FDP_IFF.2 Hierarchical security attributes

User application notes

This component requires that all information flow control SFPs in the TSP use hierarchical security attributes that form a lattice. For example, it should be used when at least one of the information flow control SFPs in the TSP is based on labels as defined in the Bell and LaPadula security policy model [B&L] and those labels form a hierarchy.

It is important to note that the hierarchical relationship requirements identified in FDP_IFF.2.5 need only apply to the information flow control security attributes for the information flow control SFPs that have been identified in FDP_IFF.2.1. This component is not meant to apply to other SFPs such as access control SFPs.

Like the preceding component, this component could also be used to implement a privilege policy that covers rules that allow for the explicit authorisation or denial of information flows.

If multiple information flow control SFPs are to be specified, and each of these SFPs will have its own security attributes that are not related to one another, then the PP/ST author should iterate this component once for each of those SFPs. Otherwise a conflict might arise with the sub-items of FDP_IFF.2.5, since the required relationships will not exist.

Operations

Assignment:

In FDP_IFF.2.1, the PP/ST author should specify the information flow control SFPs enforced by the TSF. The name of the information flow control SFP, and the scope of control for that policy, are defined in components from FDP_IFC.

In FDP_IFF.2.1 the PP/ST author should specify the minimum number and type of security attributes that the function will use in the specification of the rules. For example, such attributes may be subject identifier, subject sensitivity level, subject clearance level, information sensitivity level, etc. The minimum number of each type of security attribute should be sufficient to support the environmental needs.

In FDP_IFF.2.2 the PP/ST author should specify, for each operation, the security attribute-based relationship that must hold between subject and information security attributes that the TSF will enforce. These relationships should be based upon the ordering relationships between the security attributes.

In FDP_IFF.2.3 the PP/ST author should specify any additional information flow control SFP rules that the TSF is to enforce. If there are no additional rules then the PP/ST author should specify "none".

In FDP_IFF.2.4 the PP/ST author should specify any additional SFP capabilities that the TSF is to enforce. If there are no additional capabilities then the PP/ST author should specify "none".

In FDP_IFF.2.5, the PP/ST author should specify the rules, based on security attributes, that explicitly authorise information flows. These rules are in addition to those specified in the preceding elements. They are included in FDP_IFF.2.5 because they are intended to contain exceptions to the rules in the preceding elements. An example of a rule to explicitly authorise information flows is one based on a privilege vector associated with a subject that always grants the subject the ability to cause an information flow for information covered by the SFP that has been specified. If such a capability is not desired, then the PP/ST author should specify "none".

In FDP_IFF.2.6, the PP/ST author should specify the rules, based on security attributes, that explicitly deny information flows. These rules are in addition to those specified in the preceding elements. They are included in FDP_IFF.2.6 because they are intended to contain exceptions to the rules in the preceding elements. An example of a rule to explicitly deny information flows is one based on a privilege vector associated with a subject that always denies the subject the ability to cause an information flow for information covered by the SFP that has been specified. If such a capability is not desired, then the PP/ST author should specify "none".

FDP_IFF.3 Limited illicit information flows

User application notes

This component should be used when at least one of the SFPs that requires control of illicit information flows does not require elimination of flows. For the specified illicit information flows, certain maximum capacities should be provided. In addition, a PP/ST author has the ability to specify whether the illicit information flows must be audited.

Operations

Assignment:

In FDP_IFF.3.1 the PP/ST author should specify the information flow control SFPs enforced by the TSF. The name of the information flow control SFP, and the scope of control for that policy, are defined in components from FDP_IFC.

In FDP_IFF.3.1 the PP/ST author should specify the types of illicit information flows that are subject to a maximum capacity limitation.

In FDP_IFF.3.1 the PP/ST author should specify the maximum capacity permitted for any identified illicit information flows.

FDP_IFF.4 Partial elimination of illicit information flows

User application notes

This component should be used when all the SFPs that require control of illicit information flows require elimination of some (but not necessarily all) illicit information flows.

Operations

Assignment:

In FDP_IFF.4.1 the PP/ST author should specify the information flow control SFPs enforced by the TSF. The name of the information flow control SFP, and the scope of control for that policy, are defined in components from FDP_IFC.

In FDP_IFF.4.1 the PP/ST author should specify the types of illicit information flows which are subject to a maximum capacity limitation.

In FDP_IFF.4.1 the PP/ST author should specify the maximum capacity permitted for any identified illicit information flows.

In FDP_IFF.4.2 the PP/ST author should specify the types of illicit information flows to be eliminated. This list may not be empty, as this component requires that some illicit information flows are to be eliminated.

FDP_IFF.5 No illicit information flows

User application notes

This component should be used when the SFPs that require control of illicit information flows require elimination of all illicit information flows. However, the PP/ST author should carefully consider the potential impact that eliminating all illicit information flows might have on the normal functional operation of the TOE. Many practical applications have shown that there is an indirect relationship between illicit information flows and normal functionality within a TOE, and eliminating all illicit information flows may result in less than desired functionality.
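As an added illustration of the FDP_IFF.2 structure discussed above (this is not text or code from the standard): a Bell-LaPadula style label lattice with its ordering, least-upper-bound and greatest-lower-bound relations, the ordering-based flow rule that FDP_IFF.2.2 calls for, and privilege-vector rules of the kind FDP_IFF.2.5 and FDP_IFF.2.6 describe as explicit authorisation and denial exceptions. Level names, category names and privilege names are constructed sample values.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Constructed sample sensitivity levels for the lattice (not taken from the standard).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}


@dataclass(frozen=True)
class Label:
    """Information flow security attribute: a sensitivity level plus a category set."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # The lattice ordering relation: higher-or-equal level AND a superset of categories.
        # Labels with differing categories can be incomparable, which is why the lattice
        # must also provide a least upper bound and greatest lower bound for any pair.
        return LEVELS[self.level] >= LEVELS[other.level] and self.categories >= other.categories


def lub(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that dominates both inputs."""
    return Label(max(a.level, b.level, key=LEVELS.get), a.categories | b.categories)


def glb(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label dominated by both inputs."""
    return Label(min(a.level, b.level, key=LEVELS.get), a.categories & b.categories)


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Label
    privileges: FrozenSet[str] = frozenset()  # constructed privilege vector


def flow_allowed(subject: Subject, info: Label, operation: str) -> bool:
    """Decide one information flow. An explicit-deny rule (FDP_IFF.2.6 style) is checked
    first, then an explicit-authorise rule (FDP_IFF.2.5 style); only when neither applies
    does the ordering-based rule of FDP_IFF.2.2 decide the flow."""
    if "quarantined" in subject.privileges:   # constructed explicit-deny privilege
        return False
    if "override" in subject.privileges:      # constructed explicit-authorise privilege
        return True
    if operation == "read":                   # no read up: clearance must dominate the info
        return subject.clearance.dominates(info)
    if operation == "write":                  # no write down: info must dominate the clearance
        return info.dominates(subject.clearance)
    raise ValueError(f"unknown operation {operation!r}")
```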