ebook img

Computer security PDF

112 Pages·1998·5.6 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Computer security

NATL INST. OF STAND & TECH R.I.C. NiST PUBLICATIONS AlllDS bSD711 NIST Special Publication 800-18 Guide for Developing Security Plans for Information U.S. DEPARTMENT OF COMMERCE Technology Systems Technology Administration National Institute of Standards Marianne Swanson and Technology and Federal Computer Security Program Managers' Forum Working Group COMPUTER SECURITY QC Nisr .U57 0.800-18 998 rhe National Institute ofStandards and Technology was established in 1988 by Congress to "assist industry in thedevelopmentoftechnology . . .neededtoimproveproductquality,tomodernizemanufacturingprocesses, to ensure product reliability . . . and tofacilitate rapid commercialization ... ofproducts based on new scientific discoveries." NIST, originally founded as the National Bureau of Standards in 1901, works to strengthen U.S. industry's competitiveness; advance science and engineering; and improve public health, safety, and the environment. One of the agency's basic functions is to develop, maintain, and retain custody of the national standards of measurement, and provide the means and methods for comparing standards used in science, engineering, manufacturing, commerce, industry, and education with the standards adopted or recognized by the Federal Government. As an agency of die U.S. Commerce Department's Technology Administration, NIST conducts basic and applied research in the physical sciences and engineering, and develops measurement techniques, test methods, standards, and related services. The Institute does generic and precompetitive work on new and advanced technologies. NIST's research facilities are located atGaithersburg, MD 20899, and atBoulder, CO 80303. Major technical operating units and their principal activities are listed below. For more information contact the Publications and Program Inquiries Desk, 301-975-3058. Office of the Director Physics Laboratory • National Quality Program • Electron and Optical Physics • International and Academic Affairs • Atomic Physics • Optical Technology Technology Services • Ionizing Radiation • Standards Services • Time and Frequency' • Technology Partnerships • Quantum Physics' • Measurement Services • Technology Innovation Materials Science and Engineering • Information Services Laboratory • Intelligent Processing ofMaterials Advanced Technology Program • Ceramics • Economic Assessment • Materials Reliability' • Information Technology and Applications • Polymers • Chemical and Biomedical Technology • Metallurgy • Materials and Manufacturing Technology • NIST Center for Neutron Research • Electronics and Photonics Technology Manufacturing Engineering Manufacturing Extension Partnership Laboratory Program • Precision Engineering • Regional Programs • Automated Production Technology • National Programs • Intelligent Systems • Program Development • Fabrication Technology • Manufacturing Systems Integration Electronics and Electrical Engineering Laboratory Building and Fire Research • Microelectronics Laboratory • Law Enforcement Standards' • Structures • Electricity • Building Materials • SemiconductorElectronics • Building Environment • Electromagnetic Fields' • Fire Safety Engineering • Electromagnetic Technology' • Fire Science • Optoelectronics' Information Technology Laboratory Chemical Science and Technology • Mathematical and Computational Sciences^ Laboratory • Advanced Network Technologies • Biotechnology • Computer Security ' Physical and Chemical Properties^ • Information Access and User Interfaces • Analytical Chemistry • High Performance Systems and Services • Process Measurements • Distributed Computing and Information Services • Surface and Microanalysis Science • Software Diagnostics and Conformance Testing 'At Boulder, CO 80303. ^Someelements at Boulder, CO. NIST Special Publication 800-18 Guide for Developing Security Plans for Information Technology Systems Marianne Swanson and Federal Computer Security Program Managers' Forum Working Group COMPUTER SECURITY Information Technology Laboratory National Institute of Standards and Technology MD Gaithersburg, 20899-0001 December 1998 U.S. Department ofCommerce William M. Daley, Secretary Technology Administration Gary R. Bachula, Acting Under Secretary for Technology National