Reference LibraryClark-Wilson Model
Security ModelDomain 3: Security Architecture & Engineering

Clark-Wilson Model

Exam Relevance:

A commercial integrity model that uses well-formed transactions and separation of duties to ensure data integrity. Unlike Biba's lattice approach, Clark-Wilson maps more closely to real business controls.

Why It Matters for CISSP

Clark-Wilson is the model that most closely reflects how real-world financial and commercial systems enforce integrity. The CISSP exam tests whether you can identify it by its key components: CDIs, UDIs, TPs, and IVPs.

Core Components

Constrained Data Items (CDIs): Data items that must maintain integrity.

Unconstrained Data Items (UDIs): Raw input data not yet validated. UDIs become CDIs only after a valid Transformation Procedure runs.

Transformation Procedures (TPs): The only authorised methods for modifying CDIs.

Integrity Verification Procedures (IVPs): Audit procedures that confirm CDIs are in a valid state.

The Two Integrity Rules

C1: IVPs must ensure all CDIs are in a valid state. C2: TPs must be certified to only produce valid CDIs from valid CDIs. E1: The system must maintain an authenticated list of which users can run which TPs on which CDIs. E2: The system must maintain a list of TP-to-CDI relationships. Separation of Duties: No single user can run all TPs needed to complete a sensitive transaction.

Comparison to Biba

Biba operates on a lattice of integrity levels. Clark-Wilson operates on real-world transactions and procedures. Clark-Wilson is closer to SOX, PCI-DSS, and real auditing requirements.

Clark-Wilson core components

ComponentTypePurpose
CDIDataConstrained data items — must stay valid at all times
UDIDataUnconstrained input — not yet validated
TPProcedureOnly authorised way to modify CDIs
IVPProcedureVerifies CDIs are in valid state (read-only audit)

Related Concepts

Bell LapadulaBibaRisk Formula