A commercial integrity model that uses well-formed transactions and separation of duties to ensure data integrity. Unlike Biba's lattice approach, Clark-Wilson maps more closely to real business controls.
Clark-Wilson is the model that most closely reflects how real-world financial and commercial systems enforce integrity. The CISSP exam tests whether you can identify it by its key components: CDIs, UDIs, TPs, and IVPs.
Constrained Data Items (CDIs): Data items that must maintain integrity.
Unconstrained Data Items (UDIs): Raw input data not yet validated. UDIs become CDIs only after a valid Transformation Procedure runs.
Transformation Procedures (TPs): The only authorised methods for modifying CDIs.
Integrity Verification Procedures (IVPs): Audit procedures that confirm CDIs are in a valid state.
C1: IVPs must ensure all CDIs are in a valid state. C2: TPs must be certified to only produce valid CDIs from valid CDIs. E1: The system must maintain an authenticated list of which users can run which TPs on which CDIs. E2: The system must maintain a list of TP-to-CDI relationships. Separation of Duties: No single user can run all TPs needed to complete a sensitive transaction.
Biba operates on a lattice of integrity levels. Clark-Wilson operates on real-world transactions and procedures. Clark-Wilson is closer to SOX, PCI-DSS, and real auditing requirements.
Clark-Wilson core components
| Component | Type | Purpose |
|---|---|---|
| CDI | Data | Constrained data items — must stay valid at all times |
| UDI | Data | Unconstrained input — not yet validated |
| TP | Procedure | Only authorised way to modify CDIs |
| IVP | Procedure | Verifies CDIs are in valid state (read-only audit) |