Dismiss
InnovationQ will be updated on Sunday, Oct. 22, from 10am ET - noon. You may experience brief service interruptions during that time.
Browse Prior Art Database

Implementing Company Classification Policy with the S/MIME Security Label (RFC3114)

IP.com Disclosure Number: IPCOM000008144D
Original Publication Date: 2002-May-01
Included in the Prior Art Database: 2002-May-23
Document File: 15 page(s) / 28K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

W. Nicolls: AUTHOR

Abstract

This document discusses how company security policy for data classification can be mapped to the S/MIME security label. Actual policies from three companies provide worked examples.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 12% of the total text.

Network Working Group                                         W. Nicolls

Request for Comments: 3114                            Forsythe Solutions

Category: Informational                                         May 2002

              Implementing Company Classification Policy

                     with the S/MIME Security Label

Status of this Memo

   This memo provides information for the Internet community.  It does

   not specify an Internet standard of any kind.  Distribution of this

   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2002).  All Rights Reserved.

Abstract

   This document discusses how company security policy for data

   classification can be mapped to the S/MIME security label.  Actual

   policies from three companies provide worked examples.

1. Introduction

   Security labels are an optional security service for S/MIME.  A

   security label is a set of security information regarding the

   sensitivity of the content that is protected by S/MIME encapsulation.

   A security label can be included in the signed attributes of any

   SignedData object.  A security label attribute may be included in

   either the inner signature, outer signature, or both.  The syntax and

   processing rules for security labels are described in RFC 2634 [ESS].

   The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT',

   'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY', and 'OPTIONAL' in this

   document are to be interpreted as described in RFC 2119 [MUSTSHOULD].

1.1 Information Classification Policies

   Information is an asset, but not all information has the same value

   for a business.  Not all information needs to be protected as

   strongly as other information.

   Research and development plans, marketing strategies and

   manufacturing quality specifications developed and used by a company

   provide competitive advantage.  This type of information needs

Nicolls                      Informational                      [Page 1]

RFC 3114       Implementing Company Classification Policy       May 2002

   stronger protective measures than other information, which if

   disclosed or modified, would cause moderate to severe damage to the

   company.

   Other types of information such as internal organization charts,

   employee lists and policies may need little or no protective measures

   based on value the organization places on it.

   A corporate information classification policy defines how its

   information assets are to be protected.  It provides guidance to

   employees on how to classify information assets.  It defines how to

   label and protect an asset based on its classification and state

   (e.g., facsimile, electronic transfer, storage, shipping, etc.).

1.2 Access Control and Security Labels

   "Access control" is a means of enforcing authorizations.  There are a

   variety of access control methods that are based on different types

   of policies and rely on different security mechanisms.

   - Rule based access control is based on policies that can be

     algorithmically expressed.

   - Identity based access control is based on a policy which applies

     explicitly to an individual person or host entity, or to a defined

     group of such entities.  Once identity has been authenticated, if

     the identity is verified to be on the...