Page 250 - CISSO_Prep_ Guide
• Offered the concept of "Separation of Duties" as an assurance mechanism for this functional requirement.
• Internal and External Consistency.
▪ Internal consistency: the transaction must fit the internal parameters of the system.
▪ External consistency: the transactions must fit the real world.
• Access triple: subject – program – object
• Access control matrix.
• Lattice: Information flow matrix.
• Brewer and Nash Model / Chinese Wall.
• More of a policy model.
• Chinese wall – the doctor should not tell patient A about patient B.
• Graham-Denning Model – uses 'monitor' (rule checker).
• James Anderson calls this a 'reference monitor.'
• Harrison-Ruzzo-Ullman – uses an access matrix (another name for a reference monitor).