RE: Help needed with Mandatory Access Control Security Labels




I'm not certain about this, so take what I say here with a grain of salt, I'm
only going by my experience within the Air Force (11 years of service).

I would think knowing that the classification of the resource MUST be the
classification of the most sensitive classified document stored in a given
resource, (i.e. 3x Unclass Documents, 2x Secret Documents, 1 x Top Secret
Document = a Top Secret resource) then if you stored the unclass SCIENCE
resource as a child resource of the (SECRET;(TECHNOLOGY;SCIENCE)) resource,
then no, you shouldn't have read access unless you are properly cleared for
the highest level of classification of that resource (TOP SECRET). Now, that
shouldn't prevent a cleared user of that resource (who has the
responsibilities of disseminating this information) from recognizing your
need to access it and possibly allowing you to read it in another fashion,
but giving Read access to a resource and its contents MUST be considered by
the individual's:
1) Security Clearance
2) Need to Know.

That being said, if a person cleared for Top Secret could not
demonstrate a clear NEED to KNOW for a particular (SECRET) resource, or (For
Official Use Only) for that matter, they should be denied access. Just
because a clearance is held, does not mean they have a need to access all
resources they are cleared for.

Lee Hit




-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Kelly Robinson
Sent: 2008-01-31 7:25
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Help needed with Mandatory Access Control Security Labels

Hi, I am studying for my CISSP at the moment and I have a question regarding
Mandatory Access Controls and security labels.

I understand the whole security labels thingy, i.e. Top Secret > Secret >
Classified > Unclassified and I understand some of the different models and
their write-up, read-up, write-down etc rules.

I just don't get the {Resource} part.

Say I have the following (SECRET;{TECHNOLOGY}) and I want read access to an
UNCLASSIFIED document in the SCIENCE resource, I am assuming that since I
don't have (SECRET;{TECHNOLOGY;SCIENCE}) that I would NOT have read access?
Is that right?

Thanks

K.
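
Added example, not part of either message in this thread: a minimal label-dominance check for the (LEVEL;{CATEGORIES}) notation used in the question, together with the "resource takes the level of its most sensitive document" rule from the reply. It assumes need-to-know is expressed as the category set and that a container's categories are the union of its documents' categories; all names and sample labels are constructed.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    # Ordering and names as listed in the question in this thread.
    UNCLASSIFIED = 0
    CLASSIFIED = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    level: Level
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True when this label is at least as high AND covers every category."""
        return self.level >= other.level and self.categories >= other.categories


def label(level, *categories):
    """Helper (hypothetical) to write (LEVEL;{CAT,...}) compactly."""
    return Label(level, frozenset(categories))


def resource_label(document_labels):
    """Container label: highest level held, union of categories (assumption)."""
    labels = list(document_labels)
    level = max((l.level for l in labels), default=Level.UNCLASSIFIED)
    categories = frozenset().union(*(l.categories for l in labels))
    return Label(level, categories)


def can_read(subject: Label, obj: Label) -> bool:
    """No read up: the subject's label must dominate the object's label."""
    return subject.dominates(obj)


# Constructed sample labels.
ASKER = label(Level.SECRET, "TECHNOLOGY")
SCIENCE_DOC = label(Level.UNCLASSIFIED, "SCIENCE")
BOTH_CATEGORIES = label(Level.SECRET, "TECHNOLOGY", "SCIENCE")
# 3x Unclass, 2x Secret, 1x Top Secret documents in one SCIENCE resource.
MIXED_RESOURCE = resource_label(
    [label(Level.UNCLASSIFIED, "SCIENCE")] * 3
    + [label(Level.SECRET, "SCIENCE")] * 2
    + [label(Level.TOP_SECRET, "SCIENCE")]
)
```
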