Which is more granular System High or Dedicated Mode?

djasonslick Member Posts: 42
All: Can somebody please explain the rationale on this question:

Which security mode performs the most granular control over resources and user?
A: System High
B: Dedicated
C: Compartmentalized
D: Multi User

Answer: System high mode provides the most granular control over resources and users because it enforces clearances, requires need to know and allows the processing of only single sensitivity levels. All the other levels either do not have unique need to know between users (dedicated), allow multiple levels of data processing (compartmented), or allow a wide number of users with varying clearance (multilevel).


It seems like Dedicated should be the right answer to me. Doesn't system high remove the need to know in some situations?

Comments

  • TheFORCE Member Posts: 2,297
    System High mode has classification labels: classified, secret, top secret, etc. Do the other modes have any classification? They do not. Based on the labels, System High is more granular.
  • gespenstern Member Posts: 1,243
    Why not multilevel? If I understand it right, most granular means that we should have most freedom in assigning access rights to a resource.

    Dedicated is the most restricted mode as all information requires all security controls, we have no freedom in any rights assignments here.

    System high requires all security controls but "need to know", which could be assigned to SOME resources. Therefore we have freedom here to assign "need to know" or not to assign, depending on who asks for what.

    I won't consider compartmented, let's skip it right to multilevel. On multilevel we have freedom to assign all security controls or not assign them, but NDA, which is strictly required and we have to implement this security control to ALL resources and therefore we have no granularity with NDA, while we have granularity with "need to know", clearance and formal approval, all of which we can assign to some resources depending on who asks.

    Therefore, multilevel should be the most granular, no? Otherwise I'm lost with what "granular" could mean here, just checked with Merriam-Webster and can't come up with any other explanation besides provided above.
  • gespenstern Member Posts: 1,243
    TheFORCE wrote: »
    System High mode has classification labels, classified, secret, top secret etc. Do the other modes have any classification? They do not
    How come they do not? All security modes rely on clearance which means that a user should have a proper level of clearance to match a sensitivity level of a resource or have it higher.
  • djasonslick Member Posts: 42
    gespenstern wrote: »
    Why not multilevel? If I understand it right, most granular means that we should have most freedom in assigning access rights to a resource.

    Dedicated is the most restricted mode as all information requires all security controls, we have no freedom in any rights assignments here.

    System high requires all security controls but "need to know", which could be assigned to SOME resources. Therefore we have freedom here to assign "need to know" or not to assign, depending on who asks for what.

    I won't consider compartmented, let's skip it right to multilevel. On multilevel we have freedom to assign all security controls or not assign them, but NDA, which is strictly required and we have to implement this security control to ALL resources and therefore we have no granularity with NDA, while we have granularity with "need to know", clearance and formal approval, all of which we can assign to some resources depending on who asks.

    Therefore, multilevel should be the most granular, no? Otherwise I'm lost with what "granular" could mean here, just checked with Merriam-Webster and can't come up with any other explanation besides provided above.

    Maybe the right way to think about this is that "Granular" control starts at the 2nd level, which is system high.
    Not most control, which would be dedicated, but most granular control.
    I don't know. I could argue A, B, or D, depending on what granular is defined as in this situation.
    Thanks for the feedback!!
  • gespenstern Member Posts: 1,243
    djasonslick wrote: »
    Maybe the right way to think about this is that "Granular" control starts at the 2nd level, which is system high.

    Even if such a logic exists, your question bank author failed to explain it. His explanation doesn't make any sense to me anyways.

    I read some materials yesterday trying to understand the logic of the explanation, and here's a "granularity" definition right from TCSEC:

    Granularity - The relative fineness or coarseness by which a
    mechanism can be adjusted. The phrase "the granularity of
    a single user" means the access control mechanism can be
    adjusted to include or exclude any single user.

    So we can easily see that granularity is used here in common sense and means simply a level of detail that we can use to assign rights. Therefore the most detailed approach that allows us to configure access rights in the most detailed fashion is the most granular. Here's an example of use from TCSEC:

    Discretionary controls are not a replacement for mandatory
    controls. In an environment in which information is
    classified (as in the DoD) discretionary security provides
    for a finer granularity of control within the overall
    constraints of the mandatory policy.

    What this means is that sometimes using DAC on top of existing MAC gives additional granularity to access control. It's not related to the question but gives an overall idea of what granularity is.

    And again, multilevel security mode of operation seems to give the most granular access control over resources as it allows determining access based on a clearance level, on a "need to know" and on a formal approval.