See:
· Unified at the highest level
For systems where classified information is stored, processed or transmitted, the following secure modes of operation are distinguished:
1 - Dedicated
The system is used by personnel cleared to the highest classification level and sharing the same "need to know" for all the information held in the system; separation of the data is not a system requirement.
2 - Unified at the highest level
The system handles information with different classification levels. It allows selective and simultaneous access to that information by personnel cleared to the highest classification level but with a different "need to know". The system reliably separates the data and provides selective access control to the information according to the different "need to know".
3 - Multilevel
The system handles information with different classification levels. It allows selective and simultaneous access to that information by personnel with different clearance levels and "need to know". The system reliably performs the complete separation of the data and selective access control.
For all three secure modes of operation, the physical, personnel and procedural controls must meet the requirements imposed by the highest classification level of the information resident in the system.
[CCN-STIC-103:2006]
Determining the security operating mode of the system consists in indicating how the system allows users of different categories to process, transmit or store data of greater or lesser sensitivity. It brings the general security issues into view, because the security operating mode defines the information management context of an information system.
In general terms, the security operating mode of the system belongs to one of the following categories:
· Category 1: exclusive operating mode
Everyone with access to the system is authorised for the highest processing level and has an identical (or equivalent) need to know all the information processed, stored or transmitted by the system.
· Category 2: dominant operating mode
Everyone with access to the system is authorised for the highest processing level, but not everyone has an identical (or equivalent) need to know all the information processed, stored or transmitted by the system.
· Category 3: multilevel operating mode
Not everyone with access to the system is cleared for the highest processing level, and not everyone has an identical (or equivalent) need to know all the information processed, stored or transmitted by the system.
To choose the security operating mode of the system, it is important to know whether the following exist or should exist:
· a hierarchical classification of information (e.g. confidential, secret, etc.) and/or a classification by compartment (medical, company, nuclear, etc.),
· user categories,
· a notion of the need to know, modify or have the information, etc.
The choice of security operating mode can be reconsidered in light of the risks identified during the following stages. However, it is important to raise this question as early as possible, because its implementation has major consequences for the design of the IS and of the ISS.
[EBIOS:2005]
Description of the conditions under which an information system operates based on the sensitivity of information processed and the clearance levels, formal access approvals, and need-to-know of its users. Four modes of operation are authorized for processing or transmitting information: dedicated mode, system high mode, compartmented/partitioned mode, and multilevel mode. [CNSSI_4009:2010]
The mode of operation is determined by:
· The type of users who will be directly or indirectly accessing the system.
· The type of data, including classification levels, compartments, and categories, that are processed on the system.
· The type of levels of users, their need to know, and formal access approvals that the users will have.
All users must have ...

mode          | signed NDA for | proper clearance for | formal access approval for | a valid need-to-know for
Dedicated     | ALL            | ALL                  | ALL                        | ALL
System high   | ALL            | ALL                  | ALL                        | SOME
Compartmented | ALL            | ALL                  | SOME                       | SOME
Multilevel    | ALL            | SOME                 | SOME                       | SOME
http://en.wikipedia.org/wiki/Security_modes
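The table above is a decision rule: walking its columns from left to right, the first column in which only SOME users qualify for ALL of the information fixes the row, and therefore the mode the system must run in. The following Python is an added example of that rule, not code from any of the cited sources; the level names, the Info and User classes and the sample population are constructed assumptions.

```python
from dataclasses import dataclass

# Hierarchical classification levels, lowest to highest (constructed sample).
LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET")

@dataclass(frozen=True)
class Info:
    level: str        # hierarchical classification of the item
    compartment: str  # compartment / category / special access program

@dataclass(frozen=True)
class User:
    name: str
    clearance: str           # highest level the user is cleared for
    nda: frozenset           # compartments for which an NDA has been signed
    approvals: frozenset     # compartments with formal access approval
    need_to_know: frozenset  # Info items the user actually needs

def cleared_for(user, item):
    """Hierarchical check: a clearance covers its own level and everything below."""
    return LEVELS.index(user.clearance) >= LEVELS.index(item.level)

def required_mode(users, items):
    """Mode a system holding `items` must run in for this user population.
    Columns are checked in the table's order; the first column where only
    SOME users qualify for ALL information selects the row (the mode)."""
    def everyone(qualifies):
        return all(qualifies(u, i) for u in users for i in items)
    if not everyone(lambda u, i: i.compartment in u.nda):
        return None  # every row of the table requires an NDA from all users
    if not everyone(cleared_for):
        return "multilevel"
    if not everyone(lambda u, i: i.compartment in u.approvals):
        return "compartmented"
    if not everyone(lambda u, i: i in u.need_to_know):
        return "system high"
    return "dedicated"

# Constructed sample population: two SECRET items in different compartments.
ITEMS = (Info("SECRET", "NUCLEAR"), Info("SECRET", "MEDICAL"))
ALL_COMP = frozenset({"NUCLEAR", "MEDICAL"})
ANA = User("ana", "TOP SECRET", ALL_COMP, ALL_COMP, frozenset(ITEMS))   # needs everything
BOB = User("bob", "SECRET", ALL_COMP, ALL_COMP, frozenset({ITEMS[0]}))  # needs only NUCLEAR
EVE = User("eve", "CONFIDENTIAL", ALL_COMP, frozenset({"MEDICAL"}), frozenset({ITEMS[1]}))

if __name__ == "__main__":
    print(required_mode([ANA], ITEMS))            # dedicated
    print(required_mode([ANA, BOB], ITEMS))       # system high
    print(required_mode([ANA, BOB, EVE], ITEMS))  # multilevel
```

Adding a single user who is under-cleared for one item is enough to push the whole system into multilevel mode, which is the practical point of the table: the mode is set by the weakest member of the population, not the average one.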
2. (I) /system operation/ A type of security policy that states the range of classification levels of information that a system is permitted to handle and the range of clearances and authorizations of users who are permitted to access the system. (See: compartmented security mode, controlled security mode, dedicated security mode, multilevel security mode, partitioned security mode, system-high security mode. Compare: protection level.) [RFC4949:2007]
A description of the conditions under which an IS functions, based on the sensitivity of data processed and the clearance levels and authorizations of the users. Four modes of operation are authorized:
(1a) An IS is operating in the dedicated mode when the system is specifically and exclusively dedicated to and controlled for the processing of one particular type or classification of information, either for full-time operation or for a specific period of time.
(1b) An IS is operating in the dedicated mode when each user with direct or indirect individual access to the IS, its peripherals, its remote terminals, or its remote hosts has all of the following:
· a valid personnel clearance for all information on the system,
· formal access approval for, and signed nondisclosure agreements for, all the information stored and/or processed (including all compartments, subcompartments, and/or special access programs), and
· a valid need-to-know for all information contained within the system.
(2a) An IS is operating in the system-high mode when each user with direct or indirect access to the IS, its peripherals, remote terminals, or remote hosts has all of the following:
· a valid personnel clearance for all information on the IS,
· formal access approval for, and signed nondisclosure agreements for, all the information stored and/or processed (including all compartments, subcompartments, and/or special access programs), and
· a valid need-to-know for some of the information contained within the IS.
(2b) An IS is operating in the system-high mode when the system hardware and software are trusted only to provide discretionary protection between users. In this mode, the entire system, to include all components electrically and/or physically connected, must operate with security measures commensurate with the highest classification and sensitivity of the information being processed and/or stored. All system users in this environment must possess clearances and authorization for all information contained in the system. All system output must be clearly marked with the highest classification and all system caveats until the information has been reviewed manually by an authorized individual to ensure appropriate classifications and that caveats have been affixed.
(3) An IS is operating in the compartmented mode when each user with direct or indirect access to the IS, its peripherals, remote terminals, or remote hosts has all of the following:
· a valid personnel clearance for the most restricted information processed in the IS,
· formal access approval for, and signed nondisclosure agreements for, that information to which he or she is to have access, and
· a valid need-to-know for that information to which he or she is to have access.
(4) An IS is operating in the multilevel mode when all the following statements are satisfied concerning users with direct or indirect access to the IS, its peripherals, remote terminals, or remote hosts:
· some do not have a valid personnel clearance for all the information processed in the IS,
· all have the proper clearance and have the appropriate formal access approval for that information to which they are to have access, and
· all have a valid need-to-know for that information to which they are to have access.
http://www.garlic.com/~lynn/secgloss.htm
Determining the security operating mode of the system consists in indicating how the system enables various categories of users to process, send or store various types of sensitive information. This allows the general security issues to be understood, since the security operating mode defines the information management context of an information system. The security operating mode of the system usually belongs to one of the following categories:
· Category 1: exclusive operating mode
Everyone accessing the system has the highest level of authorisation and an identical need to know (or equivalent) with regard to all the information processed, stored or sent by the system.
· Category 2: dominant operating mode
Everyone accessing the system has the highest level of authorisation but they do not have an identical need to know (or equivalent) with regard to the information processed, stored or sent by the system.
· Category 3: multilevel operating mode
Not everyone accessing the system has the highest level of authorisation and they do not all have an identical need to know (or equivalent) with regard to the information processed, stored or sent by the system.
To choose the security operating mode of the system, it is important to know if the following exist or should exist:
· a prioritised information classification structure (e.g. confidential, secret, etc.) and/or compartmentalised structure (medical, company, nuclear, etc.),
· user categories,
· a notion of need to know, need to modify, need to have, etc.
The choice of security operating mode can be reassessed once the risks have been identified during the next stages. However, it is important to consider this aspect as early as possible, as its implementation has major consequences on the IS and ISS architecture.
[EBIOS:2005]
Determining the security operating mode of the system consists in indicating how the system allows users of different categories to process, transmit or store information of different sensitivities. It gives an understanding of the general security issues, because the security operating mode defines the information management context of an information system.
In general, the security operating mode of the system belongs to one of the following categories:
· Category 1: exclusive operating mode
Everyone with access to the system is cleared to the highest classification level and has an identical need to know (or equivalent) for all the information processed, stored or transmitted by the system.
· Category 2: dominant operating mode
Everyone with access to the system is cleared to the highest classification level, but not everyone has an identical need to know (or equivalent) for the information processed, stored or transmitted by the system.
· Category 3: multilevel operating mode
Not everyone with access to the system is cleared to the highest classification level, and not everyone has an identical need to know (or equivalent) for the information processed, stored or transmitted by the system.
To choose the security operating mode of the system, it is important to know whether the following exist or should exist:
· a hierarchical classification of information (e.g. confidential, secret, etc.) and/or a classification by compartment (medical, company, nuclear, etc.),
· user categories,
· a notion of the need to know, modify or have the information, etc.
The choice of security operating mode can be reconsidered in light of the risks identified during the following stages. However, it is important to consider this aspect as early as possible, because its implementation has major consequences for the architecture of the IS and of the ISS.
[EBIOS:2005]
Related topics