job function within the context of an organization with some associated semantics regarding the
authority and responsibility conferred on the user assigned to the role.
Objects: Any passive system resource, subject to access control, such as a file, printer, terminal, database
record, etc.
Component: One of the major blocks of RBAC (i.e., core RBAC, hierarchical RBAC, SSD relations, and
DSD relations).
Permissions: An approval to perform an operation on one or more RBAC protected objects.
Operations: An executable image of a program, which upon invocation executes some function for the user.
Sessions: A mapping between a user and an activated subset of roles that are assigned to the user.
Constraints: A relationship between or among roles.

Source: ANSI/INCITS. 2004. 359-2004: Information Technology and Role-Based Access Control. American
National Standards Institute/International Committee for Information Technology Standards,
http://www.techstreet.com/cgi-bin/detail?product_id=1151353.

The RBAC Reference Model

The ANSI standard consists of two parts: the RBAC reference model and the RBAC system and
administrative functional specification. For the purposes of this article, we will only consider the RBAC
reference model. Terms used in the RBAC reference model are defined in Table 2.1. Because not all RBAC
features are either appropriate or necessary for all implementations, the reference model has been broken
down into three distinct but interchangeable components (we will consider each of these components in
turn):
• Core RBAC
• Hierarchical RBAC1
• Constrained RBAC
  • Static separation of duty (SSD) relations
  • Dynamic separation of duty (DSD) relations

Core RBAC
Core RBAC is the very basis of the model. In order to conform to the ANSI standard, an RBAC system
must, as a minimum, implement these core elements. The core model, illustrated in Figure 2.2, consists
of five basic data elements: users, roles, objects, operations, and permissions. As mentioned earlier, users
are assigned to roles and permissions are assigned to roles, in this case to perform operations on objects.
Additionally, the core model includes a set of sessions, with each session being a mapping between a user
and an activated subset of roles assigned to the user.

FIGURE 2.2 Core RBAC components: Users, Roles, Operations, Objects; Permissions (operations on
objects); Sessions.

FIGURE 2.3 Core RBAC role relations: Users, User Assignment (UA), Roles, Permission Assignment (PA),
Permissions (operations on objects); Sessions, linked to Users by user_sessions and to Roles by
session_roles.

The core model also specifies role relations, illustrated in Figure 2.3, which are a key concept. Both
user assignment and permission assignment are shown in the figure with two-way arrows, indicating
that there can be a many-to-many relationship between users and roles (i.e., a user can be assigned to
one or more roles and a role can be assigned to one or more users), as well as between roles and
permissions. This allowance for many-to-many relationships allows the assignment of both roles and
permissions to be flexible and granular which enhances the application of the principle of least privilege.2
Each session is a mapping of one user to possibly many roles; that is, users establish sessions during
which they activate some subsets of roles assigned to them. Each session is associated with a single user
and each user is associated with one or more sessions. The function “session_roles” gives us the roles
activated by the session, and the function “user_sessions” gives us the user that is associated with a session.
The permissions available to the user are the permissions assigned to the roles that are currently active
across all of that user’s session (ANSI, 2004).
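
A runnable model of these core elements, added here as an illustration; it is not code from the handbook
or from the ANSI standard, and the class and method names are assumptions, as are the hospital users,
roles and permissions it builds. One point of naming: ANSI INCITS 359-2004 defines session_roles(s) as
the roles activated by session s, session_users(s) as the single user of that session, and user_sessions(u)
as the set of sessions belonging to user u, and the code uses those names. The permissions available in a
session are the union over that session's active roles, so a user who holds several roles can open a session
with only the subset needed for the task, and deassigning a role takes effect in live sessions as well as in
the UA relation.

```python
"""Core RBAC (ANSI INCITS 359-2004 style) as a minimal, self-contained model.
Constructed example: the RBAC class and its method names are assumptions, not
identifiers from the standard or the handbook. Permissions are (operation, object)
pairs, as in the core model.
"""
from collections import defaultdict
from itertools import count


class RBAC:
    """Users, roles, permissions, the UA and PA relations, and sessions."""
    def __init__(self):
        self.users = set()
        self.roles = set()
        self.permissions = set()      # (operation, object) pairs
        self.ua = defaultdict(set)    # user -> assigned roles (many-to-many)
        self.pa = defaultdict(set)    # role -> granted permissions (many-to-many)
        self.sessions = {}            # session id -> (user, set of active roles)
        self._next_id = count(1)

    def add_user(self, user):
        self.users.add(user)

    def add_role(self, role):
        self.roles.add(role)

    def add_permission(self, operation, obj):
        self.permissions.add((operation, obj))

    def assign_user(self, user, role):
        if user not in self.users or role not in self.roles:
            raise KeyError(f"unknown user or role: {user!r}, {role!r}")
        self.ua[user].add(role)

    def deassign_user(self, user, role):
        """Remove a UA pair; the role also drops out of the user's active sessions."""
        self.ua[user].discard(role)
        for owner, active in self.sessions.values():
            if owner == user:
                active.discard(role)

    def grant_permission(self, role, operation, obj):
        if role not in self.roles or (operation, obj) not in self.permissions:
            raise KeyError(f"unknown role or permission: {role!r}, {(operation, obj)!r}")
        self.pa[role].add((operation, obj))

    def create_session(self, user, roles):
        """A session activates a subset of the roles assigned to its single user."""
        roles = set(roles)
        if not roles <= self.ua[user]:
            raise PermissionError(f"{user!r} is not assigned to {roles - self.ua[user]}")
        sid = next(self._next_id)
        self.sessions[sid] = (user, roles)
        return sid

    def session_users(self, sid):       # standard: session_users(s) -> the session's user
        return self.sessions[sid][0]

    def session_roles(self, sid):       # standard: session_roles(s) -> active roles
        return set(self.sessions[sid][1])

    def user_sessions(self, user):      # standard: user_sessions(u) -> sessions of u
        return {sid for sid, (owner, _) in self.sessions.items() if owner == user}

    def session_permissions(self, sid):
        """Permissions available in a session: the union over its active roles."""
        return set().union(*(self.pa[r] for r in self.session_roles(sid)))

    def check_access(self, sid, operation, obj):
        return (operation, obj) in self.session_permissions(sid)


def demo():
    """Constructed hospital example: one user holding two roles, two sessions."""
    rbac = RBAC()
    for user in ("alice", "bob"):
        rbac.add_user(user)
    for role in ("doctor", "nurse"):
        rbac.add_role(role)
    rbac.add_permission("read", "patient_record")
    rbac.add_permission("prescribe", "medication")
    rbac.grant_permission("doctor", "read", "patient_record")
    rbac.grant_permission("doctor", "prescribe", "medication")
    rbac.grant_permission("nurse", "read", "patient_record")
    rbac.assign_user("alice", "doctor")
    rbac.assign_user("alice", "nurse")
    rbac.assign_user("bob", "nurse")
    nurse_only = rbac.create_session("alice", {"nurse"})   # least privilege for the task at hand
    both = rbac.create_session("alice", {"doctor", "nurse"})
    results = {
        "nurse_session_reads": rbac.check_access(nurse_only, "read", "patient_record"),
        "nurse_session_prescribes": rbac.check_access(nurse_only, "prescribe", "medication"),
        "both_session_prescribes": rbac.check_access(both, "prescribe", "medication"),
        "alice_sessions": len(rbac.user_sessions("alice")),
    }
    rbac.deassign_user("alice", "doctor")   # revocation reaches the live session too
    results["after_deassign_prescribes"] = rbac.check_access(both, "prescribe", "medication")
    return rbac, results
```

Calling demo() shows the two behaviours the text describes: the nurse-only session cannot prescribe even
though Alice also holds the doctor role, and once the doctor role is deassigned the second session loses
that permission immediately rather than at its next logon.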

Hierarchical RBAC
The second component in the RBAC reference model is hierarchical RBAC. In any organization,
employees often have overlapping responsibilities and privileges, and generic operations exist that all
employees should be able to perform. It would be extremely inefficient and would cause unnecessary
administrative overhead to assign these permissions to all roles. To avoid this overhead, role hierarchies
are used. A role hierarchy defines roles that have unique attributes and that may contain other roles; that
is, “one role may implicitly include the operations, constraints and objects that are associated with
another role” (Ferraiolo et al., 1995).
Role hierarchies are consistently discussed whenever considering roles, as they are a natural way to
implement roles in such a way as to reflect an organizational structure to show lines of authority and
responsibility; conventionally, the more senior role is shown toward the top of the diagram and the less
senior role toward the bottom (Sandhu et al., 1996). An example of role hierarchies in a hospital is shown
in Figure 2.4, where the roles of surgeon and radiologist contain the role of specialist, which in turn
contains the role of intern. Because of the transitive nature of role hierarchies, surgeon and radiologist
also contain the role of intern.
The RBAC reference model (Figure 2.5) describes inheritance in terms of permissions; role r1 “inherits”
role r2 if all privileges of r2 are also privileges of r1. Additionally, role permissions are not managed
centrally for some distributed RBAC implementations; for these systems, role hierarchies are managed
in terms of user containment3 relations: Role r1 “contains” role r2 if all users authorized for r1 are also
authorized for r2 (ANSI, 2004). The reference model also recognizes two types of role hierarchies:
• General role hierarchies
• Limited role hierarchies

FIGURE 2.4 An example of role hierarchies: Surgeon and Radiologist (most senior) contain Specialist,
which contains Intern (least senior).

General role hierarchies support multiple inheritances, which allow roles to inherit permissions from
two or more roles; conversely, limited role hierarchies are restricted to inheriting permissions from a
single immediate descendent (ANSI, 2004).

Constrained RBAC
Constrained RBAC adds separation of duty (SoD) relations to the RBAC model. SoD is a universally
practiced principle that helps to prevent fraud and errors by ensuring that “no individual is given sufficient
authority within the system to perpetrate fraud on his own”(Sandhu, 1990). SoD ensures that if a person
is allowed to create or certify a well-formed transaction he or she is not allowed to execute it, thus
ensuring that at least two people are required to make a change to the system. It should be noted that
SoD could be bypassed if two employees were to collude to defeat the system. Further reading on SoD
can be found in the work by Clark and Wilson (1987), Sandhu (1990), and Gligor et al. (1998).
The RBAC reference model refers to two types of SoD: static separation of duty (SSD) relations and
dynamic separation of duty (DSD) relations. As illustrated in Figure 2.6, SSD is concerned with ensuring
that a user cannot hold a particular role set while in possession of a directly conflicting role set; therefore,
within this model it is concerned with constraining user assignments. This makes SSD very efficient at
implementing conflict of interest policies. It should also be noted that SSD relations may exist within
hierarchical RBAC; if this is the case, special care must be taken to ensure that inheritance does not
undermine SSD policies (ANSI, 2004). This could easily happen; for example, a senior role could inherit
two roles of a directly conflicting role set. Various ways to work around this issue have been suggested
(Ferraiolo et al., 1999; Sandhu, 1998a).

FIGURE 2.5 Hierarchical RBAC: the core relations of Figure 2.3 (Users, User Assignment (UA), Roles,
Permission Assignment (PA), Permissions as operations on objects, Sessions with user_sessions and
session_roles) with a Role Hierarchy (RH) relation added on Roles.

FIGURE 2.6 Constrained RBAC: the hierarchical model of Figure 2.5 with SSD constraining the user
assignment of roles and DSD constraining the roles activated in sessions.

Additionally, within a company, a specific role may only be allowed to be filled with a finite number
of users at any given time; for example, the company would only ever have one CEO. Alternatively, a
single user may only be allowed to hold a finite number of roles. SSD allows enforcement of these
cardinality constraints;4 however, despite its obvious advantages, SSD can be considered as being too
inflexible in the area of granularity of specification of conflict of interests. These criticisms are similar
to those leveled against the Chinese Wall model (Brewer and Nash, 1989). These issues have been
addressed by the introduction of DSD, which allows a user to hold two roles that would conflict if
activated together but ensures that the roles are not activated during the same session, thus removing
the possibility of any conflict being realized (ANSI, 2004).
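
The role hierarchy of Figure 2.4 and the SSD, DSD and cardinality constraints of this section, worked
through as one added example; it is not code from the handbook or from the ANSI standard, and the
function names, the finance roles, the CEO limit and the user list are constructed for the illustration. A
hierarchy is written as a mapping from each role to the roles it directly inherits, so authorization is the
transitive closure of that mapping; the SSD check counts inherited roles, which is what catches the case
the text warns about, a senior role that inherits both halves of a conflicting pair.

```python
"""Hierarchical and constrained RBAC over a role hierarchy.
Constructed example; the function names are assumptions, not identifiers from
the standard or the handbook. A hierarchy maps each role to the set of roles it
directly inherits (its immediate juniors). A constraint is (role_set, n): no
user may be authorized for (SSD) or activate in one session (DSD) n or more
roles of role_set.
"""

def inherited_roles(hierarchy, role):
    """Transitive closure of inheritance: the role itself plus every junior reachable from it."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(hierarchy.get(r, ()))
    return seen

def authorized_roles(hierarchy, roles):
    """Roles a user is authorized for: the assigned roles and everything they inherit."""
    return set().union(*(inherited_roles(hierarchy, r) for r in roles))

def effective_permissions(hierarchy, pa, role):
    """A role's own permissions plus those of every role it inherits."""
    return set().union(*(pa.get(r, set()) for r in inherited_roles(hierarchy, role)))

def multi_inheritance_roles(hierarchy):
    """Roles with more than one immediate junior; empty for a limited role hierarchy."""
    return sorted(r for r, juniors in hierarchy.items() if len(juniors) > 1)

def ssd_violations(hierarchy, ua, ssd):
    """Users whose authorized roles (inheritance included) break an SSD constraint."""
    out = []
    for user, roles in ua.items():
        auth = authorized_roles(hierarchy, roles)
        out += [(user, frozenset(auth & rs)) for rs, n in ssd if len(auth & rs) >= n]
    return out

def hierarchy_ssd_conflicts(hierarchy, ssd):
    """Roles that by themselves inherit enough members of an SSD set to violate it."""
    out = []
    for role in hierarchy:
        auth = inherited_roles(hierarchy, role)
        out += [(role, frozenset(auth & rs)) for rs, n in ssd if len(auth & rs) >= n]
    return out

def cardinality_violations(ua, limits):
    """limits: role -> maximum number of users who may hold it (e.g. one CEO)."""
    holders = {}
    for user, roles in ua.items():
        for r in roles:
            holders.setdefault(r, set()).add(user)
    counts = {r: len(holders.get(r, ())) for r in limits}
    return [(r, counts[r]) for r, m in limits.items() if counts[r] > m]

def can_activate(hierarchy, ua, dsd, user, roles):
    """DSD check at session creation: the user may hold conflicting roles but may not
    activate n or more roles of a DSD set (inheritance included) in one session."""
    roles = set(roles)
    if not roles <= ua.get(user, set()):
        return False
    active = authorized_roles(hierarchy, roles)
    return all(len(active & rs) < n for rs, n in dsd)

def demo():
    """Constructed: the Figure 2.4 hospital hierarchy plus a finance hierarchy with a misdesigned senior role."""
    hierarchy = {
        "surgeon": {"specialist"}, "radiologist": {"specialist"},
        "specialist": {"intern"}, "intern": set(),
        # A senior role inheriting both halves of a conflicting pair undermines SSD.
        "finance_head": {"payment_initiator", "payment_approver"},
        "payment_initiator": set(), "payment_approver": set(),
    }
    pa = {
        "intern": {("read", "patient_record")},
        "specialist": {("write", "patient_record")},
        "surgeon": {("schedule", "operating_theatre")},
    }
    ua = {
        "alice": {"surgeon"},
        "bob": {"payment_initiator", "payment_approver"},   # direct SSD violation
        "carol": {"finance_head"},                           # SSD violation via inheritance
        "dave": {"ceo"}, "erin": {"ceo"},                    # two holders of a one-person role
        "frank": {"cashier", "auditor"},                     # may hold both; DSD limits activation
    }
    ssd = [({"payment_initiator", "payment_approver"}, 2)]
    dsd = [({"cashier", "auditor"}, 2)]
    return {
        "surgeon_perms": effective_permissions(hierarchy, pa, "surgeon"),
        "multi": multi_inheritance_roles(hierarchy),
        "ssd": ssd_violations(hierarchy, ua, ssd),
        "hierarchy_conflicts": hierarchy_ssd_conflicts(hierarchy, ssd),
        "cardinality": cardinality_violations(ua, {"ceo": 1}),
        "frank_one": can_activate(hierarchy, ua, dsd, "frank", {"cashier"}),
        "frank_both": can_activate(hierarchy, ua, dsd, "frank", {"cashier", "auditor"}),
    }
```

In demo() the surgeon role ends up with the specialist's and the intern's permissions by transitivity,
finance_head is reported both as the one role that breaks the limited-hierarchy rule and as the role that
defeats the SSD constraint on its own, and Frank passes the DSD check with one of his two conflicting
roles active but not with both.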

RBAC Versus Traditional Access Control Methods


No look at RBAC would be complete without comparing RBAC to some of the more traditional access
control methods, such as:
• Discretionary and mandatory access controls
• Access control lists
• Groups
Discretionary and Mandatory Access Controls
Mandatory access controls (MACs) and discretionary access controls (DACs) are still the most widely
used forms of access control in today’s commercial and military access control systems (Ferraiolo et al.,
2003). A lot of research has been published that discusses the similarities and differences between RBAC
and MAC and DAC (Ferraiolo et al., 2003; Nyanchama and Osborn, 1995; Osborn, 1997; Osborn et al.,
2000); however, one question that remains unanswered is: does the introduction of RBAC mean that
MAC and DAC will be replaced? Positions on this question differ. In a survey by the SETA Corp. (Smith
et al., 1996), it was stated that “RBAC is not a replacement for the existing MAC and DAC products, it
is an adjunct to them.” Conversely, Kuhn (1998) stated that “RBAC is an alternative to traditional MAC
and DAC policies.” Kuhn’s statement would seem to be supported by research that shows that RBAC can
successfully implement both MAC and DAC policies (Nyanchama and Osborn, 1995; Osborn, 1997;
Osborn et al., 2000); for completeness, it should be noted that additional research shows that RBAC can
be implemented using MAC policies (Ferraiolo et al., 2003).
It, therefore, appears initially that because RBAC can so successfully implement MAC and DAC policies
they could become redundant; however, Osborn (1997) showed that significant constraints exist on the
ability to assign roles to subjects without violating MAC rules (Ferraiolo et al., 2003). These constraints,
the lack of guidance in this area from the current standards, and the proliferation of their use in many
of today’s systems mean that, regardless of whether or not RBAC is an adjunct to or replacement for
MAC and DAC, they will remain widely used forms of access control for the foreseeable future. This will
undoubtedly mean that we will see implementations that use RBAC and MAC and DAC as well as
implementations where RBAC interfaces with legacy MAC and DAC systems (Kuhn, 1998).

FIGURE 2.7 User and group permission assignment: Users, Groups, Permissions.

Groups
The use of groups5 (Figure 2.7) in modern operating systems such as Windows 2000 can be considered
very similar to the core RBAC concept illustrated in Figure 2.1; however, some fundamental differences
exist. Groups are generally considered to be collections of users, and determining which users are members
of a given group is extremely easy; however, as permissions can be granted to a group on an ad hoc basis
across several systems, it can be a nearly impossible task to determine exactly where the group has been
granted permission across an enterprise. Because a role is a collection of both users and permissions it
is equally as easy to determine which users and permissions are assigned to the role, and roles cannot
be bypassed. A more fundamental difference is that a role can be considered a policy component; groups
cannot. A role in an enterprise will adhere to a given rule set and exhibit the same properties regardless
of the implementation. Groups, on the other hand, are implementation specific; therefore, their properties
may change from one implementation to another within the same enterprise — for example, between a
Windows 2000 implementation and a UNIX implementation (Sandhu, 1994).

Access Control Lists


The discussion regarding RBAC and access control lists (ACLs) could be very similar to that of RBAC
and groups; in reality, it would merely be an extension of that discussion. With ACLs, the access rights
to an object are stored with the object itself, and these access rights are either users or groups. The fact
that users can be entries in the ACL can complicate management and result in legacy access permissions
for a user being left after group access has been revoked (Ferraiolo et al., 1999); this can make security
assurance extremely difficult and devalues the overall security infrastructure. Barkley (1997) illustrated
how a simple RBAC model can be compared to ACLs if the only entries permitted in the ACL are
groups. While this is a very good argument and is certainly true in the context in which it is presented
(i.e., a basic RBAC model), it does not hold when we consider the more complex RBAC models we
have seen, which are far more flexible and useful than basic ACLs. Additionally, the real power of RBAC
is its ability to abstractly represent the access control policy across the enterprise rather than on the
individual system, which is where an ACL model such as Barkley’s would have to be implemented;
however, ACLs will continue to be used throughout operating systems for the foreseeable future, with
an overlaying RBAC system managing their entries, an example of which can be seen in Karjoth’s work
(Karjoth, 2003).
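
The stale-entry problem the paragraph describes, worked through as an added example; it is not code
from the handbook or from Barkley's or Karjoth's work, and the function names, the objects, the group
and the principals are constructed. An ACL entry is a (principal type, principal, permission) triple, so a
user's effective permissions come from direct user entries and from the entries of groups the user belongs
to. The audit function reports the direct entries that grant something no group membership grants; they
are harmless while the user is still in the group, which is why they are easy to overlook, and they are
exactly what keeps old access alive after the group membership is revoked. With roles, the permission
lives on the role and deassigning the role removes it.

```python
"""Stale direct-user ACL entries that outlive a group revocation.
Constructed example; the function names are assumptions, not identifiers from
the handbook. Each object carries an ACL of (principal_type, principal,
permission) entries, where principal_type is "user" or "group".
"""

def effective_permissions(acl, group_members, user):
    """Permissions an ACL grants a user, directly or through group membership."""
    return {perm for ptype, who, perm in acl
            if (ptype == "user" and who == user)
            or (ptype == "group" and user in group_members.get(who, set()))}

def lingering_user_entries(acls, group_members, user):
    """Per object, the permissions a direct user entry grants that no current group
    membership grants. After a group revocation these entries keep the user's old
    access alive, so an access review should start with them."""
    lingering = {}
    for obj, acl in acls.items():
        via_groups = effective_permissions([e for e in acl if e[0] == "group"], group_members, user)
        direct = {perm for ptype, who, perm in acl if ptype == "user" and who == user}
        if direct - via_groups:
            lingering[obj] = direct - via_groups
    return lingering

def snapshot(acls, group_members, user):
    """Effective permissions per object plus the lingering direct entries, for comparison."""
    return {
        "effective": {obj: effective_permissions(acl, group_members, user) for obj, acl in acls.items()},
        "lingering": lingering_user_entries(acls, group_members, user),
    }

def demo():
    """Constructed: Alice leaves the finance group; an ad hoc direct entry keeps her write access."""
    group_members = {"finance": {"alice", "bob"}}
    acls = {
        "ledger.xlsx": [("group", "finance", "read"), ("group", "finance", "write"),
                        ("user", "alice", "write")],   # ad hoc grant duplicating the group right
        "payroll.db": [("group", "finance", "read")],
    }
    before = snapshot(acls, group_members, "alice")
    group_members["finance"].discard("alice")     # the revocation an administrator performs
    after = snapshot(acls, group_members, "alice")
    return before, after
```

Before the revocation the audit reports nothing, because the direct entry grants no more than the group
already does; after it, Alice has lost payroll.db entirely but still writes ledger.xlsx, and the direct entry is
now listed as the reason.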

TABLE 2.2 Companies Offering RBAC-Enabled Products in 2002

Access360, Inc.
Adexa, Inc.
Baltimore Technologies
BEA Systems, Inc.
BMC Software, Inc.
Cisco Systems, Inc.
Entrust, Inc.
Entrust Information Security Corp.
International Business Machines Corp.
Internet Security Systems, Inc.
iPlanet E-Commerce Solutions
Microsoft Corp.
Network Associates, Inc.
Novell Corp.
OpenNetwork Technologies, Inc.
Oracle Corp.
PGP Security, Inc.
Protegrity, Inc.
Radiant Logic, Inc.
RSA Security, Inc.
Secure Computing Corp.
Siemens AG
SETA Corp.
Sun Microsystems, Inc.
Sybase, Inc.
Symantec Corp.
Systor AG
Tivoli Systems, Inc.
Vignette Corp.

Source: Gallaher, M. et al. 2002. The Economic Impact of Role-Based Access Control, a report prepared
by RTI and submitted to National Institute of Standards and Technology, Gaithersburg, MD
(http://www.nist.gov/director/prog-ofc/report02-1.pdf).

Commercial RBAC
Role-based access control has already been successfully implemented to varying degrees in many com-
mercial systems. In a report submitted to NIST in 2002, Gallaher et al. (2002) identified organizations
offering RBAC-enabled products at the time (see Table 2.2). These commercially available products range
from database management systems (DBMSs) and application management to operating systems; in
most cases, they meet the basic requirements for RBAC as laid out in the ANSI standard, but few of the
products offer enterprisewide solutions as they mainly focus on their own systems or related applications.
Of course, this list has grown since the original research in 2002, with improved offerings and an
increasing number of companies moving into the “enterprise RBAC” niche; however, the number of
companies offering truly enterprisewide RBAC is still minimal. This seems a shame because the strength
of RBAC over other access control systems is its ability to represent the organizational structure and
enforce access control policies across the enterprise; this is the area vendors must address if RBAC is to
become a viable and easy option for today’s enterprises. That said, this does not mean that RBAC is not
ready for the enterprise today; rather, several issues must simply be taken into account when planning
an RBAC implementation.

Implementing RBAC
Before an organization can even consider the actual RBAC implementation, they must consider all of
the additional work, as illustrated in Figure 2.8, which must be successfully completed before such an
implementation can be achieved. Much has already been written about access control policies so they
will not be considered here.

Identify the Scope and Motivation


It should be remembered when implementing an RBAC system that technology is only a small part of
the overall solution. Before making any technology choices the implementing organization should ensure
that the scope and requirements are clearly defined. One of the biggest challenges to implementing an
enterprisewide RBAC system is integration with legacy systems.6 As with all new initiatives within an
enterprise, an RBAC implementation requires support from senior management to be successful. If
implementation required the costly replacement of all legacy systems with more compatible systems, that
support would not be forthcoming and the project would fail. It is for this reason that the scope of a
potential project must be well defined in the early stages and expectations set at the correct level. If the
project is sold as the silver bullet that will end all access control woes, it is likely to be approved, but
when the final solution can only cover 45 percent of the organization’s systems some tough questions
will have to be answered. To fully understand the scope of the implementation and ensure that the scope
can be achieved, the motivation for implementing RBAC must also be fully understood. If the motivation
is purely for regulatory compliance, then all systems affected by that legislation must fall under the scope;
if the motivation is to bring together existing user management and access control systems in one unified
solution, then all existing systems must be identified. The motivation may also have an impact on the
project schedule, which in turn may have a direct impact on which vendors can offer a solution to meet
the organization’s needs.

FIGURE 2.8 Implementation flow: Access Control Policy Definition, then Identify Scope and Motivation,
then Requirements Gathering and Role Engineering, then Technology Selection, then Implementation.

Requirements Gathering
Today’s large and complex enterprises may have many incompatible operating systems, applications, and
databases spread over a large geographical area; each may have its own requirements when it comes to
access control. Once the systems within the scope of the project have been identified, the requirements
of each must be understood and documented so they can be conveyed to potential vendors. It is important
to understand which requirements are primary and which are secondary, so vendors can get a true
understanding of which solutions will meet the organization’s core needs. Time spent on this area early
on will undoubtedly save time with vendor selection and implementation later.

Role Engineering
The process of defining roles, permissions, role hierarchies, and constraints and assigning permissions
to roles is known as role engineering (Qingfeng, 2003). Role engineering is an essential first step when
implementing RBAC and possibly the most important step to ensuring success. The task of identifying
till the birds perched on his hands. Another Columba, the founder, as
I suspect, of Columb Major and Minor, was almost incommoded with
their affection, fluttering about his face.
“How is it,” asked one of his disciples, “that the birds avoid us and
gather round you?”
“Is it not natural,” answered the saint, “that birds should come to
a bird?”
A play on his name, for Columba signifies a dove.
S. Cainnech saw a rich lady with a starved dog.
“Who feeds that poor brute?” he asked.
“I do,” answered the lady.
“Feed it? Maltreat it. Go and eat what you cast to the poor hound,
and in a week return and tell me how you relish such treatment.”
One day an abbot saw a little bird with drooping wings.
“Why is the poor thing so wretched?” he asked.
“Do you not know,” said a bystander, “that Molua is dead? He was
full of pity to all animals. Never did he injure one. Do you marvel
then that the little birds lament his decease?”
It was the same with regard to children.
One day King Eochaid sent his little son with a message to S.
Maccarthen. The child’s mother gave him an apple to eat on the
way. The boy played with it, and it rolled from him and was lost. He
hunted for his apple till the sun set, and then, tired, laid himself
down in the middle of the road and fell asleep. Maccarthen was
going along the road and found the sleeping child there. He at once
wrapped his mantle round him, and sat by him all night. Many
horsemen and cars passed before the child woke, but the old man
made them get by as best they might, and he would neither suffer
the child to be disturbed, nor let an accident befall him in the dark.
Great as were the powers conferred on the Celtic saints or
arrogated to themselves, there can be no doubt but that they
employed them mainly as a means of delivering the innocent, and in
putting down barbarous customs.
S. Erc—in Cornwall Erth—made use of his influence to prevent the
king of Connaught from baptising his new lance, after pagan
custom, in the blood of an infant; S. Euny his in rescuing a boy from
being tossed on the spears of some soldiers. Again, finding after a
battle that it was the custom to cut off the heads of all who had
fallen, and stack them at the king’s door to be counted, he with
difficulty induced the victors to take turves instead of the heads.
I do not think we at all adequately appreciate the service the
saints rendered to the Celtic nations in raising the tone of
appreciation of woman.
Next to founding their own monastic establishments, they were
careful to induce their mothers or sisters to establish communities
for the education of the daughters of the chiefs and of all such
maidens as would be entrusted to them.
The estimation in which woman had been held was very low. In
the gloss to the law of Adamnán is a description of her position in
the house. A trench three feet deep was dug between the door and
the hearth, and in this, in a condition almost of nudity, the women
spent the day cooking, and making candles out of mutton suet. In
the evening they were required to hold these candles whilst the men
caroused and feasted, and then were sent to sleep in kennels, like
dogs, outside the house as guardians, lest a hostile attack should be
made during the darkness.
The current coin seems to have been, in Ireland, a serving-maid,
for all fines were calculated by cumals—that is, maidservants—and
the value of one woman was the same as that of three cows.
A brother of one of the saints came to him to say that he was
bankrupt; he owed a debt of seven maidservants to his creditor, and
could not rake so many together. The saint paid the fine in cows.
Bridget’s mother was sold as a slave by the father of Bridget to a
Druid, and the father afterwards tried to sell his daughter; but as the
idea had got about that she was wasteful in the kitchen, he could
not find a purchaser.
But this condition of affairs was rapidly altered, and it was so
through the influence of the saints and the foundation of the great
schools for girls by Bridget, Itha, Brig, and Buriana.
Till the times of Adamnán women were called out to fight as well
as the men, and dared not refuse the summons. Their exemption
was due to this abbot. He came on a field of battle and saw one
woman who had driven a reaping-hook into the bosom of another,
and was dragging her away thereby. Horror-struck, he went about
among the kings of Ireland and insisted on the convocation of an
assembly in which he carried a law that women were thenceforth
exempted from this odious obligation.
I have but touched the fringe of a great subject, which is one that
has been unduly neglected. The early history of Cornwall is
inextricably mixed up with that of the saints who settled there, or
who sprang from the native royal family. We have unhappily no
annals, hardly a Cornish record, of those early times. Irish, Welsh,
Bretons, have been wiser, and have preserved theirs; and it is to
them we are forced to appeal to know anything of the early history
of our peninsula. As to the saintly lives, it is true that they contain
much fable; but we know that they were originally written by
contemporaries, or by writers very near the time. S. Columba of Tir-
da-Glas, whom I take to have been the founder of the two Columbs
in Cornwall and Culbone in Somersetshire, caught one of his
disciples acting as his Boswell, noting down what he said and did,
and he was so angry that he took the MS. and threw it in the fire,
and insisted on none of his pupils attempting to write his life.
S. Erc was wont to retire in Lent to jot down his reminiscences of
S. Patrick. The writer of the Life of S. Abban says, “I who have
composed this am the grandson of him whom S. Abban baptised.”
But about the eleventh century a fashion set in for rewriting these
histories and elaborating the simple narratives into marvellous tales
of miracle, just as in James I.’s reign the grand simple old ballads of
the English nation were recomposed in stilted style that robbed them
of all their poetry and most of their value.
Now it is almost always possible to disengage the plain threads of
history from the flourish and frippery that was woven in at this late
period. The eye of the superficial reader is at once caught by all the
foolery of grotesque miracle, and turns in disgust from the narrative;
but if these histories be critically examined, it will almost always be
found that the substratum is historical.
Surely it affords an interest, and gives a zest to an excursion into
Cornwall, when we know something of the founders of the churches,
and they stand out before us as living, energetic characters, with
some faults, but many virtues, and are to us no longer nuda nomina.
CHAPTER II.

THE HOLY WELLS

S. Patrick in Ireland—A pagan holy well—S. Samson—Celtic saints
very particular about the water they drank—S. Piran and S.
Germoe—S. Erth and the goose-eggs—S. Sithney and the polluted
well—Dropping of pins into wells—Hanging rags about—Well-chapel
of S. Clether—Venton Ia—Jordan wells—Gwennap
ceremony—Fice’s well—Modern stupidity about contaminated
water.
The system adopted by S. Patrick in Ireland was that of making as
little alteration as he could in the customs of the people, except only
when such customs were flatly opposed to the precepts of the
gospel. He did not overthrow their lechs or pillar-stones; he simply
cut crosses on them. When he found that the pagans had a holy
well, he contented himself with converting the well into a baptistery.
It is a question of judgment whether to wean people gently and by
slow degrees from their old customs, or whether wholly to forbid
these usages. S. Patrick must have known perfectly what the
episcopal system was in Gaul, yet when he came into a land where
the Roman territorial organisation had never prevailed, he
accommodated Christian Church government to the conditions of
Celtic tribal organisation.
S. MELOR’S WELL, LINKINHORNE

He found that the Irish, like all other Celtic peoples, held wells in
great veneration. He did not preach against this, denounce it as
idolatrous, or pass canons condemning it. He quietly appropriated
these wells to the service of the Church, and made of them
baptisteries.
What Patrick did in Ireland was what had been done elsewhere.
When S. Samson was travelling in Cornwall between Padstow and
Southill, and visited his cousin Padarn on the way; at a place called
Tregear he found the people dancing round an upright stone, and
offering it idolatrous worship. He did not smash it in pieces. He
contented himself with cutting a cross on it.
Now the Celtic saints were mighty choice in their tipple. They
insisted on having the purest of water for their drink; and not only
did they require it for imbibing, but they did a great deal of tubbing.
One day S. Germoe paid S. Piran a visit; after they had prayed
together, “It is my tubbing time,” said Piran. “Will you have a bath
too?” “With the greatest of pleasure,” responded Germoe. So the
two saints got into the tub together. But the water was so cold that
Germoe’s teeth began to chatter, and he put one leg over the edge,
intending to scramble out. “Nonsense!” said Piran; “bide in a bit, and
you will feel the cold less sharply.”
Germoe did this. Presently Piran yelled out, “Heigh! a fish! a fish!”
and, between them, the two nude saints succeeded in capturing a
trout that was in the vat.
“I rejoice that we have the trout,” said Piran, “for I am expecting
home my old pupil Carthagh, and I was short of victuals. We will
cook it for his supper.”
Some of the saints had the fancy for saying their prayers standing
up to their necks in water.
There is a story of S. Erc, the S. Erth of Land’s End district, to the
purpose, but I admit it is on late authority.
Domnhal, king of Ireland, sent his servants to collect goose-eggs.
They found a woman carrying a black basket on her head piled up
with the eggs of geese. The king’s servants demanded them, but she
answered that they were intended as a present to Erc, who spent
the day immersed to the armpits in running water, with his Psalter
on the bank, from which he recited the psalms. In the evening he
emerged from his bath, shook himself, and ate an egg and a half
together with three bunches of watercress.
However, regardless of the saint’s necessities, the servants carried
the eggs away.
When S. Erc came out of the river, dripping from every limb, and
found there were no eggs for his supper, he waxed warm, and
roundly cursed the rascals who had despoiled him, and those who
had set them on, and all such as should eat them.
The story goes on to tell how these eggs became veritable apples
of discord, breeding internecine strife.
But to return to the wells.
Whether taught by experience, or illumined by the light of nature,
I cannot say, but most assuredly the saints of Ireland, Wales, and
Cornwall were vastly particular as to their wells being of the purest
and coldest water obtainable.
S. Senan had settled for a while by a well in Inis Caorach, and
one day his disciple Setna—our Cornish Sithney—found a woman
washing her child’s dirty clothes in the fountain. He flew into a fury,
and his companion Liberius was equally abusive in the language
employed. Shortly after the boy tumbled over the rocks into the sea.
The distracted mother ran to S. Senan, and when he heard the
circumstances, assuming that this was due to the imprecations
called down on the woman and her child by his two pupils, he bade
both of them depart and not see his face again, unless the child
should be produced uninjured. Setna and Liberius sneaked away
very disconsolate, but as they happily found the lad on the beach
uninjured, they were once more received into favour.
It is unnecessary here to repeat all the hackneyed references to
the cult of fountains among the Celts; they may be taken for
granted. We know that such was the case, and that the same cult
continues very little altered among the Irish and Breton peasantry to
the present day. In Cornwall there is now little or none of it. “When I
was a man I put away childish things,” says S. Paul, and the same
applies to peoples. When they are in their cultural childhood they
have their superstitious beliefs and practices; but they grow out of
them, and we pity those who stick in the observance of usages that
are unreasonable.
In pagan times money was dropped into wells and springs, and
divination was taken from the rising of bubbles. Now the only relic of
such a proceeding is the dropping in of pins or rush crosses.
Wells were also sought for curative purposes, and unquestionably
some springs have medicinal qualities, but these are entirely
unconnected with the saints, and depend altogether on their
chemical constituents.
It is said that rags may still be seen on the bushes about Madron
well as they are about holy wells in Ireland and about the tombs of
fakirs and Mussulman saints. I doubt if any Cornish people are so
foolish as to do such a thing as suspend rags about a well with the
idea of these rags serving as an oblation to the patron of the spring
for the sake of obtaining benefits from him.
In Pembrokeshire till quite recently persons, even Dissenters,
were wont to drink water from S. Teilo’s well out of a portion of the
reputed skull of S. Teilo, of which the Melchior family are the
hereditary custodians.
The immersing of the bone of a saint in water, and the drinking of
the water thus rendered salutary, is still practised in Brittany. This
was done when Ireland was pagan; but the bones soaked were
those of Druids.
There is a curious illustration, as I take it, of this practice in S.
Clether’s well chapel, recently restored. Here the stone altar remains
in situ; it has never been disturbed.
WELL-CHAPEL OF S. CLETHER

S. Clether was the son of Clydwyn, prince of Carmarthen and
grandson of Brychan. He came to Cornwall in consequence of the
invasion of his territories by Dyfnwal, and here he spent a great part
of his life, and died at an advanced age. He settled in the Inney
valley in a most picturesque spot between great ruins of rock, where
a perennial spring of the coolest, clearest water gushes forth. There
can be very little doubt that S. Clether employed this spring as his
baptistery, for the traditional usage of fetching water from it for
baptisms in the parish church has lingered on there.
The holy well lies north-east of the chapel or oratory. When the
chapel was reconstructed in the fifteenth century the water from the
holy well was conveyed in a cut granite channel under the wall, and
came sparkling forth in a sort of locker on the right side of the altar
in the thickness of the wall.
To reach this there was a descent of a step in the floor. Thence
the water flowed away underground, and gushed forth in a second
holy well, constructed in the depth of the chapel wall outside on the
south near the east end. Consequently there are two holy wells. The
first, I take it, was the baptismal well; the second was used to drink
from. A relic of the saint was placed in the channel where exposed;
the water flowed over it, acquired miraculous virtues, and was drunk
at the second well outside the chapel by those who desired healing.
That there was a further significance in the management of the
course of the water I do not doubt.
An attempt was made to carry out the imagery of the vision of
the holy waters in Ezekiel:—
“Afterward he brought me again unto the door of the
house; and, behold, waters issued out from under the
threshold of the house eastward: for the forefront of the
house stood toward the east, and the waters came down
from under from the right side of the house, at the south side
of the altar.” (xlvii. 1.)
Cornwall possesses a vast number of holy wells, many of them in
very bad repair. That at S. Cleer has been restored admirably;
Dupath is in perfect condition; that of S. Guron at Bodmin has been
restored; S. Melor’s well at Linkinhorn is very beautiful and in perfect
condition; S. John’s well, Morwenstow, S. Julian’s, Mount Edgcumbe,
S. Indract’s in the parish of S. Dominic, the well of S. Sidwell and S.
Wulvella at Laneast, S. Samson’s, Southill, Menacuddle, S. Anne’s,
Whitstone, S. Neot’s, S. Nin’s, Pelynt, Roche, S. Ruan’s, are in good
condition, but many are ruinous, or have been so altered as to have
lost their interest. That of S. Mawes has been built up, and two great
cast-iron pipes carried up from it for the circulation of air over the
water, which is drawn away to a tap which supplies the town or
village.[2]
Here is a melancholy account of the condition to which a holy well
has sunk:—
“Venton Eia (S. Ia’s well), on the cliff overlooking
Porthmeor.—This ancient well, associated with the memory of
the patron saint of the town (S. Ives), was formerly held in
the highest reverence. Entries occur in the borough records of
sums paid for cleansing and repairing it, under 1668-9 and
1692-3. On the last of these occasions the well was covered,
faced, and floored with hewn granite blocks in two
compartments. It is still known as ‘the Wishing Well,’ from the
old custom of divination by crooked pins dropped into the
water. For some years past, however, this ancient source of
purity has been shamefully outraged by contact with all that
is foul. Close to it is a cluster of sties, known as ‘Pig’s Town,’
and the well has become the receptacle for stinking fish and
all kinds of offal. Just above it are the walls of the new
cemetery. All veneration for this spot, so dear to countless
generations of our forefathers, seems to have departed.”[3]
The well of S. Bridget at Landue remains, but the saint’s chapel is
gone. Stables near the well are thought to have polluted the water,
and the well is closed lest the incautious should drink of the
reputedly contaminated waters.
There are a good many holy wells in Devon also, but none of
mark. At Sticklepath above the well rises a very early inscribed
stone. There is a holy well, ruinous, at Halwell, one, probably of S.
Lo, at Broadwood, one at Ermington, from which water is still drawn
for baptisms, one at Lifton, one at Ashburton, probably dedicated to
S. Wulvela. S. Sidwell and S. Anne each has her well at Exeter, and
the water of the latter has of late become of repute, and is in
request under the form of beer. It supplies a brewery.
When S. Cadoc returned from the Holy Land he brought with him
a bottle of water from the Jordan, and poured it into a well in
Cornwall. None that I know of bears his name, but that at Laneast is
called Jordan well.
There is a very singular custom still observed in connection with a
stream in place of a holy well at Gwennap. There, on Good Friday,
children seek two spots by a stream to baptise their dolls. This can
be due only to a dim reminiscence of baptising in the open.
In addition to the holy wells, there are the pixy wells, where the
ancient spirits have not been dispossessed by the saints.
Poughill parish takes its name from a puck or pisgie well.
Fice’s well, near Prince Town, has on it “J. F. 1568.” John Fitz, the
astrologer, and his lady were once pixy-led whilst riding on Dartmoor.
After long wanderings in the vain effort to find their way, they
lighted on a pure spring, drank of it; and their eyes were opened to
know where they were and which was their right direction. In
gratitude for this deliverance, old John Fitz caused the stone
memorial to be set over the spring for the advantage of all pixy-led
wanderers. Alas! the convict establishment has enclosed the moor all
round, and now this well, though intact, no longer stands, as I
remember it, in wild moorland, but enclosed by a protecting wall in a
field.
In a certain large village of which I know something water was
introduced by means of earthenware pipes for a considerable
distance, and then conveyed to taps at convenient spots by iron and
lead.
Now there was one of these taps placed outside the Board school.
The master said within himself, “If I go to the tap, I shall have to
pay the water rate, which will be very heavy; if I never turn the tap,
I surely cannot be required to pay. So I know what I will do. Go to! I
will draw all my water from the well in the yard of the farm at the
back of my premises.”
He did so, and lost his wife and child by diphtheria. Verily even
modern Board school masters might learn something from these wild
old pure water-loving Celtic saints.
Note.—Book on Cornish Holy Wells:—
Quiller-Couch (M. and L.), Ancient and Holy Wells of Cornwall.
London: Clark, 1894.
CHAPTER III.

CORNISH CROSSES
Abundance of crosses—The menhîr—Crosses marked the
limits of a Llan—Crosses marked places for public prayer—
Instance of a Cornish Dissenter—Churches anciently few and
far between—The cross erected where was no church—Which
therefore precedes the village church—Crosses as waymarks
—The Abbot’s Way—Interlaced work—The plat a subject for
study.
There is no county in England where crosses abound as they do in
Cornwall. Second to it comes Devonshire. Indeed, on Dartmoor and
in the west of the latter county they are as numerous as in Cornwall.
Their origin is various.
In the first place, where the pagans worshipped a menhîr or
standing stone, there it was Christianised by being turned into a
cross. In the second place, crosses marked the bounds of a minihi or
llan, the sanctuary of the saint.
CROSS, S. LEVAN

Then, again, the Celtic churches were very small, mere oratories,
that could not possibly contain a moderate congregation. The saints
took their station at a cross, and preached thence. With the Saxons
there was a rooted dread of entering an enclosed place for anything
like worship, fearing, as they did, the exercise of magical rites; and
they were accustomed to hold all their meetings in the open air. S.
Walpurga, the sister of S. Willibald, who wrote in 750, and was a
Wessex woman, says:—
“It is the custom of the Saxon race that on many estates of
nobles and of good men they are wont to have not a church,
but the standard of the holy cross dedicated to our Lord and
reverenced with great honour, lifted up on high so as to be
convenient for the frequency of daily prayer.”
In connection with this, I may mention a fact. In the parish of
Altarnon was an old pious Wesleyan, and when the weather was too
bad for him to go to chapel he was wont to go to one of the crosses
of granite that stood near his cottage, kneel there, and say his
prayers. He died not long ago.
Bede, some twenty years before Walpurga, says that—
“The religious habit was then held in great veneration, so
that wheresoever a clerk or a monk happened to come he
was joyfully received, ... and if they chanced to meet him
upon the way, they ran to him, and bowing, were glad to be
signed with his hand and blessed with his mouth. On Sundays
they flocked largely to the” (bishop’s) “church or the
monasteries to hear the word of God. And if any presbyter
chanced to come into a village, the inhabitants flocked
together to hear the word of life; for the presbyters and
clerks went into the villages on no other account than to
preach, baptise, visit the sick, and in short to take care of
souls” (H.E., iii. 16).
This shows that, in the first place, among the Anglo-Saxons there
were no churches except the cathedral and the monastic church,
and no parochial clergy. Bede does not actually say that there was a
cross set up from which the itinerant clergy preached, and to which
the faithful resorted for prayer, but this additional fact we have
learned from Walpurga.
So we come to this very interesting conclusion, that the village
cross preceded the parish church. The crosses were, in fact, the
religious centres of church life, and we ought accordingly to value
and preserve them with the tenderest care. A great many of those
that we have now on our village greens are comparatively modern,
and date from the fourteenth or fifteenth century, but there still
remain a vast number, not in the midst of a village, but on moors
and by highways of an extremely early description, and which most
assuredly have been the scene of many a primitive “camp meeting”
in the fifth and sixth centuries.
On Sourton Down beside the road stands a cross of very coarse
granite. On it is inscribed PRINCIPI FIL AVDEI, and above it an early
and rude cross of Constantine. Some time in the Middle Ages the
rudeness of the stone gave dissatisfaction, and its head was trimmed
into a cross.
A third occasion for the erection of crosses was as waymarks.
Across Dartmoor such a succession of rude crosses exists where was
what is called the Abbot’s Way from Buckfast to Tavistock and to
Plympton. But there are others not on these lines, and such may
have served both as guiding marks and also as stations for prayer.
That the monks of Buckland—and Buckland goes back to pre-Saxon
times—did go out to the moor and there minister to the
tin-streamers or squatters and shepherds, I cannot doubt, and
accordingly look with much emotion at these grey monuments of
early Christianity.
The interlaced work which is found on some of the crosses is of
the same character as the ornamentation in the early Irish MSS., and
it was adopted from the Celtic clergy by their Anglian and Saxon
converts.
But whence came it?
We know that the Britons delighted in plaited work with osiers,
and it was with wattle that they built their houses, their kings’
palaces, and defended their camps. By constant use of wattle
through long ages they became extraordinarily skilful in devising
plaits; and when they began to work on stone they copied thereon
the delicate interlaced work they loved to exhibit in their domestic
buildings.
The various plaits have been worked out by Mr. A. G. Langdon in
his admirable study of the Cornish crosses. At a meeting of the
British Association he exhibited a hundred drawings of different
crosses, etc., illustrative of a paper read by Mr. J. Romilly Allen on
“The Early Christian Monuments of Cornwall.” When some incredulity
was expressed as to there being so many examples in that county,
Mr. Langdon explained that not only did all these come from
Cornwall, but that the examples brought before the Association
represented only about one-third of the whole number known to
exist. And since that date a good many more have been noticed. The
variety in design of the crosses is very great indeed. Some affect the
Greek cross, some the Latin; some are with a figure on them, some
plain, others richly ornamented. But what is remarkable about them
is, in the first place, they are nearly all in granite, a material in which
nothing was done from the seventh century down to the fifteenth, as
though the capability of working such a hard intractable stone had
been lost. And, in the second place, the ornamentation is in the lost
art of plaiting, of the beauty and difficulty of which we can hardly
conceive till we attempt it. There is first the four-string plait, then
that with six, and lastly that with eight. Then three strings are
combined together in each plait, then split, forming the so-called
Stafford knot; the knot and the plait are worked together; now a
loop is dropped, forming a bold and pleasing interruption in the
pattern. Then a ring is introduced and plaited into the pattern; then
chain-work is introduced; in fact, an endless variety is formed,
exercising the ingenuity of the artist to the uttermost. It would be an
excellent amusement and occupation for a rainy day in an hotel for
the tourist to set to work upon and unravel the mysteries of these
Celtic knots.
The old interlaced work, or the tradition of it, seems to have
lingered on in the glazing of windows, and some very beautiful
examples remain in England and in France. Mr. Romilly Allen points
out:—
“In Egyptian, Greek, and Roman decorative art the only
kind of interlaced work is the plait, without any modification
whatever; and the man who discovered how to devise new
patterns from a simple plait, by making what I term breaks,
laid the foundation of all the wonderfully complicated and
truly bewildering forms of interlaced ornament found on such
a masterpiece of the art of illumination as the Book of Kells.
Although we do not know who made the discovery of how to
make breaks in a plait, we know pretty nearly when it was
made.”[4]
He goes on to show that the transition from plaitwork to knotwork
took place in Italy between 563 and 774. But is that not a proof of
introduction into Italy, and not of its discovery there? I am rather
disposed to think that partly through the adoption of the osier wattle
in domestic architecture, partly through the employment of the
tartan, the plait in all its intricacy was a much earlier product of the
genius of the Celtic race.
There is a pretty story in the life of an early Irish saint. He had
been put at school, but could not learn. At last, sick of books, he ran
away. He found a man at work with willow rods, weaving them to
form the walls of a house he was building. He dipped them in water,
and laced them in and out with wonderful neatness, patience, and
dexterity. And the boy, looking on, marvelled at it all, took it to
heart, and said to himself, “These osiers flip out; but when there are
patience and skill combined, they can be made into the most
exquisite patterns, and plaited together into a most solid screen.
Why may not I be thus shaped, if I allow myself to be bent, and am
docile in my master’s hands?” So he went back to school.
CHAPTER IV.

CORNISH CASTLES
The ancient camps—Their kinds—1. Rectangular, Roman—2. The
Saxon burh—3. The Celtic circular or oval camp—The lis and the
dun—4. Stone fortresses—Heroic legends in Ireland—The Firbolgs
—5. The stone castle with mortar, Norman—No good examples.
Anyone with a very little experience can at once “spot” a camp or
castle by the appearance from a distance of a hill or headland; and
the traveller in Devon and Cornwall will pass scores of them, as he
will see by his Ordnance Survey Map, without giving much attention
to them, without supposing that they can be of great interest, unless
his attention has been previously directed to the subject. It is a pity
that anyone should go through a country which may really be said to
make ancient camps and castles its speciality and not know
something about them.
LAUNCESTON

Of hill castles or camps there are several kinds:—
1. Those that are rectangular or approximately so, and which
have been attributed to the Romans. Of these in Cornwall there are
but few. Tregear, near Bodmin, and Bossens, in S. Erth, have yielded
Roman coins and relics of pottery; but whether actually Roman or
Romano-British remains undecided.
2. There are those which consist of a tump or mound, sometimes
wholly artificial, usually natural, and adapted by art, and in
connection with this is a bass-court, usually, but not universally,
quadrilateral. This was the Saxon type of burh; it was also that of
the Merovingian. The classic passage descriptive of these is in the
Life of S. John of Terouanne, written in the eleventh century:—
“It was customary for the rich men and nobles of these
parts, because their main occupation is the carrying on of
feuds, to heap up a mound of earth as high as they are able
to raise it, and to dig round it a broad, open, and deep ditch,
and to girdle the whole upper edge of the bank with a barrier
of wooden planks, stoutly fastened together, and set round
with numerous turrets, and this in place of a wall.
“Within was constructed a house, or rather a citadel,
commanding the whole area, so that the gate of it could
alone be reached by means of a bridge that sprang from the
counterside of the ditch, and was gradually raised as it
advanced, supported by sets of piers, two, or even three,
trussed on each side, over convenient spans, crossing the
moat with a managed ascent, so as to attain the upper level
of the mound, landing on its edge level with the threshold of
the door.”
A very good idea of such a camp may be derived from the
representation of the fortifications of Dinan on the Bayeux tapestry.
In France the mottes on which the wooden dongeons of the
Merovingian chiefs were planted certainly abound; but in many cases
the bank enclosing the bass-court has disappeared. Good examples
may be seen at Plympton, at Lydford, and at Launceston. At the
former and latter Norman walls took the place of the palisading; but
at Lydford a keep was erected on the tump, but the line of
earthworks was never walled.
In Ireland and in Scotland such camps abound; they are there
due to Saxon and Danish invaders. In Ireland they are called motes,
in England burhs. They afforded the type on which the Normans
constructed their castles.
3. A much more common form of camp in Devon and Cornwall is
one that is circular or oval, and consists of concentric rings of earth,
or earth and stone mixed, with ditches between.
There is, however, a variant where a headland is fortified, either
one standing above the sea into which it juts, or at the junction of
two streams. There it sufficed to run defensive banks and ditches
across the neck of the promontory.
This description of camp or castle is usually supposed to be Celtic.
In Ireland such a camp is a rath. The same word is employed for
similar camps in a portion of Pembrokeshire.
Every noble had a right to have a rath, and every chief had his lis
or dun.
A lis was an enclosed space, with an earth-mound surrounding it,
and was the place in which justice was administered. Lis enters into
many place-names in Cornwall, as Liskeard, Lesnewth, Listewdrig,
the court of that king who killed S. Gwynear and bullied S. Ewny and
the other Irish settlers; Lescaddock, Lescawn, Lestormel, now
corrupted into Restormel.
In Ireland les had a wider meaning. S. Carthagh was throwing up
a mound around a plot of land where he was going to plant a
monastery.
“What are you about there?” asked an inquisitive woman.
“Only engaged in the construction of a little lis,” was the reply.
“Lis beg!” (small lis), exclaimed the woman. “I call it a lis mor” (a
big lis). And Lismore is its name to this day.
In Ireland every king had his dun. This was an enlarged rath with
an outer court in which he held his hostages, for the law required
this: “He is no king who has not hostages in lock-up.”
Dun in Welsh is din, and dinas is but another form of the same
word, and signifies a royal residence.
A gloss to an old Irish law tract says that a royal dun must have
two walls and a moat for water.
Dun in Scotland is applied to any fort. According to the Gaelic
dictionaries, it is “a heap or mound,” and even a dung-hill is a dun.
In fact, the French dune and the Cornish towan derive from the
same root. Dun so much resembles the Anglo-Saxon tun that we
cannot always be sure of the derivation of a place-name that ends in
tun.
Every tribe had its dun, to which the cattle were driven, and
where the women and children were placed in security in times of
danger. This would be in addition to the royal residence, that is the
dun of the rig.
Within the dun were numerous structures of timber, roofed with
oak shingles, some of a large description, such as a banqueting hall;
but the habitations of the garrison were circular, of wickerwork, and
thatched with rushes.
In Cornwall there is Dingerrein, the dinas of S. Geraint;
Castel-an-Dinas; Damelioc (Din-Maeloc); Dunheved, the old name for
Launceston; Dundagel.
4. I come now to the stone fortresses that are found in parts of
Cornwall and Wales. They are also to be seen in Scotland and
Ireland. These are called caerau in Wales. A cathair is the term
applied to them in Ireland, and cathair signifies as well a city.
They are found in England only in Somersetshire, Devon, and
Cornwall; and in Wales only in such parts as were invaded and
occupied from Ireland.
In Kerry and the isles of Arran are those in best preservation, and
from these we can see that the walls were regularly built up with
double faces, rubble being between them. Very usually in Arran
stones are placed with the end outwards, so that they serve as ties
to hold the walls together.
The Welsh examples are very perfect, and precisely similar to
those in Ireland.
We know that the Gauls built stone camps—Cæsar calls them
their oppida—but they employed beams of timber along with the
stone to tie the walls together. The wood has everywhere rotted
away, and the enclosing walls of the Gaulish camps now present the
same appearance precisely as do the similar stone camps in Devon,
Somerset, and Cornwall. When the timber decayed the stones fell
into heaps. In Arran and Anglesey there was no timber;
consequently stones were employed as ties, and there the walls
remain comparatively intact.
Within the caer were circular stone beehive huts; also chambers
that were circular were contrived in the thickness of the walls. These
“sentry boxes” have been noticed in Wales, and also in Cornwall and
Devon.
The account of Castel-an-Dinas, before it was robbed for the
erection of a tower, is precisely such as might be given of one of
those in Ireland or Wales:—
“It consisted of two stone walls, one within the other, in a
circular form, surrounding the area of the hill. The ruins are
now fallen on each side of the walls, and show the work to
have been of great height and thickness. There was also a
third or outer wall built more than half-way round. Within
these walls are many little enclosures of a circular form, about
seven yards in diameter, with little walls round them of two or
three feet high; they appear to have been so many huts for
the shelter of the garrison.”
In fact, this was a royal dinas. Not only had it the requisite double
wall, but also the drecht gialnai, or dyke of the hostages. Every king
retained about him pledges from the under-chiefs that they would be
faithful.
There are several of these stone camps in Devon and Cornwall. In
Somersetshire Whorlebury is very interesting; in Devon are Whit Tor
and Cranbrook; in Cornwall the Cheesewring camp, Carn Brea, Chun
Castle, the camp of Caer Conan on Tregenning Hill, Helborough,
beside Castel-an-Dinas in Ludgvan.
The heroic legends of Ireland attribute these stone camps to the
Firbolgs, the non-Aryan dusky race that was in possession previous
to the arrival of the Celts. But that the Milesians learned from them
the art of constructing such castles is very certain, for in Christian
times the monks imitated them in some of their settlements.
Lord Dunraven, who has photographed these stone duns, says:—​
“The legends of the early builders are preserved in the
compilations of Irish scribes and bardic writers dating from
the twelfth to the fifteenth centuries. The story, which is said
by these writers to have been handed down orally during the
earliest centuries of the Christian era, and committed to
writing when that art first became known in Ireland, is the
history of the wanderings and final destruction of a hunted
and persecuted race, whose fate would seem to have been
mournful and strange as the ruined fortresses of the lost tribe
which now stand before us. Coming to Ireland through
Britain, they seem to have been long beaten hither and
thither, till, flying still westward, they were protected by Ailill
and Maeve, who are said to have reigned in Connaught about
the first century of the Christian era. From these monarchs
they obtained a grant of lands along the western coast of
Galway, as well as the islands of Arran, where they remained
till their final expulsion. Thus their forms seem to pass across
the deep abyss of time, like the white flakes of foam that are
seen drifted by the hurrying wind over the wild and wasted
ruins of their fortresses.”
Excavations show that these stone caers are more ancient than
the Christian era; they belong to the period of flint weapons and the
introduction of bronze. But, as already stated, the conquerors of the
rude stone monument builders adopted some of their arts, and some
of their camps are much later.
5. The stone castle, the walls set in mortar, is not earlier in Devon
and Cornwall than the Norman Conquest. There are no really stately
castles in either county, with the exception of Launceston.
Rougemont, Exeter, is eminently unpicturesque; Tiverton, Totnes,
Plympton, are almost complete ruins; Lydford—well, as Browne the
poet wrote of it in the reign of James I.:—
“They have a castle on a hill;
I took it for an old windmill,
The vanes blown off by weather;
To lie therein one night, ’tis guessed
’T were better to be stoned or pressed
Or hanged ere you come hither.”
And ruin that has fallen on it has not improved its appearance.
Okehampton is but a mean relic; Restormel is circular; Trematon
is like a pork-pie; Pendennis, S. Mawes, late and insignificant.
Tintagel owes everything to its superb situation and to the legend
that it was the place where King Arthur was born. The most
picturesque of all is Pregersick, near Breage, but that is late. Its
story shall be told in the chapter on Penzance.
CHAPTER V.

TIN MINING
The granite eruptions in Devon and Cornwall—Elvans—Lodes—Tin
passing into copper—Stream-tin—Story of S. Piran and S.
Chigwidden—Dartmoor stream-tin—Joseph of Arimathea—The
Cassiterides—Jutes—Danish incursions—Tin in King John’s time—
Richard, Earl of Cornwall—Elizabeth introduces German engineers
—Stannary towns—Carew on mining—Blowing-houses—Miners’
terms—Stannary Courts—Dr. Borlase on tin mining—Present state.
I remember being at a ball many years ago at that epoch in the
development of woman when her “body” was hooked along her
dorsal ridge. Now I learn from competent authorities that it is held
together in other fashion.
There was at the ball a very lusty stout lady in slate-grey satin.
By nature and age, assisted by victuals, she was unadapted to
take violent exercise. Nevertheless dance she would. Dance she did,
till there ensued an explosion. Hooks, eyes, buttons, yielded, and
there ensued an eruption of subjacent material. In places the
fastenings held so that the tumescent under-garments foamed out
at intervals in large bulging masses.
This is precisely what took place with Mother Earth in one of her
gambols. Her slate panoply gave way, parted from N.E. to S.W., and
out burst the granite, which had been kept under and was not
intended for show.
Her hooks and eyes gave way first of all in South Devon, and out
swelled the great mass of Dartmoor. They held for a little space, and
then out broke another mass that constitutes the Bodmin moors. It
heaved to the surface again north of S. Austell, then was held back
as far as Redruth and Camborne. A few more hooks remained firm,
and then the garment gave way for the Land’s End district, and,
finally, out of the sea it shows again in Scilly.
Or take it in another way. Cornwall is something like a leg. Let it
be a leg vested in a grey stocking. That stocking has so many
“potatoes” in it, and each “potato” is eruptive granite.
Granite, however, likewise cracked, formed “faults,” as they are
called, in parallel lines with the great parent crack to which it owed
its appearance, and cracks also formed across these; and through
the earlier cracks up gushed later granite in a molten condition, and
these are dykes.
Moreover, the satin body not only gave way down its great line of
cleavage, but the satin itself in places yielded, revealing, not now the
under-linen which boiled out at the great faults, but some material
which, I believe, was the lining. So when the granite broke forth
there were subsidiary rifts in the slate, and through these rifts a
material was extruded, not exactly granite, but like it, called elvan.
These elvan dykes vary from a few feet to as many as four hundred
in breadth, and many can be traced for several miles. The younger
granite intruded into the older granite is also called elvan.
But when the secondary fissures occurred, the intrusive matter
was not only a bastard granite, but with it came also tin and copper.
And these metallic lines, which run on Dartmoor from E. to W., and
in Cornwall from E.N.E. to W.S.W., are called lodes.
The cross-cracks do not contain metal. They are called cross-courses.
In addition there are some capricious veins that do not run in the
normal direction, and these are called counter-lodes. Their usual
direction is N.E.
The cross-courses, although without metal, are of considerable
value to the miner, because, as he knows well, the best lodes are
those which are thus traversed.
There is, however, one description of cross-course that is called
floocan, and which is packed with clay, and holds back water. These
are accordingly not cut through if it can possibly be avoided.
A very curious feature in the lodes is, that after going down to a
variable depth the tin is replaced by copper.
Percy was the first to establish this, towards the close of last
century. He pointed out that many an old tin mine was in his time
worked for copper. And it came to be supposed that this would be
found to be an unchanging law: Go deep enough after tin, and you
come to copper. But this opinion was shaken when it was found that
Dolcoath, the profoundest mine in Cornwall, which had for some
time been worked for copper, became next rich in tin. What seems
to have been the case was this: when a vent offered, there was a
scramble between the two minerals which should get through first
and out of the confinement under earth’s crust, and now a little tin
got ahead; then came copper trampling on its heels, but was itself
tripped up by more tin.
Now, when the granite came to the surface, it did not have
everything its own way, and hold its nose on high, and lord it over
every other rock as being the most ancient of all, though not the
earliest to put in an appearance. There was a considerable amount
of water about. There is plenty and to spare in the west of England
now, but we may feel grateful that we do not exist in such
detestable weather, nor exposed to such sousing rains, nor have to
stand against such deluges, as those which granite had to encounter.
Hot, over-hot, it may have been below, but it was cold and horribly
wet above.
The rains descended; the floods came, and beat on the granite,
which, being perhaps at the time warm and soft, and being always
very absorbent, began to dissolve.
As it dissolved, the water swept away all its component parts, and
deposited the heaviest near at hand, and took the lightest far away.