For systems in which classified information is stored, processed or transmitted, the following secure modes of operation are distinguished:
1 - Dedicated
The system is used by personnel cleared to the highest classification level and sharing the same "need-to-know" for all the information held in the system; separation of the data is not a requirement placed on the system.
2 - System high (unificado al nivel superior)
The system handles information of different classification levels. It allows selective and simultaneous access to that information by personnel cleared to the highest classification level but with differing "need-to-know". The system reliably separates the data and provides selective access control to the information according to the differing "need-to-know".
3 - Multilevel
The system handles information of different classification levels. It allows selective and simultaneous access to that information by personnel with different clearance levels and different "need-to-know". The system reliably performs complete separation of the data and selective access control.
For all three secure modes of operation, the physical, personnel and procedural controls must meet the requirements imposed by the highest classification level of the information resident in the system.
[CCN-STIC-103:2006]
Description of the conditions under which an information system operates based on the sensitivity of information processed and the clearance levels, formal access approvals, and need-to-know of its users. Four modes of operation are authorized for processing or transmitting information: dedicated mode, system high mode, compartmented/partitioned mode, and multilevel mode. [CNSSI_4009:2010]
The mode of operation is determined by:
· The type of users who will be directly or indirectly accessing the system.
· The type of data, including classification levels, compartments, and categories, that are processed on the system.
· The type of levels of users, their need to know, and formal access approvals that the users will have.
All users must have ...

mode          | signed NDA for | proper clearance for | formal access approval for | a valid need-to-know for
Dedicated     | ALL            | ALL                  | ALL                        | ALL
System high   | ALL            | ALL                  | ALL                        | SOME
Compartmented | ALL            | ALL                  | SOME                       | SOME
Multilevel    | ALL            | SOME                 | SOME                       | SOME

http://en.wikipedia.org/wiki/Security_modes
2. (I) /system operation/ A type of security policy that states the range of classification levels of information that a system is permitted to handle and the range of clearances and authorizations of users who are permitted to access the system. (See: compartmented security mode, controlled security mode, dedicated security mode, multilevel security mode, partitioned security mode, system-high security mode. Compare: protection level.) [RFC4949:2007]
A description of the conditions under which an IS functions, based on the sensitivity of data processed and the clearance levels and authorizations of the users. Four modes of operation are authorized:
(1a) An IS is operating in the dedicated mode when the system is specifically and exclusively dedicated to and controlled for the processing of one particular type or classification of information, either for full-time operation or for a specific period of time.
(1b) An IS is operating in the dedicated mode when each user with direct or indirect individual access to the IS, its peripherals, its remote terminals, or its remote hosts has all of the following:
· a valid personnel clearance for all information on the system,
· formal access approval for, and signed nondisclosure agreements for, all the information stored and/or processed (including all compartments, subcompartments, and/or special access programs), and
· a valid need-to-know for all information contained within the system.
(2a) An IS is operating in the system-high mode when each user with direct or indirect access to the IS, its peripherals, remote terminals, or remote hosts has all of the following:
· a valid personnel clearance for all information on the IS,
· formal access approval for, and signed nondisclosure agreements for, all the information stored and/or processed (including all compartments, subcompartments, and/or special access programs), and
· a valid need-to-know for some of the information contained within the IS.
(2b) An IS is operating in the system-high mode when the system hardware and software are trusted only to provide discretionary protection between users. In this mode, the entire system, to include all components electrically and/or physically connected, must operate with security measures commensurate with the highest classification and sensitivity of the information being processed and/or stored. All system users in this environment must possess clearances and authorization for all information contained in the system. All system output must be clearly marked with the highest classification and all system caveats until the information has been reviewed manually by an authorized individual to ensure appropriate classifications and that caveats have been affixed.
(3) An IS is operating in the compartmented mode when each user with direct or indirect access to the IS, its peripherals, remote terminals, or remote hosts has all of the following:
· a valid personnel clearance for the most restricted information processed in the IS,
· formal access approval for, and signed nondisclosure agreements for, that information to which he or she is to have access, and
· a valid need-to-know for that information to which he or she is to have access.
(4) An IS is operating in the multilevel mode when all the following statements are satisfied concerning users with direct or indirect access to the IS, its peripherals, remote terminals, or remote hosts:
· some do not have a valid personnel clearance for all the information processed in the IS,
· all have the proper clearance and have the appropriate formal access approval for that information to which they are to have access, and
· all have a valid need-to-know for that information to which they are to have access.
http://www.garlic.com/~lynn/secgloss.htm
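The "all / some" decision table (signed NDA, clearance, formal access approval, need-to-know) and the definitions (1b), (2a), (3) and (4) above both amount to one classification rule over the user population and the data held. The following is an added example, written for this page and not taken from any of the cited glossaries, that applies that rule to a constructed set of users and data objects and then states which of the per-access checks the system itself must enforce in each mode (dedicated: none beyond membership; system high: need-to-know; compartmented: formal access approval and need-to-know; multilevel: all three, including clearance). The level ordering, compartment name, user names and object identifiers are assumptions made up for the example.

```python
"""Classify a system's security mode of operation from its user population
and the data it holds, and derive which access checks the system itself must
enforce in that mode.

Added example, not code from any of the glossaries cited on this page. It
implements the "all / some" decision table (signed NDA, clearance, formal
access approval, need-to-know); the levels, compartments, users and data
objects below are constructed sample data, not taken from a real system.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable

# Hierarchical classification levels: a clearance at a higher value dominates
# information at a lower one (constructed ordering for the example).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class DataObject:
    oid: str                                      # id used for need-to-know decisions
    level: str                                    # hierarchical classification
    compartments: FrozenSet[str] = frozenset()    # non-hierarchical compartments


@dataclass(frozen=True)
class User:
    name: str
    clearance: str
    nda_signed: bool
    formal_access: FrozenSet[str]   # compartments the user is formally approved for
    need_to_know: FrozenSet[str]    # object ids the user has a valid need-to-know for


def is_cleared(user: User, obj: DataObject) -> bool:
    """Personnel clearance dominates the object's hierarchical level."""
    return LEVELS[user.clearance] >= LEVELS[obj.level]


def is_approved(user: User, obj: DataObject) -> bool:
    """Formal access approval covers every compartment marked on the object."""
    return obj.compartments <= user.formal_access


def has_need_to_know(user: User, obj: DataObject) -> bool:
    return obj.oid in user.need_to_know


def determine_mode(users: Iterable[User], objects: Iterable[DataObject]) -> str:
    """Return the mode implied by the decision table:
    'dedicated', 'system high', 'compartmented' or 'multilevel'."""
    users, objects = list(users), list(objects)
    if not users or not objects:
        raise ValueError("need at least one user and one data object")
    # The NDA column reads ALL in every row: no mode admits a user without one.
    if not all(u.nda_signed for u in users):
        raise ValueError("no authorized mode: a user has not signed an NDA")
    pairs = [(u, o) for u in users for o in objects]
    all_cleared = all(is_cleared(u, o) for u, o in pairs)
    all_approved = all(is_approved(u, o) for u, o in pairs)
    all_ntk = all(has_need_to_know(u, o) for u, o in pairs)
    if not all_cleared:
        return "multilevel"       # some users lack clearance for all information
    if not all_approved:
        return "compartmented"    # all cleared, only some approved for everything
    if not all_ntk:
        return "system high"      # all cleared and approved, need-to-know differs
    return "dedicated"            # every user may see every object


def system_enforced_checks(mode: str) -> FrozenSet[str]:
    """Checks that personnel and physical controls no longer guarantee for the
    whole population, so the system itself must enforce them reliably."""
    return {
        "dedicated": frozenset(),
        "system high": frozenset({"need_to_know"}),
        "compartmented": frozenset({"formal_access", "need_to_know"}),
        "multilevel": frozenset({"clearance", "formal_access", "need_to_know"}),
    }[mode]


def access_allowed(user: User, obj: DataObject) -> bool:
    """Per-object decision a multilevel system must make on every access: the
    user is cleared, formally approved and has a need-to-know for this object."""
    return (user.nda_signed and is_cleared(user, obj)
            and is_approved(user, obj) and has_need_to_know(user, obj))


# Constructed sample data set and user population.
OBJECTS = [
    DataObject("plan-a", "SECRET", frozenset({"NUCLEAR"})),
    DataObject("plan-b", "SECRET"),
    DataObject("memo-1", "CONFIDENTIAL"),
]
ALICE = User("alice", "TOP SECRET", True, frozenset({"NUCLEAR"}),
             frozenset({"plan-a", "plan-b", "memo-1"}))
BOB = User("bob", "SECRET", True, frozenset({"NUCLEAR"}), frozenset({"plan-b", "memo-1"}))
CAROL = User("carol", "SECRET", True, frozenset(), frozenset({"memo-1"}))
DAVE = User("dave", "CONFIDENTIAL", True, frozenset(), frozenset({"memo-1"}))

if __name__ == "__main__":
    # Growing the population step by step moves the system down the table.
    for pop in ([ALICE], [ALICE, BOB], [ALICE, BOB, CAROL], [ALICE, BOB, CAROL, DAVE]):
        mode = determine_mode(pop, OBJECTS)
        print([u.name for u in pop], "->", mode, sorted(system_enforced_checks(mode)))
```

Adding users one at a time shows why the mode is a property of the population rather than of any one user: with alice alone the system is dedicated; bob lacks need-to-know for plan-a, so it becomes system high; carol has no formal approval for the NUCLEAR compartment, so it becomes compartmented; dave is not cleared for SECRET, so it becomes multilevel, and from that point on the system, not the personnel process, must make the full `access_allowed` decision on every access.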
Determining the security operating mode of the system consists in indicating how the system enables various categories of users to process, send or store various types of sensitive information. This allows the general security issues to be understood, since the security operating mode defines the information management context of an information system. The security operating mode of the system usually belongs to one of the following categories:
· Category 1: exclusive operating mode. Everyone accessing the system has the highest level of authorisation and an identical need to know (or equivalent) with regard to all the information processed, stored or sent by the system.
· Category 2: dominant operating mode. Everyone accessing the system has the highest level of authorisation, but they do not have an identical need to know (or equivalent) with regard to the information processed, stored or sent by the system.
· Category 3: multilevel operating mode. Not everyone accessing the system has the highest level of authorisation, and they do not all have an identical need to know (or equivalent) with regard to the information processed, stored or sent by the system.
To choose the security operating mode of the system, it is important to know if the following exist or should exist:
· a hierarchical information classification structure (e.g. confidential, secret, etc.) and/or a compartmentalised structure (medical, company, nuclear, etc.),
· user categories,
· a notion of need to know, need to modify, need to have, etc.
The choice of security operating mode can be reassessed once the risks have been identified during the next stages. However, it is important to consider this aspect as early as possible, as its implementation has major consequences on the IS and ISS architecture.
[EBIOS:2005]