Institute ofStandards and Technology Raymond G. Kammer, Director Reports on Computer Systems Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure for information technology. ITL develops tests, test methods, reference data, proof ofconcept implementations and technical analysesto advance the development and productive use of information technology. ITL's responsibilities include the development oftechnical, phys- ical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in federal computer systems. This Special Publication 800 series reports on ITL's research, guidance, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations. National Institute of Standards and Technology Special Publication 800-18 Natl. Inst. Stand. Technol. Spec. Publ. 800-18, 102 pages (Dec. 1998) CODEN: NSPUE2 U.S. GOVERNMENT PRINTING OFFICE WASHINGTON: 1998 For sale by the Superintendent of Documents, U.S. Government Printing Office, Washington, DC 20402 Executive Summary The objective ofsystem securityplanning is to improve protection ofinformation technology (IT) resources. All federal systems have some level ofsensitivity and require protection as part ofgood management practice. The protection ofa system must be documented in a system securityplan. The completion ofsystem securityplans is a requirement ofthe Office ofManagement and Budget (0MB) Circular A-130, "Management ofFederal hiformation Resources," Appendix III, "Security ofFederal Automated Information Resources," and Public Law 100-235, "Computer SecurityAct of 1987." The purpose ofthe security plan is to provide an overview ofthe security requirements of the system and describe the controls in place orplarmed for meeting those requirements. The system securityplan also delineates responsibilities and expected behavior ofall individuals who access the system. The security plan should be viewed as documentation ofthe structured process ofplanning adequate, cost-effective security protection for a system. It should reflect input from various managers with responsibilities concerning the system, including information owners, the system operator, and the system security manager. Additional information may be included in the basic plan and the structure and format organized according to agency needs, so long as the major sections described in this document are adequately covered and readily identifiable. In order for the plans to adequatelyreflect the protection ofthe resources, a management official must authorize a system to process information or operate. The authorization ofa system to process information, granted by a management official, provides an important quality control. By authorizing processing in a system, the manager accepts its associated risk. Management authorization should be based on an assessment ofmanagement, operational, and technical controls. Since the securityplan establishes and documents the security controls, it should form the basis for the authorization, supplemented by more specific studies as needed. In addition, a periodic review ofcontrols should also contribute to fiiture authorizations. Re-authorization should occur prior to a significant change in processing, but at least every three years. It should be done more often where there is a high risk and potential magnitude ofharm. iii 9 111 Table ofContents Executive Summary iii 1 Introduction 1 1.1 Background 1 1.2 Major Application or General Support System Plans 1 1.3 Relationship to OtherNIST Security Documents 2 1.4 Purposes ofSecurity Plans 2 1.5 Security Plan Responsibilities 3 1.6 Recommended Format 3 1.7 Advice and Comment on Plan 4 1.8 Audience 4 1.9 Organization ofDocument 4 2 System Analysis 5 2.1 System Boundaries 5 2.2 Multiple Similar Systems 5 2.3 System Category 6 2.3.1 Major Applications 6 2.3.2 General Support System 7 3 Plan Development—All Systems 9 3.1 Plan Control 9 3.2 System Identification 9 3.2.1 System Name/Title 9 3.2.2 Responsible Organization 10 3.2.3 Information Contact(s) 10 3.2.4 Assignment ofSecurity Responsibility 1 3.3 System Operational Status 1 3.4 General Description/Purpose 1 3 5 System Environment 12 . 