Page 925 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
P. 925

Security Boundaries


               A security boundary is the line of intersection between any two areas,
               subnets, or environments that have different security requirements or
               needs. A security boundary exists between a high-security area and a

               low-security one, such as between a LAN and the internet. It is
               important to recognize the security boundaries both on your network
               and in the physical world. Once you identify a security boundary, you
               need to deploy mechanisms to control the flow of information across
               those boundaries.

               Divisions between security areas can take many forms. For example,
               objects may have different classifications. Each classification defines

               what functions can be performed by which subjects on which objects.
               The distinction between classifications is a security boundary.

               Security boundaries also exist between the physical environment and
               the logical environment. To provide logical security, you must provide
               security mechanisms that are different from those used to provide
               physical security. Both must be present to provide a complete security

               structure, and both must be addressed in a security policy. However,
               they are different and must be assessed as separate elements of a
               security solution.

               Security boundaries, such as a perimeter between a protected area and
               an unprotected one, should always be clearly defined. It’s important to
               state in a security policy the point at which control ends or begins and
               to identify that point in both the physical and logical environments.

               Logical security boundaries are the points where electronic
               communications interface with devices or services for which your
               organization is legally responsible. In most cases, that interface is
               clearly marked, and unauthorized subjects are informed that they do
               not have access and that attempts to gain access will result in
               prosecution.

               The security perimeter in the physical environment is often a

               reflection of the security perimeter of the logical environment. In most
               cases, the area over which the organization is legally responsible
   920   921   922   923   924   925   926   927   928   929   930