The next step for the security administrator is to resolve the following issues:
How to use the classifications and compartments to encode the labels and clearances
Which handling instructions will appear on printed output
The security administrator uses a large board. Pieces of paper are marked with the words that will be in the labels, as shown in Figure 6–4. This setup illustrates the relationships among labels. The pieces are rearranged until they all fit together.
The administrator drafts the following label relationships:
The four labels are hierarchical with the REGISTERED label as the highest label. The PUBLIC label is the lowest.
Only one label needs to be associated with group names.
The list of people who are cleared to receive registered information is limited on a case-by-case basis. Therefore, REGISTERED does not need any associated group names. INTERNAL_USE_ONLY applies to all employees and people who have signed nondisclosure agreements. PUBLIC labels are for everybody. Therefore, INTERNAL_USE_ONLY and PUBLIC labels do not need further qualification. The NEED_TO_KNOW label does need to be associated with non-hierarchical words, such as NEED_TO_KNOW MARKETING or NEED_TO_KNOW ENGINEERING. The words that identify the group or department can also be included in a user's clearance, as part of establishing that user's need to know.
Each label except the PUBLIC label requires the person who is accessing the information to have signed a nondisclosure agreement.
A phrase such as NON-DISCLOSURE AGREEMENT REQUIRED is a good reminder that this requirement exists.
The handling instructions on banner and trailer pages must have clear wording on how to handle the information. These instructions are based on the classification and on any group name that can appear in the label.
Along with information about the sensitivity of the printer output, handling instructions must explain that a nondisclosure agreement is required when the label requires such an agreement.
Figure 6–4 Sample Planning Board for Label Relationships at SecCompany
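The drafted relationships can be checked before they are encoded. The following Python sketch is an added example, not part of the original document or of any label encodings file: it models the four classifications, the group words, the dominance check between a clearance and a label, and the banner text. The numeric levels, the relative order of the two middle labels, and the banner wording other than the NDA phrase are assumptions.

```python
# Added example: models the draft label relationships; not Trusted Extensions code.
# Assumptions: numeric values and the order of INTERNAL_USE_ONLY vs NEED_TO_KNOW.
LEVELS = {"PUBLIC": 1, "INTERNAL_USE_ONLY": 2, "NEED_TO_KNOW": 3, "REGISTERED": 4}
GROUPS = {"MARKETING", "ENGINEERING"}  # group words named in the draft
NDA_NOTICE = "NON-DISCLOSURE AGREEMENT REQUIRED"


def parse_label(text):
    """Split 'NEED_TO_KNOW MARKETING' into (classification, frozenset of groups)."""
    words = text.split()
    if not words or words[0] not in LEVELS:
        raise ValueError(f"unknown classification in {text!r}")
    cls, groups = words[0], frozenset(words[1:])
    if groups - GROUPS:
        raise ValueError(f"unknown group word in {text!r}")
    if groups and cls != "NEED_TO_KNOW":
        # Draft rule: only NEED_TO_KNOW is associated with group names.
        raise ValueError(f"{cls} does not take group words")
    return cls, groups


def dominates(clearance, label):
    """True when the clearance level is at least the label's level and the
    clearance holds every group word that appears in the label."""
    c_cls, c_groups = parse_label(clearance)
    l_cls, l_groups = parse_label(label)
    return LEVELS[c_cls] >= LEVELS[l_cls] and c_groups >= l_groups


def banner_lines(label):
    """Handling text for banner and trailer pages, based on the classification
    and on any group name in the label (wording is constructed)."""
    cls, groups = parse_label(label)
    lines = [f"This output is labeled {label}."]
    if groups:
        lines.append("Distribute only to members of: " + ", ".join(sorted(groups)))
    if cls != "PUBLIC":
        lines.append(NDA_NOTICE)  # every label except PUBLIC requires an NDA
    return lines


if __name__ == "__main__":
    user = "NEED_TO_KNOW ENGINEERING"  # constructed sample clearance
    for doc in ("PUBLIC", "NEED_TO_KNOW ENGINEERING", "NEED_TO_KNOW MARKETING"):
        print(f"{user!r} may read {doc!r}: {dominates(user, doc)}")
        print("  banner:", banner_lines(doc))
```

Running the sketch against each planned label and clearance pair shows whether the group words in the draft give the intended access before anything is committed to an encodings file.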