Solar Systems, Inc. is a fictional name for the company whose label requirements are modeled in this example. To protect the corporation's intellectual property, the company's legal department mandates that employees use three labels on all sensitive email and printed materials. The three labels, from most-sensitive to least-sensitive are:
Solar Proprietary/Confidential: Registered
Solar Proprietary/Confidential: Need To Know
Solar Proprietary/Confidential: Internal Use Only
The legal department also approves the use of an optional fourth label for information that can be distributed to anyone without restrictions:
Public
At Solar Systems, Inc., the manager in charge of Information Protection makes use of all possible channels to get the word out about labeling requirements. Some employees either do not understand, forget about, or ignore the requirements. Even when labels are properly applied, the information is not always properly handled, stored, and distributed. For example, reports trickle back that even Registered information (which only a limited list of people should see and nobody but the originator should copy) is sometimes found unattended next to copy machines and printers, in break rooms, and lobbies.
The legal department wants a better way to ensure that information is properly labeled without relying totally on employee compliance
The system administrators wants a better way to control:
Who can see or modify sensitive information,
Which information is printed on which printers,
How printer output is handled, and
How information at various levels of security is distributed internally and externally via email
The Trusted Solaris operating system does not leave labeling up to computer users. All printer output from hosts running Trusted Solaris software is automatically labeled according to the site's requirements. The Solar Systems' executives decided to use the Trusted Solaris operating system when they realized that the product could both meet the requirements of the legal department and support the goals of the system administrators.
Even though security was not yet fully understood at the company, executives knew they could put the following features to use right away:
Each print job is automatically assigned a label, which is the label that corresponds either to the level at which the user is working or to the user's level of responsibility.
Figure 5-1 shows an employee working at a level of INTERNAL_USE_ONLY, which means that the work he is doing should only be accessible by Solar Systems employees and others who have signed nondisclosure agreements. When he sends email to the printer, the print job is automatically assigned the label INTERNAL_USE_ONLY.
The printer automatically prints a company-specified label at the top and bottom of each page of printed output.
In Figure 5-2, the letter that was sent to the printer in Figure 5-1 is printed with the user's working label, INTERNAL_USE_ONLY, at the top and bottom of every page.
Banner and trailer pages are automatically created for each print job and are printed with company-specific handling guidelines.
Figure 5-3 shows the wording for a print job whose sensitivity level has a classification of NEED_TO_KNOW and a department of HUMAN_RESOURCES.
NEED_TO_KNOW HR DISTRIBUTE ONLY TO HUMAN RESOURCES (NON-DISCLOSURE AGREEMENT REQUIRED) |
Below the sensitivity label in the previous example, a handling caveat provides instructions about how the printed material should be distributed. The instructions are understood to mean that the information should be distributed only to human resources personnel with a need to know about it and that the reader must have signed a nondisclosure agreement.
Printers can be configured to print only jobs with labels within a restricted label range.
For example, the legal department's printer can be set up (as illustrated in Figure 5-4) to print only jobs sent at the following three labels:
NEED_TO_KNOW LEGAL (to be viewed only by those with a need to know within the legal department)
INTERNAL_USE_ONLY (to be viewed only by permanent employees of the Solar Systems company and other who have signed nondisclosure agreements), and
PUBLIC (to be viewed by anybody)
A printer set up as specified above would exclude jobs sent at any other label. For example, the legal department printer set up as described above would reject jobs at:
NEED_TO_KNOW MARKETING, and
REGISTERED
Printers in other locations that are accessible to all employees can be configured to print jobs only at the two labels that allow the output to be viewed by all employees:
INTERNAL_USE_ONLY
PUBLIC
A label is automatically assigned to each email message based on the sensitivity level at which the sender is working.
Figure 5-5 shows email being labeled at the sensitivity label of the user's mail application and sent to the mail application at that label.
Similar to how the printer label range controls which jobs can be printed on a particular printer, a user's personal sensitivity label range limits which email the person can receive and send (see Figure 5-6).