3.6 System Interconnection/Information Sharing 13 3.7 Sensitivity ofInformation Handled 14 3.7.1 Laws, Regulations, and Policies Affecting the System 14 3.7.2 General Description ofSensitivity 15 4 Management Controls 19 4.1 Risk Assessment and Management 19 4.2 Review ofSecurity Controls 1 4.3 Rules ofBehavior 20 4.4 Planning for Security in the Life Cycle 21 4.4.1 Initiation Phase 22 4.4.2 Development/Acquisition Phase 22 4.4.3 Implementation Phase 23 4.4.4 Operation/Maintenance Phase 23 4.4.5 Disposal Phase 24 4.5 Authorize Processing 24 5 Operational Controls 26 V 5.MA. Major Application—Operational Controls 27 5.MA.1 Personnel Security 27 5.MA.2 Physical and Environmental Protection 28 5.MA.2. Explanation ofPhysical and Environment Security 28 1 5.MA.2.2 Computer Room Example 30 5.MA.3 Production, Input/Output Controls 30 5.MA.4 Contingency Planning 31 5.MA.5 Application Software Maintenance Controls 32 5.MA.6 Data hitegrityA/^alidation Controls 34 5.MA.7 Documentation 35 5.MA.8 Security Awareness and Training 36 MA 6. Major Application - Technical Controls 37 6.MA.1 Identification and Authentication 37 6.MA.1.1 Identification 37 6.MA.1.2 Authentication 38 6.MA.2 Logical Access Controls (Authorization/Access Controls) 40 6.MA.3 Public Access Controls 44 6.MA.4 Audit Trails 45 -. 5.GSS General Support System—Operational Controls 47 5.GSS. Personnel Controls 47 1 5.GSS.2 Physical and Environmental Protection 48 5.GSS.2. Explanation ofPhysical and Environment Security 48 1 5.GSS.2.2 Computer Room Example 50 5.GSS.3 Production, Input/Output Controls 50 5.GSS.4 Contingency Planning (Continuity ofSupport) 51 5.GSS.5 Hardware and System Software Maintenance Controls 52 5.GSS.6 hitegrity Controls 54 5.GSS.7 Documentation 55 5.GSS.8 Security Awareness and Training 55 5.GSS.9 Incident Response Capability 56 6.GSS General Support System - Technical Controls 58 6.GSS.1 Identification and Authentication 58 6.GSS.1.1 Identification 58 6.GSS.1.2 Authentication 59 6.GSS.2 Logical Access Controls (Authorization/Access Controls) 61 6.GSS.3 Audit Trails 65 Rules ofBehavior - Major Application lA Rules ofBehavior - General Support System IB Template(s) for Security Plan IC Glossary ID References IE Index IF vi Acknowledgments Acknowledgments The National Institute ofStandards and Technology would like to acknowledge the Federal Computer Security Program Managers' Forum, an organization sponsored by the National Institute ofStandards and Technology. The Forum established a working group to develop a guideline for developing security plans for all federal systems. This document evolved from that effort. The members ofthe working group are identified below. Please note that some members' affiliations have changed; however, both individual and agency are acknowledged. Robert L. Gignilliant (Chairperson) Sadie I. Pitcher (Originating Author) Department ofHealth & Human Services Department ofCommerce, Retired Daniel Bartko JudyBloom Department ofState Department ofJustice Pauline Bowen Marlene Broadus Food and Drug Administration Department ofState Doris Carter Grace Culver Department ofLabor Patent and Trademark Office Brenda Dyer William Gill Department ofJustice Environmental Protection Agency Alice Gannon John Haines Office ofFederal Housing Department ofInterior Enterprise Oversight W. Ron Hess Mary Stone Holland National Institutes ofHealth Department ofState Sherman Howell Phyllis Jones Federal Deposit Insurance Corporation Internal Revenue Service John Kurpiel Sonja D. Martin General Services Administration Agency for International Development Francis D. McCusker Don McGinnis Patent and Trademark Office Environmental Protection Agency Louis M. Numkin Steve Posniak Nuclear Regulatory Commission Equal Employment Opportunity Commission vii Lloyd Reese Bob Sargis Department ofVeterans Affairs Administration for Children and Families Phil Sibert Steve Skolochenko Department ofEnergy Department ofJustice Carl Spellacy Josephine M. Thomas Office ofThrift Supervision Small Business Administration John Tressler TimothyTurner Department ofEducation Office ofFederal Housing Enterprise Oversight Rebecca Vasvary Ted Wells I. National Oceanographic and Patent and Trademark Office Atmospherics Administration Timothy M. Wooten Farm Credit Administration Li addition, a special thank you is due to Cynthia A. Gosewehr, Census Bureau, for sharing the planning guide template. Finally, NIST would like to thank all the other individuals who contributed to this effort; their assistance was critical to the preparation ofthis document. viii

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.