B2 security

(also Structured protection)

B2 security definition

B2 security is a rating within the framework of the Trusted Computer System Evaluation Criteria (TCSEC), which is used by the US Department of Defense to officially assess computer systems security. B2 security is also known as “Structured protection” because it requires a structured approach to organizational security, with a clear delineation between critical and non-critical security elements.

See also: cybersecurity framework, Cybersecurity Maturity Model Certification, enterprise security architecture, infrastructure security, IT security, security audit, security assessment, system security

Key B2 security features

  • To achieve the B2 security level, organizations must take a more structured approach to security system design. They must not only put clear formal security policies into place, but also keep system documentation up to date and available for review. The system must be both tested and auditable — while B1 systems have audit capabilities, B2 systems enhance these by requiring that audit records be comprehensive, securely stored, and accessible only by authorized administrators.
  • In other areas, B2 security builds upon the protections established at the B1 level, requiring even greater precision and sophistication when enforcing mandatory access controls (MAC). In addition, B2 security introduces the requirement for a trusted path — a secure communication channel between the user and the system that cannot be tampered with.
  • B2 systems must integrate the organization’s security policy into their system’s architecture. One of the ways to achieve enforcement is through the use of reference monitors (reference validation mechanisms for determining when processes and users are able to perform operations), which must be isolated from other system components to minimize vulnerabilities and prevent unauthorized access.
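
The reference monitor and audit requirements described above can be sketched as a single mediation point that decides every access from sensitivity labels and records each decision. This is an added example, not code from the original page; the label names, the category set, and the Bell-LaPadula read/write rules used for the MAC decision are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed sensitivity levels; the page does not define a label scheme.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        """True when this label is at least as high and covers all categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

class ReferenceMonitor:
    """Single mediation point: every access request goes through check()."""

    def __init__(self):
        self._audit = []  # in a real system: protected, admin-only storage

    def check(self, subject, subj_label, obj, obj_label, op):
        if op == "read":        # assumed rule: no read up
            allowed = subj_label.dominates(obj_label)
        elif op == "write":     # assumed rule: no write down
            allowed = obj_label.dominates(subj_label)
        else:                   # unknown operations fail closed
            allowed = False
        # Record every decision, grants as well as denials.
        self._audit.append((subject, obj, op, "ALLOW" if allowed else "DENY"))
        return allowed

    def audit_records(self):
        return tuple(self._audit)  # read-only copy for reviewers

def demo():
    """Run constructed requests through the monitor and return the outcomes."""
    rm = ReferenceMonitor()
    analyst = Label("SECRET", frozenset({"NATO"}))
    report = Label("TOP_SECRET", frozenset({"NATO"}))
    memo = Label("CONFIDENTIAL")
    decisions = [
        rm.check("analyst", analyst, "report", report, "read"),   # read up
        rm.check("analyst", analyst, "memo", memo, "read"),       # read down
        rm.check("analyst", analyst, "memo", memo, "write"),      # write down
        rm.check("analyst", analyst, "report", report, "write"),  # write up
        rm.check("analyst", analyst, "memo", memo, "delete"),     # unknown op
    ]
    return decisions, rm.audit_records()
```

Because the decision is made from labels alone, the subject cannot override it, which is what distinguishes mandatory from discretionary access control.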