Security Basics mailing list archives

RE: Help needed with Mandatory Access Control Security Labels


From: "Jerry Pettus" <rogue5 () bluemarble net>
Date: Fri, 1 Feb 2008 20:30:14 +0430

That's pretty much correct. The trick is trying to make available only what
needs to be available.

For the CISSP it's also helpful to remember that of the three legs of CIA
(Confidentiality, Integrity and Availability) you can manage two of the
three at any given time, but not three. One of the three will take a hit.

In the military, confidentiality and integrity are paramount and
availability is the leg that will be lessened in importance as necessary.

For the private sector, availability and integrity are more important than
confidentiality, though you will want to limit access for some things, like
company/trade secrets. That data itself may be treated the way the military
treats their priorities.


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Lee Hilt
Sent: Friday, February 01, 2008 8:12 PM
To: 'Kelly Robinson'; security-basics () securityfocus com
Subject: RE: Help needed with Mandatory Access Control Security Labels

I'm not certain about this, so take what I say here with a grain of salt; I'm
only going by my experience within the Air Force (11 years of service).

I would think, knowing that the classification of the resource MUST be the
classification of the most sensitive classified document stored in a given
resource (i.e. 3x Unclass documents, 2x Secret documents, 1x Top Secret
document = a Top Secret resource), then if you stored the unclass SCIENCE
resource as a child resource of the (SECRET;{TECHNOLOGY;SCIENCE}) resource,
then no, you shouldn't have read access unless you are properly cleared for
the highest level of classification of that resource (TOP SECRET). Now, that
shouldn't prevent a cleared user of that resource (who has the
responsibilities of disseminating this information) from recognizing your
need to access it and possibly allowing you to read it in another fashion,
but giving read access to a resource and its contents MUST be considered by
the individual's:
    1) Security Clearance
    2) Need to Know.

That being said, if a person cleared for Top Secret could not
demonstrate a clear NEED to KNOW for a particular (SECRET) resource, or (For
Official Use Only) for that matter, they should be denied access. Just
because a clearance is held does not mean they have a need to access all
resources they are cleared for.

Lee Hilt




-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Kelly Robinson
Sent: 2008-01-31 7:25
To: security-basics () securityfocus com
Subject: Help needed with Mandatory Access Control Security Labels

Hi, I am studying for my CISSP at the moment and I have a question regarding
Mandatory Access Controls and security labels.

I understand the whole security labels thingy, i.e. Top Secret > Secret >
Classified > Unclassified, and I understand some of the different models and
their write-up, read-up, write-down etc. rules.

I just don't get the {Resource} part.

Say I have the following (SECRET;{TECHNOLOGY}) and I want read access to an
UNCLASSIFIED document in the SCIENCE resource. I am assuming that since I
don't have (SECRET;{TECHNOLOGY;SCIENCE}) that I would NOT have read access?
Is that right?

Thanks

K.
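Worked example added by the editor, not posted by anyone in this thread: a minimal model of the (LEVEL;{CATEGORIES}) labels Kelly asks about, with the dominance check that decides read/write access and the "highest document in the resource" rule from Lee's reply. The label parser, level table and function names are my own assumptions, not part of any real MAC implementation.

```python
# Added example (not from the thread): a minimal model of the labels Kelly asks about.
# A label is (LEVEL;{CATEGORIES}); a subject may read an object only if the subject's
# label dominates the object's: level at least as high AND every category of the object
# held by the subject (Bell-LaPadula simple security property with compartments).
import re
from dataclasses import dataclass

# Level names follow the thread's ordering (assumption); the U.S. hierarchy actually
# calls the level between UNCLASSIFIED and SECRET "CONFIDENTIAL".
LEVELS = {"UNCLASSIFIED": 0, "CLASSIFIED": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset

    def dominates(self, other: "Label") -> bool:
        """Lattice order: higher-or-equal level and a superset of categories.
        The category set is the formal expression of "need to know"."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def parse_label(text: str) -> Label:
    """Parse the thread's notation, e.g. "(SECRET;{TECHNOLOGY;SCIENCE})" (hypothetical parser)."""
    level, _, cats = text.strip().strip("()").partition(";")
    names = re.split(r"[;,]", cats.strip("{}()"))
    return Label(level.strip().upper(),
                 frozenset(n.strip().upper() for n in names if n.strip()))


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property ("no read up"): the subject must dominate the object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property ("no write down"): the object must dominate the subject."""
    return obj.dominates(subject)


def container_label(children) -> Label:
    """High-water mark from Lee's reply: a resource carries the highest level and the
    union of categories of everything stored in it."""
    top = max(children, key=lambda c: LEVELS[c.level]).level
    return Label(top, frozenset().union(*(c.categories for c in children)))


if __name__ == "__main__":
    me = parse_label("(SECRET;{TECHNOLOGY})")
    print(can_read(me, parse_label("(UNCLASSIFIED;{SCIENCE})")))  # False: no SCIENCE category
    print(can_read(me, parse_label("(UNCLASSIFIED)")))             # True
```

Kelly's case comes out as "no read": the document is lower than SECRET, but it carries a category the subject does not hold, and dominance requires both conditions.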



