Handbook of Information Security Management:Access Control



Supervision may be ensured by restricting access to certain sources of requests. For example, access to some resources might be granted only if the request comes from a job or session associated with a particular program (e.g., the master PAYROLL program), a subsystem (e.g., CICS or IMS), a port (e.g., the terminals in the area to which only bank tellers have physical access), a type of port (e.g., hard-wired rather than dial-up lines), or a telephone number. Restrictions based on telephone numbers help prevent access by unauthorized callers and involve callback mechanisms.

Restricting access on the basis of particular programs is a useful approach. To the extent that a given program incorporates the controls that administrators wish to exercise, undesired activity is absolutely prevented at whatever granularity the program can treat. An accounts-payable program, for example, can ensure that all the operations involved in the payment of a bill are performed consistently, with like amounts both debited and credited from the two accounts involved. If the program, which may be a higher-level entity, controls everything the user sees during a session through menus of choices, it may even be impossible for the user to try to perform any unauthorized act.

Program development provides an apt context for examination of the interplay of controls. Proprietary software under development may have a level of sensitivity that is higher than that of leased software that is being tailored for use by an organization. Mandatory policies should:

  Allow only the applications programmers involved to have access to application programs under development.
  Allow only systems programmers to have access to system programs under development.
  Allow only librarians to have write access to system and application libraries.
  Allow access to live data only through programs that are in application libraries.

Discretionary access control, on the other hand, should grant only planners access to the schedule data associated with various projects and should allow access to test cases for specific functions only to those whose work involves those functions.

When systems enforce mandatory access control policies, they must distinguish between these and the discretionary policies that offer flexibility. This must be ensured during object creation, classification downgrading, and labeling, as discussed in the following sections.

Object Creation

When a new object is created, there must be no doubt about who is permitted what type of access to it. The creating job or session may specify the information explicitly; however, because it acts on behalf of someone who may not be an administrator, it must not contravene the mandatory policies. Therefore, the newly created object must assume the sensitivity of the data it contains. If the data has been collected from sources with diverse characteristics, the exclusionary nature of the mandatory policy requires that the new object assume the characteristics of the most sensitive object from which its data derives.

Downgrading Data Classifications

Downgrading of data classifications must be effected by an administrator. Because a job or session may act on behalf of one who is not an administrator, it must not be able to downgrade data classifications. Ensuring that new objects assume the characteristics of the most sensitive object from which their data derive is one safeguard that serves this purpose. Another safeguard concerns the output of a job or session — the output must never be written into an object below the most sensitive level of the job or session being used. This is true even though the data involved may have a sensitivity well below the job or session’s level of sensitivity, because tracking individual data items is not always possible. This may seem like an impractically harsh precaution; however, even the best-intentioned users may be duped by a Trojan horse that acts with their authority.
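The two rules from the Object Creation and Downgrading sections (a new object takes the level of its most sensitive source; a session never writes below the most sensitive level it has touched) expressed as a small enforcement kernel. This is an added illustration, not code from the Handbook; the four-level ordering, the session's high-water mark and all names are constructed, and the session class deliberately has no downgrade operation, since that is reserved to an administrator acting outside any job or session.

```python
from collections import namedtuple
from dataclasses import dataclass

# Ordered sensitivity levels: a higher index dominates a lower one (constructed).
LEVELS = ("PUBLIC", "INTERNAL", "CONFIDENTIAL", "SECRET")
Obj = namedtuple("Obj", "name level")

def dominates(a: str, b: str) -> bool:
    """True if level a is at least as sensitive as level b."""
    return LEVELS.index(a) >= LEVELS.index(b)

def highest(levels) -> str:
    """The most sensitive of several levels (the join in the lattice)."""
    return max(levels, key=LEVELS.index)

@dataclass
class Session:
    """A job or session acting on behalf of a user who is not an administrator."""
    user: str
    clearance: str
    high_water: str = "PUBLIC"   # most sensitive level this session has read so far

    def read(self, obj: Obj) -> None:
        if not dominates(self.clearance, obj.level):
            raise PermissionError(f"{self.user} is not cleared for {obj.name}")
        self.high_water = highest([self.high_water, obj.level])   # mark rises, never falls

    def create(self, name: str, sources: list) -> Obj:
        """A new object takes the level of its most sensitive source; the session has no say."""
        for src in sources:
            self.read(src)
        return Obj(name, highest(src.level for src in sources))

    def write(self, target: Obj) -> None:
        """No write-down: output goes only to objects at or above the high-water mark,
        even when the bytes written are themselves harmless (they cannot be tracked)."""
        if not dominates(target.level, self.high_water):
            raise PermissionError(f"write-down to {target.name} ({target.level}) refused")

def demo() -> tuple:
    """Merge INTERNAL and SECRET data, then let a Trojan horse acting with the user's authority try to copy the result to a PUBLIC file."""
    s = Session("alice", "SECRET")
    merged = s.create("merged.txt", [Obj("memo", "INTERNAL"), Obj("plan", "SECRET")])
    try:
        s.write(Obj("public.txt", "PUBLIC"))
        leaked = True
    except PermissionError:
        leaked = False
    return merged.level, s.high_water, leaked
```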

Outside the Department of Defense’s (DoD’s) sphere, all those who may read data are routinely accorded the privilege of downgrading their classification by storing that data in a file of lower sensitivity. This is possible largely because aggregations of data may be more sensitive than the individual items of data among them. Where civil law applies, de facto upgrading, which is specifically sanctioned by DoD regulations, may be the more serious consideration. For example, courts may treat the theft of secret data lightly if notices of washroom repair are labeled secret. Nonetheless, no one has ever written of safeguards against de facto upgrading.

Labeling

When output from a job or session is physical rather than magnetic or electronic, it must bear a label that describes its sensitivity so that people can handle it in accordance with applicable policies. Although labels might be voluminous and therefore annoying in a physical sense, even a single label can create serious problems if it is misplaced.

For example, a program written with no regard for labels may place data at any point on its output medium, such as a printed page. A label arbitrarily placed on that page at a fixed position might overlay valuable data, causing more harm than the label could be expected to prevent. Placing the label in a free space of adequate size, even if there is one, does not serve the purpose because one may not know where to look for it and a false label may appear elsewhere on the page.

Because labeling each page of output poses such difficult problems, labeling entire print files is especially important. Although it is easy enough to precede and follow a print file with a page that describes it, protecting against counterfeiting of such a page requires more extensive measures. For example, a person may produce a page in the middle of an output file that appears to terminate that file. This person may then be able to simulate the appearance of a totally separate, misleadingly labeled file following the counterfeit page. If header and trailer pages contain a matching random number that is unpredictable and unavailable to jobs, this type of counterfeiting is impossible.
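The header/trailer scheme just described, as an added example that is not from the Handbook: the spooler stamps both banner pages with a fresh unpredictable token after the job has finished, and an operator-side check honours a banner page only if it carries that token. The banner format, the token length and the sample job output are assumptions.

```python
import secrets

BEGIN, END = "*** BEGIN FILE", "*** END FILE"

def spool(job_pages: list, label: str) -> tuple:
    """Spooler side: wrap a job's pages in header and trailer pages that share a
    fresh, unpredictable token. The token is generated here, after the job has
    finished, so the job never had access to it."""
    token = secrets.token_hex(16)
    header = f"{BEGIN} label={label} token={token} ***"
    trailer = f"{END} label={label} token={token} ***"
    return token, [header, *job_pages, trailer]

def audit(pages: list, token: str) -> tuple:
    """Operator side: a banner page is a genuine file boundary only if it carries
    the token issued with the header; any other banner-shaped page came from the
    job's own output and is flagged as counterfeit. Returns (genuine, counterfeit)
    page indexes."""
    genuine, counterfeit = [], []
    for i, page in enumerate(pages):
        if page.startswith((BEGIN, END)):
            (genuine if f"token={token} ***" in page else counterfeit).append(i)
    return genuine, counterfeit

def demo() -> tuple:
    """Constructed sample: a job prints its own 'end of file' and 'begin of file'
    pages in the middle of its output so that the confidential pages that follow
    would look like a separate PUBLIC file."""
    job_output = [
        "Payroll register, page 1",
        f"{END} label=CONFIDENTIAL token=0000 ***",   # forged terminator
        f"{BEGIN} label=PUBLIC token=0000 ***",       # forged header for a fake file
        "Payroll register, page 2 (salaries)",
    ]
    token, pages = spool(job_output, "CONFIDENTIAL")
    return audit(pages, token)
```

Only pages 0 and 5 are accepted as boundaries; the job's forged banners at 2 and 3 are flagged because the job could not know the token.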

Discussions of labels usually focus on labels that reflect sensitivity to observation by unauthorized individuals, but labels can reflect sensitivity to physical loss as well. For example, ensuring that a particular file or document will always be available may be at least as important as ensuring that only authorized users can access that file or document. All the considerations discussed in this section in the context of confidentiality apply as well to availability.
