• Subject: Re: Security Admin package for multi level security
  • From: "V. Leveque" <vleveque@xxxxxxxxxxxxx>
  • Date: Thu, 04 Nov 1999 20:39:16 -0800

Very good!

I lumped this under "discretionary access control" which as you pointed out
the 400 does well.

To look at "Top Secret -- Crypto" classified data, a "Top Secret -- Nukes"
clearance will not do.

The security officer is always an issue, which is why this person must be
trusted.  Less of an issue with AS/400, as many functions which require
"root" on UNIX can be done with a more granular special authority on the
AS/400.  You don't have to give away the whole machine just because a help
desk person may need to reset passwords once in a while.

But most businesses still need transactional security more -- you aren't
keeping secrets so much as keeping people from writing checks to themselves
& charging it to "suspense".  Major fraud looks really bad when it hits the
Wall Street Journal.


At 01:54 PM 11/4/99 -0800, you wrote:
>Actually, your description is partly correct regarding government
>security clearance, but leaves something out.  That is called the
>"Need to know".  Even though I have a secret security clearance
>does not mean I have access to all data that is marked as secret.
>I only have access to it if I have a "Need to know" the information.
>
>If something is marked as Top Secret, and I have a Secret clearance,
>I can never see that data, even if I have a need to know it, unless my
>clearance is upgraded to Top Secret.
>
>The AS/400 security handles this pretty well on a "Need to know"
>basis if the security is set up correctly.  The security administrator
>must determine the need to know any piece of information, or access
>to a program.  All other data should be excluded, unless a need to
>know is shown.
>
>A notable exception to this rule, however, is the Security Officer,
>who basically has all access to the system.  But then, the Security
>Officer can be considered to have the "need to know" the entire
>system.
>
>Regards,
>
>Jim Langston
>
>"V. Leveque" wrote:
>
>> I'm not sure how Bob/Martin would define it, but conventionally it is the
>> security model followed for government classified information.  Each item of
>> information has a classification, based on the consequences if disclosed
>> (e.g., Top Secret means it would cause "grave harm" to national security if
>> disclosed, etc.).  Each user is given a clearance level corresponding to how
>> trustworthy they are (are they citizens?  Did they pass the polygraph test?
>> Did they ever "inhale"?).  The higher the clearance you have, the higher the
>> classification of information you can access.
>
><SNIP>
>
>+---
>| This is the Midrange System Mailing List!
>| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
>| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
>| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
>| Questions should be directed to the list owner/operator: david@midrange.com
>+---
>
>

     |----------------------------|  "Outside of a dog, a book is a man's
     |\  /         |    \  /      |  best companion.  Inside of a dog,
     | \/ INCENT   |__E  \/EQUE   |  it's too dark to read."  
     |----------------------------|        -- Groucho Marx 

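The access rules discussed in this thread (clearance level, compartments such as "Crypto" and "Nukes", and need to know) can be combined into one read check. The following is an added example, not part of the original messages; the user names, document names and the `can_read` function are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    level: Level
    compartments: frozenset = frozenset()

    def dominates(self, other):
        # Mandatory rule: level at least as high AND every compartment held.
        return self.level >= other.level and self.compartments >= other.compartments


@dataclass(frozen=True)
class Document:
    name: str
    label: Label
    need_to_know: frozenset  # users the administrator has granted access


def can_read(user, clearance, doc):
    """Return (allowed, reason). Both checks must pass; neither overrides the other."""
    if not clearance.dominates(doc.label):
        return False, "clearance does not dominate classification"
    if user not in doc.need_to_know:
        return False, "no need to know"
    return True, "ok"


# Constructed sample data (hypothetical users and documents).
CRYPTO_DOC = Document("key-schedule", Label(Level.TOP_SECRET, frozenset({"CRYPTO"})),
                      frozenset({"alice", "bob", "carol"}))
SECRET_DOC = Document("site-plan", Label(Level.SECRET), frozenset({"bob"}))
CLEARANCES = {
    "alice": Label(Level.TOP_SECRET, frozenset({"CRYPTO"})),
    "bob": Label(Level.SECRET),
    "carol": Label(Level.TOP_SECRET, frozenset({"NUKES"})),
    "dave": Label(Level.TOP_SECRET, frozenset({"CRYPTO", "NUKES"})),
}

if __name__ == "__main__":
    for user, clearance in CLEARANCES.items():
        for doc in (CRYPTO_DOC, SECRET_DOC):
            print(user, doc.name, can_read(user, clearance, doc))
```
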


This mailing list archive is Copyright 1997-2019 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].