Information security models are formal frameworks that define how data should be protected within a system — who can access it, under what conditions, and with what safeguards. They translate abstract security objectives into enforceable rules that organisations use to design access controls, manage data integrity, and build compliance programmes.
For compliance professionals at EU financial institutions, security models matter practically: the access control requirements in ISO 27001 Annex A, DORA’s ICT security obligations, and NIS2’s security measures are all grounded in principles that these models formalise. Understanding them helps you design controls that satisfy the underlying security objective — not just tick a box.
What Is an Information Security Model?
An information security model is a set of rules and principles that specify how a system should protect information against unauthorised access and modification. Models map to the CIA triad — Confidentiality, Integrity, and Availability — and provide the theoretical foundation for the practical controls that compliance frameworks require.
Most organisations implement multiple models simultaneously. A financial institution’s access control architecture will reflect Bell-LaPadula’s confidentiality rules, Biba’s integrity restrictions, and Zero Trust’s continuous verification principles — all operating together through a role-based access control system.
Types of Information Security Models
1. Bell-LaPadula Model — Confidentiality
Developed for the US Department of Defense in the 1970s, Bell-LaPadula is the foundational model for mandatory access control in high-confidentiality environments. Its mandatory rules are two properties (the formal model also keeps a discretionary access matrix alongside them):
- No read up (simple security property): A subject cannot read information at a higher classification level than their clearance.
- No write down (*-property): A subject cannot write information to a lower classification level than their current level.
This enforces one-directional information flow — upward in terms of classification — preventing data leakage from high-security to low-security environments.
Compliance relevance: Bell-LaPadula’s principles underpin ISO 27001 Annex A A.5.15 (access control) and DORA’s access management requirements — specifically the need-to-know principle and role-based data restriction.
Limitation: It addresses confidentiality only. The *-property forbids writing down but says nothing about writing up, so a low-clearance or compromised subject may write into objects it is not even allowed to read, and a cleared subject can modify data at its own level freely. Integrity is not protected.
2. Biba Model — Integrity
Developed to address Bell-LaPadula’s integrity gap, Biba mirrors its structure but for data accuracy rather than confidentiality:
- No read down (simple integrity property): A subject cannot read information at a lower integrity level than their own.
- No write up (integrity *-property): A subject cannot write to a higher integrity level than their own.
This prevents low-integrity processes from corrupting high-integrity data — critical in financial systems where data accuracy is non-negotiable.
Compliance relevance: Biba maps to ISO 27001 A.8.32 (change management) and DORA’s ICT change management requirements. The principle that only authorised, high-integrity processes should modify critical systems is foundational to both.
Limitation: A high-integrity process cannot read lower-integrity input at all, so anything that must consume external or user-supplied data (a payment instruction file, a market data feed) needs that data validated and relabelled by a trusted component first. This rigidity is one reason commercial systems reach for Clark-Wilson instead.
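As an added illustration (not code from this article), here are the two models above combined in one reference monitor. It assumes a linear lattice with constructed level names, and runs plain Bell-LaPadula first to reproduce the blind write-up described under the Bell-LaPadula limitation, then the combined check that Biba adds:

```python
"""Reference monitor that applies Bell-LaPadula and Biba together on a linear
lattice. Added illustration for this article, not code from it; the level
names and the sample subjects/objects are constructed."""
from dataclasses import dataclass

# Confidentiality levels, lowest to highest (constructed ordering).
CLASSIFICATION = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "SECRET": 3}
# Integrity levels, lowest to highest (constructed ordering).
INTEGRITY = {"UNTRUSTED": 0, "USER": 1, "SYSTEM": 2}


@dataclass(frozen=True)
class Label:
    classification: str  # Bell-LaPadula dimension (clearance for subjects)
    integrity: str       # Biba dimension


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula: no read up (simple security property), no write down (*-property)."""
    s, o = CLASSIFICATION[subject.classification], CLASSIFICATION[obj.classification]
    if op == "read":
        return s >= o
    if op == "write":
        return s <= o
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba strict integrity: no read down (simple integrity), no write up (*-integrity)."""
    s, o = INTEGRITY[subject.integrity], INTEGRITY[obj.integrity]
    if op == "read":
        return s <= o
    if op == "write":
        return s >= o
    raise ValueError(f"unknown operation {op!r}")


def decide(subject: Label, obj: Label, op: str, enforce_integrity: bool = True):
    """Return (allowed, reason). With enforce_integrity=False this is plain Bell-LaPadula,
    which is enough to reproduce its blind write-up weakness."""
    if not blp_allows(subject, obj, op):
        return False, "Bell-LaPadula: " + ("no read up" if op == "read" else "no write down")
    if enforce_integrity and not biba_allows(subject, obj, op):
        return False, "Biba: " + ("no read down" if op == "read" else "no write up")
    return True, "permitted"


if __name__ == "__main__":
    untrusted_low = Label("PUBLIC", "UNTRUSTED")   # e.g. an internet-facing process
    trusted_high = Label("SECRET", "SYSTEM")       # e.g. the core ledger service
    secret_ledger = Label("SECRET", "SYSTEM")
    public_feed = Label("PUBLIC", "UNTRUSTED")

    # Bell-LaPadula alone lets the untrusted process write into the secret ledger.
    print("BLP only, write up:   ", decide(untrusted_low, secret_ledger, "write", enforce_integrity=False))
    # Adding Biba blocks that write (no write up) ...
    print("BLP+Biba, write up:   ", decide(untrusted_low, secret_ledger, "write"))
    # ... and also stops the ledger service from consuming the untrusted feed (no read down).
    print("BLP+Biba, read down:  ", decide(trusted_high, public_feed, "read"))
    print("BLP+Biba, same level: ", decide(Label("CONFIDENTIAL", "USER"), Label("CONFIDENTIAL", "USER"), "write"))
```

The third case is the Biba limitation in action: the trusted ledger service is refused the public feed outright, which is exactly the input that a validating component would need to relabel before the service may read it.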
3. Clark-Wilson Model — Business Integrity
Where Biba expresses integrity as a lattice of levels, Clark-Wilson (1987) models it the way commercial systems work: constrained data items (CDIs) may be changed only by certified transformation procedures (TPs), and integrity verification procedures (IVPs) confirm the data is in a valid state. Two principles follow from it:
- Well-formed transactions: Data can only be modified through specific, approved procedures — not directly.
- Separation of duties: No single user can complete a sensitive transaction without the involvement of at least one other.
Compliance relevance: Clark-Wilson is the theoretical basis for ISO 27001 A.5.3 (segregation of duties) and the four-eyes principle in financial transaction authorisation. DORA’s change control requirements — that system changes follow defined procedures with appropriate authorisation — reflect Clark-Wilson directly.
4. Brewer-Nash Model (Chinese Wall) — Conflict of Interest
The Brewer-Nash model prevents conflict of interest by dynamically restricting access based on prior data access. Once a subject accesses data from one company within a conflict-of-interest class, they cannot access data from a competing company in the same class.
Compliance relevance: Directly relevant to financial institutions managing information barriers between business units — investment banking and asset management, for example. ISO 27001 A.5.10 (acceptable use) and A.5.3 (segregation of duties) address the underlying concern.
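An added example, not from the article, of the Brewer-Nash rules as code. The company names, conflict-of-interest classes and access history are constructed. The block also implements the model's write rule, which the text above does not mention: it is what stops a subject who has read one company's data from carrying it into a different company's dataset, even one in another conflict class.

```python
"""Brewer-Nash (Chinese Wall) check with both the read rule and the write rule.
Added illustration for this article, not code from it; the company names,
conflict-of-interest classes and the access history are constructed."""
from collections import defaultdict

# Conflict-of-interest classes: datasets of companies that compete (constructed).
COI_CLASSES = {
    "banking": {"BankA", "BankB"},
    "energy": {"OilCo", "PetroCorp"},
}
COMPANY_TO_CLASS = {c: k for k, members in COI_CLASSES.items() for c in members}


class ChineseWall:
    def __init__(self):
        # subject -> companies whose unsanitised data the subject has already read.
        # The wall is not fixed in advance; it is built by the subject's own history.
        self.history = defaultdict(set)

    def can_read(self, subject: str, company: str, sanitised: bool = False):
        """Simple security rule: allowed if the data is sanitised, belongs to a company
        already accessed, or no other company in the same class has been accessed."""
        if sanitised:
            return True, "sanitised data is outside the wall"
        coi = COMPANY_TO_CLASS[company]
        for seen in self.history[subject]:
            if seen != company and COMPANY_TO_CLASS[seen] == coi:
                return False, f"conflict: already accessed {seen} in class '{coi}'"
        return True, "no conflict"

    def read(self, subject: str, company: str, sanitised: bool = False):
        allowed, reason = self.can_read(subject, company, sanitised)
        if allowed and not sanitised:
            self.history[subject].add(company)
        return allowed, reason

    def can_write(self, subject: str, company: str):
        """*-property: writing into a company's dataset is allowed only if the subject
        may read it and has read no other company's unsanitised data, otherwise the
        subject could copy that data across the wall. (Simplified: what the subject
        'can read' is approximated by its read history.)"""
        allowed, reason = self.can_read(subject, company)
        if not allowed:
            return False, reason
        others = self.history[subject] - {company}
        if others:
            return False, f"would carry data of {sorted(others)} into {company}"
        return True, "no leakage path"


if __name__ == "__main__":
    wall = ChineseWall()
    for company in ("BankA", "OilCo", "BankB", "BankA"):
        print("alice reads", company, "->", wall.read("alice", company))
    print("alice writes BankA ->", wall.can_write("alice", "BankA"))
    print("alice reads BankB (sanitised) ->", wall.read("alice", "BankB", sanitised=True))
```

Note the write denial: alice may still read BankA, but because she has also read OilCo she may no longer write into BankA's dataset. For an information-barrier programme this is the rule that matters most, since it is the path by which one business unit's material non-public information ends up in another's working files.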
5. Role-Based Access Control (RBAC) — Access Through Roles
RBAC is the most widely implemented access control model in enterprise environments. Access rights are assigned to roles rather than individuals — users are assigned roles, roles carry permissions, and changes to responsibilities are reflected through role reassignment rather than individual permission changes.
Compliance relevance: RBAC is the operational implementation model for access control across ISO 27001, DORA, and NIS2. ISO 27001 A.5.15, A.8.2 (privileged access rights), and DORA’s access management requirements are all satisfied through a well-implemented RBAC system with regular access reviews. The DORA gap analysis process consistently examines whether roles are defined proportionately and whether review cycles produce genuine evidence.
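The following added example (not the article's or Copla's code) puts sections 3 and 5 together: users get roles, roles carry permissions, a static separation-of-duties rule stops one user from holding both the clerk and approver roles, and ledger balances are constrained data items that change only through an approval procedure that requires a second person. The roles, permissions, accounts and users are constructed.

```python
"""RBAC with Clark-Wilson style well-formed transactions and separation of duties
for a payment flow. Added illustration for this article, not code from it; the
roles, permissions, accounts and users are constructed."""
from dataclasses import dataclass, field

# Roles carry permissions; users are only ever assigned roles (constructed).
ROLE_PERMS = {
    "payments_clerk": {"payment.initiate"},
    "payments_approver": {"payment.approve"},
    "auditor": {"ledger.read"},
}
# Static separation of duties: role pairs that one user may never hold together.
SOD_EXCLUSIVE = [frozenset({"payments_clerk", "payments_approver"})]


class Rbac:
    def __init__(self):
        self.user_roles = {}  # user -> set of roles

    def assign(self, user: str, role: str) -> None:
        roles = self.user_roles.setdefault(user, set())
        for pair in SOD_EXCLUSIVE:
            if role in pair and (pair - {role}) & roles:
                raise PermissionError(f"{user}: {role} conflicts with {', '.join(pair - {role})}")
        roles.add(role)

    def revoke(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def has(self, user: str, perm: str) -> bool:
        return any(perm in ROLE_PERMS[r] for r in self.user_roles.get(user, ()))


@dataclass
class Ledger:
    """Balances are constrained data items: they change only through approve()."""
    balances: dict
    pending: dict = field(default_factory=dict)
    expected_total: int = 0

    def __post_init__(self):
        self.expected_total = sum(self.balances.values())

    def ivp(self) -> bool:
        """Integrity verification procedure: internal transfers neither create nor destroy money."""
        return sum(self.balances.values()) == self.expected_total

    def initiate(self, rbac: Rbac, user: str, src: str, dst: str, amount: int, ref: str) -> None:
        if not rbac.has(user, "payment.initiate"):
            raise PermissionError(f"{user} lacks payment.initiate")
        if amount <= 0 or self.balances.get(src, 0) < amount:
            raise ValueError("invalid or unfunded payment")
        self.pending[ref] = (user, src, dst, amount)

    def approve(self, rbac: Rbac, user: str, ref: str) -> None:
        """Transformation procedure: the only path that modifies balances, and it needs
        a second person (four-eyes) even if roles were reshuffled after initiation."""
        initiator, src, dst, amount = self.pending[ref]
        if not rbac.has(user, "payment.approve"):
            raise PermissionError(f"{user} lacks payment.approve")
        if user == initiator:
            raise PermissionError("initiator cannot approve their own payment")
        del self.pending[ref]
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        if not self.ivp():
            raise RuntimeError("ledger invariant violated")


if __name__ == "__main__":
    rbac = Rbac()
    rbac.assign("alice", "payments_clerk")
    rbac.assign("bob", "payments_approver")
    ledger = Ledger({"ACC-1": 500, "ACC-2": 50})
    ledger.initiate(rbac, "alice", "ACC-1", "ACC-2", 100, "P1")
    for user in ("alice", "bob"):
        try:
            ledger.approve(rbac, user, "P1")
            print(user, "approved P1 ->", ledger.balances, "IVP ok:", ledger.ivp())
        except PermissionError as e:
            print(user, "denied:", e)
```

Two separation-of-duties checks are deliberately present. The static one in assign() is what an access review would verify (no user holds both roles). The dynamic one in approve() catches the case the static rule cannot: a clerk who initiates a payment, is reassigned to the approver role, and then tries to approve it.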
6. Zero Trust — Never Trust, Always Verify
Zero Trust, formalised in NIST SP 800-207, is the architectural model that has most significantly reshaped security design in the past decade. The core principle: no user, device, or network location is trusted by default. Every access request is authenticated, authorised, and continuously validated.
Three principles are commonly used to summarise it (NIST SP 800-207 itself lists seven tenets, which these condense):
- Verify explicitly: Authenticate and authorise based on identity, device, location, and context — every time.
- Least privilege: Limit access to the minimum necessary, using just-in-time and just-enough-access approaches.
- Assume breach: Design systems as if a breach has already occurred — minimise impact through segmentation and continuous monitoring.
Compliance relevance: Zero Trust is the architecture that ISO 27001:2022 Annex A, DORA’s ICT security requirements, and NIS2’s security measures collectively point toward. Organisations implementing Zero Trust address a significant portion of all three frameworks’ access control, monitoring, and resilience requirements from a single architectural decision. For EU financial institutions, it is the most efficient security architecture investment available — it satisfies regulatory requirements as a byproduct of good security rather than as a separate compliance exercise.
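An added example, not from the article, of what the three principles look like as a per-request policy decision point. The signals (device posture, MFA timestamp, network location) and the grant store are constructed stand-ins for what an identity provider, endpoint agent and privileged-access system would supply. The point it shows is that a request from inside the corporate network gets no relaxation of any check, while an expired just-in-time grant or a stale MFA denies even a compliant device.

```python
"""Per-request policy decision point in the Zero Trust style: identity, device
posture, MFA freshness and a time-boxed (just-in-time) grant are evaluated on every
request, and network location adds no trust by itself. Added illustration for this
article, not code from it; the signal names, thresholds and sample requests are
constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MFA_MAX_AGE = timedelta(hours=8)  # constructed threshold


@dataclass(frozen=True)
class Request:
    user: str
    resource: str               # e.g. "ledger:write"
    device_compliant: bool      # posture signal from the endpoint agent
    mfa_at: datetime            # time of the user's last MFA
    on_corporate_network: bool  # recorded for monitoring, never a trust signal
    now: datetime


@dataclass(frozen=True)
class Grant:
    """Just-in-time, just-enough-access grant for one user and one resource."""
    user: str
    resource: str
    expires: datetime


class PolicyDecisionPoint:
    def __init__(self, grants):
        self.grants = list(grants)

    def decide(self, req: Request):
        """Return (allowed, reason). Nothing is cached between calls: every request is re-verified."""
        # Verify explicitly: device posture and MFA freshness on every request.
        if not req.device_compliant:
            return False, "device not compliant"
        if req.now - req.mfa_at > MFA_MAX_AGE:
            return False, "MFA too old, re-authenticate"
        # Least privilege: access exists only as an unexpired grant for exactly this resource.
        grant = next((g for g in self.grants if g.user == req.user and g.resource == req.resource), None)
        if grant is None:
            return False, "no grant for resource"
        if req.now >= grant.expires:
            return False, "grant expired"
        # Assume breach: where the request came from is logged for detection but does not
        # relax any check above, so a foothold inside the network buys an attacker nothing.
        location = "corporate" if req.on_corporate_network else "external"
        return True, f"allowed ({location} network, grant until {grant.expires.isoformat()})"


def demo():
    """Six constructed requests against one JIT grant; returns {label: (allowed, reason)}."""
    t0 = datetime(2026, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed clock
    pdp = PolicyDecisionPoint([Grant("alice", "ledger:write", t0 + timedelta(hours=1))])
    base = dict(user="alice", resource="ledger:write", device_compliant=True,
                mfa_at=t0 - timedelta(minutes=10), on_corporate_network=True, now=t0)
    cases = {
        "inside, compliant": base,
        "outside, compliant": {**base, "on_corporate_network": False},
        "inside, non-compliant device": {**base, "device_compliant": False},
        "inside, stale MFA": {**base, "mfa_at": t0 - timedelta(hours=9)},
        "inside, grant expired": {**base, "now": t0 + timedelta(hours=2)},
        "inside, other resource": {**base, "resource": "ledger:read"},
    }
    return {label: pdp.decide(Request(**kw)) for label, kw in cases.items()}


if __name__ == "__main__":
    for label, (allowed, reason) in demo().items():
        print(f"{label:30s} -> {'ALLOW' if allowed else 'DENY':5s} {reason}")
```

The first two cases are the ones to show an auditor: the external request is allowed and the internal one is allowed for the same reasons, neither because of where it came from. Every deny carries its reason so the decision log doubles as evidence for the access-management and monitoring requirements.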
7. Defence in Depth — Layered Security
Defence in Depth is the principle that security controls should operate at multiple layers simultaneously — network perimeter, endpoint, application, data, identity, and monitoring — so that the failure of any single control does not result in a complete security failure.
Compliance relevance: ISO 27001’s comprehensive Annex A control set is a direct application of Defence in Depth. DORA’s operational resilience requirements formalise it for ICT systems — organisations must demonstrate that layered controls, regularly tested, provide genuine resilience rather than relying on any single safeguard. The DORA supply chain requirements extend the same principle to ICT third parties.
Why Security Models Matter for Compliance
The compliance professional who understands the model behind a control is better equipped to assess whether an implementation genuinely satisfies the underlying security objective — rather than simply checking a box. ISO 27001 Stage 2 auditors and DORA supervisory authorities are trained to make exactly this distinction.
For most EU financial institutions, the practical combination is: Zero Trust as the architecture, RBAC as the access control implementation, Defence in Depth as the control layering approach, and Clark-Wilson principles for transaction integrity and separation of duties. Together, these satisfy the majority of access control, integrity, and resilience requirements across ISO 27001, DORA, and NIS2 — without requiring separate control architectures for each framework.
How Copla Implements Security Controls for EU Financial Institutions
We build information security programmes grounded in the right architecture from the start — risk-driven, connected, and designed to satisfy DORA, ISO 27001, and NIS2 simultaneously rather than as three separate exercises.
Schedule a call with Copla to discuss how this would work for your organisation.
FAQ
What is the most important security model for EU compliance?
Zero Trust is the most consequential in 2026 — DORA’s continuous monitoring and access management requirements, ISO 27001’s Annex A access controls, and NIS2’s security measures all align with Zero Trust architecture in practice.
What is the difference between Bell-LaPadula and Biba?
Bell-LaPadula protects confidentiality — preventing unauthorised reading of higher-classified data. Biba protects integrity — preventing low-integrity processes from modifying high-integrity data. They address complementary objectives and are often implemented together.
How do security models connect to ISO 27001?
ISO 27001’s Annex A controls are practical implementations of security model principles. Access restriction reflects Bell-LaPadula. Segregation of duties reflects Clark-Wilson. Layered controls reflect Defence in Depth. The model knowledge helps you design controls that satisfy the framework’s intent, not just its letter.