Security Basics mailing list archives
RE: Help needed with Mandatory Access Control Security Labels
From: "Jerry Pettus" <rogue5 () bluemarble net>
Date: Fri, 1 Feb 2008 20:30:14 +0430
That's pretty much correct. The trick is trying to make available only what needs to be available.

For the CISSP it's also helpful to remember that of the three legs of CIA (Confidentiality, Integrity and Availability) you can manage two of the three at any given time, but not three. One of the three will take a hit. In the military, confidentiality and integrity are paramount and availability is the leg that will be lessened in importance as necessary. For the private sector, availability and integrity are more important than confidentiality, though you will want to limit access for some things, like company/trade secrets. That data itself may be treated the way the military treats their priorities.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Lee Hilt
Sent: Friday, February 01, 2008 8:12 PM
To: 'Kelly Robinson'; security-basics () securityfocus com
Subject: RE: Help needed with Mandatory Access Control Security Labels

I'm not certain about this, so take what I say here with a grain of salt; I'm only going by my experience within the Air Force (11 years of service).

I would think, knowing that the classification of the resource MUST be the classification of the most sensitive classified document stored in a given resource (i.e. 3x Unclass documents, 2x Secret documents, 1x Top Secret document = a Top Secret resource), then if you stored the unclass SCIENCE resource as a child resource of the (SECRET;{TECHNOLOGY;SCIENCE}) resource, then no, you shouldn't have read access unless you are properly cleared for the highest level of classification of that resource (TOP SECRET).

Now, that shouldn't prevent a cleared user of that resource (who has the responsibilities of disseminating this information) from recognizing your need to access it and possibly allowing you to read it in another fashion, but giving read access to a resource and its contents MUST be considered by the individual's: 1) Security Clearance 2) Need to Know.

That being said, if a person cleared for Top Secret could not demonstrate a clear NEED TO KNOW for a particular (SECRET) resource, or (For Official Use Only) for that matter, they should be denied access. Just because a clearance is held does not mean they have a need to access all resources they are cleared for.

Lee Hilt

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Kelly Robinson
Sent: 2008-01-31 7:25
To: security-basics () securityfocus com
Subject: Help needed with Mandatory Access Control Security Labels

Hi,

I am studying for my CISSP at the moment and I have a question regarding Mandatory Access Controls and security labels.

I understand the whole security labels thingy, i.e. Top Secret > Secret > Classified > Unclassified, and I understand some of the different models and their write-up, read-up, write-down etc. rules. I just don't get the {Resource} part.

Say I have the following (SECRET;{TECHNOLOGY}) and I want read access to an UNCLASSIFIED document in the SCIENCE resource. I am assuming that since I don't have (SECRET;{TECHNOLOGY;SCIENCE}) that I would NOT have read access? Is that right?

Thanks
K.
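The rule the thread is circling is the "dominates" relation on labels of the form (LEVEL;{categories}): a subject may read an object only if the subject's level is at least the object's level AND the subject holds every category the object carries. Categories (compartments) are the machine-checkable form of need-to-know, which is why (SECRET;{TECHNOLOGY}) cannot read an UNCLASSIFIED document in the SCIENCE compartment even though SECRET outranks UNCLASSIFIED. The following is an added worked example, not code from any of the posters; it assumes the standard hierarchy UNCLASSIFIED < CONFIDENTIAL < SECRET < TOP SECRET (the "Classified" level in the question is not a standard level) and the Bell-LaPadula read/write rules, and it also labels a container with the least upper bound of its contents, which is the rule Lee describes for a resource holding documents of mixed classification.

```python
"""Bell-LaPadula style security labels: a hierarchical level plus a set of
categories (compartments), and the 'dominates' relation that decides read and
write access. Added example for the thread above; not from any poster."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable

# Assumed hierarchical levels, lowest to highest (standard US names).
LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.level not in RANK:
            raise ValueError(f"unknown level {self.level!r}")
        # accept any iterable of category names, store them as a frozenset
        object.__setattr__(self, "categories", frozenset(self.categories))

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: level is higher or equal AND every
        category of `other` is also held by `self`."""
        return (RANK[self.level] >= RANK[other.level]
                and other.categories <= self.categories)

    def __str__(self) -> str:
        return f"({self.level};{{{';'.join(sorted(self.categories))}}})"


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property ('no read up'): subject must dominate object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property ('no write down'): object must dominate subject."""
    return obj.dominates(subject)


def lub(labels: Iterable[Label]) -> Label:
    """Least upper bound: the label a container must carry when it holds
    objects with these labels (highest level, union of all categories)."""
    labels = list(labels)
    if not labels:
        return Label("UNCLASSIFIED")
    level = max((lbl.level for lbl in labels), key=RANK.__getitem__)
    cats = frozenset().union(*(lbl.categories for lbl in labels))
    return Label(level, cats)


def thread_scenario() -> Dict[str, object]:
    """Kelly's question and Lee's container rule, worked through."""
    kelly = Label("SECRET", {"TECHNOLOGY"})
    science_doc = Label("UNCLASSIFIED", {"SCIENCE"})
    # Lee's example: 3 unclass, 2 secret and 1 top secret document in one resource
    resource = lub([Label("UNCLASSIFIED")] * 3 + [Label("SECRET")] * 2
                   + [Label("TOP SECRET")])
    cleared = Label("TOP SECRET", {"TECHNOLOGY", "SCIENCE"})
    return {
        "kelly_reads_science_doc": can_read(kelly, science_doc),  # False
        "kelly_reads_own_compartment":
            can_read(kelly, Label("UNCLASSIFIED", {"TECHNOLOGY"})),  # True
        "resource_label": str(resource),  # (TOP SECRET;{})
        "kelly_reads_resource": can_read(kelly, resource),  # False
        "cleared_reads_resource": can_read(cleared, resource),  # True
        "kelly_writes_up": can_write(kelly, Label("TOP SECRET", {"TECHNOLOGY"})),  # True
        "kelly_writes_down":
            can_write(kelly, Label("UNCLASSIFIED", {"TECHNOLOGY"})),  # False
    }


if __name__ == "__main__":
    for name, result in thread_scenario().items():
        print(f"{name}: {result}")
```

Two things worth noticing when running it: the category check is what denies Kelly, not the level, so raising Kelly to TOP SECRET without adding SCIENCE still denies the read; and the lattice only decides whether an access is permitted once the labels exist. Whether Kelly should be granted the SCIENCE category at all is the human need-to-know decision Lee describes, and it happens outside the model.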
Current thread:
- Help needed with Mandatory Access Control Security Labels Kelly Robinson (Feb 01)
- RE: Help needed with Mandatory Access Control Security Labels Lee Hilt (Feb 01)
- RE: Help needed with Mandatory Access Control Security Labels Jerry Pettus (Feb 01)
- <Possible follow-ups>
- Re: Help needed with Mandatory Access Control Security Labels sculark-tx (Feb 01)
- RE: Help needed with Mandatory Access Control Security Labels Lee Hilt (Feb 01)